WO2022100660A1 - Behavior control method, apparatus, electronic device, and storage medium - Google Patents
- Publication number: WO2022100660A1 (application PCT/CN2021/130041)
- Authority: WO (WIPO, PCT)
- Prior art keywords: behavior, instruction, program, execution sequence, authorized
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Definitions
- the present application relates to the field of computer technology, and in particular, to a behavior control method, apparatus, electronic device, and storage medium.
- MAC: Mandatory Access Control.
- the "subject" can be a user and/or a process, and the object refers to the various objects that need to be protected, such as files, directories, network ports, memory, IO devices, and so on.
- in MAC, the process is the smallest unit at which permissions are assigned to "subjects". Consequently, even if only a specific process A is allowed to operate on a specific protected object B, under the existing technology a group of "attack" code can be injected into process A, which holds the operation right, and thereby carry out the attack on the protected object B.
- embodiments of the present application provide a behavior control method, apparatus, electronic device, and storage medium.
- the embodiment of the first aspect of the present application provides a behavior control method, including:
- the instruction whitelist library is used to store instruction data corresponding to authorized actions.
- the instruction data includes: an instruction execution sequence; the instruction execution sequence is used to describe the offset address and the calling sequence of each level in the API calling sequence.
- the matching of the instruction data corresponding to the target behavior with the data in the preset instruction whitelist library includes:
- the instruction execution sequence of the target behavior is matched with the instruction execution sequence in the instruction whitelist library.
- the instruction data further includes: behavior type and/or API information.
- the matching of the instruction data corresponding to the target behavior with the data in the preset instruction whitelist library further includes:
- the instruction data further includes: a program name and a program version number.
- the matching of the instruction data corresponding to the target behavior with the data in the preset instruction whitelist library further includes:
- the program name and version number of the program to which the target behavior belongs is determined according to the information of the process to which the target behavior belongs, and the instruction whitelist library is determined according to the program name and version number.
- the matching of the first instruction execution sequence of the target behavior with the instruction execution sequence in the instruction whitelist library includes:
- the offset addresses of each layer in the instruction execution sequence of the target behavior are matched, level by level, with the offset addresses of each layer in the instruction execution sequence in the instruction whitelist library, until the number of matched layers reaches the preset number of matching layers.
- the acquiring the instruction data corresponding to the target behavior includes:
- the instruction execution sequence when the target behavior occurs is restored according to the stack data.
- the method also includes:
- the determining of the instruction data corresponding to the authorized behavior in the program includes:
- the instruction data corresponding to the authorized behavior in the program is determined.
- determining the instruction execution sequence corresponding to the authorized behavior in the program according to the instruction execution sequence for calling the first API including:
- a part of the instruction execution sequence for calling the first API is taken as an instruction execution sequence corresponding to the authorized behavior in the program.
- An embodiment of the second aspect of the present application provides a behavior control device, including:
- an instruction data acquisition module configured to acquire instruction data corresponding to the target behavior when the target behavior occurs
- a matching module configured to match the instruction data corresponding to the target behavior with the data in the preset instruction whitelist library, and determine whether the target behavior is authorized according to the matching result;
- the instruction whitelist library is used to store instruction data corresponding to authorized actions.
- Embodiments of a third aspect of the present application provide an electronic device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor, when executing the program, implements the steps of the behavior control method described in the embodiments of the first aspect of the present application.
- Embodiments of the fourth aspect of the present application provide a non-transitory computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, it implements the steps of the behavior control method described in the embodiments of the first aspect of the present application.
- Embodiments of the fifth aspect of the present application provide a computer program product, where the computer program product includes computer-executable instructions, and when the instructions are executed, they implement the steps of the behavior control method according to the embodiments of the first aspect of the present application.
- the behavior control method, device, electronic device, and storage medium provided by the embodiments of the present application generate instruction data corresponding to the target behavior, match it with the data in the instruction whitelist library, and determine whether the target behavior is legal according to the matching result, thereby implementing behavior control at the code instruction level, which is more secure than the existing process-based behavior control methods.
- FIG. 2 is a schematic diagram of a behavior control device provided by an embodiment of the present application.
- FIG. 3 is a schematic diagram of a physical structure of an electronic device involved in an embodiment of the present application.
- for example, the subject is notepad.exe and the object is a.txt.
- the behavior is "file open".
- the permission to open a.txt is given to notepad.exe.
- the security policy execution component in the MAC system checks the permissions of the subject and the object. If the object is a.txt, the subject must be notepad.exe; in that case the file open behavior is allowed, otherwise it is denied.
- the embodiments of the present application provide a method for implementing behavior control at the code instruction level.
- FIG. 1 is a flowchart of a behavior control method provided by an embodiment of the present application. As shown in FIG. 1 , the behavior control method provided by an embodiment of the present application includes:
- Step 101 When the target behavior occurs, acquire instruction data corresponding to the target behavior.
- the target behavior refers to the behavior that needs to be controlled.
- Control over the target behavior may either allow or prohibit the execution of the target behavior.
- an action is implemented by one instruction or multiple instructions.
- the data related to the instruction set is called the instruction data corresponding to the target behavior.
- the instruction data includes an instruction execution sequence.
- the instruction execution sequence is used to describe the offset address and calling sequence of each level in the API (Application Programming Interface) calling sequence.
- the API call sequence may have different depths depending on the program, function, and branch.
- the Local_A function calls the Local_B function
- the Local_B function calls the Local_C function
- the Local_C function calls the system API CreateFileW to open a file.
- the API call sequence is a three-tier call.
- the offsets, relative to the program base address, of the instructions in memory corresponding to each layer of the API call sequence differ from layer to layer.
- the offset address of each layer in the API call sequence records the offset, relative to the program base address, of the instruction in memory corresponding to that layer of the API call sequence.
- for example, the offset of the Local_A function's instruction in memory relative to the program base address is 010000 (for illustration purposes only; the real address offset may differ), the offset of the Local_B function's instruction relative to the program base address is 020000, the offset of the Local_C function's instruction relative to the program base address is 030000, and the offset of the CreateFileW instruction relative to the program base address is 040000.
- These offset addresses are generally represented by hexadecimal numbers, and are arranged in the order of execution, such as forming a sequence such as 010000020000030000040000.
- the order of the offset addresses of each level in the API call sequence in the instruction execution sequence reflects the call order.
- the offsets of the instructions in the memory relative to the program base address may be different.
- in notepad.exe, both the CreateFileW call instruction in the execution sequence starting from NPCommand and the CreateFileW call instruction in the execution sequence starting from UpdateEncoding implement the file open operation.
- the CreateFileW call instruction in the execution sequence of NPCommand is the previous instruction at offset 0x2323, whereas the CreateFileW call instruction in the execution sequence of UpdateEncoding is the previous instruction at offset 0x1300. It can be seen that even the same CreateFileW call instruction may have different address offsets.
- the instruction data further includes behavior type and/or API information.
- Behavior type refers to the type of target behavior.
- typical behavior types are opening a file, deleting a file, saving a file, modifying a file, etc.
- API information refers to the information of the API called when the target behavior is executed.
- an API is a set of definitions, procedures and protocols. It is the interface between the program and the operating system, and the only way for the program to obtain the services of the operating system.
- the behavior of the program usually needs to be implemented by calling the system API.
- the system API CreateFileW is called to create or open a file
- the system API CreateProcess is called to create a process
- the system API LoadLibrary is called to load a module.
- the API information in the instruction data needs to describe the name of the API called when the target behavior is executed.
- the instruction data corresponding to the target behavior may be legal (authorized) or illegal (unauthorized).
- whether the target behavior is allowed to be executed is determined by checking the instruction data corresponding to the target behavior.
- the occurrence of the target behavior can be known by intercepting the target behavior.
- the interception of the target behavior may adopt the behavior interception function in the existing MAC mechanism, such as through any one of the following technologies: a file system filter driver, a system callback interface, and a HOOK technology.
- the instruction data related to the target behavior in a program is specific: apart from these specific instruction data, the program's other instruction data has nothing to do with the target behavior.
- for example, notepad.exe has two groups of instruction execution sequences that open a file. The first group originates from NPCommand and, after a series of intermediate calls, finally calls the system API CreateFileW to perform the file open operation.
- the second group originates from UpdateEncoding and, after a series of calls, likewise finally calls the system API CreateFileW to perform the file open operation.
- when notepad.exe is used to open a file, the instruction execution sequence in memory must be one of the above two instruction execution sequences; any other instruction execution sequence that produces a "file open" operation is illegal.
- this step after it is determined that the target behavior occurs, the instruction data corresponding to the target behavior needs to be further obtained, so as to realize the control of the target behavior in the subsequent steps.
- the behavior type of the target behavior can be known when the target behavior is intercepted. How to achieve the interception of the target behavior has been fully explained in the previous description, so it will not be repeated here.
- since the mapping relationship between a behavior and the API it calls is fixed and exhaustive, once the type of the target behavior is determined, the API information of the target behavior can be obtained through that mapping relationship.
- the instruction execution sequence corresponding to the target behavior can be obtained through stack data.
- the stack is a region of dynamic memory with a special data structure in a computer system.
- the operating system maintains a stack memory space for each thread, and the function call information of the thread is stored in the stack memory space, including: the return address and parameters of the function call.
- the stack data of the thread corresponding to the target behavior can be obtained, and then the instruction execution sequence when the target behavior occurs is restored according to the stack data. How to restore the instruction execution sequence when the target behavior occurs according to the stack data is the common knowledge of those skilled in the art, and therefore will not be repeated here.
- the instruction data of the target behavior includes: program name, version number, behavior type, API information, and instruction execution sequence.
- the program name refers to the name of the program to which the target behavior belongs. For example, the aforementioned behavior of opening the text file "a.txt" is triggered by a program named notepad.exe, and the program name in the instruction data is notepad.exe.
- the version number refers to the version number of the program to which the target behavior belongs.
- Applications usually go through multiple iterative updates. In order to distinguish different versions of an application, a version number is set for it. For example, the application notepad.exe has multiple versions such as 1.0, 2.0, 3.0, etc. If the target behavior only appears from version 2.0 onward, the version number in the instruction data only includes the versions from 2.0 onward (such as 2.0, 3.0).
- the program name and version number of the program to which the target behavior belongs can be obtained through the prior art, and the obtaining process will not be described in detail in this embodiment of the present application.
- Step 102 Match the instruction data corresponding to the target behavior with the data in the preset instruction whitelist library, and determine whether the target behavior is authorized according to the matching result.
- the instruction whitelist library is used to store instruction data corresponding to authorized actions.
- the authorized behavior refers to the behavior that is allowed to perform.
- in a program, the API that needs to be called to achieve a specific function (i.e. the execution result of the behavior) is fixed.
- the mapping relationship between a specific function and the API to be called is fixed and exhaustive, rather than randomly changeable. Therefore, in this embodiment of the present application, the mapping relationship between the authorized behavior and the instruction execution sequence to be invoked is stored by means of an instruction whitelist library.
- the instruction data includes: an instruction execution sequence.
- the instruction execution sequence is used to describe the offset address and call sequence of each level in the API call sequence.
- the instruction data further includes: behavior type and API information.
- Behavior type refers to the type of behavior that is authorized. For example, typical behavior types are opening a file, deleting a file, saving a file, modifying a file, etc.
- API information refers to the information of the API called when the authorized behavior is executed.
- the instruction data includes: program name, version number, behavior type, API information, and instruction execution sequence.
- a common storage method is: all authorized behavior data (behavior type, API information, instruction execution sequence) in programs with the same program name and version number are stored in an instruction whitelist library.
- different programs (i.e. programs with different names, or programs with the same name but different version numbers) each have their own corresponding instruction whitelist library.
- the instruction data of authorized actions in different programs may also be stored in one instruction whitelist library.
- the instruction whitelist library is preset, and the data in the instruction whitelist library can be directly used. In other embodiments of the present application, the generation process of the instruction whitelist library will be described.
- the instruction data of the target behavior can then be matched with the data in the instruction whitelist library.
- matching the instruction data of the target behavior with the instruction data in the instruction whitelist library includes:
- the instruction execution sequence of the target behavior is matched with the instruction execution sequence in the instruction whitelist library.
- the matching operation needs to be performed according to the preset matching order.
- the preset matching sequence may be in the opposite direction to the calling sequence, or may be in the same direction as the calling sequence.
- the Local_A function calls the Local_B function
- the Local_B function calls the Local_C function
- the Local_C function calls the system API CreateFileW to open a file
- the calling order is Local_A—Local_B—Local_C—CreateFileW.
- the sequence of matching operations is CreateFileW—Local_C—Local_B—Local_A.
- the number of matching layers may be set according to actual needs (e.g. the specific application scenario). For example, if the order of the matching operation is CreateFileW—Local_C—Local_B—Local_A: if only one layer of matching is performed, only the instruction offset address of the CreateFileW layer needs to be compared; if two layers of matching are required, the instruction offset addresses of both the CreateFileW layer and the Local_C layer need to be compared for consistency; if three layers of matching are required, the instruction offset addresses of the CreateFileW layer, the Local_C layer and the Local_B layer all need to be compared for consistency; and so on, until the number of matched layers reaches the preset number of matching layers.
- if the matching is successful, the instruction data corresponding to the target behavior is considered to match the data in the preset instruction whitelist library. Conversely, if the matching fails, the instruction data corresponding to the target behavior is considered not to match the data in the preset instruction whitelist library.
- matching the instruction data corresponding to the target behavior with data in a preset instruction whitelist library further comprising:
- the instruction execution sequence and the behavior type and/or API information need to be matched at the same time.
- the API information of the target behavior is matched with the API information in the instruction whitelist library for the second time;
- the instruction execution sequence of the target behavior is matched with the instruction execution sequence in the instruction whitelist library for the third time.
- the program name and version number of the program to which the target behavior belongs is determined according to the information of the process to which the target behavior belongs, and the instruction whitelist library is determined according to the program name and version number.
- the instruction whitelist library needs to be determined according to the program name and version number of the program to which the target behavior belongs.
- the behavior type of the target behavior is matched with the behavior type in the instruction whitelist library for the first time;
- the API information of the target behavior is matched with the API information in the instruction whitelist library for the second time;
- the instruction execution sequence of the target behavior is matched with the instruction execution sequence in the instruction whitelist library for the third time.
- after the matching result is obtained, whether the target behavior is allowed can be determined according to it. If the match succeeds, the instruction data corresponding to the target behavior has been authorized in advance, so the target behavior is legal and can be executed normally. If the match fails, the instruction data corresponding to the target behavior has not been authorized in advance, so the target behavior may be illegal and is prevented from executing.
- the behavior control method provided by the embodiment of the present application generates the instruction data corresponding to the target behavior, then matches it with the data in the instruction whitelist library, and determines whether the target behavior is legal according to the matching result, thereby realizing behavior control at the code instruction level, which is more secure than the existing process-based behavior control methods.
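The matching of Steps 101 and 102, as example code added here to illustrate the page (it is not the patent's implementation): it restores program-relative offsets from stack return addresses, selects the whitelist library by program name and version, and compares offsets from the CreateFileW layer outward for a configurable number of layers. The base address, the stack data and the offsets of the UpdateEncoding path are constructed; the Local_A to CreateFileW offsets are the page's illustrative values.

```python
"""Instruction-level behavior control as the page describes it: restore the call
sequence from stack return addresses, then match it, layer by layer from the API
call site outward, against a per-program instruction whitelist library.
Example code added to illustrate the page; not the patent's own implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Fixed behavior -> system API mapping (the API names the page lists).
BEHAVIOR_API = {"file open": "CreateFileW", "process create": "CreateProcess",
                "module load": "LoadLibrary"}


@dataclass(frozen=True)
class WhitelistEntry:
    behavior_type: str
    api: str
    # Offsets from the program base address in call order: outermost caller
    # first, API call site last (Local_A, Local_B, Local_C, CreateFileW).
    offsets: Tuple[int, ...]


@dataclass
class WhitelistLibrary:
    # One library per (program name, version number), as the page describes.
    entries: Dict[Tuple[str, str], List[WhitelistEntry]] = field(default_factory=dict)

    def add(self, program: str, version: str, entry: WhitelistEntry) -> None:
        self.entries.setdefault((program, version), []).append(entry)


@dataclass(frozen=True)
class TargetBehavior:
    program: str
    version: str
    behavior_type: str
    base_address: int
    # Return addresses recovered from the thread's stack when the behavior was
    # intercepted, innermost frame first (the order a stack walk yields them).
    return_addresses: Tuple[int, ...]


def restore_execution_sequence(tb: TargetBehavior) -> Tuple[int, ...]:
    """Step 101: absolute return addresses -> program-relative offsets, reordered
    outermost caller first so they line up with the whitelist entries."""
    return tuple(reversed([addr - tb.base_address for addr in tb.return_addresses]))


def match_sequence(target: Tuple[int, ...], allowed: Tuple[int, ...], layers: int) -> bool:
    """Compare offsets from the API call site outward (reverse of call order)
    until `layers` layers agree; a sequence too short to supply them fails."""
    if layers <= 0 or layers > len(target) or layers > len(allowed):
        return False
    return target[-layers:] == allowed[-layers:]


def is_authorized(lib: WhitelistLibrary, tb: TargetBehavior, layers: int = 1) -> bool:
    """Step 102: pick the library by program name and version, then require the
    behavior type, API information and instruction execution sequence to match."""
    entries = lib.entries.get((tb.program, tb.version), [])
    api = BEHAVIOR_API.get(tb.behavior_type)
    if not entries or api is None:
        return False
    seq = restore_execution_sequence(tb)
    return any(e.behavior_type == tb.behavior_type and e.api == api
               and match_sequence(seq, e.offsets, layers) for e in entries)


# --- constructed sample data (notepad.exe loaded at an assumed base address) ---
BASE = 0x00400000


def build_sample_library() -> WhitelistLibrary:
    """The page's two authorized 'file open' paths in notepad.exe: group 1 uses
    the page's illustrative offsets, group 2's offsets are constructed."""
    lib = WhitelistLibrary()
    lib.add("notepad.exe", "2.0", WhitelistEntry(  # NPCommand -> ... -> CreateFileW
        "file open", "CreateFileW", (0x010000, 0x020000, 0x030000, 0x040000)))
    lib.add("notepad.exe", "2.0", WhitelistEntry(  # UpdateEncoding -> ... -> CreateFileW
        "file open", "CreateFileW", (0x015000, 0x025000, 0x035000, 0x040000)))
    return lib


def legitimate_open() -> TargetBehavior:
    """Stack walk of a normal open: CreateFileW site, Local_C, Local_B, Local_A."""
    return TargetBehavior("notepad.exe", "2.0", "file open", BASE,
                          (BASE + 0x040000, BASE + 0x030000, BASE + 0x020000, BASE + 0x010000))


def injected_open() -> TargetBehavior:
    """Constructed case: code injected into the process reaches the same
    CreateFileW call site, but its own frame lies at an offset no entry has."""
    return TargetBehavior("notepad.exe", "2.0", "file open", BASE,
                          (BASE + 0x040000, BASE + 0x0F0000))
```

With one matching layer the injected case passes because only the CreateFileW offset is compared; from two layers on it is denied, which is the trade-off the page describes between fewer layers and ease of forgery.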
- the method further includes:
- the instruction whitelist library is generated.
- the authorized behavior refers to the behavior that is allowed to be executed. In a program, generally only a small number of instruction execution sequences are allowed to achieve the authorized behavior.
- for notepad.exe, for example, only the two groups described above open a file: the first originates from NPCommand and, after a series of intermediate calls, finally calls the system API CreateFileW; the second originates from UpdateEncoding and, after a series of calls, likewise finally calls the system API CreateFileW.
- the first API corresponding to the authorized behavior is determined.
- the same authorized behavior may be implemented by different APIs; for example, opening a file can be implemented by calling the system API OpenFile or by calling the system API CreateFileW. Therefore, in this step the API corresponding to the authorized behavior needs to be determined, and this API is recorded as the first API.
- the first API can be obtained through the mapping relationship between the behavior and the API.
- mapping relationship between the behavior and the API called by the behavior can be stored in a table.
- the table is searched according to the behavior type of the authorized behavior, and the obtained search result is the first API.
- an instruction execution sequence for calling the first API can be determined by using a disassembly engine.
- the instruction execution sequence corresponding to the authorized behavior in the program is determined according to the instruction execution sequence for calling the first API.
- the instruction execution sequence for calling the API can have multiple layers.
- the Local_A function calls the Local_B function
- the Local_B function calls the Local_C function
- the Local_C function calls the system API CreateFileW to open a file.
- the instruction execution sequence that calls the system API CreateFileW has three levels.
- the entire instruction execution sequence for calling the first API may be used as the instruction execution sequence corresponding to the authorized behavior in the program.
- alternatively, a part of the instruction execution sequence for calling the first API may be used as the instruction execution sequence corresponding to the authorized behavior in the program.
- for example, the complete instruction execution sequence for calling the system API CreateFileW is: Local_A—Local_B—Local_C—CreateFileW.
- the entire sequence can be used as the instruction execution sequence corresponding to the authorized behavior in the program, or a part of it, such as Local_B—Local_C—CreateFileW, can be used as the instruction execution sequence corresponding to the authorized behavior in the program.
- how many layers are specifically selected from the instruction execution sequence calling the first API can be determined according to actual needs. In theory, even if only one layer is selected, most normal calls and abnormal calls can be identified. Of course, the more layers you select, the harder it is to forge, and the fewer layers you select, the easier it is to forge.
- the instruction data corresponding to the authorized behavior in the program is determined.
- the behavior control method provided by the embodiments of the present application determines the instruction data corresponding to the authorized behavior in the program by analyzing the program and the dynamic libraries it uses, and generates the instruction whitelist library from that instruction data. Using the instruction whitelist library, matching operations can be performed on the instruction data corresponding to the target behavior, and whether the target behavior is legal is determined according to the matching result, so as to realize behavior control at the code instruction level, which is more secure than the existing process-based behavior control.
- the method further includes:
- the authority of the process to which the target behavior belongs and the authority of the object to be processed by the target behavior are checked.
- the process to which the target behavior belongs corresponds to the program, that is, the subject in the MAC mechanism; the object to be processed by the target behavior corresponds to the file, that is, the object in the MAC mechanism.
- the authority of the process to which the target behavior belongs and the authority of the object to be processed by the target behavior may be verified first, and only after that verification is passed is the instruction execution sequence of the corresponding target behavior further checked.
- the behavior control method provided by the embodiments of the present application can filter obvious illegal behaviors by verifying the rights of the process to which the target behavior belongs and the rights of the objects to be processed by the target behavior, which helps to reduce the resource load on the computer system.
- FIG. 2 is a schematic diagram of a behavior control apparatus provided by an embodiment of the present application.
- the behavior control apparatus provided by an embodiment of the present application includes:
- an instruction data acquisition module 201 configured to acquire instruction data corresponding to the target behavior when the target behavior occurs;
- the matching module 202 is configured to match the instruction data corresponding to the target behavior with the data in the preset instruction whitelist library, and determine whether the target behavior is authorized according to the matching result; wherein,
- the instruction whitelist library is used to store instruction data corresponding to authorized actions.
- the behavior control device provided by the embodiment of the present application generates the instruction data corresponding to the target behavior, then matches it with the data in the instruction whitelist library, and determines whether the target behavior is legal according to the matching result, thereby realizing behavior control at the code instruction level, which is more secure than the existing process-based behavior control device.
- FIG. 3 is a schematic diagram of the physical structure of an electronic device involved in an embodiment of the application.
- the electronic device may include: a processor 310, a communication interface 320, a memory 330 and a communication bus 340, where the processor 310, the communication interface 320 and the memory 330 communicate with each other through the communication bus 340.
- the processor 310 may invoke logic instructions in the memory 330 to perform the following method: when a target behavior occurs, acquiring instruction data corresponding to the target behavior; matching the instruction data corresponding to the target behavior against data in a preset instruction whitelist library, and determining from the matching result whether the target behavior is authorized; wherein
- the instruction whitelist library stores instruction data corresponding to authorized behaviors.
- the logic instructions in the memory 330 may be implemented as software functional units and, when sold or used as an independent product, stored in a computer-readable storage medium.
- the technical solution of the present application, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied as a software product.
- the computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
- the storage medium includes: a USB flash drive, a removable hard disk, Read-Only Memory (ROM), Random Access Memory (RAM), a magnetic disk, an optical disk, or other media that can store program code.
- an embodiment of the present application further provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the method provided by the foregoing embodiments, for example: when a target behavior occurs, acquiring instruction data corresponding to the target behavior; matching the instruction data corresponding to the target behavior against data in a preset instruction whitelist library, and determining from the matching result whether the target behavior is authorized; wherein
- the instruction whitelist library stores instruction data corresponding to authorized behaviors.
- the apparatus embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over several network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
- each embodiment can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware.
- the above technical solutions, in essence or in the part that contributes to the prior art, may be embodied as a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the various embodiments or parts of them.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Stored Programmes (AREA)
Abstract
A behavior control method, an apparatus, an electronic device, and a storage medium. The method comprises: when a target behavior occurs, obtaining instruction data corresponding to the target behavior (101); matching the instruction data corresponding to the target behavior against data in a preconfigured instruction whitelist library, and determining from the matching result whether the target behavior is authorized (102); wherein the instruction whitelist library stores instruction data corresponding to authorized behaviors. By generating the instruction data corresponding to a target behavior, matching it against the data in the instruction whitelist library, and determining from the matching result whether the target behavior is legitimate, the behavior control method, apparatus, electronic device, and storage medium implement behavior control at the code instruction level, which is more secure than existing process-based behavior control methods.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority to Chinese Patent Application No. 202011272230.5, filed on November 13, 2020 and entitled "Behavior Control Method, Apparatus, Electronic Device, and Storage Medium", which is incorporated herein by reference in its entirety.
The present application relates to the field of computer technology, and in particular to a behavior control method, apparatus, electronic device, and storage medium.
Mandatory Access Control (MAC) is access control enforced by the computer operating system; its goal is to restrict the ability of a "subject" to perform a given behavior on an "object". A "subject" may be a user and/or a process; an "object" is any resource that needs protection, such as a file, directory, network port, memory region, or I/O device.
Under the existing MAC mechanism, the process is the smallest unit to which the permissions of a "subject" are bound. Even if only one specific process A is allowed to operate on one specific protected object B, existing techniques can inject a group of "attack" code into process A, which holds the permission, and thereby attack protected object B.
Therefore, the behavior control method implemented on the basis of the MAC mechanism in the prior art has a security weakness.
SUMMARY OF THE INVENTION
In view of the problems in the prior art, embodiments of the present application provide a behavior control method, apparatus, electronic device, and storage medium.
An embodiment of the first aspect of the present application provides a behavior control method, including:
when a target behavior occurs, acquiring instruction data corresponding to the target behavior;
matching the instruction data corresponding to the target behavior against data in a preset instruction whitelist library, and determining from the matching result whether the target behavior is authorized; wherein
the instruction whitelist library stores instruction data corresponding to authorized behaviors.
In the above technical solution, the instruction data includes an instruction execution sequence; the instruction execution sequence describes the offset address of each level in the API call sequence and the calling order;
correspondingly, matching the instruction data corresponding to the target behavior against the data in the preset instruction whitelist library includes:
matching the instruction execution sequence of the target behavior against the instruction execution sequences in the instruction whitelist library.
In the above technical solution, the instruction data further includes a behavior type and/or API information;
correspondingly, matching the instruction data corresponding to the target behavior against the data in the preset instruction whitelist library further includes:
matching the behavior type of the target behavior against the behavior types in the instruction whitelist library;
and/or
matching the API information of the target behavior against the API information in the instruction whitelist library.
In the above technical solution, the instruction data further includes a program name and a program version number;
correspondingly, matching the instruction data corresponding to the target behavior against the data in the preset instruction whitelist library further includes:
determining the program name and version number of the program to which the target behavior belongs from the information of the process to which the target behavior belongs, and selecting the instruction whitelist library according to that program name and version number.
In the above technical solution, matching the first instruction execution sequence of the target behavior against the instruction execution sequences in the instruction whitelist library includes:
in a preset matching order, matching the offset address of each level in the instruction execution sequence of the target behavior against the offset address of the corresponding level in an instruction execution sequence in the instruction whitelist library, level by level, until the number of matched levels reaches a preset number of matching levels.
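As an added worked example (not part of the patent's own disclosure), the following Python sketches the matching steps summarized above: the whitelist library is selected by program name and version number, entries are filtered by behavior type and API information, and the offset addresses of the instruction execution sequence are compared level by level until the preset number of matching levels is reached. The data model, the helper names, the offsets other than 0x2323 and 0x1300, and the choice of innermost-first matching order are all assumptions made here; the program name and API names come from the page.

```python
"""Added example (not from the patent): whitelist lookup and level-by-level
offset matching.

Constructed assumptions: an instruction execution sequence is a tuple of
program-relative offsets in call order (outermost caller first, the return
into the program from the API last); the whitelist library is keyed by
(program name, version number); the preset matching order is innermost level
outwards; MATCH_LEVELS is the preset number of matching levels.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class WhitelistEntry:
    behavior: str                           # e.g. "file_open"
    api: str                                # e.g. "CreateFileW"
    sequences: Tuple[Tuple[int, ...], ...]  # authorized instruction execution sequences


@dataclass(frozen=True)
class InstructionData:
    program: str
    version: str
    behavior: str
    api: str
    sequence: Tuple[int, ...]


MATCH_LEVELS = 3

# Constructed whitelist library for one program version. NPCommand /
# UpdateEncoding / CreateFileW and 0x2323 / 0x1300 are from the page; the
# other offsets are invented.
WHITELIST: Dict[Tuple[str, str], List[WhitelistEntry]] = {
    ("notepad.exe", "2.0"): [
        WhitelistEntry("file_open", "CreateFileW", (
            (0x010058, 0x02003C, 0x2323),     # chain that starts in NPCommand
            (0x0150A2, 0x025088, 0x1300),     # chain that starts in UpdateEncoding
        )),
        WhitelistEntry("file_save", "WriteFile", (
            (0x01007A, 0x4118),
        )),
    ],
}


def sequence_matches(observed, authorized, match_levels=MATCH_LEVELS):
    """Compare offsets level by level, innermost first, until match_levels
    levels have matched. A sequence shorter than the preset depth can never
    reach it and is treated as a mismatch."""
    if match_levels < 1:
        raise ValueError("match_levels must be at least 1")
    if len(observed) < match_levels or len(authorized) < match_levels:
        return False
    matched = 0
    for obs, auth in zip(reversed(observed), reversed(authorized)):
        if obs != auth:
            return False
        matched += 1
        if matched == match_levels:
            break
    return matched == match_levels


def is_authorized(data, library=WHITELIST, match_levels=MATCH_LEVELS):
    """Step 102 as a whole: select the library by (program, version), keep
    entries whose behavior type and API match, then match the sequence."""
    entries = library.get((data.program, data.version))
    if not entries:
        return False   # no whitelist for this program/version: fail closed
    for entry in entries:
        if entry.behavior != data.behavior or entry.api != data.api:
            continue
        if any(sequence_matches(data.sequence, s, match_levels) for s in entry.sequences):
            return True
    return False
```

The preset depth is the security-relevant knob. A sequence whose innermost two levels are genuine notepad.exe code but whose outer level is not (for example code that reached the legitimate file-open helper from somewhere else in the process) is accepted at two levels and refused at three; the depth therefore has to be at least as large as the shortest path an attacker could reuse, and no larger than the shortest authorized sequence. Refusing a program/version with no library entry is also a design choice of this example, not a requirement stated by the patent.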
In the above technical solution, acquiring the instruction data corresponding to the target behavior includes:
acquiring the stack data of the thread corresponding to the target behavior;
restoring, from the stack data, the instruction execution sequence at the time the target behavior occurred.
In the above technical solution, the method further includes:
analyzing the program and the dynamic libraries it uses, and determining the instruction data in the program that corresponds to authorized behaviors;
generating the instruction whitelist library from the instruction data corresponding to the authorized behaviors.
In the above technical solution, determining the instruction data in the program that corresponds to an authorized behavior includes:
determining a first API corresponding to the authorized behavior;
determining the instruction execution sequences that call the first API;
determining, from the instruction execution sequences that call the first API, the instruction execution sequence in the program that corresponds to the authorized behavior;
determining, from the instruction execution sequence in the program that corresponds to the authorized behavior, the instruction data in the program that corresponds to the authorized behavior.
In the above technical solution, determining the instruction execution sequence in the program that corresponds to the authorized behavior from the instruction execution sequences that call the first API includes:
taking the whole of an instruction execution sequence that calls the first API as the instruction execution sequence in the program that corresponds to the authorized behavior;
or taking a part of an instruction execution sequence that calls the first API as the instruction execution sequence in the program that corresponds to the authorized behavior.
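Added example, not the patent's own code: the whitelist generation described in the preceding steps, carried out over a constructed call graph that stands in for the result of analyzing the program and its dynamic libraries. For each authorized behavior the first API is looked up, every chain of calls that reaches it is enumerated, and either the whole chain or only its innermost part becomes the authorized instruction execution sequence. NPCommand, UpdateEncoding, CreateFileW and the return offsets 0x2323 and 0x1300 are taken from the page; all other function names, offsets and the behavior-to-API table are invented for the example.

```python
"""Added example (not from the patent): generating the instruction whitelist
library from a call graph of the program.

The call graph would normally come from disassembling the program and the
dynamic libraries it imports; here it is a constructed table of call sites.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (caller, callee, program-relative offset of the return address after the call).
# Only NPCommand, UpdateEncoding, CreateFileW, 0x2323 and 0x1300 are from the page.
CALL_SITES = [
    ("NPCommand", "OpenFileDialog", 0x010058),
    ("OpenFileDialog", "ReadFileContents", 0x02003C),
    ("ReadFileContents", "CreateFileW", 0x2323),
    ("NPCommand", "SaveFile", 0x01007A),
    ("SaveFile", "WriteFile", 0x4118),
    ("UpdateEncoding", "ReopenFile", 0x0150A2),
    ("ReopenFile", "OpenWithEncoding", 0x025088),
    ("OpenWithEncoding", "CreateFileW", 0x1300),
    ("OpenWithEncoding", "ReopenFile", 0x026040),   # constructed retry loop (a cycle)
]

# Behavior type -> first API: the fixed, enumerable mapping the page refers to.
BEHAVIOR_API = {"file_open": "CreateFileW", "file_save": "WriteFile"}


def build_graph(call_sites):
    """Adjacency list plus the entry points (functions nobody calls)."""
    graph: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    callees: Set[str] = set()
    for caller, callee, ret_offset in call_sites:
        graph[caller].append((callee, ret_offset))
        callees.add(callee)
    roots = sorted(f for f in graph if f not in callees)
    return graph, roots


def chains_to_api(call_sites, api):
    """Every instruction execution sequence (tuple of return offsets, outermost
    caller first) that ends in a call to `api`, found by depth-first search
    from the roots. A function already on the current path is not re-entered,
    so recursion and retry loops cannot make the search run forever."""
    graph, roots = build_graph(call_sites)
    chains: List[Tuple[int, ...]] = []

    def walk(func, on_path, offsets):
        for callee, ret_offset in graph.get(func, []):
            if callee == api:
                chains.append(tuple(offsets + [ret_offset]))
            elif callee not in on_path:
                walk(callee, on_path | {callee}, offsets + [ret_offset])

    for root in roots:
        walk(root, {root}, [])
    return sorted(chains)


def generate_whitelist(program, version, call_sites, behavior_api, levels=None):
    """Whitelist library for one program version. levels=None keeps each whole
    chain (the 'all of the sequence' option); an integer keeps only the
    innermost `levels` offsets of each chain (the 'part of the sequence'
    option), deduplicating chains that become identical."""
    entries = []
    for behavior, api in behavior_api.items():
        sequences = chains_to_api(call_sites, api)
        if levels is not None:
            sequences = sorted({s[-levels:] for s in sequences})
        entries.append({"behavior": behavior, "api": api, "sequences": tuple(sequences)})
    return {(program, version): entries}
```

Keeping whole chains gives the tightest policy; keeping only the innermost levels gives a smaller library that tolerates changes in outer code paths, at the price of accepting any caller that reaches the kept tail. The library is keyed by program name and version because a rebuild of the program moves every offset, so each version needs its own entries.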
An embodiment of the second aspect of the present application provides a behavior control apparatus, including:
an instruction data acquisition module configured to acquire, when a target behavior occurs, the instruction data corresponding to the target behavior;
a matching module configured to match the instruction data corresponding to the target behavior against data in a preset instruction whitelist library and to determine from the matching result whether the target behavior is authorized; wherein
the instruction whitelist library stores instruction data corresponding to authorized behaviors.
An embodiment of the third aspect of the present application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor, when executing the program, implements the steps of the behavior control method described in the embodiments of the first aspect of the present application.
An embodiment of the fourth aspect of the present application provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the behavior control method described in the embodiments of the first aspect of the present application.
An embodiment of the fifth aspect of the present application provides a computer program product including computer-executable instructions which, when executed, implement the steps of the behavior control method described in the embodiments of the first aspect of the present application.
The behavior control method, apparatus, electronic device, and storage medium provided by the embodiments of the present application generate the instruction data corresponding to the target behavior, match it against the data in the instruction whitelist library, and determine from the matching result whether the target behavior is legitimate, thereby implementing behavior control at the code instruction level, which is more secure than existing process-based behavior control methods.
In order to describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of the behavior control method provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of the behavior control apparatus provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of the physical structure of an electronic device involved in an embodiment of the present application.
To make the purposes, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the protection scope of the present application.
To facilitate understanding of the behavior control method provided by the embodiments of the present application, the behavior control method implemented on the MAC mechanism in the prior art is first described with reference to a specific scenario.
Suppose the following scenario: important information is stored in a text file "a.txt" (a plain-text document with the .txt extension). To protect this information, access rights are set on the file so that only the Notepad program (notepad.exe), the system text editor, may open it.
The corresponding rule is: only notepad.exe may open a.txt.
Here the subject is notepad.exe, the object is a.txt, the behavior is "file open", and the permission to open a.txt is granted to notepad.exe.
Then, whenever a "file open" behavior occurs, the security policy enforcement component of the MAC system checks the permissions of the subject and the object: if the object is a.txt, the subject must be notepad.exe for the file-open behavior to be allowed; otherwise it is denied.
Throughout this process the "instructions" play no part in the actual rule decision; all that is judged is whether the "process" is "notepad.exe". In essence, however, the behavior of "opening a file" is triggered by a group of instructions, and the process is merely a container.
In the prior art there are many ways to place a group of instructions into an arbitrary process for execution, thereby bypassing permission control based on process identity, for example any of the following:
a. the process has a vulnerability that allows arbitrary remote code execution;
b. a piece of code is injected into the target process and executed by thread injection;
c. a module is loaded into the target process and the code in the module is executed.
From the above scenario it can be seen that the behavior control method based on the MAC mechanism in the prior art has a security hole and cannot control behavior in a foolproof way. Only by descending to the level of code-instruction identification can one truly distinguish whether the behavior was really triggered by notepad.exe or by a stretch of abnormal instructions that do not belong to notepad.exe.
To this end, the embodiments of the present application provide a method for implementing behavior control at the code instruction level.
FIG. 1 is a flowchart of the behavior control method provided by an embodiment of the present application. As shown in FIG. 1, the behavior control method provided by an embodiment of the present application includes:
Step 101: when a target behavior occurs, acquire the instruction data corresponding to the target behavior.
In the embodiments of the present application, the target behavior is a behavior that needs to be controlled, for example the aforementioned "open file" behavior on the text file "a.txt". Controlling the target behavior may mean either allowing it to execute or prohibiting it from executing.
In a computer operating system, a behavior is implemented by one or more instructions. In the embodiments of the present application, if a certain set of instructions implements the target behavior, the data related to that set of instructions is called the instruction data corresponding to the target behavior.
In the embodiments of the present application, the instruction data includes an instruction execution sequence.
The instruction execution sequence describes the offset address of each level in the API (Application Programming Interface) call sequence and the calling order. The API call sequence may have a different depth depending on the program, the function and the branch taken. For example, function Local_A calls function Local_B, Local_B calls Local_C, and Local_C calls the system API CreateFileW to open a file; in this example the API call sequence is three levels deep. The instructions in memory corresponding to each level of the API call sequence lie at different offsets from the program base address, and the offset address of each level records the offset of that level's in-memory instructions relative to the program base address. For example, the offset of the Local_A function's instructions from the program base address is 010000 (for illustration only; the real offset can differ), the offset of Local_B is 020000, the offset of Local_C is 030000, and the offset of CreateFileW is 040000. These offset addresses are generally written as hexadecimal numbers and arranged in execution order, forming a sequence such as 010000020000030000040000. The order of the offset addresses of the levels within the instruction execution sequence reflects the calling order.
It should be noted that, for the same type of system API, the offset of the calling instruction in memory relative to the program base address may differ. For example, in notepad.exe the CreateFileW call instruction originating from the NPCommand instruction execution sequence and the CreateFileW call instruction originating from the UpdateEncoding instruction execution sequence can both perform the file-open operation, but the former is the instruction immediately before offset 0x2323, while the latter is the instruction immediately before offset 0x1300. Thus even the same CreateFileW call instruction may have different address offsets.
In other embodiments of the present application, the instruction data further includes a behavior type and/or API information.
The behavior type is the type of the target behavior. Typical behavior types are, for example, opening a file, deleting a file, saving a file and modifying a file.
The API information is information about the API called when the target behavior executes. An API is a set of definitions, procedures and protocols; it is the interface between a program and the operating system and the only way a program obtains operating system services. A program's behaviors are usually implemented by calling system APIs; for example, on Windows the system API CreateFileW is called to create or open a file, CreateProcess to create a process, and LoadLibrary to load a module. Because different behaviors call different APIs, the API information in the instruction data needs to describe the name of the API called when the target behavior executes.
The instruction data corresponding to the target behavior may be legitimate (authorized) or illegitimate (unauthorized). In the subsequent steps of the embodiments of the present application, whether the target behavior is allowed to execute is determined by checking the instruction data corresponding to it.
When a process related to the target behavior triggers it, the occurrence of the target behavior can be learned by intercepting it. Interception of the target behavior may reuse the behavior interception function of the existing MAC mechanism, implemented by any of the following: a file system filter driver, a system callback interface, or hooking.
Analysis of the program code shows that the instruction data related to the target behavior in the program is specific; apart from this specific instruction data, all other instruction data is unrelated to the target behavior.
Taking the instruction execution sequence as an example, analysis of the notepad.exe program shows that the "open file" behavior is implemented by two groups of instruction execution sequences in notepad.exe:
the first originates from NPCommand and, after a series of intermediate calls, finally calls the system API CreateFileW to open the file;
the second originates from UpdateEncoding and, after a series of intermediate calls, finally calls the system API CreateFileW to open the file.
Apart from these, there are no other instructions related to "open file" in notepad.exe.
That is, if notepad.exe opens a file, the instruction execution sequence in memory must be one of the two above; any call through another instruction execution sequence that produces a "file open" operation is illegitimate.
Based on these characteristics, in this step, after the target behavior is determined to have occurred, the instruction data corresponding to it must be acquired so that the target behavior can be controlled in the subsequent steps.
Specifically, the behavior type of the target behavior is known at the time the target behavior is intercepted. How interception of the target behavior is implemented was fully described above and is not repeated here.
Because the mapping between a behavior and the API it calls is fixed and enumerable, once the type of the target behavior is determined, its API information can be obtained from the behavior-to-API mapping.
In the embodiments of the present application, the instruction execution sequence corresponding to the target behavior can be obtained from stack data.
The "stack" is dynamic memory with a special data structure in a computer system. The operating system maintains a stack memory space for every thread; the stack holds the thread's function call information, including the return addresses and parameters of function calls.
Because function call information is stored on the stack in call order, the function call sequence of any thread can be restored from the stack data.
Based on these properties of the stack, the stack data of the thread corresponding to the target behavior can be obtained, and the instruction execution sequence at the time the target behavior occurred can then be restored from it. How to restore the instruction execution sequence from the stack data is common knowledge of those skilled in the art and is not repeated here.
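Added example, not from the patent: how the return addresses recovered from a thread's stack become the instruction execution sequence of the Local_A/Local_B/Local_C description above. The loaded-module table, the absolute bases and the return addresses are constructed; notepad.exe+0x2323 as the return into the program from CreateFileW reuses the page's own figure. The stack walk itself (reading return addresses out of the frames) is assumed to have already been done, as the text treats it as known technique.

```python
"""Added example (not from the patent): turning captured return addresses into
the instruction execution sequence (program-relative offsets in call order).

Everything below is constructed for illustration: module bases and sizes,
return addresses, and the stack layouts.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int      # load address in this process; differs between runs under ASLR
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Frame:
    module: Optional[str]   # None when no loaded module backs the return address
    offset: int             # module-relative offset, or the absolute address if unbacked


@dataclass(frozen=True)
class SequenceResult:
    sequence: Tuple[int, ...]   # program-relative offsets, outermost call first
    foreign: Tuple[str, ...]    # other modules seen on the stack, in stack order
    unbacked: Tuple[int, ...]   # return addresses inside no loaded module at all


# Constructed process layout (bases are made up; only the offsets matter).
MODULES = (
    Module("notepad.exe", 0x7FF612340000, 0x40000),
    Module("kernel32.dll", 0x7FFA00000000, 0xD0000),
)

# Constructed stack walks, innermost return address first, as captured when a
# CreateFileW hook fires.
LEGIT_STACK = (
    0x7FF612342323,   # notepad.exe+0x2323: return into the program from CreateFileW
    0x7FF61236003C,   # notepad.exe+0x2003c
    0x7FF612350058,   # notepad.exe+0x10058 (the NPCommand level)
    0x7FFA00011A3B,   # kernel32.dll+0x11a3b: thread start thunk
)
INJECTED_STACK = (
    0x1F3C0055,       # return address in an anonymous RWX region: no module behind it
    0x7FFA00011A3B,   # kernel32.dll+0x11a3b
)


def resolve_frames(return_addresses, modules):
    """Map each absolute return address to (module, module-relative offset)."""
    frames = []
    for addr in return_addresses:
        module = next((m for m in modules if m.contains(addr)), None)
        frames.append(Frame(module.name, addr - module.base) if module else Frame(None, addr))
    return frames


def instruction_execution_sequence(return_addresses, modules, program):
    """The page orders levels by call order (outermost caller first); a stack
    walk yields them innermost first, so the program frames are reversed.
    Frames of other modules and unbacked frames are reported separately."""
    frames = resolve_frames(return_addresses, modules)
    sequence = tuple(f.offset for f in reversed(frames) if f.module == program)
    foreign = tuple(dict.fromkeys(f.module for f in frames if f.module not in (None, program)))
    unbacked = tuple(f.offset for f in frames if f.module is None)
    return SequenceResult(sequence, foreign, unbacked)


def format_sequence(sequence, width=6):
    """Same textual form as the page's 010000020000030000040000 example."""
    return "".join(f"{offset:0{width}x}" for offset in sequence)
```

Offsets are computed against the module's base in this process rather than recorded as absolute addresses, because under address space layout randomization the base differs between runs while the offsets do not. The `INJECTED_STACK` case shows the scenario's cases a to c from the stack's point of view: a return address that no loaded module backs yields an empty program sequence, so there is nothing to match, and a non-empty `unbacked` list; a module that is not the program shows up under `foreign`, where it can be checked against the dynamic libraries the program is known to use. The example trusts the return addresses it is given; the reliability of the walk that produced them is a separate concern.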
Because the instruction data corresponding to the same type of behavior may differ between programs, in another embodiment the instruction data of the target behavior includes: program name, version number, behavior type, API information, and instruction execution sequence.
The program name refers to the name of the program to which the target behavior belongs. For example, if the aforementioned behavior of opening the text file "a.txt" is triggered by a program named notepad.exe, the program name in the instruction data is notepad.exe.
The version number refers to the version number of the program to which the target behavior belongs. Applications usually go through multiple iterative updates, and a version number is assigned to the application in order to distinguish its different versions. For example, the application notepad.exe may have multiple versions such as 1.0, 2.0 and 3.0; if the target behavior only appears in versions from 2.0 onward, the version number in the instruction data only includes version numbers from 2.0 onward (such as 2.0, 3.0).
The program name and version number of the program to which the target behavior belongs can be obtained by existing techniques, and the obtaining process is not described in detail in this embodiment of the present application.
The behavior type, API information and instruction execution sequence have been explained in detail in the preceding description and are therefore not repeated here.
Through the aforementioned program name, version number, behavior type, API information and instruction execution sequence, the instruction data corresponding to the target behavior can be described precisely.
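The following is an added example, not code from the patent, showing how captured stack data can be turned into the instruction data record described above. It assumes a constructed module map (hypothetical load addresses and sizes for notepad.exe and kernel32.dll) and a constructed capture taken when CreateFileW is entered: the API entry address followed by the return addresses found on the thread's stack, innermost caller first. Each address is converted to a module-relative offset, which is what makes the sequence comparable across runs in which the modules load at different base addresses; a frame that lies outside every loaded module is kept with its absolute address and a marker so that it can never match a stored offset.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Frame = Tuple[str, int]   # (module name, offset of the instruction inside that module)


@dataclass(frozen=True)
class Module:
    name: str
    base: int   # load address of the module in this process
    size: int


# Constructed module maps for two runs of the same process (hypothetical addresses):
# the modules load at different base addresses, so raw return addresses differ per run.
MODULES_RUN1 = [Module("notepad.exe", 0x7FF600000000, 0x40000),
                Module("kernel32.dll", 0x7FFB10000000, 0xB0000)]
MODULES_RUN2 = [Module("notepad.exe", 0x7FF720000000, 0x40000),
                Module("kernel32.dll", 0x7FFB40000000, 0xB0000)]

# Constructed stack data captured on entry to CreateFileW: (API entry address,
# return addresses innermost first), i.e. the Local_C, Local_B, Local_A frames
# of the patent's example, at hypothetical offsets.
STACK_RUN1 = (0x7FFB10012340, [0x7FF600001A10, 0x7FF600002B20, 0x7FF600003C30])
STACK_RUN2 = (0x7FFB40012340, [0x7FF720001A10, 0x7FF720002B20, 0x7FF720003C30])
# A capture whose first return address lies outside every loaded module.
STACK_UNBACKED = (0x7FFB10012340, [0x1F000000, 0x7FF600002B20])


def resolve(addr: int, modules: List[Module]) -> Optional[Frame]:
    """Map an absolute address to (module, offset), or None if no module contains it."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return (m.name, addr - m.base)
    return None


def stack_to_sequence(api_entry: int, return_addrs: List[int],
                      modules: List[Module]) -> List[Frame]:
    """Build the instruction execution sequence, API frame first, from stack data."""
    sequence: List[Frame] = []
    for addr in [api_entry, *return_addrs]:
        frame = resolve(addr, modules)
        # An unbacked frame keeps its absolute address under a marker name, so it
        # is preserved in the record but cannot equal any whitelisted offset.
        sequence.append(frame if frame is not None else ("<unbacked>", addr))
    return sequence


def build_instruction_data(program: str, version: str, behavior_type: str, api: str,
                           stack: Tuple[int, List[int]], modules: List[Module]) -> dict:
    """Assemble the five-field instruction data record for a target behavior."""
    api_entry, return_addrs = stack
    return {
        "program": program,
        "version": version,
        "behavior_type": behavior_type,
        "api": api,
        "sequence": stack_to_sequence(api_entry, return_addrs, modules),
    }
```

Both constructed runs yield the same sequence of offsets even though every raw address differs, which is why the whitelist stores offsets rather than absolute addresses.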
Step 102: match the instruction data corresponding to the target behavior against the data in a preset instruction whitelist library, and determine whether the target behavior is authorized according to the matching result.
In this embodiment of the present application, the instruction whitelist library is used to store the instruction data corresponding to authorized behaviors. An authorized behavior is a behavior that is permitted to execute.
In each operating system, the APIs that must be called to achieve a specific function (i.e. the execution result of a behavior) are fixed; this is determined by the standard interface specification provided by the operating system. The mapping between a specific function and the APIs to be called is therefore fixed and enumerable rather than randomly variable. Accordingly, in this embodiment of the present application, the mapping between authorized behaviors and the instruction execution sequences they invoke is stored in the form of an instruction whitelist library.
Specifically, in one embodiment, the instruction data includes: an instruction execution sequence.
The instruction execution sequence describes the offset address of each level in the API call sequence and the calling order.
In another embodiment of the present application, the instruction data further includes: a behavior type and API information.
The behavior type refers to the type of the authorized behavior. Typical behavior types include, for example, opening a file, deleting a file, saving a file and modifying a file.
The API information refers to information about the API called when the authorized behavior is executed.
The details of the behavior type, API information and instruction execution sequence have been explained sufficiently in the preceding description and are therefore not repeated here.
In another embodiment of the present application, the instruction data includes: program name, version number, behavior type, API information and instruction execution sequence.
The instruction data of authorized behaviors can be stored in various ways. A common way is: the data of all authorized behaviors (behavior type, API information, instruction execution sequence) within programs having the same program name and version number is stored in one instruction whitelist library, and different programs (that is, programs with different names, or programs with the same name but different version numbers) each have their own corresponding instruction whitelist library. In other embodiments, the instruction data of authorized behaviors in different programs may also all be stored in one instruction whitelist library.
In this embodiment of the present application, the instruction whitelist library is preset, and the data in it can be used directly. The process of generating the instruction whitelist library is described in other embodiments of the present application.
When the instruction data of all authorized behaviors within a program with a given program name and version number is stored in one instruction whitelist library, and that instruction whitelist library has already been determined, the instruction data of the target behavior can be matched directly against the data in the instruction whitelist library.
For example, in one embodiment, matching the instruction data of the target behavior against the instruction data in the instruction whitelist library includes:
matching the instruction execution sequence of the target behavior against the instruction execution sequences in the instruction whitelist library.
When the offset address of each level in the instruction execution sequence of the target behavior is matched against the offset address of each level in an instruction execution sequence in the instruction whitelist library, the matching operation is performed in a preset matching order. The preset matching order may be opposite to the calling order, or the same as the calling order.
Taking the case where the matching order is opposite to the calling order as an example: where function Local_A calls function Local_B, Local_B calls Local_C, and Local_C calls the system API CreateFileW to open a file, the calling order is Local_A—Local_B—Local_C—CreateFileW, while the order of the matching operation is CreateFileW—Local_C—Local_B—Local_A.
As an optional implementation, when offset addresses are matched, the number of matching layers may be set according to actual needs (such as the specific application scenario). For example, if the order of the matching operation is CreateFileW—Local_C—Local_B—Local_A: with one layer of matching, only the instruction offset address of the CreateFileW layer needs to be compared for consistency; with two layers of matching, the instruction offset addresses of the CreateFileW layer and the Local_C layer must both be compared; with three layers of matching, the instruction offset addresses of the CreateFileW layer, the Local_C layer and the Local_B layer must all be compared. And so on, until the number of layers matched reaches the preset number of matching layers.
If the matching succeeds, the instruction data corresponding to the target behavior is considered to match the data in the preset instruction whitelist library. Conversely, if the matching fails, the instruction data corresponding to the target behavior is considered not to match the data in the preset instruction whitelist library.
In another embodiment, matching the instruction data corresponding to the target behavior against the data in the preset instruction whitelist library further includes:
matching the behavior type of the target behavior against the behavior types in the instruction whitelist library;
and/or
matching the API information of the target behavior against the API information in the instruction whitelist library.
That is, in this embodiment, the instruction execution sequence and the behavior type and/or API information must all be matched.
Taking as an example the case where the instruction execution sequence, behavior type and API information must all be matched, this specifically includes:
matching the behavior type of the target behavior against the behavior types in the instruction whitelist library as a first match;
after the first match succeeds, matching the API information of the target behavior against the API information in the instruction whitelist library as a second match;
after the second match succeeds, matching the instruction execution sequence of the target behavior against the instruction execution sequences in the instruction whitelist library as a third match.
Only when all three of the above matches succeed is the instruction data corresponding to the target behavior considered to match the data in the preset instruction whitelist library. Conversely, if any one of them fails, the instruction data corresponding to the target behavior is considered not to match the data in the preset instruction whitelist library.
When the instruction data (behavior type, API information, instruction execution sequence) of all authorized behaviors within a program with a given program name and version number is stored in one instruction whitelist library, and that instruction whitelist library has not yet been determined, the matching against the data in the instruction whitelist library must proceed from the program name and version number of the program to which the target behavior belongs, together with the behavior type, API information and instruction execution sequence of the target behavior.
Specifically, this includes:
First, the program name and version number of the program to which the target behavior belongs are determined from the information of the process to which the target behavior belongs, and the instruction whitelist library is determined from that program name and version number.
Since different programs each have their own corresponding instruction whitelist library, the instruction whitelist library must be determined from the program name and version number of the program to which the target behavior belongs.
Next, the first behavior type of the target behavior is matched against the second behavior type in the instruction whitelist library as a first match;
after the first match succeeds, the API information of the target behavior is matched against the API information in the instruction whitelist library as a second match;
after the second match succeeds, the instruction execution sequence of the target behavior is matched against the instruction execution sequences in the instruction whitelist library as a third match.
The implementation of the above first, second and third matches has been described in detail in the preceding description and is therefore not repeated here.
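The following is an added example, not code from the patent, covering the whole of Step 102 as described above: selecting the instruction whitelist library by program name and version number, then the first match on behavior type, the second on API information, and the third on the instruction execution sequence, compared layer by layer in the direction opposite to the calling order (API frame first) up to a preset number of layers. The whitelist contents, module names and offsets are constructed for the example; the sequences are stored API frame first, so the patent's Local_A -> Local_B -> Local_C -> CreateFileW chain appears as CreateFileW, Local_C, Local_B, Local_A.

```python
from typing import Dict, List, Tuple

Frame = Tuple[str, int]      # (module name, offset of the instruction inside the module)
Sequence = List[Frame]       # API frame first, then its callers (reverse of calling order)

# Constructed instruction whitelist libraries keyed by (program name, version number).
# Each entry holds behavior type, API information and an instruction execution sequence.
WHITELIST: Dict[Tuple[str, str], List[dict]] = {
    ("notepad.exe", "2.0"): [
        {   # open file: NPCommand path, Local_A -> Local_B -> Local_C -> CreateFileW
            "behavior_type": "open_file",
            "api": "kernel32.dll!CreateFileW",
            "sequence": [("kernel32.dll", 0x12340), ("notepad.exe", 0x1A10),
                         ("notepad.exe", 0x2B20), ("notepad.exe", 0x3C30)],
        },
        {   # open file: UpdateEncoding path, stored with three layers only
            "behavior_type": "open_file",
            "api": "kernel32.dll!CreateFileW",
            "sequence": [("kernel32.dll", 0x12340), ("notepad.exe", 0x7E60),
                         ("notepad.exe", 0x8F70)],
        },
        {   # save file via WriteFile, two layers
            "behavior_type": "save_file",
            "api": "kernel32.dll!WriteFile",
            "sequence": [("kernel32.dll", 0x15500), ("notepad.exe", 0x4D40)],
        },
    ],
}


def match_sequence(target: Sequence, allowed: Sequence, layers: int) -> bool:
    """Third match: compare offsets layer by layer starting at the API frame and stop
    after `layers` layers. Both sequences must provide at least that many layers."""
    if layers < 1 or len(target) < layers or len(allowed) < layers:
        return False
    return all(target[i] == allowed[i] for i in range(layers))


def is_authorized(target: dict, libraries=WHITELIST, layers: int = 3) -> bool:
    """Select the library for the target's program and version, then run the three matches."""
    library = libraries.get((target["program"], target["version"]))
    if library is None:
        return False   # no whitelist for this program/version: nothing is authorized
    # First match: behavior type.
    candidates = [e for e in library if e["behavior_type"] == target["behavior_type"]]
    if not candidates:
        return False
    # Second match: API information.
    candidates = [e for e in candidates if e["api"] == target["api"]]
    if not candidates:
        return False
    # Third match: instruction execution sequence against every remaining entry.
    return any(match_sequence(target["sequence"], e["sequence"], layers) for e in candidates)


def make_target(program: str, version: str, behavior_type: str, api: str,
                sequence: Sequence) -> dict:
    return {"program": program, "version": version, "behavior_type": behavior_type,
            "api": api, "sequence": sequence}


# Constructed target behaviors (hypothetical captures).
OPEN_API = "kernel32.dll!CreateFileW"
TARGET_NPCOMMAND = make_target("notepad.exe", "2.0", "open_file", OPEN_API,
                               [("kernel32.dll", 0x12340), ("notepad.exe", 0x1A10),
                                ("notepad.exe", 0x2B20), ("notepad.exe", 0x3C30)])
TARGET_UPDATEENCODING = make_target("notepad.exe", "2.0", "open_file", OPEN_API,
                                    [("kernel32.dll", 0x12340), ("notepad.exe", 0x7E60),
                                     ("notepad.exe", 0x8F70)])
# Same API, but the caller frame is not inside any loaded module.
TARGET_UNBACKED = make_target("notepad.exe", "2.0", "open_file", OPEN_API,
                              [("kernel32.dll", 0x12340), ("<unbacked>", 0x1F000000),
                               ("notepad.exe", 0x2B20)])
TARGET_OLD_VERSION = make_target("notepad.exe", "1.0", "open_file", OPEN_API,
                                 TARGET_NPCOMMAND["sequence"])
TARGET_WRONG_API = make_target("notepad.exe", "2.0", "open_file", "kernel32.dll!OpenFile",
                               TARGET_NPCOMMAND["sequence"])
```

The unbacked target illustrates the layer-count trade-off stated later in the description: with three layers it is rejected because the second layer does not match any stored offset, whereas with a single layer only the CreateFileW frame is compared and the same capture is accepted.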
After the matching result is obtained, whether the target behavior is allowed can be determined from it. If the match succeeds, the instruction data corresponding to the target behavior has been authorized in advance; the target behavior is legitimate and can execute normally. If the match fails, the instruction data corresponding to the target behavior has not been authorized in advance; the target behavior may be illegitimate, and its execution is blocked.
The behavior control method provided by the embodiment of the present application generates the instruction data corresponding to the target behavior, matches it against the data in the instruction whitelist library, and determines whether the target behavior is legitimate according to the matching result, thereby implementing behavior control at the code instruction level, which is more secure than existing process-based behavior control methods.
Based on any of the foregoing embodiments, in an embodiment of the present application, the method further includes:
analyzing a program and the dynamic libraries it uses to determine the instruction data corresponding to authorized behaviors in the program;
generating the instruction whitelist library from the data corresponding to the authorized behaviors.
In the embodiments of the present application, an authorized behavior is a behavior that is permitted to execute. Within a program, generally only a small number of instruction execution sequences are permitted to realize an authorized behavior.
For example, analysis of the code of notepad.exe shows that the "open file" behavior is implemented in notepad.exe by two sets of instruction execution sequences:
the first set originates from NPCommand and, after a series of intermediate calls, finally calls the system API CreateFileW to perform the file open operation;
the second set originates from UpdateEncoding and, after a series of intermediate calls, finally calls the system API CreateFileW to perform the file open operation.
Apart from these two sets of instruction execution sequences, the remaining instructions in notepad.exe cannot perform the "open file" behavior.
Therefore, in this embodiment of the present application, the instruction data corresponding to authorized behaviors in the program must be determined. Specifically:
First, a first API corresponding to the authorized behavior is determined.
There may be one or more APIs corresponding to an authorized behavior. For example, the "open file" behavior can be implemented by calling the system API OpenFile or by calling the system API CreateFileW. Therefore, in this step the API corresponding to the authorized behavior is determined, and this API is denoted the first API.
Since the mapping between a behavior and the APIs it calls is fixed and enumerable, once the type of the authorized behavior is determined, the first API can be obtained through the mapping between behaviors and APIs.
For example, the mapping between behaviors and the APIs they call can be stored as a table. When determining the first API, the table is looked up by the behavior type of the authorized behavior, and the lookup result is the first API.
Next, the instruction execution sequence used to call the first API is determined.
In this embodiment of the present application, the instruction execution sequence used to call the first API can be determined by means of a disassembly engine.
Then, the instruction execution sequence corresponding to the authorized behavior in the program is determined from the instruction execution sequence used to call the first API.
The instruction execution sequence that calls an API may have multiple layers; for example, function Local_A calls function Local_B, Local_B calls Local_C, and Local_C calls the system API CreateFileW to open a file. In this example, the instruction execution sequence that calls the system API CreateFileW has three layers.
In determining the instruction execution sequence corresponding to the authorized behavior in the program from the instruction execution sequence used to call the first API, either the whole of the instruction execution sequence used to call the first API may be taken as the instruction execution sequence corresponding to the authorized behavior in the program, or only a part of it may be taken as such.
For example, the complete instruction execution sequence for calling the system API CreateFileW is Local_A—Local_B—Local_C—CreateFileW. This entire instruction execution sequence may be taken as the instruction execution sequence corresponding to the authorized behavior in the program, or a part of it, such as Local_B—Local_C—CreateFileW, may be taken as the instruction execution sequence corresponding to the authorized behavior in the program.
When determining the instruction execution sequence corresponding to the authorized behavior in the program, how many layers are selected from the instruction execution sequence that calls the first API can be decided according to actual needs. In theory, even selecting a single layer can distinguish the vast majority of normal calls from abnormal calls. Naturally, the more layers selected, the harder the sequence is to forge; the fewer layers selected, the easier it is to forge.
Finally, the instruction data corresponding to the authorized behavior in the program is determined from the instruction execution sequence corresponding to the authorized behavior in the program.
After the instruction execution sequence corresponding to the authorized behavior in the program is determined, the program name, version number, behavior type and API information of the program to which the authorized behavior belongs are obtained; from these the instruction data corresponding to the authorized behavior in the program can be determined and the instruction whitelist library generated.
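The following is an added example, not code from the patent, of the whitelist generation steps just described: the first API is looked up from a behavior-to-API table, the call chains reaching that API are taken from the analysis result, a preset number of layers is selected from each chain starting at the API, and the resulting entries are assembled under the program name and version number. The behavior table, the call chains (given as the constructed output of a disassembly pass, with symbol names kept only as annotations) and all offsets are hypothetical. The example also shows the effect of the layer count: the two "open file" chains of notepad.exe in the description share their innermost frames in this construction, so selecting fewer layers collapses them into one entry.

```python
from typing import Dict, List, Tuple

Frame = Tuple[str, int]            # (module, offset) as stored in the whitelist
Analyzed = Tuple[str, str, int]    # (symbol, module, offset) as produced by analysis

# Constructed table mapping behavior types to the system APIs that realize them.
BEHAVIOR_TO_APIS: Dict[str, List[str]] = {
    "open_file": ["kernel32.dll!CreateFileW", "kernel32.dll!OpenFile"],
    "save_file": ["kernel32.dll!WriteFile"],
}

# Constructed analysis result for notepad.exe: each call chain that reaches a
# first API, listed from the API outward (symbols only annotate the example).
ANALYZED_CHAINS: List[Tuple[str, List[Analyzed]]] = [
    ("kernel32.dll!CreateFileW", [              # NPCommand path
        ("CreateFileW", "kernel32.dll", 0x12340),
        ("Local_C", "notepad.exe", 0x1A10),
        ("Local_B", "notepad.exe", 0x2B20),
        ("Local_A", "notepad.exe", 0x3C30),
        ("NPCommand", "notepad.exe", 0x0F00),
    ]),
    ("kernel32.dll!CreateFileW", [              # UpdateEncoding path
        ("CreateFileW", "kernel32.dll", 0x12340),
        ("Local_C", "notepad.exe", 0x1A10),
        ("Local_B", "notepad.exe", 0x2B20),
        ("Local_E", "notepad.exe", 0x6E60),
        ("UpdateEncoding", "notepad.exe", 0x7F70),
    ]),
    ("kernel32.dll!WriteFile", [                # save path
        ("WriteFile", "kernel32.dll", 0x15500),
        ("Local_S", "notepad.exe", 0x4D40),
    ]),
]


def first_apis(behavior_type: str) -> List[str]:
    """Look up the first API(s) for a behavior type in the mapping table."""
    return BEHAVIOR_TO_APIS.get(behavior_type, [])


def select_layers(chain: List[Analyzed], layers: int) -> List[Frame]:
    """Keep the innermost `layers` frames (API first) and drop the symbol annotation.
    A chain shorter than `layers` contributes all the frames it has."""
    return [(module, offset) for (_symbol, module, offset) in chain[:layers]]


def build_whitelist(program: str, version: str, behavior_type: str,
                    chains: List[Tuple[str, List[Analyzed]]],
                    layers: int) -> Dict[Tuple[str, str], List[dict]]:
    """Generate the instruction whitelist library for one program version and behavior."""
    wanted = set(first_apis(behavior_type))
    entries: List[dict] = []
    seen = set()
    for api, chain in chains:
        if api not in wanted:
            continue                      # chain reaches an API of some other behavior
        sequence = select_layers(chain, layers)
        key = (api, tuple(sequence))
        if key in seen:
            continue                      # identical after truncation: one entry suffices
        seen.add(key)
        entries.append({"behavior_type": behavior_type, "api": api, "sequence": sequence})
    return {(program, version): entries}


def whitelist_size(behavior_type: str, layers: int) -> int:
    """Number of distinct entries the constructed analysis yields for a layer count."""
    library = build_whitelist("notepad.exe", "2.0", behavior_type, ANALYZED_CHAINS, layers)
    return len(library[("notepad.exe", "2.0")])
```

With three layers the two "open file" chains produce a single entry (CreateFileW, Local_C, Local_B); with four layers they diverge at Local_A versus Local_E and become two entries, which is the sense in which selecting more layers makes the stored sequence more specific.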
The behavior control method provided by the embodiment of the present application analyzes a program and the dynamic libraries it uses to determine the instruction data corresponding to authorized behaviors in the program, and generates an instruction whitelist library from that instruction data; the instruction data corresponding to a target behavior can be matched against the instruction whitelist library, and whether the target behavior is legitimate is determined from the matching result, thereby implementing behavior control at the code instruction level, which is more secure than existing process-based behavior control methods.
Based on any of the foregoing embodiments, in an embodiment of the present application, the method further includes:
verifying the permissions of the process to which the target behavior belongs and the permissions of the object to be processed by the target behavior.
The process to which the target behavior belongs corresponds to the program, i.e. the subject in the MAC (mandatory access control) mechanism; the object to be processed by the target behavior corresponds to the file, i.e. the object in the MAC mechanism.
Before the instruction data corresponding to the target behavior is verified, the permissions of the process to which the target behavior belongs and the permissions of the object to be processed by the target behavior may first be verified; only if this verification passes is the instruction execution sequence corresponding to the target behavior verified further.
How to verify the permissions of the process to which the target behavior belongs and of the object to be processed by the target behavior is already described in detail for the MAC mechanism and is therefore not described in detail in this embodiment of the present application.
The behavior control method provided by the embodiments of the present application, by verifying the permissions of the process to which the target behavior belongs and of the object to be processed by the target behavior, can filter out obviously illegitimate behaviors, which helps to reduce the resource load on the computer system.
Based on any of the foregoing embodiments, FIG. 2 is a schematic diagram of a behavior control apparatus provided by an embodiment of the present application. As shown in FIG. 2, the behavior control apparatus provided by the embodiment of the present application includes:
an instruction data acquisition module 201, configured to acquire, when a target behavior occurs, the instruction data corresponding to the target behavior;
a matching module 202, configured to match the instruction data corresponding to the target behavior against the data in a preset instruction whitelist library, and to determine whether the target behavior is authorized according to the matching result; wherein
the instruction whitelist library is used to store the instruction data corresponding to authorized behaviors.
The behavior control apparatus provided by the embodiment of the present application generates the instruction data corresponding to the target behavior, matches it against the data in the instruction whitelist library, and determines whether the target behavior is legitimate according to the matching result, thereby implementing behavior control at the code instruction level, which is more secure than existing process-based behavior control apparatuses.
FIG. 3 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present application. As shown in FIG. 3, the electronic device may include: a processor 310, a communications interface 320, a memory 330 and a communication bus 340, where the processor 310, the communications interface 320 and the memory 330 communicate with each other through the communication bus 340. The processor 310 may invoke logic instructions in the memory 330 to perform the following method:
when a target behavior occurs, acquiring the instruction data corresponding to the target behavior;
matching the instruction data corresponding to the target behavior against the data in a preset instruction whitelist library, and determining whether the target behavior is authorized according to the matching result; wherein
the instruction whitelist library is used to store the instruction data corresponding to authorized behaviors.
In addition, the above logic instructions in the memory 330 may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
In another aspect, an embodiment of the present application further provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the methods provided by the foregoing embodiments, for example including:
when a target behavior occurs, acquiring the instruction data corresponding to the target behavior;
matching the instruction data corresponding to the target behavior against the data in a preset instruction whitelist library, and determining whether the target behavior is authorized according to the matching result; wherein
the instruction whitelist library is used to store the instruction data corresponding to authorized behaviors.
The apparatus embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
From the description of the above embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solutions in essence, or the part that contributes to the prior art, may be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the various embodiments or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present application, not to limit them; although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.
Claims (13)
- A behavior control method, characterized in that it comprises:
  - when a target behavior occurs, obtaining the instruction data corresponding to the target behavior;
  - matching the instruction data corresponding to the target behavior against the data in a preset instruction whitelist library, and determining from the matching result whether the target behavior is authorized;
  - wherein the instruction whitelist library is used to store the instruction data corresponding to authorized behaviors.
- The behavior control method according to claim 1, characterized in that the instruction data comprises an instruction execution sequence, the instruction execution sequence being used to describe the offset address and the calling order of each level in an API call sequence; correspondingly, matching the instruction data corresponding to the target behavior against the data in the preset instruction whitelist library comprises:
  - matching the instruction execution sequence of the target behavior against the instruction execution sequences in the instruction whitelist library.
- The behavior control method according to claim 2, characterized in that the instruction data further comprises a behavior type and/or API information; correspondingly, matching the instruction data corresponding to the target behavior against the data in the preset instruction whitelist library further comprises:
  - matching the behavior type of the target behavior against the behavior types in the instruction whitelist library;
  - and/or matching the API information of the target behavior against the API information in the instruction whitelist library.
- The behavior control method according to claim 3, characterized in that the instruction data further comprises a program name and a program version number; correspondingly, matching the instruction data corresponding to the target behavior against the data in the preset instruction whitelist library further comprises:
  - determining, from the information of the process to which the target behavior belongs, the program name and version number of the program to which the target behavior belongs, and determining the instruction whitelist library from that program name and version number.
- The behavior control method according to claim 2, characterized in that matching the instruction execution sequence of the target behavior against the instruction execution sequences in the instruction whitelist library comprises:
  - in a preset matching order, matching the offset address of each level in the instruction execution sequence of the target behavior against the offset address of each level in an instruction execution sequence in the instruction whitelist library, level by level, until the number of matched levels reaches a preset number of matching levels.
- The behavior control method according to claim 2, characterized in that obtaining the instruction data corresponding to the target behavior comprises:
  - obtaining the stack data of the thread corresponding to the target behavior;
  - restoring, from the stack data, the instruction execution sequence at the time the target behavior occurred.
- The behavior control method according to any one of claims 1 to 6, characterized in that the method further comprises:
  - analyzing a program and the dynamic libraries it uses, and determining the instruction data in the program corresponding to authorized behaviors;
  - generating the instruction whitelist library from the instruction data corresponding to the authorized behaviors.
- The behavior control method according to claim 7, characterized in that determining the instruction data in the program corresponding to authorized behaviors comprises:
  - determining a first API corresponding to the authorized behavior;
  - determining the instruction execution sequence used to call the first API;
  - determining, from the instruction execution sequence used to call the first API, the instruction execution sequence in the program corresponding to the authorized behavior;
  - determining, from the instruction execution sequence in the program corresponding to the authorized behavior, the instruction data in the program corresponding to the authorized behavior.
- The behavior control method according to claim 8, characterized in that determining, from the instruction execution sequence used to call the first API, the instruction execution sequence in the program corresponding to the authorized behavior comprises:
  - taking the whole of the instruction execution sequence used to call the first API as the instruction execution sequence in the program corresponding to the authorized behavior;
  - or taking a part of the instruction execution sequence used to call the first API as the instruction execution sequence in the program corresponding to the authorized behavior.
- A behavior control apparatus, characterized in that it comprises:
  - an instruction data acquisition module, configured to obtain, when a target behavior occurs, the instruction data corresponding to the target behavior;
  - a matching module, configured to match the instruction data corresponding to the target behavior against the data in a preset instruction whitelist library, and to determine from the matching result whether the target behavior is authorized;
  - wherein the instruction whitelist library is used to store the instruction data corresponding to authorized behaviors.
- An electronic device, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that, when the processor executes the program, the steps of the behavior control method according to any one of claims 1 to 9 are implemented.
- A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the steps of the behavior control method according to any one of claims 1 to 9 are implemented.
- A computer program product comprising computer-executable instructions, characterized in that, when executed, the instructions implement the steps of the behavior control method according to any one of claims 1 to 9.
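As an added example (not the patent's own code), the following Python sketches the claimed method end to end: a whitelist library selected by program name and version (claim 4), entries built from analysed call chains in whole or in part (claims 7 to 9), an instruction execution sequence restored from stack return addresses as module-relative offsets (claim 6), and level-by-level matching up to a preset number of levels (claim 5). Module names, offsets, load bases and behavior labels are constructed; representing each level as (module, offset) with the API level first is an assumption about the sequence format.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Frame:                 # one level of an instruction execution sequence
    module: str
    offset: int              # offset of the return address within the module
@dataclass(frozen=True)
class WhitelistEntry:
    behavior_type: str       # e.g. "file_write" (constructed label)
    api: str                 # API information, here the API name
    sequence: tuple          # Frames, outermost (API) level first

def entry_from_analysis(behavior_type, api, call_chain, levels=None):
    """Claims 7-9: whitelist entry from the analysed chain calling the first API,
    keeping the whole chain (levels=None) or only its first `levels` levels."""
    chain = tuple(call_chain) if levels is None else tuple(call_chain[:levels])
    return WhitelistEntry(behavior_type, api, chain)

# Constructed whitelist library, keyed by (program name, version) as in claim 4.
WHITELIST = {("editor.exe", "1.2.0"): [
    entry_from_analysis("file_write", "WriteFile", [Frame("kernel32.dll", 0x1A2B0),
                        Frame("editor.exe", 0x4F10), Frame("editor.exe", 0x3C80)]),
    entry_from_analysis("net_connect", "connect", [Frame("ws2_32.dll", 0x0B3C0),
                        Frame("editor.exe", 0x7A20), Frame("editor.exe", 0x7900)], levels=2),
]}

def sequence_from_stack(return_addrs, module_map):
    """Claim 6: restore the instruction execution sequence from a thread's stack data.
    return_addrs: return addresses, API level first; module_map: {name: (base, size)}."""
    seq = []
    for addr in return_addrs:
        for name, (base, size) in module_map.items():
            if base <= addr < base + size:
                seq.append(Frame(name, addr - base))
                break
        else:  # outside every loaded module: can never equal a whitelisted offset
            seq.append(Frame("<unmapped>", addr))
    return tuple(seq)

def sequences_match(target, allowed, match_levels):
    """Claim 5: offsets must agree level by level for the first `match_levels` levels."""
    return (len(target) >= match_levels and len(allowed) >= match_levels
            and all(target[i] == allowed[i] for i in range(match_levels)))

def is_authorized(program, version, behavior_type, api, target_seq, match_levels=2):
    """Claims 1-4: pick the library by program/version, then match type, API, sequence."""
    for entry in WHITELIST.get((program, version), []):
        if (entry.behavior_type == behavior_type and entry.api == api
                and sequences_match(target_seq, entry.sequence, match_levels)):
            return True
    return False
```

An entry stored with fewer levels than the caller's `match_levels` never matches, so the preset number of levels and the stored prefix length have to be chosen together.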
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011272230.5 | 2020-11-13 | ||
CN202011272230.5A CN114491506A (en) | 2020-11-13 | 2020-11-13 | Behavior control method and device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022100660A1 true WO2022100660A1 (en) | 2022-05-19 |
Family
ID=81490937
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/130041 WO2022100660A1 (en) | 2020-11-13 | 2021-11-11 | Behavior control method, apparatus, electronic device, and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN114491506A (en) |
WO (1) | WO2022100660A1 (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103020527A (en) * | 2012-12-21 | 2013-04-03 | 北京奇虎科技有限公司 | Method, device and system for actively intercepting malicious programs |
CN103279706A (en) * | 2013-06-07 | 2013-09-04 | 北京奇虎科技有限公司 | Method and device for intercepting installation of Android application program in mobile terminal |
CN109508536A (en) * | 2017-09-15 | 2019-03-22 | 华为技术有限公司 | A kind of detection method and device altering program stream attack |
CN109726548A (en) * | 2018-12-29 | 2019-05-07 | 360企业安全技术(珠海)有限公司 | Processing method, server, system and the storage medium of application behavior |
US20200175155A1 (en) * | 2018-12-03 | 2020-06-04 | Ebay Inc. | System level function based access control for smart contract execution on a blockchain |
CN112395593A (en) * | 2019-08-15 | 2021-02-23 | 奇安信安全技术(珠海)有限公司 | Instruction execution sequence monitoring method and device, storage medium and computer equipment |
CN112817822A (en) * | 2021-02-05 | 2021-05-18 | 深圳市思迪信息技术股份有限公司 | APP behavior monitoring method and device, terminal and storage medium |
- 2020-11-13 CN CN202011272230.5A patent/CN114491506A/en active Pending
- 2021-11-11 WO PCT/CN2021/130041 patent/WO2022100660A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN114491506A (en) | 2022-05-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7743260B2 (en) | Firewall+storage apparatus, method and system | |
US8881137B2 (en) | Creating a relatively unique environment for computing platforms | |
US6253324B1 (en) | Server verification of requesting clients | |
US8474032B2 (en) | Firewall+ storage apparatus, method and system | |
JP4975127B2 (en) | Apparatus for providing tamper evidence to executable code stored on removable media | |
US11706220B2 (en) | Securing application behavior in serverless computing | |
US10339307B2 (en) | Intrusion detection system in a device comprising a first operating system and a second operating system | |
Eriksson et al. | Hardening the security analysis of browser extensions | |
CN115221524B (en) | Service data protection method, device, equipment and storage medium | |
US20060053492A1 (en) | Software tracking protection system | |
US20190114439A1 (en) | Method and system for protecting a computer file from a possible encryption performed by malicious code | |
US9800585B2 (en) | Restricting access by services deployed on an application server | |
WO2022100660A1 (en) | Behavior control method, apparatus, electronic device, and storage medium | |
CN112507302B (en) | Calling party identity authentication method and device based on execution of cryptographic module | |
Yakut et al. | A digital forensics analysis for detection of the modified covid-19 mobile application | |
KR101956725B1 (en) | A system for server access control using permitted execution files and dynamic library files | |
KR20220097037A (en) | Data leak prevention system | |
CN112733091A (en) | Control method and device for accessing external equipment by application program | |
KR102618922B1 (en) | Apparatus and method for Preventing SW reverse engineering of embedded system | |
CN113836542B (en) | Trusted white list matching method, system and device | |
Kim et al. | Self‐Controllable Mobile App Protection Scheme Based on Binary Code Splitting | |
Caruso | Forensic Analysis of Mobile Spyware: Investigating Security, Vulnerabilities, and Detection Challenges in Android and iOS Platforms | |
CN117786658A (en) | Unauthorized application determination method, electronic device, and computer-readable medium | |
RU2606883C2 (en) | System and method of opening files created by vulnerable applications | |
CN114491543A (en) | Analysis method for newly appeared malicious codes |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21891180; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 21891180; Country of ref document: EP; Kind code of ref document: A1 |