CN106339629A - Application management method and device - Google Patents
- Publication number: CN106339629A
- Application number: CN201610701670.5A
- Authority: CN (China)
- Prior art keywords: application program, target, file access, operating system, file
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
Abstract
The invention provides an application management method and device. The method comprises the following steps: presetting file access rules of at least one first application; after the at least one first application runs in an operating system, intercepting the file access request initiated by the at least one first application; analyzing the file access request to determine the target application and the target file object corresponding to the file access request; judging according to the file access rules whether the target application can access the target file object; if yes, releasing the file access request so that the operating system responds to the file access request; if not, intercepting the file access request. According to the technical scheme, the security of the operating system can be improved.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, and a system for managing an application program.
Background
With the continuous development of computer technology, the number of application programs installed in a computer operating system keeps increasing. When an application program itself has a vulnerability, an intruder can exploit it to implant a trojan horse virus in the application program; when the application program is then run in the operating system, it executes a corresponding task (such as reading and writing a system file of the operating system) and thereby threatens the security of the operating system.
At present, the security of an operating system is mainly improved through feature code (signature) recognition: the feature code of an existing trojan horse virus is extracted and loaded into a feature code recognition library, whether a feature code identical to one in the library exists in an application program is judged, and if so, the application program is prevented from running in the operating system.
However, in the above technical solution, because trojan viruses are updated extremely fast and the extraction of feature codes always lags behind those updates, an application program implanted with a new target virus can still read and write the service data under the corresponding file object of the operating system, so the security of the operating system is low.
Disclosure of Invention
The embodiment of the invention provides an application program management method and device, which can improve the security of an operating system.
In a first aspect, an embodiment of the present invention provides an application management method, including:
presetting a file access rule of at least one first application program;
intercepting a file access request initiated by the at least one first application program after the operating system runs the at least one first application program;
analyzing the file access request to determine a target application program and a target file object corresponding to the file access request;
judging whether the target application program can access the target file object according to the file access rule, if so, releasing the file access request so that the operating system responds to the file access request; otherwise, intercepting the file access request.
Preferably,
after the intercepting the file access request, further comprising:
recording the intercepted number of file access requests corresponding to the target application program intercepted in a detection period with a set time length, generating alarm information when the intercepted number is larger than a preset standard parameter, and sending the alarm information to an external alarm system so as to enable the external alarm system to alarm.
Preferably,
the presetting of the file access rule of at least one first application program comprises the following steps: presetting a file access rule linked list, wherein the file access rule linked list is used for storing the corresponding relation between the at least one first application program and the at least one file object;
the determining whether the target application program can access the target file object according to the file access rule includes: and inquiring the file access rule linked list, and judging whether the file access rule linked list has a corresponding relation between the target application program and the target file object.
Preferably,
the presetting of the file access rule of at least one first application program comprises the following steps: presetting at least two permission dimensions corresponding to at least one first application program respectively; wherein each authority dimension corresponds to at least one working state of the operating system respectively;
the determining whether the target application program can access the target file object according to the file access rule includes:
acquiring operating parameters of the operating system;
determining at least one target working state of the operating system according to the operating parameters;
determining a target permission dimension corresponding to the target application program when the operating system is in the at least one target working state;
and judging whether the target application program can access the target access object or not according to the target authority dimension.
Preferably,
the at least one operating state of the operating system includes one or more of the following operating states:
the terminal device in which the operating system is installed is connected to an external network; the terminal device in which the operating system is installed is not connected to an external network; and the number of times the target application program accesses the system files of the operating system in a detection period of a set time length is larger than a preset threshold value.
Preferably,
further comprising: presetting a user starting rule of at least one second application program;
intercepting an operation instruction corresponding to the at least one second application program;
acquiring user information of a login user who has logged in the operating system at the current moment;
determining whether the at least one second application program comprises at least one first application program which can be started by the login user according to the user information and the user start rule, and if so, releasing the operation instruction so that the operating system runs the at least one first application program; otherwise, intercepting the operation instruction.
In a second aspect, an embodiment of the present invention provides an application management apparatus, including:
the setting module is used for presetting a file access rule of at least one first application program;
the file layer filtering module is used for intercepting a file access request initiated by the at least one first application program after the operating system runs the at least one first application program;
the analysis module is used for analyzing the file access request to determine a target application program and a target file object corresponding to the file access request;
the first processing module is used for judging whether the target application program can access the target file object according to the file access rule, and if so, releasing the file access request so that the operating system can respond to the file access request; otherwise, intercepting the file access request.
Preferably,
further comprising: the alarm processing module is used for recording the intercepted number of file access requests corresponding to the target application program intercepted in a detection period with a set time length, generating alarm information when the intercepted number is larger than a preset standard parameter, and sending the alarm information to an external alarm system so as to enable the external alarm system to alarm;
and/or,
the setting module is used for presetting a file access rule linked list, wherein the file access rule linked list is used for storing the corresponding relation between the at least one first application program and the at least one file object;
the first processing module is configured to query the file access rule linked list, and determine whether a corresponding relationship between the target application program and the target file object exists in the file access rule linked list.
Preferably,
the setting module is used for presetting at least two permission dimensions corresponding to at least one first application program respectively; wherein each authority dimension corresponds to at least one working state of the operating system respectively;
the first processing module comprises:
the acquisition subunit is used for acquiring the operating parameters of the operating system;
the first determining subunit is used for determining at least one target working state of the operating system according to the operating parameters;
the second determining subunit is configured to determine a target permission dimension corresponding to the target application program when the operating system is in the at least one target operating state;
and the processing subunit is used for judging whether the target application program can access the target access object according to the target authority dimension.
Preferably,
the setting module is further used for presetting a user starting rule of at least one second application program;
further comprising: the device comprises an application layer filtering module, an acquisition module and a second processing module; wherein,
the application layer filtering module is used for intercepting an operation instruction corresponding to the at least one second application program;
the acquisition module is used for acquiring the user information of the login user who has logged in the operating system at the current moment;
the second processing module is configured to determine, according to the user information and the user start rule, whether the at least one second application includes at least one first application that can be started by the login user, and if so, release the operation instruction so that the operating system runs the at least one first application; otherwise, intercept the operation instruction.
The embodiment of the invention provides an application program management method and a device, wherein at least one file access rule of a first application program is preset, after an operating system runs the first application program, a file access request initiated by each first application program is intercepted, the intercepted file access request is analyzed to determine a target application program and a target file object (such as a system file, a log file and the like of the operating system) corresponding to the current file access request, namely the target application program initiating the file access request and the target file object needing to be accessed when the target application program executes a data access task, whether the target application program can access the target file object is further judged according to the preset file access rule, and only when the target application program is allowed to access the target file object in the preset file access rule, the intercepted file access request is released, so that the operating system responds to the file access request (for example, business data is read and written in a target file object), otherwise, the file access request is intercepted, so that the operating system does not respond to the file access request; in summary, in the technical solution provided in the embodiment of the present invention, by limiting the range of the file object accessible by the application program, the intruder cannot access other file objects that are not in the range of the file object accessible by the current application program, and thus, the application program is prevented from continuing to intrude into the operating system through the application program after being controlled by the intruder, and the security of the operating system can be improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flowchart of an application management method according to an embodiment of the present invention;
FIG. 2 is a flow chart of another method for managing applications according to an embodiment of the present invention;
FIG. 3 is a block diagram of an application management device according to an embodiment of the present invention;
FIG. 4 is a block diagram of another application management device according to an embodiment of the present invention;
FIG. 5 is a block diagram of another application management device according to an embodiment of the present invention;
FIG. 6 is a block diagram of another application management apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As shown in fig. 1, an embodiment of the present invention provides an application management method, including:
step 101, presetting a file access rule of at least one first application program;
step 102, after the operating system runs the at least one first application program, intercepting a file access request initiated by the at least one first application program;
step 103, analyzing the file access request to determine a target application program and a target file object corresponding to the file access request;
step 104, judging whether the target application program can access the target file object according to the file access rule, if so, releasing the file access request so that the operating system responds to the file access request; otherwise, intercepting the file access request.
In the above embodiment of the present invention, by presetting a file access rule of at least one first application program, after the operating system runs the first application program, a file access request initiated by each first application program is intercepted, the intercepted file access request is analyzed to determine a target application program and a target file object (such as a system file, a log file, etc. of the operating system) corresponding to the current file access request, that is, the target application program initiating the file access request and the target file object that the target application program needs to access when executing the data access task of this time are determined, and further, whether the target application program can access the target file object is determined according to the preset file access rule, the intercepted file access request is released only when the target application program is allowed to access the target file object in the preset file access rule, enabling the operating system to respond to the file access request (such as reading and writing business data in a target file object), otherwise, intercepting the file access request, and enabling the operating system not to respond to the file access request; in summary, in the technical solution provided in the embodiment of the present invention, by limiting the range of the file object accessible by the application program, the intruder cannot access other file objects that are not in the range of the file object accessible by the current application program, and thus, the application program is prevented from continuing to intrude into the operating system through the application program after being controlled by the intruder, and the security of the operating system can be improved.
Specifically, in a preferred embodiment of the present invention, the presetting of the file access rule of the at least one first application includes: presetting a file access rule linked list, wherein the file access rule linked list is used for storing the corresponding relation between the at least one first application program and the at least one file object;
the determining whether the target application program can access the target file object according to the file access rule includes: and inquiring the file access rule linked list, and judging whether the file access rule linked list has a corresponding relation between the target application program and the target file object.
In the above embodiment of the present invention, the staff only needs to fill the corresponding relationship between the at least one first application program and the at least one file object into the file access rule linked list, and after intercepting the file access request initiated by the at least one first application program, on the premise of not changing the original permission configuration information of the operating system, the control release or interception of the intercepted file access request can be realized according to the file access rule linked list; meanwhile, the corresponding relation between the at least one application program and the at least one file object is only stored in the file access rule linked list, a detailed path of each file object does not need to be written into the file access rule linked list, and user experience is good.
In an embodiment of the present invention, the preset file access rule may also limit the range of file objects each first application program can access according to the type of the file object, for example, limit a target application program to accessing only files of a specified file type (such as txt text files). Correspondingly, after the target file object corresponding to the file access request is determined, the file type of the target file object is further identified, and whether the determined target application program can access a target file object of that type is judged according to the preset file access rule; specifically, the file type of the target file may be determined by its filename suffix or by the type of its binary content.
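The interception decision of steps 102 to 104 together with the file-type variant just described, as an added example that is not the patent's own code: the "file access rule linked list" is modelled as a plain Python list of rule entries, and the process table, the rule values, the application names and the sample requests are all constructed for illustration. Step 103 maps the intercepted request to a target application and target file object; an unknown process yields no target application, and the decision then fails closed.

```python
"""File access rule list and interception decision (steps 102 to 104).

Added example, not the patent's own code. The 'file access rule linked list'
is modelled as a Python list of rule entries; the process table, rule values
and sample requests are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessRule:
    app: str      # first application program the rule belongs to
    kind: str     # "path": exact file object; "suffix": file type by name; "magic": file type by leading bytes
    value: object  # path string, suffix string, or magic bytes


# Constructed process table: the interceptor sees a pid, the rules speak about an application image.
PROCESS_TABLE = {4242: "editor.exe", 5150: "viewer.exe"}

# Constructed rule list: each entry is one (application, file object or file type) correspondence.
RULES: List[AccessRule] = [
    AccessRule("editor.exe", "suffix", ".txt"),
    AccessRule("editor.exe", "path", "/home/user/notes.db"),
    AccessRule("viewer.exe", "magic", b"%PDF"),
]


def analyze_request(request: dict) -> Tuple[Optional[str], str]:
    """Step 103: map the intercepted request to (target application, target file object).

    An unknown pid yields None so that the decision below fails closed.
    """
    return PROCESS_TABLE.get(request["pid"]), request["path"]


def rule_matches(rule: AccessRule, app: str, path: str, header: bytes) -> bool:
    """True if this rule grants `app` access to the file identified by `path`/`header`."""
    if rule.app != app:
        return False
    if rule.kind == "path":
        return rule.value == path
    if rule.kind == "suffix":
        return path.lower().endswith(str(rule.value).lower())
    if rule.kind == "magic":
        return header.startswith(rule.value)
    return False  # an unknown rule kind never grants access


def handle_request(rules: List[AccessRule], request: dict, header: bytes = b"") -> str:
    """Step 104: 'release' when some rule grants the access, otherwise 'intercept'.

    `header` holds the first bytes of the target file and is consulted only by
    'magic' rules (the file-type check by binary content).
    """
    app, path = analyze_request(request)
    if app is None:
        return "intercept"
    if any(rule_matches(r, app, path, header) for r in rules):
        return "release"
    return "intercept"


if __name__ == "__main__":
    print(handle_request(RULES, {"pid": 4242, "path": "/home/user/todo.txt"}))  # release
    print(handle_request(RULES, {"pid": 4242, "path": "/etc/passwd"}))          # intercept
    print(handle_request(RULES, {"pid": 5150, "path": "/tmp/x"}, b"%PDF-1.7"))  # release
```

The list is scanned for the first matching entry, which is what the patent's query of the rule linked list amounts to; because no entry names `/etc/passwd` for `editor.exe`, that request is intercepted even though the operating system's own permissions would allow it, and a request from a process that the table cannot attribute to any application is intercepted as well.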
Furthermore, the user can reasonably set the file access rule of at least one first application program according to the characteristics of each first application program; for example, a file object that the current first application program must access when working normally is set as a file object that the current first application program can access, and if the current first application program frequently requests to access other file objects that the current first application program does not need to access when working normally within a set time period, it indicates that the current first application program may have a vulnerability and has been controlled by an intruder; accordingly, in a preferred embodiment of the present invention, after the intercepting the file access request, the method further includes:
recording the intercepted number of file access requests corresponding to the target application program intercepted in a detection period with a set time length, generating alarm information when the intercepted number is larger than a preset standard parameter, and sending the alarm information to an external alarm system so as to enable the external alarm system to alarm.
In the above embodiment of the present invention, the number of intercepted file access requests corresponding to the target application program is the number of times that the target application program requests access to other file objects that do not need to be accessed when the target application program normally operates in a detection period of a set time length, the time length of the detection period and the standard parameter may be determined by analyzing samples of a corresponding number, and when the number of times is greater than the preset standard parameter, it indicates that the target application program may have a bug and has been controlled by an intruder, and generates an alarm message and sends the alarm message to an external alarm system, and the external alarm system gives an alarm according to the alarm message, so that a worker can be reminded of performing corresponding processing on the target application program in time.
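The alarm rule of the preceding paragraphs, as an added example that is not the patent's own code: intercepted requests are counted per target application over a detection period, and alarm information is generated once the count exceeds the preset standard parameter. The patent fixes only "a detection period of a set time length"; treating it as a sliding window ending at the latest intercept is an assumption, as are the intercept log, the 60-second period and the threshold of 3. The external alarm system is replaced by a list that collects the alarm information.

```python
"""Alarm on the number of intercepted requests per application in a detection period.

Added example, not the patent's own code. Assumes a sliding window of
`period_seconds`; the intercept log and the threshold are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional


class InterceptAlarm:
    def __init__(self, period_seconds: float, standard_parameter: int):
        self.period = period_seconds
        self.limit = standard_parameter  # the 'preset standard parameter'
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def record(self, app: str, timestamp: float) -> Optional[dict]:
        """Record one intercepted request; return alarm information if the count exceeds the limit."""
        window = self._events[app]
        window.append(timestamp)
        # Drop intercepts that fall outside the detection period ending now.
        while window and timestamp - window[0] >= self.period:
            window.popleft()
        if len(window) > self.limit:
            return {"app": app, "intercepted": len(window), "period_s": self.period, "at": timestamp}
        return None


def send_to_alarm_system(alarm: dict, outbox: List[dict]) -> None:
    """Stand-in for the external alarm system: here it only collects the alarm information."""
    outbox.append(alarm)


# Constructed intercept log: (timestamp in seconds, target application).
INTERCEPT_LOG = [
    (0, "editor.exe"), (10, "editor.exe"), (20, "viewer.exe"),
    (30, "editor.exe"), (40, "editor.exe"),  # fourth editor.exe intercept inside 60 s
    (200, "editor.exe"),                     # the earlier intercepts have aged out by now
]


def run_detector(log, period_seconds: float = 60, standard_parameter: int = 3) -> List[dict]:
    """Replay the log through the detector and return every alarm that was raised."""
    detector = InterceptAlarm(period_seconds, standard_parameter)
    outbox: List[dict] = []
    for ts, app in log:
        alarm = detector.record(app, ts)
        if alarm is not None:
            send_to_alarm_system(alarm, outbox)
    return outbox


if __name__ == "__main__":
    for alarm in run_detector(INTERCEPT_LOG):
        print(alarm)  # one alarm for editor.exe, intercepted=4, at t=40
```

Only `editor.exe` crosses the threshold, and only while its four intercepts lie inside one 60-second period; the lone intercept at t=200 starts a fresh count. Once the count is above the limit, every further intercept inside the window raises the alarm again, so a deployment would rate-limit repeats on the alarm-system side.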
Furthermore, because the operating systems are in different working states, the safety degrees of the operating systems are different, for example, in a data management system built by using one server and a plurality of terminal devices, the server can monitor and maintain the running states of the terminal devices in real time, and when the server monitors that the operating systems of the terminal devices are illegally invaded, the invaded operating systems can be repaired in time so as to prevent the invaded operating systems from being further damaged, and the safety is higher; on the contrary, when the server is disconnected from the terminal equipment, the security of the operating system in the terminal equipment is low; accordingly, when the operating system is in a working state with different security degrees, the same application program may correspond to different file access rules, and accordingly, in a preferred embodiment of the present invention, the presetting of the file access rule of at least one first application program includes: presetting at least two permission dimensions corresponding to at least one first application program respectively; wherein each authority dimension corresponds to at least one working state of the operating system respectively;
the determining whether the target application program can access the target file object according to the file access rule includes:
acquiring operating parameters of the operating system;
determining at least one target working state of the operating system according to the operating parameters;
determining a target permission dimension corresponding to the target application program when the operating system is in the at least one target working state;
and judging whether the target application program can access the target access object or not according to the target authority dimension.
Specifically, in a preferred embodiment of the present invention, the at least one operating state of the operating system includes one or more of the following operating states:
the terminal device in which the operating system is installed is connected to an external network; the terminal device in which the operating system is installed is not connected to an external network; and the number of times the target application program accesses the system files of the operating system in a detection period of a set time length is larger than a preset threshold value.
For example, when the terminal device for installing the operating system is not connected to the external network, that is, when the terminal device is in an offline state, the security of the terminal device is low, and it may be set that the application a has access rights in n directions, that is, accesses n resources (n types of file objects or n file objects) in one right dimension a1 corresponding to the terminal device for installing the operating system in the offline state; on the contrary, when the terminal device equipped with the operating system is communicated with the corresponding server through the external network, the security of the terminal device is high, and the application program a can be set to have access rights in n + m directions in another authority dimension a2 corresponding to the terminal device equipped with the operating system in the networking state, that is, when the security level of the operating system itself is high, more access rights can be opened for the terminal device, so that the application program can access n + m resources.
In an embodiment of the present invention, the operation parameters of the operating system may include working parameters of a network port, installed in the terminal device of the current operating system, for connecting to the server corresponding to the terminal device, where the working parameters should reflect whether the current terminal device is communicated with the corresponding server through an external network.
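The permission-dimension variant of the preceding paragraphs, as an added example that is not the patent's own code: the operating parameters (here the link state of the network port that reaches the server and the application's system-file access count in the current detection period) are turned into working states, the dimension of the target application for those states is selected, and the access decision is made against it. The dimension table for application A (n resources offline, n + m resources online), the empty dimension for the "excessive system file access" state, and the rule that several simultaneous states are combined by intersection so that the most restrictive dimension wins, are assumptions made for illustration.

```python
"""Permission dimensions selected by the operating system's working state.

Added example, not the patent's own code. The working states, operating
parameters, dimension table and the 'most restrictive dimension wins' rule
for several simultaneous states are assumptions made for illustration.
"""
from typing import Dict, Set

ONLINE = "online"    # terminal connected to the external network / its server
OFFLINE = "offline"  # terminal not connected
EXCESSIVE_SYSFILE = "excessive_system_file_access"  # system-file accesses above the threshold in the period

# app -> working state -> file objects accessible in that permission dimension (constructed)
PERMISSION_DIMENSIONS: Dict[str, Dict[str, Set[str]]] = {
    "A": {
        OFFLINE: {"/data/a.db"},                                      # n resources (dimension a1)
        ONLINE: {"/data/a.db", "/data/shared.db", "/var/log/a.log"},  # n + m resources (dimension a2)
        EXCESSIVE_SYSFILE: set(),                                     # assumption: nothing while suspicious
    },
}


def determine_working_states(params: dict) -> Set[str]:
    """Derive the target working states from a constructed snapshot of operating parameters."""
    states = {ONLINE if params["server_port_link_up"] else OFFLINE}
    if params["system_file_access_count"] > params["system_file_threshold"]:
        states.add(EXCESSIVE_SYSFILE)
    return states


def target_dimension(app: str, states: Set[str]) -> Set[str]:
    """Select the permission dimension for the app; with several active states, intersect them."""
    dims = PERMISSION_DIMENSIONS.get(app, {})
    allowed = None
    for state in states:
        dim = dims.get(state, set())
        allowed = dim if allowed is None else allowed & dim
    return allowed or set()


def decide(app: str, target_file: str, params: dict) -> str:
    """'release' if the target file object lies in the app's dimension for the current states."""
    states = determine_working_states(params)
    return "release" if target_file in target_dimension(app, states) else "intercept"


if __name__ == "__main__":
    online = {"server_port_link_up": True, "system_file_access_count": 2, "system_file_threshold": 10}
    offline = {"server_port_link_up": False, "system_file_access_count": 2, "system_file_threshold": 10}
    print(decide("A", "/data/shared.db", online))   # release: shared.db is in the online dimension a2
    print(decide("A", "/data/shared.db", offline))  # intercept: offline dimension a1 holds only a.db
```

An application absent from the table gets an empty dimension and is intercepted regardless of state, and a terminal that is online but whose application exceeded the system-file threshold is cut back to the intersection of the online and "excessive" dimensions, i.e. to nothing.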
In order to further improve the security of the operating system and prevent an intruder from intruding into the operating system through a stolen user account, the management authorities corresponding to different users can be further defined, i.e. different authority management dimensions are allocated to different users to define the application programs which the operating system may run when the current user is logged in; specifically, in a preferred embodiment of the present invention, the method further includes: presetting a user start rule of at least one second application program;
intercepting an operation instruction corresponding to the at least one second application program;
acquiring user information of a login user who has logged in the operating system at the current moment;
determining whether the at least one second application program comprises at least one first application program which can be started by the login user according to the user information and the user start rule, and if so, releasing the operation instruction so that the operating system runs the at least one first application program; otherwise, intercepting the operation instruction.
For example, the applications installed in the operating system include A, B and C, and the corresponding user start rules are: the user "user" can control application program A to run, the user "administrator" can control application programs A and B to run, and a server connected to the terminal device on which the current operating system is installed can control application programs A, B and C to run; then, after the operation instruction corresponding to application program B is intercepted, if the user currently logged in to the operating system is guest, the operation instruction is intercepted, and if the user currently logged in is administrator, the operation instruction is released. It should be noted that, when a user logs in to the operating system, the login request may also be identified, and if the preset user start rule has no authority entry for the user corresponding to the login request, the login request is intercepted; for example, if the administrator account of the database is root, an intruder obtains the authority of the root account by illegal means and tries to log in to access the database, and when the preset user start rule has no related authority entry for the root user, the login request is intercepted so that the login of the root account is rejected. Therefore, an intruder is prevented from logging in to the operating system through a stolen user account and starting the corresponding application program without authorization to threaten the security of the operating system.
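The user start rules and the two application-layer checkpoints (login and run instruction) from the paragraphs above, as an added example that is not the patent's own code. The users guest, user and administrator, the server, and the applications A, B and C follow the description's example; treating guest as a known account that may start nothing, and the event stream replayed at the end, are constructed for illustration.

```python
"""User start rules: application-layer interception of run instructions and logins.

Added example, not the patent's own code. The rule table and the event
stream are constructed; guest being a known account that may start nothing
is an assumption.
"""
from typing import Dict, List, Optional, Set

# Constructed user start rules: login user -> applications that user may start.
USER_START_RULES: Dict[str, Set[str]] = {
    "guest": set(),
    "user": {"A"},
    "administrator": {"A", "B"},
    "server": {"A", "B", "C"},
}


def handle_login(rules: Dict[str, Set[str]], account: str) -> str:
    """Intercept the login of any account the start rules do not know (e.g. an obtained root account)."""
    return "release" if account in rules else "intercept"


def handle_run_instruction(rules: Dict[str, Set[str]], login_user: Optional[str], app: str) -> str:
    """Release the run instruction only if the currently logged-in user may start the app."""
    if login_user is None:
        return "intercept"  # no accepted login: nothing may be started
    return "release" if app in rules.get(login_user, set()) else "intercept"


def process_events(rules: Dict[str, Set[str]], events: List[dict]) -> List[dict]:
    """Replay a constructed event stream; each event yields a decision record for audit."""
    current_user: Optional[str] = None
    records = []
    for ev in events:
        if ev["type"] == "login":
            verdict = handle_login(rules, ev["account"])
            if verdict == "release":
                current_user = ev["account"]
            records.append({**ev, "verdict": verdict})
        elif ev["type"] == "run":
            verdict = handle_run_instruction(rules, current_user, ev["app"])
            records.append({**ev, "user": current_user, "verdict": verdict})
    return records


# Constructed event stream, in the order the interceptors see it.
EVENTS = [
    {"type": "login", "account": "guest"},          # release: guest is a known account
    {"type": "run", "app": "B"},                    # intercept: guest may not start B
    {"type": "login", "account": "administrator"},  # release
    {"type": "run", "app": "B"},                    # release: administrator may start B
    {"type": "run", "app": "C"},                    # intercept: only the server may start C
    {"type": "login", "account": "root"},           # intercept: no start rule mentions root
]


if __name__ == "__main__":
    for rec in process_events(USER_START_RULES, EVENTS):
        print(rec)
```

The login check rejects accounts the rule table never mentions, which is the patent's root example; the run check then bounds what an accepted account can start, so even an accepted administrator login cannot launch C.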
In summary, the application management method in the above embodiment of the present invention can limit whether each application installed in the operating system can run in the operating system according to the current working state of the operating system, and simultaneously limit the file access permission of the application that can run in the operating system; in this manner, by limiting unauthorized execution and unauthorized access of applications installed in the operating system, the application itself can be prevented from being utilized by an intruder to compromise operating system security.
As shown in fig. 2, an embodiment of the present invention provides an application management method, which may include the following steps:
step 201, setting a user start rule of at least one application program needing to be monitored in an operating system.
For example, when the applications that the user needs to monitor include applications A, B and C, and the current operating system has the users guest, user and administrator, the user start rule may be set as: administrator may launch applications A, B and C, and user may launch applications A and B.
Step 202, setting authority dimensions corresponding to each application program when the operating system is in at least one working state.
For example, when the terminal device on which the operating system is installed is in an offline working state, application program A has access rights in n directions in the permission dimension a1 corresponding to A, that is, it may access n kinds of resources (n types of file objects or n file objects); by contrast, when the terminal device is in a networking working state, application program A has access rights in n + m directions in another permission dimension a2 corresponding to A.
In the embodiment of the invention, when the safety degree of the operating system is higher, more access rights can be opened for the operating system.
In the embodiment of the present invention, a file access rule linked list may further be set. The file access rule linked list records the permission dimensions corresponding to application programs A, B and C when the operating system is in the offline working state and in the networking working state, respectively, and each permission dimension stores the correspondence between one application program and at least one file object.
Step 203, intercepting an operation instruction corresponding to at least one second application program.
Step 204, obtaining the user information of the login user who has logged in the operating system at the current moment.
It should be noted that when a user logs in to the current operating system, the corresponding login request may also be identified, and if the preset user start rule contains no authority setting for the user corresponding to the login request, the login request is intercepted. For example, the administrator account of the database is root, an intruder obtains the authority of the root account by illegal means and tries to log in to access the database; when the preset user start rule contains no authority setting for the root user, the login request is intercepted and the login of the root account is rejected.
Step 205, according to the user information and the user starting rule, judging whether the at least one second application program comprises at least one first application program which can be started by the login user, if so, executing step 206; otherwise, step 215 is performed.
For example, if the second application program corresponding to the operation instruction is application A and the login user of the current operating system is administrator or user, step 206 is executed. Conversely, when the second application program corresponding to the operation instruction is C and the login user is guest or user, then according to the preset user start rule application program C is not a first application program that the login user guest or user can start, and step 215 is executed.
Step 206, releasing the intercepted operation instruction.
In the embodiment of the invention, after the intercepted operation instruction is released, the operating system can respond to the operation instruction and run the first application program corresponding to the operation instruction in the current operating system.
Step 207, after the operating system runs at least one first application program, intercepting a file access request initiated by each first application program.
Step 208, the intercepted file access request is parsed to determine the target application program and the target file object corresponding to the file access request.
Step 209, obtain the operating parameters of the current operating system.
Step 210, determining a target working state of the operating system according to the acquired operating parameters.
In the embodiment of the present invention, the operation parameters may include working parameters of a network port used for connecting a server corresponding to the terminal device installed with the current operating system, and it may be determined whether the terminal device installed with the current operating system is in a networking state through the working parameters.
Of course, other operating parameters of the current operating system may also be obtained in step 209 to determine the target operating state of the current operating system, for example, obtaining corresponding operating parameters to determine whether the current operating system is in a locked state, and the like.
Step 211, determining a target permission dimension corresponding to the target application program when the operating system is in the target working state.
For example, when the target application program determined in step 208 is A, and it is determined in step 210 that the terminal device on which the current operating system is installed is in the offline state, the target permission dimension is determined to be a1 by querying the file access rule linked list constructed in step 202.
Step 212, judging whether a corresponding relation between the target application program and the target file object exists in the target authority dimension, if so, executing step 216; otherwise, step 213 is performed.
That is, the file access rule linked list is queried to determine whether, in the target permission dimension a1, a correspondence exists between the target application A and the target file object determined in step 208.
Step 213, intercept the file access request.
Step 214, recording the number of file access requests from the target application program that were intercepted within a detection period of a set length; when this intercepted number is larger than a preset standard parameter, generating alarm information and sending it to an external alarm system so that the external alarm system raises an alarm.
Step 215, intercept the run instruction.
Step 216, releasing the file access request.
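As an added example (not code from the patent), the following Python models steps 201 to 216 together with the user rule example from the description: the user start rule, the file access rule linked list keyed by working state, the login and run-instruction checks, and the intercept counter that alarms once a preset standard is exceeded within a detection period. All names and values (port_up, ALARM_STANDARD, DETECTION_PERIOD, the file objects) are assumptions.

```python
from collections import defaultdict

# Step 201 (constructed to match the patent's example): administrator may
# launch A, B and C; user may launch A and B; guest has no entry at all.
USER_START_RULE = {
    "administrator": {"A", "B", "C"},
    "user": {"A", "B"},
}

# Step 202: the "file access rule linked list". Each permission dimension is
# keyed by (application, working state) and lists the file objects the
# application may reach in that state. Following the text, dimension a1
# (offline) grants n objects and a2 (networking) grants n + m objects.
FILE_ACCESS_RULES = {
    ("A", "offline"): {"config", "log"},                      # a1, n = 2
    ("A", "networking"): {"config", "log", "business_data"},  # a2, n + m = 3
    ("B", "offline"): {"log"},
    ("B", "networking"): {"log", "business_data"},
}

ALARM_STANDARD = 3        # preset standard parameter (constructed value)
DETECTION_PERIOD = 60.0   # detection period length in seconds (constructed)


def login_allowed(user):
    """Login check from the text: a user with no entry in the start rule
    (e.g. an intruder using a captured 'root' account) is rejected."""
    return user in USER_START_RULE


def run_allowed(user, app):
    """Steps 203-206 / 215: release the run instruction only if the start
    rule lets the logged-in user launch this application."""
    return app in USER_START_RULE.get(user, set())


def working_state(operating_params):
    """Step 210: derive the working state from the operating parameters.
    The only parameter modelled here is the state of the network port."""
    return "networking" if operating_params.get("port_up") else "offline"


class FileLayerFilter:
    """Steps 207-216: file-layer filtering plus the alarm counter (step 214)."""

    def __init__(self, alarm_system):
        self.alarm_system = alarm_system          # external alarm sink (a list)
        self.intercepted = defaultdict(list)      # app -> intercept timestamps

    def handle(self, request, operating_params, now):
        app, obj = request["app"], request["file_object"]       # step 208
        state = working_state(operating_params)                 # steps 209-210
        dimension = FILE_ACCESS_RULES.get((app, state), set())  # step 211
        if obj in dimension:                                    # step 212
            return "release"                                    # step 216
        # Step 213: intercept. Step 214: count intercepts inside the sliding
        # detection period and alarm once the count exceeds the standard.
        times = self.intercepted[app]
        times.append(now)
        times[:] = [t for t in times if now - t < DETECTION_PERIOD]
        if len(times) > ALARM_STANDARD:
            self.alarm_system.append({"app": app, "count": len(times), "at": now})
        return "intercept"


def demo():
    """Walk through the text's examples; returns the decisions for checking."""
    alarms = []
    flt = FileLayerFilter(alarms)
    offline, online = {"port_up": False}, {"port_up": True}
    out = {
        "root_login": login_allowed("root"),
        "guest_runs_B": run_allowed("guest", "B"),
        "admin_runs_B": run_allowed("administrator", "B"),
        "user_runs_C": run_allowed("user", "C"),
        # A may reach business_data only in the networking dimension a2
        "A_offline_data": flt.handle({"app": "A", "file_object": "business_data"}, offline, 0.0),
        "A_online_data": flt.handle({"app": "A", "file_object": "business_data"}, online, 1.0),
    }
    # Application B (assumed compromised) hammers a system file it may not
    # touch: the 4th intercept within the period crosses ALARM_STANDARD = 3.
    for t in (10.0, 11.0, 12.0, 13.0):
        flt.handle({"app": "B", "file_object": "system_file"}, online, t)
    out["alarms_after_burst"] = len(alarms)
    # A lone intercept long after the period has expired raises no new alarm.
    flt.handle({"app": "B", "file_object": "system_file"}, online, 500.0)
    out["alarms_after_quiet"] = len(alarms)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```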
As shown in fig. 3, an embodiment of the present invention provides an application management apparatus, including:
a setting module 301, configured to preset a file access rule of at least one first application;
the file layer filtering module 302 is configured to intercept a file access request initiated by the at least one first application program after the operating system runs the at least one first application program;
the parsing module 303 is configured to parse the file access request to determine a target application and a target file object corresponding to the file access request;
a first processing module 304, configured to determine whether the target application program may access the target file object according to the file access rule, and if so, release the file access request, so that the operating system responds to the file access request; otherwise, intercepting the file access request.
Further, in order to help the user process in time an application program that has been controlled by an intruder, as shown in fig. 4, in a preferred embodiment of the present invention the apparatus further includes: an alarm processing module 401, configured to record the number of file access requests from the target application program intercepted within a detection period of a set length, generate alarm information when the intercepted number is greater than a preset standard parameter, and send the alarm information to an external alarm system so that the external alarm system raises an alarm.
Further, in order to improve user experience, in a preferred embodiment of the present invention, the setting module 301 is configured to preset a file access rule linked list, where the file access rule linked list is used to store a correspondence between the at least one first application program and the at least one file object;
the first processing module 304 is configured to query the file access rule linked list, and determine whether a corresponding relationship between the target application program and the target file object exists in the file access rule linked list.
Further, in order to control that the same application program may have different file access permissions when the current operating system is in a working state with different security degrees, as shown in fig. 5, in a preferred embodiment of the present invention, the setting module 301 is configured to preset at least two permission dimensions corresponding to at least one first application program respectively; wherein each authority dimension corresponds to at least one working state of the operating system respectively;
the first processing module 304 includes:
an obtaining subunit 3041, configured to obtain an operating parameter of the operating system;
a first determining subunit 3042, configured to determine at least one target working state of the operating system according to the operation parameter;
a second determining subunit 3043, configured to determine a target permission dimension corresponding to the target application program when the operating system is in the at least one target working state;
a processing subunit 3044, configured to determine, according to the target permission dimension, whether the target application program may access the target access object.
Further, in order to further improve the security of the operating system and prevent an intruder from intruding the application program in the operating system through the intercepted user account, as shown in fig. 6, in a preferred embodiment of the present invention, the setting module 301 is further configured to preset a user start rule of at least one second application program;
further comprising: an application layer filtering module 601, an obtaining module 602 and a second processing module 603; wherein,
the application layer filtering module 601 is configured to intercept an operation instruction corresponding to the at least one second application program;
the obtaining module 602 is configured to obtain user information of a login user who has logged in the operating system at a current time;
the second processing module 603 is configured to determine, according to the user information and the user start rule, whether the at least one second application includes at least one first application that can be started by the login user, and if so, release the running instruction, so that the operating system runs the at least one first application; otherwise, intercepting the operation instruction.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiments of the invention have at least the following beneficial effects:
1. By presetting a file access rule for at least one first application program, after the operating system runs the first application program, the file access request initiated by each first application program is intercepted and parsed to determine the target application program and the target file object (such as a system file or log file of the operating system) corresponding to the current file access request, that is, the target application program that initiated the request and the target file object it needs to access for the current data access task. Whether the target application program may access the target file object is then judged according to the preset file access rule: the intercepted file access request is released only when the preset file access rule allows the target application program to access the target file object, so that the operating system responds to the request (for example, by reading or writing business data in the target file object); otherwise the file access request is intercepted so that the operating system cannot respond to it. In summary, in the technical solution provided by the embodiment of the present invention, the range of file objects accessible to an application program is limited, so an intruder cannot reach file objects outside the range accessible to the current application program; thus, once an application program has been controlled by an intruder, it cannot be used to intrude further into the operating system, and the security of the operating system is improved.
2. In one embodiment of the invention, by setting a file access rule linked list, an operator only needs to fill the correspondence between application programs and file objects into the linked list; after a file access request is intercepted, release or interception of the request can be controlled according to the linked list without changing the original permission configuration of the operating system. Meanwhile, because the linked list stores only the correspondence between application program and file object, the detailed path of each file object need not be written into it, which gives a better user experience.
3. In a preferred embodiment of the invention, the number of file access requests from a target application program intercepted within a detection period of a set length is recorded; when the intercepted number is greater than a preset standard parameter, this indicates that the target application program may have a vulnerability and has been controlled by an intruder, so alarm information is generated and sent to an external alarm system, which raises an alarm. Staff can thus be reminded to process the target application program in time.
4. In one embodiment of the invention, aiming at the same application program, a plurality of authority dimensions corresponding to the current application program can be reasonably set according to the safety degree of the working state of the operating system, and when the operating system is in different working states, the file object access range of the current application program is limited through different authority dimensions.
5. In one embodiment of the invention, by setting the user start rule corresponding to an application program, that application program can only be started by a specified user logged in to the operating system, so that an intruder is prevented from logging in to the operating system through a captured user account and starting the application program without authorization to threaten the security of the operating system.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the inclusion of an element by the phrase "comprising a" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it is to be noted that: the above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
Claims (10)
1. An application management method, comprising:
presetting a file access rule of at least one first application program;
intercepting a file access request initiated by the at least one first application program after the operating system runs the at least one first application program;
analyzing the file access request to determine a target application program and a target file object corresponding to the file access request;
judging whether the target application program can access the target file object according to the file access rule, if so, releasing the file access request so that the operating system responds to the file access request; otherwise, intercepting the file access request.
2. The application management method according to claim 1,
after the intercepting the file access request, further comprising:
recording the intercepted number of file access requests corresponding to the target application program intercepted in a detection period with a set time length, generating alarm information when the intercepted number is larger than a preset standard parameter, and sending the alarm information to an external alarm system so as to enable the external alarm system to alarm.
3. The application management method according to claim 1,
the presetting of the file access rule of at least one first application program comprises the following steps: presetting a file access rule linked list, wherein the file access rule linked list is used for storing the corresponding relation between the at least one first application program and the at least one file object;
the determining whether the target application program can access the target file object according to the file access rule includes: and inquiring the file access rule linked list, and judging whether the file access rule linked list has a corresponding relation between the target application program and the target file object.
4. The application management method according to claim 1,
the presetting of the file access rule of at least one first application program comprises the following steps: presetting at least two permission dimensions corresponding to at least one first application program respectively; wherein each authority dimension corresponds to at least one working state of the operating system respectively;
the determining whether the target application program can access the target file object according to the file access rule includes:
acquiring operating parameters of the operating system;
determining at least one target working state of the operating system according to the operating parameters;
determining a target permission dimension corresponding to the target application program when the operating system is in the at least one target working state;
and judging whether the target application program can access the target access object or not according to the target authority dimension.
5. The application management method according to claim 4,
the at least one operating state of the operating system includes one or more of the following operating states:
the terminal equipment for installing the operating system is communicated with an external network, the terminal equipment for installing the operating system is not communicated with the external network, and the number of times that the target application program accesses the system file of the operating system in a detection period of a set time length is larger than a preset threshold value.
6. The application management method according to any one of claims 1 to 5,
further comprising: presetting a user starting rule of at least one second application program;
intercepting an operation instruction corresponding to the at least one second application program;
acquiring user information of a login user who has logged in the operating system at the current moment;
determining whether the at least one second application program comprises at least one first application program which can be started by the login user according to the user information and the user starting rule, and if so, releasing the running instruction to enable the operating system to run the at least one first application program; otherwise, intercepting the operation instruction.
7. An application management apparatus, comprising:
the setting module is used for presetting a file access rule of at least one first application program;
the file layer filtering module is used for intercepting a file access request initiated by the at least one first application program after the operating system runs the at least one first application program;
the analysis module is used for analyzing the file access request to determine a target application program and a target file object corresponding to the file access request;
the first processing module is used for judging whether the target application program can access the target file object according to the file access rule, and if so, releasing the file access request so that the operating system can respond to the file access request; otherwise, intercepting the file access request.
8. The application management device according to claim 7,
further comprising: the alarm processing module is used for recording the intercepted number of file access requests corresponding to the target application program intercepted in a detection period with a set time length, generating alarm information when the intercepted number is larger than a preset standard parameter, and sending the alarm information to an external alarm system so as to enable the external alarm system to alarm;
and/or,
the setting module is used for presetting a file access rule linked list, wherein the file access rule linked list is used for storing the corresponding relation between the at least one first application program and the at least one file object;
the first processing module is configured to query the file access rule linked list, and determine whether a corresponding relationship between the target application program and the target file object exists in the file access rule linked list.
9. The application management device according to claim 7,
the setting module is used for presetting at least two permission dimensions corresponding to at least one first application program respectively; wherein each authority dimension corresponds to at least one working state of the operating system respectively;
the first processing module comprises:
the acquisition subunit is used for acquiring the operating parameters of the operating system;
the first determining subunit is used for determining at least one target working state of the operating system according to the operating parameters;
the second determining subunit is configured to determine a target permission dimension corresponding to the target application program when the operating system is in the at least one target operating state;
and the processing subunit is used for judging whether the target application program can access the target access object according to the target authority dimension.
10. The application management apparatus according to any one of claims 6 to 9,
the setting module is further used for presetting a user starting rule of at least one second application program;
further comprising: the device comprises an application layer filtering module, an acquisition module and a second processing module; wherein,
the application layer filtering module is used for intercepting an operation instruction corresponding to the at least one second application program;
the acquisition module is used for acquiring the user information of the login user who has logged in the operating system at the current moment;
the second processing module is configured to determine, according to the user information and the user start rule, whether the at least one second application includes at least one first application that can be started by the login user, and if so, release the running instruction, so that the operating system runs the at least one first application; otherwise, intercepting the operation instruction.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610701670.5A CN106339629A (en) | 2016-08-22 | 2016-08-22 | Application management method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106339629A true CN106339629A (en) | 2017-01-18 |
Family
ID=57825309
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610701670.5A Pending CN106339629A (en) | 2016-08-22 | 2016-08-22 | Application management method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106339629A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107302536A (en) * | 2017-06-29 | 2017-10-27 | 郑州云海信息技术有限公司 | Method for managing security, device, medium and the storage control of cloud computing platform |
CN109241769A (en) * | 2018-08-09 | 2019-01-18 | 福州瑞芯微电子股份有限公司 | A kind of electronic equipment personal secrets method for early warning and system |
CN109784073A (en) * | 2018-12-29 | 2019-05-21 | 360企业安全技术(珠海)有限公司 | Data access method and device, storage medium, computer equipment |
CN110532121A (en) * | 2019-08-20 | 2019-12-03 | 新华三大数据技术有限公司 | Business module localization method and device |
CN111079135A (en) * | 2019-11-27 | 2020-04-28 | 浪潮商用机器有限公司 | Kernel access method, device and medium |
CN111159735A (en) * | 2019-12-24 | 2020-05-15 | 珠海荣邦智能科技有限公司 | Data access method and device for application program |
CN111582922A (en) * | 2020-04-27 | 2020-08-25 | 支付宝(杭州)信息技术有限公司 | Method and device for detecting cheating behaviors and electronic equipment |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101655892A (en) * | 2009-09-22 | 2010-02-24 | 成都市华为赛门铁克科技有限公司 | Mobile terminal and access control method |
CN103246834A (en) * | 2012-02-07 | 2013-08-14 | 联想(北京)有限公司 | Control method and electronic device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: Wusong Industrial Park, Wuzhong Development District of Suzhou City, Jiangsu province 215100 Wusong Road No. 818; Applicant after: Tide Financial Information Technology Co Ltd; Address before: Wuzhong Economic Development Zone in Suzhou City, Jiangsu Province, the River Street 215104 tower rhyme Road No. 178 Building 2 layer 1; Applicant before: Tide (Suzhou) Financial Technology Service Co., Ltd. |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170118 |