CN114662090A - File processing method, device, storage medium and system - Google Patents


Publication number
CN114662090A
Authority
CN
China
Prior art keywords
target
file
target file
control strategy
control
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210177652.7A
Other languages
Chinese (zh)
Inventor
马林
雷涛
白彦庚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity

Abstract

The invention discloses a file processing method, a file processing device, a storage medium and a file processing system. The method comprises the following steps: judging the security attribute of the target file to obtain a judgment result; when the judgment result shows that the security attribute does not meet the preset condition, isolating the target file into the sandbox environment; and, in the sandbox environment, obtaining a target control strategy matched with the target file and performing authority control on the target file based on the target control strategy. The invention solves the technical problems of insufficient system support, poor processing effect and low flexibility of related-art methods that process risk files with a process injection sandbox or a system sandbox.

Description

File processing method, device, storage medium and system
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a file processing method, apparatus, storage medium, and system.
Background
The software a user runs within a computer operating system may include unknown software, such as rogue software, ransomware, backdoor network viruses, trojan programs, etc. Once running on a computer, such unknown software may be uncontrollable and may even cause serious adverse effects. For this reason, a security determination must be made on unknown software before it is run. Unknown software whose security cannot be determined is generally handled by running it in isolation in a sandbox container.
In the related art, there are two main sandbox schemes for processing unknown software as follows.
Scheme 1: a sandbox scheme based on process injection. The sandbox injects into the target process and uses a hook function (HOOK) to intercept specific system application programming interfaces in the target process, thereby realizing authority control and access redirection for the target process. This scheme has a lightweight environment dependency and a simple redirection operation; its disadvantages, however, are: the injection operation reduces system stability; and it carries risk and its processing effect is poor (the target process may discover and bypass the sandbox environment through HOOK detection).
Scheme 2: a sandbox scheme based on Windows Hyper-V. With sandbox support added in Windows 10 Build 18305 and later professional versions of the operating system, users can run unknown programs in the system sandbox. This scheme is robust; its drawbacks, however, are: it cannot meet the requirements of all system versions, so support is insufficient; and the sandbox policy cannot be customized, so flexibility is low.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a file processing method, a file processing device, a storage medium and a file processing system, which are used for at least solving the technical problems of insufficient system support, poor processing effect and low flexibility of a method for processing a risk file by injecting a process into a sandbox or a system sandbox in the related art.
According to an aspect of an embodiment of the present invention, there is provided a file processing method including: judging the security attribute of the target file to obtain a judgment result; when the safety attribute is determined to not meet the preset condition through the judgment result, isolating the target file into the sandbox environment; and in the sandbox environment, acquiring a target control strategy matched with the target file, and performing authority control on the target file based on the target control strategy.
According to another aspect of the embodiments of the present invention, there is also provided a file processing method, including: receiving a target file from a client; judging the security attribute of the target file to obtain a judgment result, isolating the target file into a sandbox environment when the security attribute is determined to not meet the preset condition according to the judgment result, acquiring a target control strategy matched with the target file in the sandbox environment, and performing authority control on the target file based on the target control strategy; and returning a notification message to the client, wherein the notification message is used for notifying that the target file is isolated to the sandbox environment and carrying out authority control according to the target control strategy.
According to another aspect of the embodiments of the present invention, there is also provided a file processing apparatus including: the judging module is used for judging the security attribute of the target file to obtain a judging result; the isolation module is used for isolating the target file into the sandbox environment when the safety attribute is determined to not meet the preset condition through the judgment result; and the processing module is used for acquiring a target control strategy matched with the target file in the sandbox environment and carrying out authority control on the target file based on the target control strategy.
According to another aspect of the embodiments of the present invention, there is also provided a storage medium, where the storage medium includes a stored program, and when the program runs, the apparatus on which the storage medium is located is controlled to execute any one of the file processing methods.
According to another aspect of the embodiments of the present invention, there is also provided a file processing system including: a processor; and a memory, connected to the processor, for providing instructions to the processor for processing the following processing steps: judging the security attribute of the target file to obtain a judgment result; when the safety attribute is determined to not meet the preset condition through the judgment result, isolating the target file into the sandbox environment; and in the sandbox environment, acquiring a target control strategy matched with the target file, and performing authority control on the target file based on the target control strategy.
In the embodiment of the invention, the security attribute of the target file is first judged to obtain a judgment result, and the judgment result is used to determine whether the security attribute meets the preset condition. When it does not, the target file is isolated into the sandbox environment; in the sandbox environment, a target control strategy matched with the target file is then obtained, and authority control is performed on the target file based on the target control strategy. The file is thus isolated and its authority controlled through the sandbox scheme, which achieves the technical effect of reducing the risk of using the target file and improving system security with a flexible and stable scheme, and solves the technical problems of insufficient system support, poor processing effect and low flexibility of related-art methods that process risk files with a process injection sandbox or a system sandbox.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 shows a hardware configuration block diagram of a computer terminal (or mobile device) for implementing a file processing method;
FIG. 2 is a flow diagram of a method of file processing according to an embodiment of the invention;
FIG. 3 is a schematic diagram of an alternative process for processing unknown files in accordance with an embodiment of the present invention;
FIG. 4 is a flow diagram of another method of file processing according to an embodiment of the invention;
FIG. 5 is a schematic diagram of file processing performed at a cloud server according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a document processing apparatus according to an embodiment of the present invention;
FIG. 7 is a schematic configuration diagram of another document processing apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic configuration diagram of another document processing apparatus according to an embodiment of the present invention;
FIG. 9 is a block diagram of another computer terminal according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some of the terms appearing in the description of the embodiments of the present invention are explained as follows:
Malicious program: an unknown program that has no legal signature, or has unknown behavior, or has known malicious behavior (e.g. file stealing, screen capturing, user information stealing, etc.).
Sandbox: a virtual container in a computer that provides an isolated environment for running programs. Sandboxing is a security mechanism in the field of computer security.
Example 1
According to an embodiment of the present invention, a file processing method embodiment is also provided. It should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different from the one given here.
The method provided by the first embodiment of the present invention may be executed in a mobile terminal, a computer terminal, or a similar computing device. FIG. 1 shows a hardware configuration block diagram of a computer terminal (or mobile device) for implementing a file processing method. As shown in FIG. 1, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown as 102a, 102b, ..., 102n; the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. In addition, it may also include: a display, a keyboard, a cursor control device (such as a mouse), an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the bus), a network interface, a power source, and/or a camera. It will be understood by those skilled in the art that the structure shown in FIG. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
It should be noted that the one or more processors 102 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the invention, the data processing circuit acts as a processor control (e.g. selection of variable resistance termination paths connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the file processing method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, so as to implement the file processing method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
It should be noted here that in some alternative embodiments, the computer device (or mobile device) shown in FIG. 1 described above may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be noted that FIG. 1 is only one specific example and is intended to illustrate the types of components that may be present in the computer device (or mobile device) described above.
Under the above operating environment, the present invention provides a file processing method as shown in FIG. 2. FIG. 2 is a flowchart of a file processing method according to an embodiment of the present invention. As shown in FIG. 2, the file processing method includes:
Step S202, judging the security attribute of the target file to obtain a judgment result;
Step S204, when the judgment result shows that the security attribute does not meet the preset condition, isolating the target file into a sandbox environment;
Step S206, in the sandbox environment, obtaining a target control strategy matched with the target file, and performing authority control on the target file based on the target control strategy.
Optionally, in the above embodiment, the target file may be an unknown file, program, tool, or the like downloaded by the user from the network, or may be an attack tool that reaches the user when the user is targeted by an attack technique such as a "phishing mail" or a "watering hole attack".
Optionally, in the above embodiments, the target file may be secure, malicious, or risky. The security attributes of the target file may be used to characterize whether the target file is secure. The security attributes may be determined by the name, type, size, content, etc. of the target file.
Optionally, in the above embodiment, the determination result of the security attribute may be the result of judging the security attribute of the target file according to a preset security determination rule. For example, in a practical application scenario, the result may be one of: safe, low risk, medium risk, high risk, unable to determine, etc.
Optionally, in the above embodiment, the preset condition may be used to determine whether to isolate the target file into the sandbox environment. For example: in a certain practical application scenario, the preset condition may be "the file determined to be safe does not need to be isolated", or "the file determined to be safe and low-risk does not need to be isolated", or "the file determined to be safe does not need to be isolated, and the file determined to be at risk (including low-risk, medium-risk, and high-risk) is directly deleted", and the like.
Optionally, in the above embodiment, the target management policy may be used to manage the authority of the target file in the sandbox environment. The target management and control policy is matched with the target file, and may be a management and control policy preset for the target file by a user, or a management and control policy automatically generated for the target file by the system according to preset management and control policy rules. In the sandbox environment, a target control policy matched with the target file may be acquired, and the authority of the target file may be controlled based on the target control policy.
It should be noted that the sandbox environment may be a secure, restricted environment that the sandbox provides in the computer for program execution. For example, the sandbox can provide disk and memory space that the running program can use and that is reclaimed after use, and it limits the code access, network access and other authorities granted to the program in the sandbox environment. Changes made by a program running in the sandbox do not cause any loss to the operating system.
In the embodiment of the invention, the security attribute of the target file is first judged to obtain a judgment result, and the judgment result is used to determine whether the security attribute meets the preset condition. When it does not, the target file is isolated into the sandbox environment; in the sandbox environment, a target control strategy matched with the target file is then obtained, and authority control is performed on the target file based on the target control strategy. The file is thus isolated and its authority controlled through the sandbox scheme, which achieves the technical effect of reducing the risk of using the target file and improving system security with a flexible and stable scheme, and solves the technical problems of insufficient system support, poor processing effect and low flexibility of related-art methods that process risk files with a process injection sandbox or a system sandbox.
Optionally, the file processing method provided by the invention can be applied to, but is not limited to, any application scenario involving computer security that uses office networks, internal networks and production networks in the fields of health, language, society, science, art and the like.
In particular, in application scenarios involving computer security, a secure environment is typically set up, such as: internal networks, isolated devices, etc. However, unknown programs or unknown files may be encountered in the secure environment, and for this reason, the processing method provided by the prior art is delayed (for example, the security attribute of the unknown program or unknown file cannot be determined in time), that is, the unknown program or unknown file can still perform malicious activities in the secure environment set by the user. One of the benefits of the method provided by the embodiment of the present invention may be to solve the above problems.
In an alternative embodiment, in step S202, the security attribute is determined to obtain a determination result, and the method includes the following steps:
Step S221, judging whether the target file belongs to a preset white list or a preset black list based on the security attribute;
Step S222, when the target file belongs to the preset white list or the preset black list, determining as the judgment result that the security attribute meets the preset condition;
Step S223, when the target file belongs to neither the preset white list nor the preset black list, determining as the judgment result that the security attribute does not meet the preset condition.
Optionally, in the above embodiment, the preset white list may be a preset file list regarded as a secure file; the preset blacklist may be a preset list of files considered as risk files. The preset white list and the preset black list may be file lists specified based on various attributes of files.
For example: in a certain practical application scenario, the condition for determining that the file belongs to the preset white list may include at least one of the following: the file names are one or more specified file names; the file type is one or more specified file types; the file size belongs to one or more specified thresholds; any one of the plurality of specified contents is not contained in the file contents.
For example: in a certain practical application scenario, the condition for determining that the file belongs to the preset blacklist may include at least one of the following: the file names are one or more specified file names; the file type is one or more specified file types; the file size belongs to one or more specified thresholds; the file content includes any one of a plurality of specified contents.
Optionally, in the above embodiment, the preset condition may be "based on the security attribute of the target file, it can be determined that the target file belongs to a preset white list or a preset black list". Therefore, when the target file is determined to belong to the preset white list or the preset black list, the corresponding determination result is that the security attribute of the target file meets the preset condition; and when the target file is judged to belong to neither the preset white list nor the preset black list, the corresponding judgment result is that the security attribute of the target file does not meet the preset condition.
It should be noted that a judgment result stating that the security attribute of the target file meets the preset condition indicates that the security of the target file is known (it may be secure or risky). A judgment result stating that the security attribute of the target file does not meet the preset condition indicates that the security of the target file is unknown; a target file of unknown security must be isolated and run in a sandbox environment to avoid risk.
Fig. 3 is a schematic diagram of an alternative process for processing an unknown file according to an embodiment of the present invention, and as shown in fig. 3, the file determination system may include a white list determination system and a black list determination system. The file determination system is used for performing black and white determination on the file to be executed (determining whether the file to be executed belongs to a white list or a black list, wherein the white list and the black list can be preset by a user).
Still as shown in fig. 3, in the case that the file determination system cannot perform black and white determination on the file to be executed (for example, the file to be executed does not belong to the white list or the black list, or it is difficult to determine whether the file to be executed belongs to the white list or the black list), the file determination system may input the file to be executed into the sandbox system. The sandbox system performs authority control on the file to be executed in the sandbox environment.
In an optional embodiment, the file processing method further comprises the following method steps:
Step S208, pulling a plurality of candidate management and control policies from the cloud server;
Step S210, analyzing the plurality of candidate management and control policies to obtain an analysis result;
Step S212, storing the analysis result to a storage area associated with the sandbox environment.
Optionally, in the above embodiment, the plurality of candidate management and control policies may be a plurality of policies, stored on the cloud server, for managing file permissions. The candidate management and control policies may be generated in advance by the system and stored in the cloud server, or may be pre-specified by a technician and uploaded to the cloud server.
Optionally, in the above embodiment, the candidate management and control policies are pulled from the cloud server to the local device. The local device may analyze the plurality of candidate management and control policies to obtain an analysis result. The analysis result is stored to a storage area associated with the sandbox environment so that it can be retrieved in the sandbox environment.
Still as shown in fig. 3, in a sandbox system, cloud policy pull may be performed. The cloud policy pull may include policy pull and policy integration. The policy pull may be to obtain a latest version of each of the plurality of rights management policies from the cloud server. The policy integration may be to integrate a plurality of rights management and control policies pulled from the cloud server according to a preset integration rule. The preset integration rule may be used to integrate a plurality of policies into a specified order or a specified format.
Still as shown in FIG. 3, in a sandbox system, policy resolution may be performed. The policy resolution may include resolving each of a plurality of rights management policies. The analyzing of one authority management policy may be analyzing the authority management policy into a plurality of corresponding management and control commands.
Still as shown in FIG. 3, in a sandbox system, policy storage may occur. The policy storage may be a storage area that stores a plurality of management commands (corresponding to the above analysis result) corresponding to each of the plurality of rights management policies to the sandbox system. The policy storage may also be a storage area that stores a plurality of rights management policies and a plurality of management commands (corresponding to the above analysis result) corresponding to each of the rights management policies in the sandbox system.
In addition, as also shown in FIG. 3, in a sandbox system, policy validity verification may also be performed. Specifically, after the policies are stored, the legitimacy of the plurality of authority control policies stored in the storage area in the sandbox system is verified according to a preset legitimacy verification rule. The preset validity verification rule may be specified in advance by a technician according to an actual application scenario.
Particularly, when the legitimacy of the policy is verified, the legal authority control policy stored in the storage area can be reserved, and the illegal authority control policy stored in the storage area can be deleted.
In an optional embodiment, in step S206, obtaining the target management and control policy matched with the target file includes the following steps:
Step S261, obtaining index information of the target file;
Step S262, obtaining, based on the index information of the target file, the target management and control policy matched with the index information from the parsing result stored in the storage area.
Optionally, in the above embodiment, the index information of the target file may be information used to match a management and control policy to the target file. Obtaining the index information of the target file may mean selecting at least one field from a plurality of fields corresponding to the target file. For example, the index information of the target file may be the file name, the file type, and the like of the target file. As another example, when the target file is an unknown program, the index information may be the process name corresponding to the unknown program.
Optionally, in the above embodiment, based on the index information of the target file, the target management and control policy matching the index information may be acquired from the parsing result stored in the storage area. The storage area is associated with the sandbox environment, and the parsing result is obtained by parsing the plurality of candidate management and control policies. The target management and control policy may be the management and control policy to be executed on the target file in the sandbox environment.
Still as shown in FIG. 3, policy matching may be performed in the sandbox system. When the target file is an unknown program, the process name corresponding to the unknown program (equivalent to the index information) may be obtained as an index, and the permission control policy to be used (equivalent to the target management and control policy) may be matched for the unknown program.
Specifically, the matching process may include: accessing the storage area in the sandbox system, and acquiring the plurality of permission control policies stored in the storage area and the plurality of control commands corresponding to each permission control policy (equivalent to the parsing result); and determining the permission control policy corresponding to the unknown program according to the process name corresponding to the unknown program.
In an optional embodiment, the file processing method further comprises the following method steps:
Step S214, when it is determined that no target management and control policy matched with the index information is found in the parsing result, determining the default management and control policy as the target management and control policy.
Optionally, in the above embodiment, the default management and control policy may be a management and control policy that is pre-specified by a technician according to an actual application scenario.
Optionally, in the above embodiment, when no target management and control policy matching the index information of the target file can be found in the parsing result, this indicates that policy matching for the target file has failed. In this case, the default management and control policy may be determined as the target management and control policy for the target file. The target management and control policy may be the management and control policy to be executed on the target file in the sandbox environment.
Optionally, when the index information of the target file is null, policy matching cannot be performed on the target file, and at this time, the default management and control policy may also be determined as the target management and control policy of the target file.
In addition, the cloud server can also issue a specific management and control policy for a specific file or program in the sandbox environment. For example, for the unknown program a.exe in the sandbox environment, the management and control policy issued by the cloud server is that desktop files cannot be read and files cannot be written to the desktop. The policy system parses the management and control policy and stores it on the local device.
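The FIG. 3 policy flow described above (integration, parsing, storage, validity verification, matching by process name, default fallback), as an added Python sketch that is not code from the patent. The JSON layout, field names, `%DESKTOP%` token, deny-all default and case-insensitive matching are assumptions, since the patent does not define a policy format.

```python
import json
from typing import Dict, List, NamedTuple, Optional

DOMAINS = {"file", "process", "registry", "network"}  # the four control types
EFFECTS = {"allow", "deny"}


class ControlCommand(NamedTuple):
    domain: str
    op: str
    target: str
    effect: str


# Constructed cloud response; field names and %DESKTOP% are assumptions.
PULLED_JSON = json.dumps([
    {"index": "a.exe", "version": 1, "rules": [
        {"domain": "file", "op": "read", "target": "%DESKTOP%", "effect": "deny"}]},
    {"index": "A.exe", "version": 2, "rules": [
        {"domain": "file", "op": "read", "target": "%DESKTOP%", "effect": "deny"},
        {"domain": "file", "op": "write", "target": "%DESKTOP%", "effect": "deny"}]},
    {"index": "b.exe", "version": 1, "rules": [
        {"domain": "gpu", "op": "use", "target": "*", "effect": "deny"}]},
])

# Assumed default policy: deny everything in every domain.
DEFAULT_COMMANDS = [ControlCommand(d, "*", "*", "deny") for d in sorted(DOMAINS)]


def normalize_index(index: Optional[str]) -> str:
    # Assumption: process names compare case-insensitively, as on Windows.
    return (index or "").strip().lower()


def integrate(policies: List[dict]) -> List[dict]:
    """Policy integration: latest version per index, in a fixed order."""
    latest: Dict[str, dict] = {}
    for policy in policies:
        key = normalize_index(policy.get("index"))
        if not key:
            continue  # a policy without an index can never be matched
        if key not in latest or policy.get("version", 0) > latest[key].get("version", 0):
            latest[key] = policy
    return [latest[key] for key in sorted(latest)]


def parse_policy(policy: dict) -> List[ControlCommand]:
    """Policy parsing: one policy becomes a list of control commands."""
    return [ControlCommand(str(r.get("domain", "")), str(r.get("op", "")),
                           str(r.get("target", "")), str(r.get("effect", "")))
            for r in policy.get("rules", [])]


def is_valid(commands: List[ControlCommand]) -> bool:
    """Assumed validity rule: non-empty, known domain and effect, no blank fields."""
    return bool(commands) and all(
        c.domain in DOMAINS and c.effect in EFFECTS and c.op and c.target
        for c in commands)


class PolicyStore:
    """Storage area holding the parsing result, keyed by index information."""

    def __init__(self, default: List[ControlCommand]):
        self._default = list(default)
        self._parsed: Dict[str, List[ControlCommand]] = {}
        self.removed: List[str] = []

    def store(self, policies: List[dict]) -> None:
        for policy in integrate(policies):
            self._parsed[normalize_index(policy["index"])] = parse_policy(policy)

    def verify(self) -> List[str]:
        """Validity verification after storage: keep valid entries, delete the rest."""
        self.removed = [k for k, cmds in self._parsed.items() if not is_valid(cmds)]
        for key in self.removed:
            del self._parsed[key]
        return self.removed

    def match(self, index: Optional[str]) -> List[ControlCommand]:
        """Policy matching with fallback for an empty index or a failed match."""
        key = normalize_index(index)
        if not key or key not in self._parsed:
            return self._default
        return self._parsed[key]


def build_store(pulled_json: str = PULLED_JSON) -> PolicyStore:
    store = PolicyStore(DEFAULT_COMMANDS)
    store.store(json.loads(pulled_json))
    store.verify()
    return store
```

Because verification runs after storage, the `b.exe` entry with an unknown control type is deleted and that program then falls through to the default policy instead of running under a rule the enforcement layer cannot interpret.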
In an optional embodiment, in step S206, performing permission control on the target file based on the target management and control policy includes at least one of the following method steps:
Step S263, performing file permission control on the target file based on the target management and control policy;
Step S264, performing process permission control on the target file based on the target management and control policy;
Step S265, performing registry permission control on the target file based on the target management and control policy;
Step S266, performing network access permission control on the target file based on the target management and control policy.
Optionally, in the above embodiment, the target management and control policy may be the management and control policy to be executed on the target file in the sandbox environment. In the sandbox environment, performing permission control on the target file based on the target management and control policy may include at least one of: file permission control, process permission control, registry permission control and network access permission control.
Specifically, file permission control may control the target file's permission to operate on some or all of the files in the local file system (including reading or changing file contents). Process permission control may control the process corresponding to the target file and that process's permission to occupy system resources. Registry permission control may control the target file's permission to access and modify the registry. Network access permission control may control the target file's permission to access a network (which may include an office network, an intranet, a production network, etc.); that permission may include allowing access, partially restricting access, fully restricting access, etc.
Still as shown in FIG. 3, the sandbox system may also include a process creation agent module. After the policy system determines the permission control policy to be used for the target file, the process creation agent module may create a process for the target file and run the target file.
Still as shown in FIG. 3, permission control may also be performed in the sandbox system. The permission control may include file permission control, process permission control, registry permission control and network permission control.
Still taking the unknown program a.exe as an example, the sandbox system creates a corresponding process for a.exe, and the permission control module then controls the permissions of a.exe according to the management and control policy for a.exe. The policy is that "desktop files cannot be read and files cannot be written to the desktop", so when the sandbox system finds that the process corresponding to a.exe performs a read or write action on a desktop file, the permission control module applies the corresponding permission control to restrict the action.
It is easy to note that, according to the method provided by the embodiment of the present invention, when the result of the security determination for an unknown file or an unknown program is unknown, the sandbox system may be used to keep the unknown file or unknown program in an isolated state, so as to protect the security of the system. The isolated state includes file isolation, process isolation, session isolation, network access restriction, and the like.
It is easy to note that, according to the method provided by the embodiment of the present invention, the management and control policy used by the sandbox system is pulled from the cloud server. The management and control policy can be customized for a complex usage environment and uploaded to the cloud server for use by the sandbox system, so as to implement permission control on a specific program, and the permission control is fine-grained (for example, permission control can be applied to a file path, to a specific IP address, and the like). Therefore, one of the beneficial effects of the embodiment of the present invention is that sandbox management and control policies can be customized, with high flexibility.
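How a permission control module might evaluate the a.exe desktop policy and the path- and IP-level granularity noted above, as an added Python sketch that is not code from the patent. The command tuple, sample paths and addresses, deny-overrides ordering and allow-by-default fallback are assumptions.

```python
import ipaddress
import ntpath
from typing import List, NamedTuple, Optional


class ControlCommand(NamedTuple):
    domain: str   # "file" or "network" in this sketch
    op: str       # "read", "write" or "connect"
    target: str   # directory root, or an IP address / CIDR network
    effect: str   # "allow" or "deny"


class Decision(NamedTuple):
    effect: str
    rule: Optional[ControlCommand]


# Constructed control commands for a.exe; the paths and addresses are samples.
A_EXE_COMMANDS = [
    ControlCommand("file", "read", r"C:\Users\alice\Desktop", "deny"),
    ControlCommand("file", "write", r"C:\Users\alice\Desktop", "deny"),
    ControlCommand("network", "connect", "10.0.0.0/8", "deny"),
    ControlCommand("network", "connect", "203.0.113.7", "deny"),
]


def _canon(path: str) -> str:
    # Collapse "..", unify separators and fold case so that equivalent
    # spellings of one Windows path compare equal. String normalisation does
    # not resolve junctions, symlinks or 8.3 short names; a real enforcement
    # point would compare the resolved object instead.
    return ntpath.normcase(ntpath.normpath(path))


def _under(path: str, root: str) -> bool:
    p, r = _canon(path), _canon(root)
    # Compare on a separator boundary so "Desktop2" is not treated as "Desktop".
    return p == r or p.startswith(r.rstrip("\\") + "\\")


def _matches(cmd: ControlCommand, domain: str, op: str, resource) -> bool:
    if cmd.domain != domain or cmd.op != op:
        return False
    if domain == "file":
        return _under(resource, cmd.target)
    if domain == "network":
        return resource in ipaddress.ip_network(cmd.target, strict=False)
    return False


def decide(commands: List[ControlCommand], domain: str, op: str,
           resource: str, default: str = "allow") -> Decision:
    """Return the effect for one attempted action by the sandboxed process."""
    if domain == "network":
        try:
            resource = ipaddress.ip_address(resource)
        except ValueError:
            return Decision("deny", None)  # unparseable destination: fail closed
    hits = [c for c in commands if _matches(c, domain, op, resource)]
    for cmd in hits:
        if cmd.effect == "deny":           # assumed ordering: deny overrides allow
            return Decision("deny", cmd)
    if hits:
        return Decision(hits[0].effect, hits[0])
    return Decision(default, None)
```

The traversal and case variants in the checks matter because a rule keyed on the literal string `C:\Users\alice\Desktop` is otherwise bypassed by any equivalent spelling of the same directory.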
It is easy to note that, compared with the methods provided by the related art, the method provided by the embodiment of the present invention has no injection behavior. Therefore, one of the beneficial effects of the embodiment of the present invention is that programs run stably in the sandbox, and it is difficult for a program to detect the sandbox environment.
An embodiment of the present invention further provides a file processing method that is executed on a cloud server. FIG. 4 is a flowchart of another file processing method according to an embodiment of the present invention. As shown in FIG. 4, the file processing method includes:
Step S402, receiving a target file from a client;
Step S404, determining the security attribute of the target file to obtain a determination result; when the determination result indicates that the security attribute does not meet the preset condition, isolating the target file into a sandbox environment, acquiring, in the sandbox environment, a target management and control policy matched with the target file, and performing permission control on the target file based on the target management and control policy;
Step S406, returning a notification message to the client, wherein the notification message is used to notify that the target file has been isolated into the sandbox environment and is subject to permission control according to the target management and control policy.
Optionally, FIG. 5 is a schematic diagram of file processing performed in a cloud server according to an embodiment of the present invention. As shown in FIG. 5, a client uploads a target file to the cloud server. The cloud server determines the security attribute of the target file to obtain a determination result. When the determination result indicates that the security attribute does not meet the preset condition, the target file is isolated into a sandbox environment, a target management and control policy matched with the target file is obtained in the sandbox environment, and permission control is performed on the target file based on the target management and control policy. The cloud server then feeds back a notification message to the client, wherein the notification message is used to notify that the target file has been isolated into the sandbox environment and is subject to permission control according to the target management and control policy. The final notification message is provided to the user through the graphical user interface of the client.
It should be noted that the file processing method provided in the embodiment of the present invention may be applied to, but is not limited to, any practical application scenario involving computer security in which an office network, an intranet or a production network is used, in fields such as health, language, society, science and art. Through interaction between a SaaS server and a client, whether to perform sandbox environment isolation is decided according to the determination result for the security attribute of the target file uploaded by the client. When sandbox environment isolation is performed, permission control is performed on the target file using the corresponding target management and control policy, and a notification message is generated and returned to the client for presentation to the user.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
According to an embodiment of the present invention, there is also provided an apparatus for implementing the above file processing method. FIG. 6 is a schematic structural diagram of a file processing apparatus according to an embodiment of the present invention. As shown in FIG. 6, the apparatus includes: a determination module 601, an isolation module 602 and a processing module 603, wherein,
the determination module 601 is configured to determine the security attribute of the target file to obtain a determination result; the isolation module 602 is configured to isolate the target file into the sandbox environment when the determination result indicates that the security attribute does not meet the preset condition; the processing module 603 is configured to obtain, in the sandbox environment, a target management and control policy matched with the target file, and perform permission control on the target file based on the target management and control policy.
Optionally, the determination module 601 is further configured to: determine, based on the security attribute, whether the target file belongs to a preset whitelist or a preset blacklist; when the target file belongs to the preset whitelist or the preset blacklist, determine as the determination result that the security attribute meets the preset condition; and when the target file belongs to neither the preset whitelist nor the preset blacklist, determine as the determination result that the security attribute does not meet the preset condition.
Optionally, FIG. 7 is a schematic structural diagram of another file processing apparatus according to an embodiment of the present invention. As shown in FIG. 7, in addition to all the modules shown in FIG. 6, the apparatus includes a parsing module 604, configured to: pull a plurality of candidate management and control policies from the cloud server; parse the plurality of candidate management and control policies to obtain a parsing result; and store the parsing result in a storage area associated with the sandbox environment.
Optionally, the processing module 603 is further configured to: acquire index information of the target file; and, based on the index information of the target file, acquire the target management and control policy matched with the index information from the parsing result stored in the storage area.
Optionally, FIG. 8 is a schematic structural diagram of another file processing apparatus according to an embodiment of the present invention. As shown in FIG. 8, in addition to all the modules shown in FIG. 7, the apparatus includes a determining module 605, configured to determine the default management and control policy as the target management and control policy when it is determined that no target management and control policy matched with the index information is found in the parsing result.
Optionally, the processing module 603 is further configured to: perform file permission control on the target file based on the target management and control policy; perform process permission control on the target file based on the target management and control policy; perform registry permission control on the target file based on the target management and control policy; and perform network access permission control on the target file based on the target management and control policy.
It should be noted here that the determination module 601, the isolation module 602 and the processing module 603 correspond to steps S202 to S206 in embodiment 1. The examples and application scenarios implemented by the three modules are the same as those of the corresponding steps, but are not limited to what is disclosed in embodiment 1. It should be noted that the modules described above, as part of the apparatus, may run in the computer terminal 10 provided in embodiment 1.
In the embodiment of the present invention, the security attribute of the target file is first determined to obtain a determination result, and it is then determined from the determination result whether the security attribute meets the preset condition. When the determination result indicates that the security attribute does not meet the preset condition, the target file is isolated into the sandbox environment. In the sandbox environment, a target management and control policy matched with the target file is then obtained, and permission control is performed on the target file based on that policy. This achieves the purpose of isolating the file and controlling its permissions through the sandbox scheme, reduces the risk of using the target file and improves system security with a flexible and stable scheme, and thereby solves the technical problems in the related art that methods which handle risky files with a process-injection sandbox or a system sandbox have insufficient system support, poor handling results and low flexibility.
It should be noted that, reference may be made to the relevant description in embodiment 1 for a preferred implementation of this embodiment, and details are not described here again.
Example 3
According to an embodiment of the present invention, there is also provided an embodiment of an electronic device, which may be any one of a group of computing devices. The electronic device includes a processor and a memory, wherein:
the memory is coupled to the processor and provides the processor with instructions for the following processing steps: determining the security attribute of the target file to obtain a determination result; when the determination result indicates that the security attribute does not meet the preset condition, isolating the target file into the sandbox environment; and in the sandbox environment, acquiring a target management and control policy matched with the target file, and performing permission control on the target file based on the target management and control policy.
In the embodiment of the present invention, the security attribute of the target file is first determined to obtain a determination result, and it is then determined from the determination result whether the security attribute meets the preset condition. When the determination result indicates that the security attribute does not meet the preset condition, the target file is isolated into the sandbox environment. In the sandbox environment, a target management and control policy matched with the target file is then obtained, and permission control is performed on the target file based on that policy. This achieves the purpose of isolating the file and controlling its permissions through the sandbox scheme, reduces the risk of using the target file and improves system security with a flexible and stable scheme, and thereby solves the technical problems in the related art that methods which handle risky files with a process-injection sandbox or a system sandbox have insufficient system support, poor handling results and low flexibility.
It should be noted that, reference may be made to the relevant description in embodiment 1 for a preferred implementation of this embodiment, and details are not described here again.
Example 4
The embodiment of the invention can provide a computer terminal which can be any computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
In this embodiment, the computer terminal may execute the program code of the following steps in the file processing method: determining the security attribute of the target file to obtain a determination result; when the determination result indicates that the security attribute does not meet the preset condition, isolating the target file into the sandbox environment; and in the sandbox environment, acquiring a target management and control policy matched with the target file, and performing permission control on the target file based on the target management and control policy.
Optionally, FIG. 9 is a block diagram of another computer terminal according to an embodiment of the present invention. As shown in FIG. 9, the computer terminal may include: one or more (only one of which is shown) processors 122, a memory 124, and a peripherals interface 126.
The memory may be configured to store software programs and modules, such as program instructions/modules corresponding to the file processing method and apparatus in the embodiments of the present invention, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory, so as to implement the file processing method. The memory may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory remotely located from the processor, which may be connected to the computer terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor can call the information and application programs stored in the memory through the transmission device to execute the following steps: determining the security attribute of the target file to obtain a determination result; when the determination result indicates that the security attribute does not meet the preset condition, isolating the target file into the sandbox environment; and in the sandbox environment, acquiring a target management and control policy matched with the target file, and performing permission control on the target file based on the target management and control policy.
Optionally, the processor may further execute the program code of the following steps: determining, based on the security attribute, whether the target file belongs to a preset whitelist or a preset blacklist; when the target file belongs to the preset whitelist or the preset blacklist, determining as the determination result that the security attribute meets the preset condition; and when the target file belongs to neither the preset whitelist nor the preset blacklist, determining as the determination result that the security attribute does not meet the preset condition.
Optionally, the processor may further execute the program code of the following steps: pulling a plurality of candidate management and control policies from the cloud server; parsing the plurality of candidate management and control policies to obtain a parsing result; and storing the parsing result in a storage area associated with the sandbox environment.
Optionally, the processor may further execute the program code of the following steps: acquiring index information of the target file; and, based on the index information of the target file, acquiring the target management and control policy matched with the index information from the parsing result stored in the storage area.
Optionally, the processor may further execute the program code of the following step: when it is determined that no target management and control policy matched with the index information is found in the parsing result, determining the default management and control policy as the target management and control policy.
Optionally, the processor may further execute the program code of the following steps: performing file permission control on the target file based on the target management and control policy; performing process permission control on the target file based on the target management and control policy; performing registry permission control on the target file based on the target management and control policy; and performing network access permission control on the target file based on the target management and control policy.
The processor can call the information and application programs stored in the memory through the transmission device to execute the following steps: receiving a target file from a client; determining the security attribute of the target file to obtain a determination result; when the determination result indicates that the security attribute does not meet the preset condition, isolating the target file into a sandbox environment, acquiring, in the sandbox environment, a target management and control policy matched with the target file, and performing permission control on the target file based on the target management and control policy; and returning a notification message to the client, wherein the notification message is used to notify that the target file has been isolated into the sandbox environment and is subject to permission control according to the target management and control policy.
In the embodiment of the present invention, the security attribute of the target file is first determined to obtain a determination result, and it is then determined from the determination result whether the security attribute meets the preset condition. When the determination result indicates that the security attribute does not meet the preset condition, the target file is isolated into the sandbox environment. In the sandbox environment, a target management and control policy matched with the target file is then obtained, and permission control is performed on the target file based on that policy. This achieves the purpose of isolating the file and controlling its permissions through the sandbox scheme, reduces the risk of using the target file and improves system security with a flexible and stable scheme, and thereby solves the technical problems in the related art that methods which handle risky files with a process-injection sandbox or a system sandbox have insufficient system support, poor handling results and low flexibility.
It can be understood by those skilled in the art that the structure shown in FIG. 9 is only an illustration, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, and the like. FIG. 9 does not limit the structure of the electronic device. For example, the computer terminal may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 9, or have a different configuration than shown in FIG. 9.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
According to an embodiment of the present invention, there is also provided an embodiment of a storage medium. Optionally, in this embodiment, the storage medium may be configured to store the program code executed by the file processing method provided in embodiment 1.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: determining the security attribute of the target file to obtain a determination result; when the determination result indicates that the security attribute does not meet the preset condition, isolating the target file into the sandbox environment; and in the sandbox environment, acquiring a target management and control policy matched with the target file, and performing permission control on the target file based on the target management and control policy.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: determining, based on the security attribute, whether the target file belongs to a preset whitelist or a preset blacklist; when the target file belongs to the preset whitelist or the preset blacklist, determining as the determination result that the security attribute meets the preset condition; and when the target file belongs to neither the preset whitelist nor the preset blacklist, determining as the determination result that the security attribute does not meet the preset condition.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: pulling a plurality of candidate management and control policies from the cloud server; parsing the plurality of candidate management and control policies to obtain a parsing result; and storing the parsing result in a storage area associated with the sandbox environment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: acquiring index information of the target file; and, based on the index information of the target file, acquiring the target management and control policy matched with the index information from the parsing result stored in the storage area.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following step: when it is determined that no target management and control policy matched with the index information is found in the parsing result, determining the default management and control policy as the target management and control policy.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: performing file permission control on the target file based on the target management and control policy; performing process permission control on the target file based on the target management and control policy; performing registry permission control on the target file based on the target management and control policy; and performing network access permission control on the target file based on the target management and control policy.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: receiving a target file from a client; determining the security attribute of the target file to obtain a determination result; when the determination result indicates that the security attribute does not meet the preset condition, isolating the target file into a sandbox environment, acquiring, in the sandbox environment, a target management and control policy matched with the target file, and performing permission control on the target file based on the target management and control policy; and returning a notification message to the client, wherein the notification message is used to notify that the target file has been isolated into the sandbox environment and is subject to permission control according to the target management and control policy.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided by the present invention, it should be understood that the disclosed technical contents can be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, and various other media capable of storing program code.
The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A file processing method, comprising:
judging the security attribute of the target file to obtain a judgment result;
when the judgment result shows that the security attribute does not meet the preset condition, isolating the target file into a sandbox environment;
and in the sandbox environment, acquiring a target control strategy matched with the target file, and performing authority control on the target file based on the target control strategy.
2. The file processing method according to claim 1, wherein judging the security attribute of the target file to obtain the judgment result comprises:
judging, based on the security attribute, whether the target file belongs to a preset white list or a preset black list;
when the target file belongs to the preset white list or the preset black list, determining from the judgment result that the security attribute meets the preset condition;
and when the target file belongs to neither the preset white list nor the preset black list, determining from the judgment result that the security attribute does not meet the preset condition.
3. The file processing method according to claim 1, further comprising:
pulling a plurality of candidate management and control strategies from a cloud server;
analyzing the candidate control strategies to obtain an analysis result;
and storing the analysis result to a storage area associated with the sandbox environment.
4. The file processing method according to claim 3, wherein obtaining the target management and control policy matched with the target file comprises:
acquiring index information of the target file;
and acquiring the target management and control strategy matched with the index information from the analysis result stored in the storage area based on the index information of the target file.
5. The file processing method according to claim 4, further comprising:
when no target control strategy matching the index information is found in the analysis result, determining a default control strategy as the target control strategy.
6. The file processing method according to claim 1, wherein performing authority control on the target file based on the target control strategy includes at least one of:
performing file authority control on the target file based on the target control strategy;
performing process authority control on the target file based on the target control strategy;
performing registry authority control on the target file based on the target control strategy;
and performing network access authority control on the target file based on the target control strategy.
7. A file processing method, comprising:
receiving a target file from a client;
judging the security attribute of the target file to obtain a judgment result, isolating the target file into a sandbox environment when the security attribute is determined to not meet a preset condition according to the judgment result, acquiring a target control strategy matched with the target file in the sandbox environment, and performing authority control on the target file based on the target control strategy;
and returning a notification message to the client, wherein the notification message notifies the client that the target file has been isolated into the sandbox environment and is subject to authority control according to the target control strategy.
8. A file processing apparatus, characterized by comprising:
a judging module, used for judging the security attribute of a target file to obtain a judgment result;
an isolation module, used for isolating the target file into a sandbox environment when the judgment result shows that the security attribute does not meet the preset condition;
and a processing module, used for acquiring a target control strategy matched with the target file in the sandbox environment and performing authority control on the target file based on the target control strategy.
9. A storage medium, characterized in that the storage medium includes a stored program, wherein, when the program runs, a device in which the storage medium is located is controlled to execute the file processing method according to any one of claims 1 to 7.
10. A file processing system, comprising:
a processor; and
a memory coupled to the processor for providing the processor with instructions for the following processing steps:
step 1, judging the security attribute of a target file to obtain a judgment result;
step 2, when the judgment result shows that the security attribute does not meet the preset condition, isolating the target file into a sandbox environment;
and step 3, acquiring a target control strategy matched with the target file in the sandbox environment, and performing authority control on the target file based on the target control strategy.
CN202210177652.7A 2022-02-24 2022-02-24 File processing method, device, storage medium and system Pending CN114662090A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210177652.7A CN114662090A (en) 2022-02-24 2022-02-24 File processing method, device, storage medium and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210177652.7A CN114662090A (en) 2022-02-24 2022-02-24 File processing method, device, storage medium and system

Publications (1)

Publication Number Publication Date
CN114662090A true CN114662090A (en) 2022-06-24

Family

ID=82027737

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210177652.7A Pending CN114662090A (en) 2022-02-24 2022-02-24 File processing method, device, storage medium and system

Country Status (1)

Country Link
CN (1) CN114662090A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115510429A (en) * 2022-11-21 2022-12-23 统信软件技术有限公司 Sandbox application access right control method, computing device and readable storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115510429A (en) * 2022-11-21 2022-12-23 统信软件技术有限公司 Sandbox application access right control method, computing device and readable storage medium
CN115510429B (en) * 2022-11-21 2023-04-14 统信软件技术有限公司 Sandbox application access right control method, computing device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination