CN107506648B - Method, device and system for searching application vulnerability - Google Patents


Info

Publication number
CN107506648B
Authority
CN
China
Prior art keywords
attack
attack surface
application
intrusion detection
network intrusion
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710666451.2A
Other languages
Chinese (zh)
Other versions
CN107506648A (en)
Inventor
王加水
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced New Technologies Co Ltd
Advantageous New Technologies Co Ltd
Original Assignee
Advanced New Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Advanced New Technologies Co Ltd
Priority to CN201710666451.2A
Publication of CN107506648A
Application granted
Publication of CN107506648B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The embodiment of the application discloses a method, a device and a system for searching for application vulnerabilities. The method comprises: determining the attack surfaces of an application according to static program detection information and running environment detection information of the application; acquiring, while the application runs, monitoring data corresponding to each attack surface; and determining, among the attack surfaces of the application, those in which a vulnerability may exist, according to the monitoring data corresponding to each attack surface and the network intrusion detection rule corresponding to that attack surface, where the network intrusion detection rule of an attack surface is a rule configured for that attack surface for network intrusion detection.

Description

Method, device and system for searching application vulnerability
Technical Field
The present application relates to the field of computer software technologies, and in particular, to a method, an apparatus, and a system for searching for an application vulnerability.
Background
An application vulnerability is a defect that weakens the security of an application. The application attack surface is the set of points in the application's environment where an unauthorized user (an attacker) can inject or extract data, and hence mount an attack.
In application vulnerability mining, the attack surface describes where in the code security vulnerabilities may exist and remain to be found. For example, in a browser-based attack the HTTP protocol, HTML pages, loaded plug-ins and the like all form part of the browser's attack surface. Finding the right attack surface of an application therefore plays an important role in vulnerability mining.
At present, the common approach is to determine the attack surface and search for application vulnerabilities through manual audit, which is inefficient.
Disclosure of Invention
The embodiments of the present application aim to provide a method, a device and a system for searching for application vulnerabilities, so that application vulnerabilities can be found quickly.
To solve the above technical problem, the embodiments of the present application are implemented as follows.
In a first aspect, a method for searching for application vulnerabilities is provided, the method comprising:
determining the attack surfaces of an application according to static program detection information and running environment detection information of the application;
acquiring, while the application runs, monitoring data corresponding to each attack surface of the application; and
determining, among the attack surfaces of the application, the attack surfaces in which a vulnerability may exist, according to the monitoring data corresponding to each attack surface and the network intrusion detection rule corresponding to that attack surface, where the network intrusion detection rule of an attack surface is a rule configured for that attack surface for network intrusion detection.
In a second aspect, an apparatus for searching for application vulnerabilities is provided, the apparatus comprising:
a determining unit, configured to determine the attack surfaces of an application according to static program detection information and running environment detection information of the application; and
an acquiring unit, configured to acquire, while the application runs, monitoring data corresponding to each attack surface;
where the determining unit further determines, among the attack surfaces of the application, the attack surfaces in which a vulnerability may exist, according to the monitoring data corresponding to each attack surface and the network intrusion detection rule corresponding to that attack surface, the network intrusion detection rule of an attack surface being a rule configured for that attack surface for network intrusion detection.
In a third aspect, an electronic device is provided, comprising:
a processor; and
a memory arranged to store computer-executable instructions that, when executed, cause the processor to:
determine the attack surfaces of an application according to static program detection information and running environment detection information of the application;
acquire, while the application runs, monitoring data corresponding to each attack surface of the application; and
determine, among the attack surfaces of the application, the attack surfaces in which a vulnerability may exist, according to the monitoring data corresponding to each attack surface and the network intrusion detection rule corresponding to that attack surface, where the network intrusion detection rule of an attack surface is a rule configured for that attack surface for network intrusion detection.
In a fourth aspect, a computer-readable storage medium is provided, storing one or more programs that, when executed by an electronic device including a plurality of application programs, cause the electronic device to:
determine the attack surfaces of an application according to static program detection information and running environment detection information of the application;
acquire, while the application runs, monitoring data corresponding to each attack surface of the application; and
determine, among the attack surfaces of the application, the attack surfaces in which a vulnerability may exist, according to the monitoring data corresponding to each attack surface and the network intrusion detection rule corresponding to that attack surface, where the network intrusion detection rule of an attack surface is a rule configured for that attack surface for network intrusion detection.
As can be seen from the technical solutions provided in the embodiments of the present application, the embodiments have at least the following technical effect:
the attack surfaces in which a vulnerability may exist are determined from the monitoring data of the application's attack surfaces and the network intrusion detection rules corresponding to those attack surfaces, which can effectively assist in improving the efficiency of application vulnerability mining.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some of the embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is an interaction flow diagram for finding application vulnerabilities according to an embodiment of the present application.
FIG. 2 is a flowchart of a method for finding an application vulnerability according to an embodiment of the present application.
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Fig. 4 is a schematic structural diagram of an application vulnerability discovery apparatus according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides a method, a device and a system for searching application bugs.
In order to make those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
To facilitate understanding of the embodiments of the present application, several terms used in the description of the embodiments are first introduced here.
Attack surface: describes the code of an application that an attacker can reach and exercise, and thus where undiscovered security vulnerabilities in the application's code may be located. The main attributes of an attack surface may include the attack vector, the privileges obtained, memory safety, complexity and so on. Attack surfaces can be classified into remote attack surfaces, client-side attack surfaces, physically adjacent attack surfaces and the like.
Attack vector: the user interaction and authentication conditions required to reach the attack surface; it bounds the impact of any security vulnerability found in that attack surface. Some attack surfaces require physical access to complete an attack, others require social engineering to trick a user into clicking a link.
Privileges obtained: the privileges with which the code behind the attack surface runs. Some code behind an attack surface runs with very high privileges, such as kernel code; other code runs in a sandbox with limited privileges.
Memory safety: applications written in different languages have different degrees of memory safety; for example, applications written in C-family languages tend to have more memory-safety vulnerabilities than applications written in languages that are not C-family.
Complexity: in general, the more complex the code or protocol, the more likely it is to contain vulnerabilities.
Fig. 1 is a system block diagram of an attack surface extraction and prejudgment system according to an embodiment of the present application. As shown in Fig. 1, the attack surface extraction and prejudgment system may include four functional modules: a starter, a rule center, a prejudgment device and a hook device.
The starter: while an application runs it may interact with other processes, or exercise different functions depending on environment configuration. The starter collects as much static and runtime information about the application as possible, so that particular network intrusion detection rules in the rule center take effect when the application's running environment changes.
The rule center: network intrusion detection rules are configured from known vulnerability points that may exist in an attack surface; the rule center manages these rules centrally and issues them to the prejudgment device for analysis.
The hook device: monitors common system calls or sensitive classes of the application. Different attack surfaces of an application generally correspond to different hook devices, and a hook device describes the attack surface corresponding to a functional point of the application. The hook device is linked with the prejudgment device: the prejudgment device determines which monitoring information is needed, and the hook device supplies that information in real time.
The prejudgment device: pre-judges the state of each attack surface through the linkage of the rule center with the hook device for each function, outputs the final attack surface state of the application, and forms a preliminary attack surface assessment report.
The method of the present embodiment will be described below with reference to fig. 1.
FIG. 2 is a flowchart of a method for finding an application vulnerability according to an embodiment of the present application. The method of fig. 2 may include:
S201: determine the attack surfaces of the application according to the static program detection information and the running environment detection information of the application.
It should be understood that by analysing the static program detection information and the running environment detection information of the application, the attack surface information of the application can be obtained.
In the attack surface extraction and prejudgment system shown in Fig. 1, before the prejudgment device makes its judgement from the data collected by the hook devices, it must be determined which attack surfaces exist in the application, and the monitoring data of the corresponding hook devices is then requested according to those attack surfaces.
It should be appreciated that part of the attack surface information of an application can be determined from its static program detection information.
For example, if a browser plug-in is present in an application, it can be determined that a browser attack surface exists for the application. Modern web browsers, the most capable of client applications, support HTML, JavaScript and rich web applications. Beyond rendering and executing application logic, they also support underlying protocols such as FTP and HTTP. All of this is implemented in a very large amount of underlying code, and each component has its own attack surface. A browser's attack surface can be attacked by methods such as enticing the user to click and watering-hole attacks.
For another example, a web-driven mobile application also has a corresponding attack surface, and the attack surface exposed by each web-driven mobile application is different.
For another example, many existing applications embed an advertising network, and because the advertising SDK embeds a browser engine (WebView), a browser attack surface exists for these applications, though generally it is reachable only through a man-in-the-middle attack vector. Moreover, unlike traditional browser attacks, such components expose additional attack surfaces that can be compromised remotely using Java reflection attacks. In addition, the advertising framework may pose a significant threat to privacy.
Of course, other attack surface information of the application may also be determined from its static program detection information, which is not described in detail here.
In addition, while an application runs it may interact with other processes, or exercise different functions depending on environment configuration. Part of the attack surface information of the application can be determined from its interaction with processes, or from the functions it exercises, at run time.
For example, applications often need to interact with external devices while running.
The application may interact with external devices over network protocols. Taking the Android system as an example, it includes implementations of protocols such as IP, TCP, UDP and ICMP. If an exploitable buffer overflow appears in the processing of IP packets, it becomes the most serious kind of security vulnerability, since arbitrary code can then be executed remotely in the kernel.
In addition, the communication technology an application uses to interact with external devices is often itself an attack surface. Taking Android devices as an example, they all support various radio-frequency wireless technologies: almost all support Bluetooth, Wi-Fi and GPS, and more recently NFC (near field communication). Each wireless technology operates at a specific frequency and is exposed to a large number of attacks, both active and passive. Active attacks include jamming, spoofing, man-in-the-middle (MitM) and so on. Since Wi-Fi and cellular networks give access to the whole Internet, a very rich attack surface can be reached through them.
Of course, it should be understood that before the attack surfaces of the application are determined, the static program detection information and the running environment detection information of the application may first be acquired. In the attack surface extraction and prejudgment system shown in Fig. 1, both may be acquired through the starter. To determine the attack surfaces more comprehensively and accurately, it is generally necessary to acquire as much static program detection information and running environment detection information as possible. Of course, in a specific deployment the cost of acquiring that volume of data must be weighed against the improvement it brings.
S202, acquiring monitoring data corresponding to the attack surface of the application in operation.
Optionally, as an embodiment, when acquiring the monitoring data corresponding to an attack surface, the monitoring data to collect may be determined according to the type of the attack surface.
Specifically, step S202 may be implemented as: acquiring, according to the type of a first attack surface of the application, the monitoring data corresponding to that type of attack surface.
For example, assuming the attack surface is port 80 with HTTP, in the embodiment of the present application the data the application receives on port 80 may be monitored to obtain information about the data received on that port.
Of course, it should be understood that acquiring, according to the type of the first attack surface, the monitoring data corresponding to that type may specifically be implemented as:
determining, according to the type of the first attack surface, the hook device corresponding to the first attack surface, the hook device being used to intercept the data the application receives on the first attack surface; and
acquiring the monitoring data corresponding to the first attack surface through that hook device.
In the attack surface extraction and prejudgment system shown in Fig. 1, after the prejudgment device determines an attack surface, it can also determine the hook device corresponding to that attack surface.
It should be understood that different types of attack surface require different hook devices to be invoked to collect the data needed for vulnerability detection on that attack surface.
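Steps S201 and S202 above, as an added worked example in Python that is not part of the patent: a function that derives attack surfaces from constructed static and runtime detection records, tags each surface with the attributes defined earlier (category, attack vector, privilege, memory safety) and names the hook device that should collect its monitoring data. The record fields, surface names and hook names are assumptions, since the patent names the two kinds of input but not their format.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


# Hypothetical detection-information records. The patent names the inputs
# (static program detection information, running environment detection
# information) but not their fields, so the fields below are assumptions.
@dataclass
class StaticInfo:
    permissions: Set[str]          # e.g. Android manifest permissions
    embeds_webview: bool           # browser engine embedded (e.g. by an ad SDK)
    native_libraries: List[str]    # C/C++ code shipped with the application


@dataclass
class RuntimeInfo:
    listening_sockets: List[Tuple[str, int]]   # (proto, port) observed at run time
    active_radios: Set[str]                    # "wifi", "bluetooth", "nfc"
    cleartext_http_seen: bool                  # WebView loaded content over plain HTTP


@dataclass
class AttackSurface:
    kind: str           # e.g. "tcp/80 http"
    category: str       # remote / client-side / physically adjacent
    attack_vector: str  # interaction and authentication an attacker needs
    privilege: str      # privilege the code behind the surface runs with
    memory_safe: bool   # False when native (C/C++) code sits behind the surface
    hook: str           # hook device that collects this surface's monitoring data


def determine_attack_surfaces(static: StaticInfo, runtime: RuntimeInfo) -> List[AttackSurface]:
    """S201: derive the attack surfaces from static and runtime detection information."""
    surfaces: List[AttackSurface] = []
    native = bool(static.native_libraries)
    # Remote surfaces: every socket the application listens on while running.
    for proto, port in sorted(set(runtime.listening_sockets)):
        service = {80: "http", 443: "https", 21: "ftp"}.get(port, "unknown")
        surfaces.append(AttackSurface(
            kind=f"{proto}/{port} {service}", category="remote",
            attack_vector="unauthenticated network request", privilege="application sandbox",
            memory_safe=not native, hook=f"socket_hook:{proto}:{port}"))
    # Client-side surface: an embedded browser engine reachable with INTERNET permission.
    if static.embeds_webview and "android.permission.INTERNET" in static.permissions:
        vector = ("man-in-the-middle on cleartext HTTP" if runtime.cleartext_http_seen
                  else "user lured to a malicious page (social engineering)")
        surfaces.append(AttackSurface(
            kind="webview", category="client-side", attack_vector=vector,
            privilege="application sandbox", memory_safe=not native, hook="webview_hook"))
    # Physically adjacent surfaces: short-range radios that are both permitted and active.
    for radio, perm in (("bluetooth", "android.permission.BLUETOOTH"),
                        ("nfc", "android.permission.NFC")):
        if radio in runtime.active_radios and perm in static.permissions:
            surfaces.append(AttackSurface(
                kind=radio, category="physically adjacent",
                attack_vector="attacker within radio range, no user interaction",
                privilege="system radio stack", memory_safe=False, hook=f"{radio}_hook"))
    return surfaces


def hooks_to_enable(surfaces: List[AttackSurface]) -> List[str]:
    """S202: the prejudgment device requests exactly the hook devices covering the surfaces found."""
    return sorted({s.hook for s in surfaces})


# Constructed sample input (not output of any real detector).
SAMPLE_STATIC = StaticInfo(
    permissions={"android.permission.INTERNET", "android.permission.BLUETOOTH"},
    embeds_webview=True, native_libraries=["libmedia_codec.so"])
SAMPLE_RUNTIME = RuntimeInfo(
    listening_sockets=[("tcp", 80), ("tcp", 80), ("udp", 5353)],
    active_radios={"wifi", "bluetooth", "nfc"}, cleartext_http_seen=True)

if __name__ == "__main__":
    found = determine_attack_surfaces(SAMPLE_STATIC, SAMPLE_RUNTIME)
    for s in found:
        print(f"{s.category:20} {s.kind:16} vector={s.attack_vector!r} hook={s.hook}")
    print("hooks to enable:", hooks_to_enable(found))
```

On the sample input the NFC radio is active but the application lacks the NFC permission, so no NFC surface is reported, while the duplicate port 80 socket collapses to one surface; the point is that a surface is claimed only when static and runtime evidence agree, which is what keeps the hook list (and the monitoring cost) small.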
Optionally, as an embodiment, when acquiring the monitoring data corresponding to an attack surface, the monitoring data to collect may be determined according to the type of the attack surface or according to the network intrusion detection rule corresponding to the attack surface.
Taking the port 80/HTTP attack surface again, suppose the network intrusion detection rule of that attack surface targets HTTP attacks; then the data the application receives on port 80 may be monitored to obtain information about that data.
Of course, it should be understood that besides using a hook device to acquire data, in the embodiment of the present application the monitoring data corresponding to an attack surface may also be captured by the sniffer of the Snort tool. Snort captures network packets at the data link layer of the five-layer TCP/IP model; the network interface must be put into promiscuous mode for capture, packets are captured from the network with libpcap or WinPcap depending on the operating system, and the captured packets are handed to the packet decoder. Packets on the network may be Ethernet frames, Token Ring frames, TCP/IP packets, 802.11 frames and so on; the packet decoder decodes them into the unified format Snort understands.
S203: determine, according to the monitoring data corresponding to each attack surface and the network intrusion detection rule corresponding to that attack surface, the attack surfaces of the application in which a vulnerability may exist, where the network intrusion detection rule of an attack surface is a rule configured for that attack surface for network intrusion detection.
In the attack surface extraction and prejudgment system shown in Fig. 1, the prejudgment device, through the linkage of the rule center with the hook device of each function, determines whether an attack surface may have a vulnerability from whether the data acquired by the hook device matches the corresponding rule from the rule center, outputs the final attack surface state of the application, and forms a preliminary attack surface assessment report.
In the embodiment of the present application, the attack surfaces in which a vulnerability may exist are determined from the monitoring data of the application's attack surfaces and the corresponding network intrusion detection rules, which can effectively assist in improving the efficiency of application vulnerability mining.
Optionally, as an embodiment, before step S203 the method may further include:
determining the network intrusion detection rule corresponding to an attack surface of the application according to the type of that attack surface.
It should be appreciated that various tools may be used to configure network intrusion detection rules. One common tool is Snort. In the embodiment of the present application, the network intrusion detection rule of an attack surface may be configured through the network intrusion detection system of the Snort tool.
For example, suppose that for a certain attack surface type it is to be checked whether TCP packets destined for the 202.12.1.0/24 segment on port 80 carry more than 3000 bytes of payload, with a warning issued when such a packet is detected. The corresponding network intrusion detection rule can be configured in Snort as follows:
alert tcp any any -> 202.12.1.0/24 80 (msg:"misc large tcp packet"; dsize:>3000;)
Here the header gives the action, the protocol, the source address and port, the direction, and the destination address and port; dsize tests the payload length rather than the length of the whole packet; and in practice each rule also needs a unique sid option, since Snort 2.9 and later refuse to load a rule without one.
Of course, it should be understood that only the basic form of the network intrusion detection rule can be determined from the attack surface type; its content must be adjusted to specific needs. For example, if the segment to be monitored is 202.12.2.0/24 and the payload threshold is 4000 bytes, the rule should be adjusted accordingly.
In the embodiment of the present application, whether an attack surface has a vulnerability is determined by configuring the network intrusion detection rule corresponding to the attack surface type and analysing the monitoring data corresponding to the attack surface.
Optionally, as another embodiment, before step S203 the method may further include:
acquiring, according to an attack surface of the application, the network intrusion detection rule corresponding to that attack surface from a network intrusion detection rule database, the database storing the mapping between attack surfaces and trained network intrusion detection rules.
It should be understood that applications sharing the same type of attack surface may differ, yet their corresponding network intrusion detection rules are essentially the same or similar. Therefore, in the embodiment of the present application, rules that have proved effective for network intrusion detection, together with their mapping to the attack surfaces they cover, can be stored in a network intrusion detection rule database; when an application needs network intrusion detection, the rules corresponding to its attack surfaces are fetched from the database and loaded as the application's intrusion detection rules.
Of course, it should be understood that step S203 may specifically be implemented as: if the monitoring data of a first attack surface of the application matches the data characteristics of a vulnerability specified by the network intrusion detection rule of that attack surface, the first attack surface is determined to be an attack surface in which a vulnerability may exist.
Taking Snort as an example again, after Snort obtains the data collected and processed by its sniffer, or the data collected by a hook device in the embodiment of the present application, the data can be preprocessed by preprocessor plug-ins. Preprocessors run before misuse detection by rule matching and perform IP fragment reassembly, HTTP decoding, Telnet decoding and the like. Preprocessing includes reassembling fragmented packets and handling some obvious errors. It is done mainly by plug-ins: for example, the HTTP preprocessor normalises and decodes HTTP requests, the Frag2 preprocessor reassembles fragmented packets, the Stream4 preprocessor gives Snort stateful TCP stream tracking, and the portscan preprocessor detects port scans.
After each rule has been evaluated against the obtained packet, Snort's network intrusion detection system applies, according to the rule chain, response mechanisms such as Activation (raise an alert and activate another, Dynamic rule chain), Dynamic (invoked by an Activation rule), Alert (raise an alert), Pass (ignore) and Log (record the traffic without alerting). For example, for the rule above, when Snort detects a TCP packet destined for the 202.12.1.0/24 segment whose payload exceeds 3000 bytes, it can raise an alert indicating that the attack surface corresponding to the rule may have a vulnerability.
It should be understood that the syntax of rules configured in Snort's network intrusion detection system covers elements such as protocol type, content, length and header fields. When the rule file is processed, rule information can be stored in a three-dimensional linked list so that subsequent packets can be matched against it and a response generated. The throughput of rule detection depends on the number of rules, the performance of the machine running Snort, the network load and other factors.
In Snort, the rule matching result for a detected packet can be output in various forms: to an alert file, to other log files, to a database, to a UNIX domain socket and so on. In the embodiment of the present application, the possible vulnerabilities in the application's attack surfaces can be analysed and determined from these output files.
Of course, it should be understood that in the embodiment of the present application, the number of vulnerabilities that may exist in an attack surface can also be determined from the monitoring data corresponding to the attack surface and the corresponding network intrusion detection rule.
For example, in Snort's network intrusion detection system, the number of possible vulnerabilities in the attack surface corresponding to a rule can be determined by analysing the log entries the rule produced, according to their content, type and so on. Determining the number of possible vulnerabilities of an attack surface gives, to some extent, the risk level of that attack surface being compromised. Of course, it should be understood that an attack surface with many vulnerabilities does not necessarily have a higher risk level than one with few: the risk level also depends on the exploitability of each vulnerability, the harm it causes once exploited, and so on.
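The matching step of S203, the rule adaptation described under the Snort example, and the per-surface hit counting of the preceding paragraph, as an added worked example in Python that is not part of the patent and is not Snort's own engine: a minimal matcher for Snort-style rule headers with msg, dsize and content options, run over constructed hook-device records grouped by attack surface. Surface names, record fields and sample addresses are assumptions; in a real deployment the rules would be loaded into Snort itself and its alert output parsed, but the matching semantics shown here (destination network, port, payload length) are the ones the rule on this page relies on.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """One monitoring record from a hook device (fields are assumptions)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]            # None means "any"
    msg: str
    dsize: Optional[Tuple[int, int]]   # inclusive (low, high) bounds on payload length
    content: Optional[bytes]


# Snort-style header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def _split_options(opts: str) -> List[Tuple[str, str]]:
    """Split 'k:v; k2:v2;' on semicolons that lie outside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs


def _parse_dsize(value: str) -> Tuple[int, int]:
    """Supports the dsize forms used on this page: >N, <N and exact N."""
    value = value.replace(" ", "")
    if value.startswith(">"):
        return int(value[1:]) + 1, 1 << 31
    if value.startswith("<"):
        return 0, int(value[1:]) - 1
    return int(value), int(value)


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    dst = m["dst"]
    dst_net = ipaddress.ip_network("0.0.0.0/0" if dst == "any" else dst, strict=False)
    dst_port = None if m["dport"] == "any" else int(m["dport"])
    msg, dsize, content = "", None, None
    for key, value in _split_options(m["opts"]):
        if key == "msg":
            msg = value.strip('"')
        elif key == "dsize":
            dsize = _parse_dsize(value)
        elif key == "content":
            content = value.strip('"').encode()
        # sid, rev, classtype and other options are accepted and ignored here
    return Rule(m["action"], m["proto"], dst_net, dst_port, msg, dsize, content)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every header field and option of the rule."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in rule.dst_net:
        return False
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    if rule.dsize is not None and not (rule.dsize[0] <= len(pkt.payload) <= rule.dsize[1]):
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def prejudge(monitoring: Dict[str, List[Packet]], rules: Dict[str, List[str]]) -> Dict[str, dict]:
    """S203 as a matcher: per attack surface, count alerts fired by its rules over its hook data."""
    report = {}
    for surface, packets in monitoring.items():
        parsed = [parse_rule(r) for r in rules.get(surface, [])]
        hits = [rule.msg for pkt in packets for rule in parsed
                if rule.action == "alert" and matches(rule, pkt)]
        report[surface] = {"alerts": len(hits), "messages": sorted(set(hits)),
                           "possible_vulnerability": bool(hits)}
    return report


# Constructed sample rules and hook-device records (not real traffic).
RULES = {
    "tcp/80 http": ['alert tcp any any -> 202.12.1.0/24 80 (msg:"misc large tcp packet"; dsize:>3000; sid:1000001;)'],
    "tcp/80 http (adapted)": ['alert tcp any any -> 202.12.2.0/24 80 (msg:"misc large tcp packet"; dsize:>4000; sid:1000002;)'],
}
MONITORING = {
    "tcp/80 http": [
        Packet("tcp", "10.0.0.5", 51234, "202.12.1.9", 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
        Packet("tcp", "10.0.0.5", 51235, "202.12.1.9", 80, b"POST /u HTTP/1.1\r\n\r\n" + b"A" * 3500),
    ],
    "tcp/80 http (adapted)": [
        Packet("tcp", "10.0.0.7", 40000, "202.12.2.4", 80, b"B" * 3500),  # under the adapted 4000-byte threshold
    ],
}

if __name__ == "__main__":
    for surface, result in prejudge(MONITORING, RULES).items():
        print(surface, result)
```

The same 3500-byte payload fires the original rule on the 202.12.1.0/24 surface and stays silent under the adapted 4000-byte rule on the 202.12.2.0/24 surface, which is the adjustment the text describes; the alert count per surface is what the report of the preceding paragraph would be built from, and, as the text warns, it is a count of rule hits, not a measure of exploitability.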
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application. Referring to Fig. 3, at the hardware level the electronic device includes a processor and optionally an internal bus, a network interface and a memory. The memory may include volatile memory, such as random-access memory (RAM), and may further include non-volatile memory, such as at least one disk. Of course, the electronic device may also include hardware required by other services.
The processor, the network interface, and the memory may be connected to each other via an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 3, but this does not indicate only one bus or one type of bus.
And the memory is used for storing programs. In particular, the program may include program code comprising computer operating instructions. The memory may include both memory and non-volatile storage and provides instructions and data to the processor.
The processor reads the corresponding computer program from the non-volatile memory into memory and then runs it, forming the application vulnerability discovery apparatus at the logical level. The processor is used for executing the program stored in the memory and is specifically used for executing the following operations:
determining an attack surface of the application according to the static program detection information and the running environment detection information of the application;
acquiring monitoring data corresponding to the attack surface while the application is running;
and determining, according to the monitoring data corresponding to the attack surface and the network intrusion detection rule corresponding to the attack surface, which of the application's attack surfaces may have a vulnerability, wherein the network intrusion detection rule of an attack surface is a rule configured for that attack surface for the purpose of network intrusion detection.
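The three operations above, as an added example that is not the patent's own code: attack surfaces are derived from constructed static and runtime detection information, a rule database maps each attack surface type to its configured rules, and a surface is flagged when any of its monitoring data matches a rule. The rule matching imitates Snort's content, nocase and depth options in simplified form and is not the Snort engine; the surface names, SIDs, detection information and payloads are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AttackSurface:
    name: str          # concrete surface, e.g. the "webview" component
    origin: str        # "static" (program detection) or "runtime" (environment detection)
    surface_type: str  # type used to look up the configured intrusion detection rules


# Constructed detection information, standing in for a static program scan
# (plug-ins, web drivers, ad SDKs) and a runtime environment scan (protocols and
# communication technologies used when talking to external devices).
STATIC_INFO = {"browser_plugins": ["pdf_viewer"], "web_drivers": ["webview"], "ad_networks": ["adsdk"]}
RUNTIME_INFO = {"protocols": ["http", "mqtt"], "comm_technologies": ["bluetooth"]}

STATIC_TYPES = {"browser_plugins": "browser_plugin", "web_drivers": "web_driver", "ad_networks": "ad_network"}
RUNTIME_TYPES = {"protocols": "network_protocol", "comm_technologies": "comm_technology"}


def determine_attack_surfaces(static_info: dict, runtime_info: dict) -> List[AttackSurface]:
    """Operation 1: derive the application's attack surfaces from both detection sources."""
    surfaces: List[AttackSurface] = []
    for key, stype in STATIC_TYPES.items():
        surfaces += [AttackSurface(n, "static", stype) for n in static_info.get(key, [])]
    for key, stype in RUNTIME_TYPES.items():
        surfaces += [AttackSurface(n, "runtime", stype) for n in runtime_info.get(key, [])]
    return surfaces


@dataclass(frozen=True)
class NidsRule:
    """Simplified Snort-style rule: one content pattern, optional nocase and depth."""
    sid: int
    msg: str
    content: bytes
    nocase: bool = False
    depth: Optional[int] = None  # pattern must lie entirely within the first `depth` bytes

    def matches(self, data: bytes) -> bool:
        window = data if self.depth is None else data[:self.depth]
        if self.nocase:
            return self.content.lower() in window.lower()
        return self.content in window


# Rule database: the mapping from attack surface type to the rules configured for it.
RULE_DB: Dict[str, List[NidsRule]] = {
    "web_driver": [
        NidsRule(1000001, "javascript: scheme in webview request", b"javascript:", nocase=True),
        NidsRule(1000002, "inline script tag in webview request", b"<script", nocase=True),
    ],
    "ad_network": [NidsRule(1000010, "eval in ad creative", b"eval(", nocase=True)],
    "network_protocol": [NidsRule(1000003, "dot-dot segment in request line", b"../", depth=64)],
}


def rules_for(surface: AttackSurface) -> List[NidsRule]:
    """Operation 3a: rules configured for this surface's type (empty if none are)."""
    return RULE_DB.get(surface.surface_type, [])


def find_vulnerable_surfaces(surfaces: List[AttackSurface],
                             monitoring: Dict[str, List[bytes]]) -> Dict[str, List[int]]:
    """Operation 3b: a surface may have a vulnerability when any of its monitoring
    data matches one of its rules; the value lists the matching rule SIDs."""
    flagged: Dict[str, List[int]] = {}
    for surface in surfaces:
        hits = {r.sid for payload in monitoring.get(surface.name, [])
                for r in rules_for(surface) if r.matches(payload)}
        if hits:
            flagged[surface.name] = sorted(hits)
    return flagged


# Constructed monitoring data captured while the application runs (operation 2).
MONITORING: Dict[str, List[bytes]] = {
    "webview": [b"GET /page?cb=JavaScript:window.bridge.exec HTTP/1.1\r\n", b"GET /ok HTTP/1.1\r\n"],
    "adsdk": [b'{"ad": "banner", "creative": "<img src=x>"}'],
    "http": [b"GET /files/../../config HTTP/1.1\r\n",
             b"GET /ok HTTP/1.1\r\nX-Note: " + b"a" * 60 + b"../"],  # "../" lies beyond depth 64
    "mqtt": [b"\x10\x0c\x00\x04MQTT\x04\x02\x00\x3c"],
}


def run() -> Dict[str, List[int]]:
    return find_vulnerable_surfaces(determine_attack_surfaces(STATIC_INFO, RUNTIME_INFO), MONITORING)


if __name__ == "__main__":
    print(run())  # {'webview': [1000001], 'http': [1000003]}
```

Note that `adsdk` is not flagged even though its creative contains markup: the `<script` rule belongs to the web_driver type, not the ad_network type, so the mapping from surface type to rule decides what counts as a hit, and `bluetooth` has data from no rule at all and is simply skipped.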
The method executed by the application vulnerability discovery apparatus according to the embodiment shown in fig. 3 may be applied to or implemented by a processor. The processor may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed by such a processor. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present application may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM or EPROM, or registers. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the method in combination with its hardware.
The electronic device may further execute the method shown in fig. 2 and implement the function of the attack surface extraction prejudging system in the embodiment shown in fig. 1, or the function of the vulnerability discovery apparatus in the embodiment shown in fig. 2, which is not described again here.
Of course, besides the software implementation, the electronic device of the present application does not exclude other implementations, such as a logic device or a combination of software and hardware; that is, the execution subject of the processing flow is not limited to logic units and may also be hardware or a logic device.
Embodiments of the present application also provide a computer-readable storage medium storing one or more programs, where the one or more programs include instructions which, when executed by a portable electronic device including a plurality of application programs, enable the portable electronic device to perform the method of the embodiment shown in fig. 2, and are specifically configured to:
determining an attack surface of the application according to the static program detection information and the running environment detection information of the application;
acquiring monitoring data corresponding to the attack surface while the application is running;
and determining, according to the monitoring data corresponding to the attack surface and the network intrusion detection rule corresponding to the attack surface, which of the application's attack surfaces may have a vulnerability, wherein the network intrusion detection rule of an attack surface is a rule configured for that attack surface for the purpose of network intrusion detection.
Fig. 4 is a schematic structural diagram of an application vulnerability discovery apparatus 400 according to an embodiment of the present application. Referring to fig. 4, in a software implementation the application vulnerability discovery apparatus 400 may include a determining unit 410 and an obtaining unit 420, wherein:
the determining unit 410 determines an attack surface of the application according to the static program detection information and the running environment detection information of the application;
the obtaining unit 420 obtains the monitoring data corresponding to the attack surface while the application is running;
the determining unit 410 further determines, according to the monitoring data corresponding to the attack surface and the network intrusion detection rule corresponding to the attack surface, which of the application's attack surfaces may have a vulnerability, where the network intrusion detection rule of an attack surface is a rule configured for that attack surface for network intrusion detection.
In the embodiment of the present application, the attack surface that may have a vulnerability is determined from the monitoring data of the application's attack surface and the network intrusion detection rule corresponding to it, which effectively assists in improving the efficiency of application vulnerability discovery.
Optionally, as an embodiment, the determining unit 410 is specifically configured to: if the monitoring data of a first attack surface of the application conforms to the data characteristics of a vulnerability specified by the network intrusion detection rule of the first attack surface, determine the first attack surface of the application as an attack surface that may have a vulnerability.
Further, the determining unit 410 may also determine the number of possible vulnerabilities in the first attack surface of the application.
Optionally, as an embodiment, the obtaining unit 420 further obtains the network intrusion detection rule corresponding to the application's attack surface from a network intrusion detection rule database, where the network intrusion detection rule database stores the mapping relationship between attack surfaces and trained network intrusion detection rules.
Or, optionally, as another embodiment, the determining unit 410 further determines, according to the type of the application's attack surface, the network intrusion detection rule corresponding to that attack surface.
Optionally, the network intrusion detection rules are configured with the Snort tool.
Optionally, the obtaining unit 420 is specifically configured to obtain, according to the type of a first attack surface of the application, the monitoring data corresponding to that type of attack surface.
Further, the obtaining unit 420 is specifically configured to:
determine a hook device corresponding to the first attack surface according to the type of the first attack surface of the application, where the hook device is used for intercepting data received by the application on the first attack surface;
and obtain the monitoring data corresponding to the first attack surface through the hook device corresponding to the first attack surface.
Or, optionally, as another embodiment, the obtaining unit 420 is specifically configured to obtain, according to the network intrusion detection rule of a first attack surface of the application, the monitoring data required by that rule.
The application vulnerability discovery apparatus 400 may also implement the method in the embodiment shown in fig. 2; for the specific implementation, reference may be made to the attack surface extraction prejudging system in the embodiment shown in fig. 1 or the method in the embodiment shown in fig. 2, which is not described again.
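The obtaining unit's two options above (a hook device chosen by attack surface type, and collecting only the monitoring data a surface's rules require), as an added example that is not the patent's own code: a hook device wraps the application's receive callable for one surface, records a normalised copy of every message without changing what the application sees, and the collected records are then trimmed to the fields the configured rules inspect. The surface types, the normalisers, the `RuleDataRequirement` field lists (Snort rules carry no such list; it is an assumption of this sketch) and the sample inbox are constructed for illustration.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class RuleDataRequirement:
    """Which monitoring fields a rule inspects (constructed; not part of a Snort rule)."""
    sid: int
    surface_type: str
    fields: Tuple[str, ...]


RULE_REQUIREMENTS = [
    RuleDataRequirement(1000001, "web_driver", ("url",)),
    RuleDataRequirement(1000002, "web_driver", ("headers",)),
    RuleDataRequirement(1000003, "network_protocol", ("payload",)),
]


# Normalisers turn whatever the application's receive call returns for a given
# surface type into a flat dict of named monitoring fields.
def webview_normaliser(raw: Tuple[str, Dict[str, str], str]) -> Dict[str, Any]:
    url, headers, body = raw
    return {"url": url, "headers": dict(headers), "body": body}


def socket_normaliser(raw: Tuple[str, bytes]) -> Dict[str, Any]:
    peer, payload = raw
    return {"peer": peer, "payload": bytes(payload)}


NORMALISER_BY_TYPE: Dict[str, Callable[[Any], Dict[str, Any]]] = {
    "web_driver": webview_normaliser,
    "network_protocol": socket_normaliser,
}


class HookDevice:
    """Intercepts data received on one attack surface by wrapping the receive
    callable; the application still gets the unmodified message."""

    def __init__(self, surface: str, surface_type: str):
        if surface_type not in NORMALISER_BY_TYPE:
            raise ValueError(f"no hook device for attack surface type {surface_type!r}")
        self.surface = surface
        self.surface_type = surface_type
        self._normalise = NORMALISER_BY_TYPE[surface_type]
        self.records: List[Dict[str, Any]] = []

    def wrap(self, receive: Callable[..., Any]) -> Callable[..., Any]:
        def hooked(*args: Any, **kwargs: Any) -> Any:
            raw = receive(*args, **kwargs)
            # Store a copy so later mutation by the application cannot alter the record.
            self.records.append(deepcopy(self._normalise(raw)))
            return raw
        return hooked


def hook_device_for(surface: str, surface_type: str) -> HookDevice:
    """Choose the hook device from the attack surface type (the obtaining unit's first step)."""
    return HookDevice(surface, surface_type)


def fields_required(surface_type: str, requirements: List[RuleDataRequirement]) -> Set[str]:
    """Union of the fields needed by every rule configured for this surface type."""
    return {f for r in requirements if r.surface_type == surface_type for f in r.fields}


def monitoring_data(hook: HookDevice, requirements: List[RuleDataRequirement]) -> List[Dict[str, Any]]:
    """Keep only the fields the surface's rules need, so e.g. a response body is
    not retained when no rule inspects it."""
    wanted = fields_required(hook.surface_type, requirements)
    return [{k: v for k, v in rec.items() if k in wanted} for rec in hook.records]


def demo() -> Tuple[HookDevice, List[Dict[str, Any]]]:
    # Constructed inbox standing in for what a webview component receives.
    inbox = [
        ("https://app.example/page?cb=1", {"Host": "app.example"}, "<html>ok</html>"),
        ("https://app.example/login", {"Host": "app.example", "X-Req": "2"}, "<html>form</html>"),
    ]

    def app_receive():
        return inbox.pop(0)

    hook = hook_device_for("webview", "web_driver")
    receive = hook.wrap(app_receive)  # the application now calls the hooked receive
    receive()
    receive()
    return hook, monitoring_data(hook, RULE_REQUIREMENTS)


if __name__ == "__main__":
    _, data = demo()
    print(data)
```

Requesting an unknown surface type raises instead of silently collecting nothing, so a surface that the static or runtime detection reports but for which no hook exists shows up as a configuration gap rather than as an absence of alerts.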
In short, the above description is only a preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Computer-readable media, including both volatile and non-volatile, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.

Claims (11)

1. A method for finding application vulnerabilities, comprising:
determining an attack surface of the application according to static program detection information and running environment detection information of the application, wherein the attack surface detected according to the static program detection information comprises at least one or more of an attack surface of a component of a browser plug-in, an attack surface of a web driver and an attack surface of an embedded advertising network, and the attack surface detected according to the running environment detection information comprises at least a communication technology and/or a network protocol adopted when the application interacts with external equipment;
determining a network intrusion detection rule corresponding to the attack surface of the application according to the type of the attack surface of the application;
acquiring monitoring data corresponding to the attack surface while the application runs, wherein the monitoring data corresponding to the attack surface is determined based on the type of the attack surface or on the network intrusion detection rule corresponding to the attack surface;
and determining, according to the monitoring data corresponding to the attack surface and the network intrusion detection rule corresponding to the attack surface, which of the application's attack surfaces may have a vulnerability, wherein the network intrusion detection rule of an attack surface is a rule configured for network intrusion detection on that attack surface.
2. The method of claim 1, wherein determining, according to the monitoring data corresponding to the attack surface and the network intrusion detection rule corresponding to the attack surface, which of the application's attack surfaces may have a vulnerability comprises:
if the monitoring data of a first attack surface of the application conforms to the data characteristics of a vulnerability specified by the network intrusion detection rule of the first attack surface, determining the first attack surface of the application as an attack surface that may have a vulnerability.
3. The method of claim 2,
the method further comprises: determining the number of possible vulnerabilities in the first attack surface of the application.
4. The method of claim 1, wherein before determining, according to the monitoring data corresponding to the attack surface and the network intrusion detection rule corresponding to the attack surface, which of the application's attack surfaces may have a vulnerability, the method further comprises:
acquiring the network intrusion detection rule corresponding to the application's attack surface from a network intrusion detection rule database according to that attack surface, wherein the network intrusion detection rule database stores the mapping relationship between attack surfaces and trained network intrusion detection rules.
5. The method of claim 1 or 4,
wherein the network intrusion detection rules are configured with the Snort tool.
6. The method of claim 1, wherein acquiring monitoring data corresponding to the attack surface while the application runs comprises:
acquiring, according to the type of a first attack surface of the application, the monitoring data corresponding to that type of attack surface.
7. The method of claim 6, wherein acquiring, according to the type of the first attack surface of the application, the monitoring data corresponding to that type of attack surface comprises:
determining a hook device corresponding to the first attack surface according to the type of the first attack surface of the application, wherein the hook device is used for intercepting data received by the application on the first attack surface;
and acquiring the monitoring data corresponding to the first attack surface through the hook device corresponding to the first attack surface.
8. The method of claim 1, wherein acquiring monitoring data corresponding to the attack surface while the application runs comprises:
acquiring, according to the network intrusion detection rule of a first attack surface of the application, the monitoring data required by that network intrusion detection rule.
9. An application vulnerability discovery apparatus, comprising:
a determining unit and an application processing unit, wherein the determining unit determines an attack surface of an application according to static program detection information and running environment detection information of the application, the attack surface detected according to the static program detection information comprises at least one or more of an attack surface of a browser plug-in, an attack surface of a web driver and an attack surface of an advertisement network, and the attack surface detected according to the running environment detection information comprises at least a communication technology and/or a network protocol adopted when the application interacts with external equipment;
an acquisition unit, which acquires the monitoring data corresponding to the attack surface while the application runs, wherein the monitoring data corresponding to the attack surface is determined based on the type of the attack surface or on the network intrusion detection rule corresponding to the attack surface;
wherein the determining unit further determines the network intrusion detection rule corresponding to the attack surface according to the type of the attack surface, and determines, according to the monitoring data corresponding to the attack surface and the network intrusion detection rule corresponding to the attack surface, which of the application's attack surfaces may have a vulnerability, and wherein the network intrusion detection rule of an attack surface is a rule configured for network intrusion detection on that attack surface.
10. An electronic device, comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
determining an attack surface of the application according to static program detection information and running environment detection information of the application, wherein the attack surface detected according to the static program detection information comprises at least one or more of an attack surface of a browser plug-in, an attack surface of a web driver and an attack surface of an embedded advertising network, and the attack surface detected according to the running environment detection information comprises at least a communication technology and/or a network protocol adopted when the application interacts with external equipment;
determining a network intrusion detection rule corresponding to the attack surface of the application according to the type of the attack surface of the application;
acquiring monitoring data corresponding to the attack surface while the application runs, wherein the monitoring data corresponding to the attack surface is determined based on the type of the attack surface or on the network intrusion detection rule corresponding to the attack surface;
and determining, according to the monitoring data corresponding to the attack surface and the network intrusion detection rule corresponding to the attack surface, which of the application's attack surfaces may have a vulnerability, wherein the network intrusion detection rule of an attack surface is a rule configured for network intrusion detection on that attack surface.
11. A computer-readable storage medium storing one or more programs that, when executed by an electronic device including a plurality of application programs, cause the electronic device to:
determining an attack surface of the application according to static program detection information and running environment detection information of the application, wherein the attack surface detected according to the static program detection information comprises at least one or more of an attack surface of a browser plug-in, an attack surface of a web driver and an attack surface of an embedded advertising network, and the attack surface detected according to the running environment detection information comprises at least a communication technology and/or a network protocol adopted when the application interacts with external equipment;
determining a network intrusion detection rule corresponding to the attack surface of the application according to the type of the attack surface of the application;
acquiring monitoring data corresponding to the attack surface while the application runs, wherein the monitoring data corresponding to the attack surface is determined based on the type of the attack surface or on the network intrusion detection rule corresponding to the attack surface;
and determining, according to the monitoring data corresponding to the attack surface and the network intrusion detection rule corresponding to the attack surface, which of the application's attack surfaces may have a vulnerability, wherein the network intrusion detection rule of an attack surface is a rule configured for network intrusion detection on that attack surface.

Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
| --- | --- | --- | --- |
| CN201710666451.2A CN107506648B (en) | 2017-08-07 | 2017-08-07 | Method, device and system for searching application vulnerability |

Applications Claiming Priority (1)

| Application Number | Priority Date | Filing Date | Title |
| --- | --- | --- | --- |
| CN201710666451.2A CN107506648B (en) | 2017-08-07 | 2017-08-07 | Method, device and system for searching application vulnerability |

Publications (2)

| Publication Number | Publication Date |
| --- | --- |
| CN107506648A CN107506648A (en) | 2017-12-22 |
| CN107506648B true CN107506648B (en) | 2021-02-23 |

Family

ID=60689037

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
| --- | --- | --- | --- |
| CN201710666451.2A Active CN107506648B (en) | Method, device and system for searching application vulnerability | 2017-08-07 | 2017-08-07 |

Country Status (1)

| Country | Link |
| --- | --- |
| CN (1) | CN107506648B (en) |

Families Citing this family (12)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
| --- | --- | --- | --- | --- |
| CN109218315B (en) * | 2018-09-20 | 2021-06-01 | 华为技术有限公司 | Safety management method and safety management device |
| DE102018221349A1 (en) * | 2018-12-10 | 2020-06-10 | Robert Bosch Gmbh | Procedure for managing a store |
| CN111435393B (en) * | 2019-01-14 | 2024-04-16 | 北京京东尚科信息技术有限公司 | Object vulnerability detection method, device, medium and electronic equipment |
| DE102019205977A1 (en) | 2019-04-25 | 2020-10-29 | Robert Bosch Gmbh | Electromechanical brake pressure generator for a hydraulic brake system of a vehicle and method for producing an electromechanical brake pressure generator |
| CN110365673B (en) * | 2019-07-11 | 2021-09-03 | 武汉思普崚技术有限公司 | Method, server and system for isolating network attack plane |
| CN110213301B (en) * | 2019-07-11 | 2021-09-03 | 武汉思普崚技术有限公司 | Method, server and system for transferring network attack plane |
| CN110381047B (en) * | 2019-07-11 | 2021-09-03 | 武汉思普崚技术有限公司 | Network attack surface tracking method, server and system |
| CN110365674B (en) * | 2019-07-11 | 2021-09-03 | 武汉思普崚技术有限公司 | Method, server and system for predicting network attack surface |
| CN110619219B (en) * | 2019-07-31 | 2021-08-24 | 广州亚美信息科技有限公司 | Application program source code protection method and device, computer equipment and storage medium |
| CN111740992B (en) * | 2020-06-19 | 2022-08-30 | 北京字节跳动网络技术有限公司 | Website security vulnerability detection method, device, medium and electronic equipment |
| CN113660296B (en) * | 2021-10-21 | 2023-04-18 | 中国核电工程有限公司 | Method and device for detecting anti-attack performance of industrial control system and computer equipment |
| CN114070648A (en) * | 2021-12-02 | 2022-02-18 | 北京神州新桥科技有限公司 | Evaluation method, device, equipment and storage medium for configuring network security policy |

Family Cites Families (3)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
| --- | --- | --- | --- | --- |
| US8584242B2 (en) * | 2011-07-12 | 2013-11-12 | At&T Intellectual Property I, L.P. | Remote-assisted malware detection |
| US10318728B2 (en) * | 2014-12-16 | 2019-06-11 | Entit Software Llc | Determining permissible activity based on permissible activity rules |
| CN106022116B (en) * | 2016-05-12 | 2018-11-06 | 南京大学 | The automation patch system and method attacked between being applied based on Android program |

Also Published As

| Publication number | Publication date |
| --- | --- |
| CN107506648A (en) | 2017-12-22 |


Legal Events

| Code | Title | Description |
| --- | --- | --- |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20200923. Applicant before: Advanced innovation technology Co.,Ltd. Applicant after: Innovative advanced technology Co.,Ltd. Address (before and after): Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman, British Islands |
| TA01 | Transfer of patent application right | Effective date of registration: 20200923. Applicant before: Alibaba Group Holding Ltd., A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands. Applicant after: Advanced innovation technology Co.,Ltd., Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman, British Islands |
| GR01 | Patent grant | |