CN113821570A - Data processing method based on block chain and SQL - Google Patents


Publication number
CN113821570A
Authority
CN
China
Prior art keywords
execution function
execution
executed
function
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111382975.1A
Other languages
Chinese (zh)
Other versions
CN113821570B (en)
Inventor
谢家贵
李志平
马若龙
郭健
张波
朱斯语
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Academy of Information and Communications Technology CAICT
Original Assignee
China Academy of Information and Communications Technology CAICT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Academy of Information and Communications Technology CAICT
Priority to CN202111382975.1A
Publication of CN113821570A
Application granted
Publication of CN113821570B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23 Updating
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2471 Distributed queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Mining & Analysis (AREA)
  • Probability & Statistics with Applications (AREA)
  • Mathematical Physics (AREA)
  • Fuzzy Systems (AREA)
  • Computing Systems (AREA)
  • Computational Linguistics (AREA)
  • Debugging And Monitoring (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The embodiment of the application provides a data processing method based on a block chain and SQL, which comprises the following steps: firstly, acquiring user information; then calling an intelligent contract corresponding to the user information according to the binding relationship, wherein the intelligent contract comprises an SQL database address; determining, from the plurality of node servers and according to the SQL database address, a target node server storing the SQL database corresponding to the intelligent contract; then, acquiring a transaction operation to be processed; and finally executing the transaction operation to be processed on the target node server according to the intelligent contract, so as to update the SQL database and obtain an execution result.

Description

Data processing method based on block chain and SQL
Technical Field
The present application relates to a blockchain technology, and in particular, to a data processing method based on a blockchain and SQL.
Background
Current block chain storage technology is not well integrated with traditional database storage. In the prior art, in order to adjust (including modifying and operating on) data in an intelligent contract of the block chain, a technician is required to perform operations at the underlying code level based on a KV (key-value) database structure, so that the responsible person must rely on a professional technician to perform the operations, and neither the modification process nor the modified content is intuitive.
Disclosure of Invention
The embodiment of the application provides a data processing method and device based on a block chain and SQL, computer equipment and a readable storage medium.
In a first aspect, an embodiment of the present application provides a data processing method based on a block chain and SQL, which is applied to the block chain, where the block chain stores a plurality of intelligent contracts, the intelligent contracts have a binding relationship with user information, and the block chain includes a plurality of node servers, and the method includes:
acquiring user information;
calling an intelligent contract corresponding to the user information according to the binding relationship, wherein the intelligent contract comprises an SQL database address;
according to the SQL database address, determining, from the plurality of node servers, a target node server storing the SQL database corresponding to the intelligent contract;
acquiring a transaction operation to be processed;
and executing the transaction operation to be processed on the target node server according to the intelligent contract so as to update the SQL database and obtain an execution result.
In one possible embodiment, the node server is configured with a filter, the intelligent contract includes an execution function, and the executing of the pending transaction operation on the target node server according to the intelligent contract includes:
and in the case that the execution function passes through the filter, executing the transaction operation to be processed at the target node server according to the execution function.
In one possible embodiment, the step of determining whether the execution function passes the filter includes:
judging whether the contract identification of the intelligent contract corresponding to the execution function is matched with the database identification of the SQL database;
if the contract identifier is matched with the database identifier, judging whether the execution function exists in a preset execution function range, and if the execution function exists in the preset execution function range, judging that the execution function passes through the filter; if the execution function does not exist in the preset execution function range, judging that the execution function does not pass through the filter;
if the contract identifier does not match the database identifier, it is determined that the executing function does not pass through the filter.
In one possible embodiment, before executing the pending transaction operation on the target node server according to the smart contract, the method further comprises:
acquiring an execution function to be executed;
carrying out first code structure detection on an execution function to be executed to obtain a first code structure detection result corresponding to the execution function to be executed;
performing first command source detection processing on the execution function to be executed according to the first code structure detection result corresponding to the execution function to be executed, to obtain a first command source detection result corresponding to the execution function to be executed, wherein the first command source detection processing refers to the first command source detection performed on the execution function to be executed;
executing the to-be-executed execution function subjected to the first command source detection processing based on the virtual SQL database, and outputting a corresponding execution result of the to-be-executed execution function after the virtual SQL database is executed, wherein the virtual SQL database is used for performing simulation analysis on the execution function through a virtual execution algorithm;
performing second code structure detection and second command source detection on the execution result, respectively, to obtain a second code structure detection result and a second command source detection result corresponding to the execution result, wherein the second command source detection processing refers to the second command source detection performed on the execution function to be executed; command source detection processing refers to analyzing the program code in the execution function, without executing the execution function, to find a malicious tampering code group in the execution function consisting of risk command content, a command generation variable and a risk target command; the risk command content comprises target risk command content, and the target risk command content is a character string variable with a length larger than a preset threshold value; in a malicious tampering code group containing the target risk command content, when the target risk command content transmits data to the risk target command by assignment, the command source detection result of the execution function corresponding to the malicious tampering code group is that the execution function is not abnormal;
and when at least one detection result of the first code structure detection result, the first command source detection result, the second code structure detection result and the second command source detection result corresponding to the execution function to be executed is abnormal, determining that the execution function to be executed is an abnormal execution function.
In a possible implementation manner, the current execution function is an execution function to be executed, and the current-order code structure detection is performed on the current execution function to obtain a current-order code structure detection result corresponding to the current execution function, including:
extracting feature information from the current execution function to obtain at least one feature information to be matched;
matching each feature information to be matched with the feature information of the abnormal execution function; the abnormal execution function characteristic information comprises at least one of abnormal execution function code information, abnormal execution function regular string information and abnormal execution function entropy information;
and when at least one piece of feature information to be matched is successfully matched, determining that the current-order code structure detection result corresponding to the current execution function is abnormal.
In one possible implementation, the method for generating the entropy information of the abnormal execution function includes the following steps:
acquiring a plurality of abnormal execution functions;
respectively extracting code elements from each abnormal execution function to obtain a code element set corresponding to each abnormal execution function, wherein the code element set comprises a plurality of code elements and position information corresponding to each code element;
generating corresponding undetermined entropy information based on a code element set corresponding to the same abnormal execution function to obtain undetermined entropy information corresponding to each abnormal execution function;
and generating abnormal execution function entropy information based on each piece of undetermined entropy information.
In a possible embodiment, performing a first command source detection process on an execution function to be executed according to a first code structure detection result corresponding to the execution function to be executed to obtain a first command source detection result corresponding to the execution function to be executed includes:
and when the first code structure detection result indicates that the execution function is abnormal, performing first command source detection processing on the execution function to be executed to obtain a first command source detection result corresponding to the execution function to be executed.
In one possible implementation, the node server is configured with a private key, the SQL database is configured with a password, the private key is used for encrypting the password, and before executing the pending transaction operation on the target node server according to the intelligent contract to update the SQL database, the method further includes:
calling a target private key of a target node server to decrypt the password of the SQL database;
and calling the password of the decrypted SQL database so as to connect the target node server to the SQL database.
In one possible embodiment, the method further comprises:
judging whether the execution results received by the plurality of node servers are consistent;
if yes, judging that the execution result is normal;
if not, the SQL data is judged to be tampered.
In a second aspect, an embodiment of the present application provides a data processing apparatus based on a block chain and SQL, which is applied to the block chain, where the block chain stores a plurality of intelligent contracts, the intelligent contracts have a binding relationship with user information, the block chain includes a plurality of node servers, and the apparatus includes:
the matching module is used for acquiring user information; calling an intelligent contract corresponding to the user information according to the binding relationship, wherein the intelligent contract comprises an SQL database address; and determining, from the plurality of node servers and according to the SQL database address, a target node server storing the SQL database corresponding to the intelligent contract;
the execution module is used for acquiring transaction operation to be processed; and executing the transaction operation to be processed on the target node server according to the intelligent contract so as to update the SQL database and obtain an execution result.
In a third aspect, an embodiment of the present application provides a computer device, where the computer device includes a processor and a nonvolatile memory storing computer commands, and when the computer commands are executed by the processor, the computer device executes the data processing method based on the blockchain and the SQL in at least one possible implementation manner of the first aspect.
In a fourth aspect, an embodiment of the present application provides a readable storage medium, where the readable storage medium includes a computer program, and the computer program, when running, controls a computer device in which the readable storage medium is located to execute the data processing method based on the block chain and the SQL in at least one possible implementation manner of the first aspect.
By adopting the data processing method based on the block chain and the SQL provided by the embodiment of the application, user information is firstly obtained; then an intelligent contract corresponding to the user information is called according to the binding relationship, wherein the intelligent contract comprises an SQL database address; a target node server storing the SQL database corresponding to the intelligent contract is determined from the plurality of node servers according to the SQL database address; then, a transaction operation to be processed is acquired; and finally the transaction operation to be processed is executed on the target node server according to the intelligent contract, so as to update the SQL database and obtain an execution result.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic view of a scene interaction of a data processing system based on a block chain and SQL according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating steps of a data processing method based on a block chain and SQL according to an embodiment of the present application;
fig. 3 is a schematic block diagram of a block chain and SQL-based data processing apparatus for executing the block chain and SQL-based data processing method in fig. 2 according to an embodiment of the present application;
fig. 4 is a schematic block diagram of a computer device for executing the data processing method based on the blockchain and SQL in fig. 2 according to an embodiment of the present disclosure.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present application more apparent, the exemplary embodiments of the present application are described in further detail below with reference to the accompanying drawings. Clearly, the described embodiments are only a part of the embodiments of the present application, and are not exhaustive of all embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Referring to fig. 1 in combination, fig. 1 is a schematic view of a scene interaction of a data processing system based on a block chain and SQL provided in an embodiment of the present application, where the data processing system based on the block chain and the SQL includes the block chain, the block chain stores a plurality of intelligent contracts, the intelligent contracts correspond to user information in a one-to-one binding relationship, the block chain includes a plurality of node servers 10, the node servers 10 may be in communication connection, and the node servers 10 may be in the form of an intelligent terminal, a cloud server, and the like, which is not limited herein. In other embodiments of the present application, the data processing system based on the blockchain and the SQL may also be composed of more or less components, which is not limited herein.
Referring to fig. 2, in order to solve the aforementioned technical problem, an embodiment of the present invention provides a data processing method based on a blockchain and SQL, which may be implemented by the blockchain in fig. 1 as an execution subject, and the following describes the data processing method based on the blockchain and the SQL in detail.
Step S201, acquire user information.
Step S202, call an intelligent contract corresponding to the user information according to the binding relationship, wherein the intelligent contract comprises an SQL database address.
Step S203, according to the SQL database address, determine, from the plurality of node servers 10, a target node server 10 storing the SQL database corresponding to the intelligent contract.
Step S204, acquire the transaction operation to be processed.
Step S205, execute the pending transaction operation on the target node server 10 according to the intelligent contract, so as to update the SQL database and obtain the execution result.
In the embodiment of the present application, the intelligent contract and the user information are bound in one-to-one correspondence; that is, each user may be assigned an intelligent contract of their own, and when the user subsequently needs to perform a service operation, the intelligent contract belonging only to that user may be determined according to the user information of the user.
After the SQL database address is obtained, the target node server 10 that maintains the SQL database may be located, and it should be noted that in this embodiment of the present application, each node server 10 may directly maintain the SQL database, and in other embodiments of this embodiment of the present application, each node server 10 may also maintain the SQL database server that has the SQL database, which is not limited herein. Meanwhile, each node server 10 maintains only one SQL database or SQL database server, thereby ensuring the security of the SQL database. It should be understood that, in the embodiment of the present application, a user may initiate the above-mentioned procedure at any node server 10, or may initiate the above-mentioned procedure as a node server 10 after accessing a block chain by using other terminal devices, which is not limited herein.
After the intelligent contract and the SQL database of the user are determined through the user information, the transaction operation to be processed can be initiated, so that the improved intelligent contract can be used for directly carrying out operation on the SQL database to obtain an execution result.
In one possible embodiment, the node server 10 is configured with a filter, the smart contract comprises an execution function, and the foregoing step S205 can be implemented by performing the following steps in detail.
Sub-step S205-1, in the case where the execution function passes through the filter, execute the pending transaction operation at the target node server 10 according to the execution function.
In the embodiment of the application, in order to ensure isolation between different intelligent contracts and SQL databases, a filter may be set to prevent unrelated intelligent contracts from affecting an SQL database. For example, a preset condition may be added to the filter, and only after the intelligent contract and the SQL database both meet the preset condition can the user invoke the correct intelligent contract to update data in the SQL database, that is, to execute the transaction operation to be processed. It should be understood that, in the embodiment of the present application, being based on a block chain, the pending transaction operation may refer to operations such as adding, updating and deleting service data by using an intelligent contract. Meanwhile, so that the node server 10 can be called by the smart contract, the node server 10 is also configured with encapsulated basic function interfaces corresponding to the relevant execution functions.
In order to more clearly describe the scheme provided by the embodiment of the present application, the embodiment of the present application provides an example of determining whether the execution function passes through the filter, and the following implementation manner may be implemented.
Step S301, judging whether the contract identification of the intelligent contract corresponding to the execution function is matched with the database identification of the SQL database.
If the contract identifier matches the database identifier, step S302 is performed.
If the contract identifier does not match the database identifier, step S303 is performed.
Step S302, determining whether the execution function exists in the preset execution function range, and if the execution function exists in the preset execution function range, performing step S304. If the execution function is not within the predetermined execution function range, step S305 is executed.
Step S303, if the contract identifier does not match the database identifier, it is determined that the execution function does not pass through the filter.
Step S304, it is determined that the execution function passes through the filter.
Step S305, it is determined that the execution function does not pass through the filter.
On the basis of the foregoing, an embodiment of the present application provides a specific setting mode of a filter, where it may be first determined whether a contract identifier of an intelligent contract corresponding to an execution function matches a database identifier of an SQL database, that is, it is determined whether a current intelligent contract and SQL data belong to a user currently performing operations, and after determining matching, it is further determined whether a transaction operation to be processed that the user wants to execute is reasonable, specifically, it may be determined whether an execution function included in the intelligent contract and used for implementing the transaction operation to be processed is within a preset execution function range of the filter, if so, the operation may be correctly executed, otherwise, it is determined that the transaction operation to be processed that the user currently wants to execute is not reasonable, and the user cannot implement the corresponding operation.
In the embodiment of the present application, the execution function included in the smart contract may have the following three types:
Data structure definition statement (DDL): CREATE/ALTER/DROP/TRUNCATE TABLE.
Data management statement (execution function): INSERT/DELETE/UPDATE.
Data query statement (DQL): SELECT.
It should be understood that when the intelligent contract executes the transactional statement execution function, a starting point is needed, all execution function statements after the starting point can take effect, and the remaining non-transactional statements take effect directly after execution.
In order to more clearly describe the solutions provided in the embodiments of the present application, a more detailed example is provided below. Suppose intelligent contract A and intelligent contract B provide services for two users respectively and are used for operating database a and database b. By setting the filter, intelligent contract A only has the authority to operate database a: the contract identifier of intelligent contract A matches the database identifier of database a and does not match the identifier of database b, so that no operation can be performed on database b. In other embodiments of the present application, in addition to configuring identifiers for the intelligent contract and the database, the relationship between the intelligent contract and the database may also be bound in other manners, for example, by setting a white list to allow the intelligent contract to operate on the SQL database.
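The filter decision of steps S301 to S305, applied to the contract A / database a scenario above, as an added example that is not code from the patent. It assumes that identifiers "match" when they are equal strings and that the preset execution function range is an allowlist of leading SQL keywords; rejecting input that carries more than one statement is an extra hardening assumption, and all names and sample values are constructed.

```python
import re
from dataclasses import dataclass

# Leading keywords of the statement types listed in the description.
KNOWN_FUNCTIONS = {
    "CREATE", "ALTER", "DROP", "TRUNCATE",   # data structure definition
    "INSERT", "DELETE", "UPDATE",            # data management
    "SELECT",                                # data query
}
_LEADING_KEYWORD = re.compile(r"^\s*([A-Za-z]+)\b")


@dataclass(frozen=True)
class Contract:
    contract_id: str          # hypothetical field name


@dataclass(frozen=True)
class Database:
    database_id: str          # hypothetical field name
    allowed_functions: frozenset  # the "preset execution function range"


def execution_function_of(statement):
    """Return the statement's leading keyword in upper case, or None."""
    match = _LEADING_KEYWORD.match(statement)
    if match is None:
        return None
    keyword = match.group(1).upper()
    return keyword if keyword in KNOWN_FUNCTIONS else None


def passes_filter(contract, database, statement):
    """Return (passed, step) where step names the deciding step S303/S304/S305."""
    # S301: the contract identifier must match the database identifier.
    if contract.contract_id != database.database_id:
        return False, "S303"
    # S302: the execution function must lie in the preset range.
    function = execution_function_of(statement)
    body = statement.strip().rstrip(";").strip()
    # Assumption: one statement per call. This is deliberately conservative and
    # also rejects a ';' inside a string literal.
    if function is None or ";" in body:
        return False, "S305"
    if function not in database.allowed_functions:
        return False, "S305"
    return True, "S304"


# Constructed sample data: contract A is bound to database a only, and
# database a accepts data management and query statements but no DDL.
CONTRACT_A = Contract(contract_id="tenant-a")
DATABASE_A = Database("tenant-a", frozenset({"INSERT", "DELETE", "UPDATE", "SELECT"}))
DATABASE_B = Database("tenant-b", frozenset({"INSERT", "DELETE", "UPDATE", "SELECT"}))

if __name__ == "__main__":
    for db, sql in [
        (DATABASE_A, "INSERT INTO orders (id) VALUES (1)"),
        (DATABASE_B, "SELECT * FROM orders"),
        (DATABASE_A, "DROP TABLE orders"),
        (DATABASE_A, "SELECT 1; DROP TABLE orders"),
    ]:
        print(db.database_id, repr(sql), passes_filter(CONTRACT_A, db, sql))
```

The check is default-deny: a statement whose leading keyword is not recognised fails at S305 rather than falling through.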
In a possible implementation manner, the embodiment of the present application further provides the following detection example for the execution function itself.
Step S402, an execution function to be executed is acquired.
The nodes can perform anomaly detection on the execution functions, and identify the anomalous execution functions from a large number of execution functions so as to prevent malicious attacks.
In a possible implementation manner, the node may automatically trigger to acquire an execution function to be executed, and perform exception detection on the execution function to be executed. For example, a node may automatically trigger the detection of an anomaly in a locally executed function every preset duration. Or, when the node acquires a new execution function, the abnormal detection of the execution function is automatically triggered.
In one possible implementation, the node may trigger exception detection for the executing function in response to the executing function detection request. For example, a user triggers and generates an execution function detection request in an antivirus interface of an antivirus application program on a node, and the node performs exception detection on a local execution function according to the execution function detection request to identify the local exception execution function. The node may also receive an execution function detection request sent by another device, and perform abnormality detection on the local execution function according to the execution function detection request.
Step S404, performing a first code structure detection on the execution function to be executed, to obtain a first code structure detection result corresponding to the execution function to be executed.
Code structure detection means searching for potential security problems in the code by analyzing the components of the program code in the execution function, without executing the execution function. The first code structure detection refers to the first code structure detection performed on the execution function to be executed.
Specifically, since the detection speed of the code structure detection is fast and is applicable to execution functions of all formats, after the node acquires the execution function to be executed, the node may preferentially perform first code structure detection on the execution function to be executed, perform static analysis on source codes of the execution function to be executed, and determine whether an abnormal source code exists in the execution function to be executed, thereby obtaining a first code structure detection result corresponding to the execution function to be executed.
In one possible embodiment, the detection of the code structure may be performed by means of feature matching. The specific method may be to extract feature information from the execution function to be executed, match the extracted feature information with feature information in an illegal function library, and indicate that the execution function to be executed is abnormal once matching is successful. When the feature matching is performed, the feature information corresponding to the execution function to be executed may be directly matched with the feature information in the illegal function library, or the feature information corresponding to the execution function to be executed may be counted, and the statistical result may be matched with the feature information in the illegal function library. For example, a character string is extracted from an execution function to be executed, the extracted character string may be matched with an abnormal execution function character string in an illegal function library, or information entropy calculation may be performed on the extracted character string, and a calculation result may be matched with an abnormal execution function information entropy in the illegal function library.
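A sketch of this feature-matching variant, as an added example that is not code from the patent: it extracts code elements with their positions, derives an entropy value per known abnormal function, aggregates those into the library's entropy information, and flags a function when a regular-string signature or the entropy information matches. The aggregation rule (the lowest entropy seen among abnormal samples becomes the threshold), the minimum literal length, the signature and all sample statements are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

MIN_LITERAL_LEN = 16  # assumption: shorter string literals carry too little signal

# A code element is a quoted string literal, an identifier, a number or a symbol.
_ELEMENT = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z_0-9]*|\d+|\S")


def code_elements(source):
    """Return the code element set as (element, position) pairs."""
    return [(m.group(0), m.start()) for m in _ELEMENT.finditer(source)]


def shannon_entropy(text):
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def literal_entropies(source):
    """(entropy, position) for every string literal of at least MIN_LITERAL_LEN chars."""
    found = []
    for element, position in code_elements(source):
        if element.startswith("'") and len(element) - 2 >= MIN_LITERAL_LEN:
            found.append((shannon_entropy(element[1:-1]), position))
    return found


def pending_entropy(source):
    """Per-function entropy value: the highest entropy among its long literals."""
    return max((h for h, _ in literal_entropies(source)), default=0.0)


def build_entropy_info(abnormal_functions):
    """Aggregate per-sample values into one threshold (assumed rule: the minimum)."""
    return min(pending_entropy(source) for source in abnormal_functions)


def code_structure_detection(source, signatures, entropy_info):
    """Return (feature, position) findings; any finding means 'abnormal'."""
    findings = []
    for name, pattern in signatures.items():
        match = pattern.search(source)
        if match:
            findings.append(("regex:" + name, match.start()))
    for entropy, position in literal_entropies(source):
        if entropy >= entropy_info:
            findings.append(("entropy", position))
    return findings


# Constructed "illegal function library": two samples carrying opaque literals
# and one regular-string signature for dynamically executed SQL.
KNOWN_ABNORMAL = [
    "UPDATE cfg SET v = 'q8ZrT1xLm4VbN7cYdK2sHf9GjW3pAe6U' WHERE k = 1",
    "INSERT INTO t (b) VALUES ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')",
]
SIGNATURES = {"dynamic-sql": re.compile(r"\bEXECUTE\s+IMMEDIATE\b", re.IGNORECASE)}

if __name__ == "__main__":
    info = build_entropy_info(KNOWN_ABNORMAL)
    for sql in [
        "INSERT INTO orders (id, note) VALUES (7, 'customer asked for gift wrapping')",
        "UPDATE cfg SET v = '0123456789abcdefghijklmnopqrstuvwxyz'",
        "EXECUTE IMMEDIATE stmt",
    ]:
        print(code_structure_detection(sql, SIGNATURES, info), sql)
```

Character entropy separates opaque literals from ordinary text only when the literal is long enough, which is why short literals are skipped and why the entropy feature is combined with signature matching rather than used alone.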
In one possible implementation, code structure detection may be performed by a machine learning model. The method may include taking known abnormal execution functions as positive execution functions and known normal execution functions as negative execution functions, using the positive and negative execution functions as training execution functions, inputting the training execution functions into an execution function detection model to be trained, taking the labels corresponding to the training execution functions as the expected outputs of the execution function detection model, and performing supervised training on the execution function detection model to obtain the trained execution function detection model. The node may input the execution function to be executed into the trained execution function detection model, and the execution function detection model outputs a first code structure detection result corresponding to the execution function to be executed. It can be understood that different execution function detection models can be trained for different programming languages, which improves the detection accuracy for execution functions written in each of those languages.
Step S406, performing a first command source detection process on the execution function to be executed according to the first code structure detection result corresponding to the execution function to be executed, so as to obtain a first command source detection result corresponding to the execution function to be executed.
Command source detection processing means scanning and analyzing the program code in the execution function through lexical analysis, syntactic analysis, control flow analysis, data flow analysis and other techniques, without executing the execution function, so as to find a malicious tampering code group in the execution function. The first command source detection processing refers to the first round of command source detection processing performed on the execution function to be executed.
Specifically, after obtaining the first code structure detection result, the node may perform the first command source detection processing on the execution function to be executed according to that result, to obtain the first command source detection result corresponding to the execution function to be executed. The node may perform the first command source detection processing only when the first code structure detection result indicates that the execution function is not abnormal. When the first code structure detection result indicates that the execution function is abnormal, the node can quickly determine that the execution function to be executed is an abnormal execution function and skip the subsequent operations. Alternatively, the node may continue to perform the first command source detection processing even when the first code structure detection result indicates that the execution function is abnormal. It can be understood that the first code structure detection and the first command source detection are different detection processes and can detect different abnormal problems in the execution function. Therefore, when the execution function to be executed is already known to be an abnormal execution function, continuing the subsequent detection processes can find as much of the abnormal information in it as possible and mine that information comprehensively, thereby being helpful for relevant people
In a possible implementation manner, when performing the first command source detection processing, the node may perform syntax parsing on the source code of the execution function to be executed to generate an SQL abstract syntax tree corresponding to the execution function to be executed, where each tree node on the SQL abstract syntax tree represents one structure in the source code. According to the attributes of the tree nodes and the characteristics of risk command content and risk target commands, the node can identify risk command content nodes and risk target command nodes on the SQL abstract syntax tree, analyze the operational relationships between tree nodes, and judge whether a leakage path from the risk command content to the risk target command exists. When a malicious tampering code group exists and meets a preset condition, the node can determine that the first command source detection result is that the execution function to be executed is abnormal. Furthermore, the first command source detection result may also include the initial SQL abstract syntax tree corresponding to the execution function to be executed, so that when the execution function to be executed is subsequently executed based on the virtual SQL database, the initial SQL abstract syntax tree can be executed directly, which simplifies the detection steps and improves the detection efficiency.
Step S408, executing the to-be-executed execution function subjected to the first command source detection processing based on the virtual SQL database, and outputting an execution result corresponding to the to-be-executed execution function after the execution of the virtual SQL database.
The virtual SQL database is used to perform simulation analysis on the execution function to be executed, so that encrypted, deformed and obfuscated execution functions are decrypted and restored. The virtual SQL database integrates a virtual execution algorithm, which performs simulation analysis on the execution function to be executed and detects whether encryption and obfuscation methods such as string splicing, string replacement and base64 encryption are used in it, thereby identifying encrypted, deformed and obfuscated execution functions. When the execution function to be executed has been encrypted, deformed or obfuscated, it can be decrypted, and the decrypted execution function to be executed is output, restoring the most original execution function. The execution result is the decrypted execution function to be executed.
Specifically, if the execution function is an abnormal execution function of the encrypted, deformed or obfuscated type, the externally controllable abnormal variables and the leakage function are hidden in the shell code, and such an abnormal execution function cannot easily be identified by the first code structure detection and the first command source detection processing. Therefore, when the first code structure detection and the first command source detection processing do not detect an abnormality, the node may further execute the execution function to be executed in the virtual SQL database to determine whether it is encrypted, deformed or obfuscated, and decrypt and restore it to obtain the execution result corresponding to the execution function to be executed. The node then performs second code structure detection and second command source detection processing on the execution result, so as to finally judge whether the execution function to be executed is an abnormal execution function. Of course, when the first code structure detection and the first command source detection have already found the execution function to be executed to be abnormal, the node may still execute it in the virtual SQL database to obtain the corresponding execution result, and then perform the second code structure detection and the second command source detection on the execution result to find more abnormal information in the execution function to be executed.
In a possible implementation manner, the virtual SQL database may further integrate an SQL abstract syntax tree generating algorithm, so that after the virtual execution algorithm executes the execution function to be executed and outputs the execution result corresponding to the execution function to be executed, the target SQL abstract syntax tree corresponding to the execution result may be further output, so that when the execution result is subsequently subjected to second command source detection processing, the node may directly analyze the target SQL abstract syntax tree corresponding to the execution result to obtain a second command source detection result, thereby improving the detection efficiency.
Step S410, performing a second code structure detection and a second command source detection on the execution result, respectively, to obtain a second code structure detection result and a second command source detection result corresponding to the execution result.
The second code structure detection refers to the second round of code structure detection for the execution function to be executed, specifically, code structure detection of the execution result corresponding to the execution function to be executed. The second command source detection processing refers to the second round of command source detection processing for the execution function to be executed, specifically, command source detection processing of the execution result corresponding to the execution function to be executed.
Specifically, after the execution result is obtained, the node may perform second code structure detection on the execution result to obtain a second code structure detection result corresponding to the execution result, and perform second command source detection processing on the execution result to obtain a second command source detection result. It can be understood that if the execution function to be executed is encrypted, deformed, and obfuscated, the code structure detection and the command source detection processing directly performed on the execution function to be executed cannot easily identify the hidden abnormal feature information and the malicious tampered code group. Therefore, after obtaining the execution result corresponding to the execution function to be executed, the node may further perform second code structure detection and second command source detection on the execution result corresponding to the execution function to be executed, and finally determine whether the execution function to be executed is an abnormal execution function based on the second code structure detection result and the second command source detection result corresponding to the execution result.
In step S412, when at least one of the first code structure detection result, the first command source detection result, the second code structure detection result and the second command source detection result corresponding to the execution function to be executed is an abnormal execution function, the execution function to be executed is determined to be an abnormal execution function.
Specifically, when at least one of the first code structure detection result and the first command source detection result corresponding to the execution function to be executed, and the second code structure detection result and the second command source detection result corresponding to the execution result, indicates that the execution function is abnormal, the node may determine that the execution function to be executed is an abnormal execution function. If the execution function to be executed is abnormal, the node can generate warning information in time to remind relevant personnel that the execution function is abnormal, so that protection can be carried out in time.
In a possible implementation manner, the node may perform exception detection on the execution function to be executed in the order of first code structure detection, first command source detection processing, execution of the execution function, second code structure detection, and second command source detection processing. As soon as one detection result indicates that the execution function is abnormal, the node can stop the subsequent processing and directly determine that the execution function to be executed is an abnormal execution function, which saves computer resources. Moreover, the first code structure detection and the first command source detection processing both perform static analysis on the source code, whereas executing the execution function in the virtual SQL database performs simulation analysis on its source code, and simulation analysis consumes more resources than static analysis. Therefore, the first code structure detection and the first command source detection processing are performed on the execution function to be executed first, and only when both the first code structure detection result and the first command source detection result indicate that the execution function is not abnormal is the execution function to be executed executed based on the virtual execution algorithm and subjected to the second code structure detection and the second command source detection processing. This reduces computer resource consumption and improves the detection efficiency for abnormal execution functions.
In a possible implementation manner, the node may perform the complete set of exception detection on the execution function to be executed in the order of first code structure detection, first command source detection processing, execution of the execution function, second code structure detection and second command source detection processing. Code structure detection and command source detection are different detection processes and can detect different abnormal problems in the execution function. The first code structure detection and the first command source detection processing target the execution function to be executed, while the second code structure detection and the second command source detection processing target the execution result corresponding to the execution function to be executed. Performing the complete set of exception detection can therefore comprehensively detect the various kinds of abnormal information in the execution function to be executed, for example, not only the abnormal feature information and the malicious tampering code group in the encrypted execution function, but also the abnormal feature information and the malicious tampering code group in the execution result. The node can send all the abnormal information corresponding to the execution function to be executed to the terminal of the relevant personnel, or display it locally; this abnormal information can assist developers in data protection and in resisting hacker attacks. The node may also generate an exception level for the execution function to be executed according to the amount of abnormal information corresponding to it, and display the execution function to be executed based on that exception level.
For example, the higher the exception level corresponding to the execution function to be executed, the nearer the front it is displayed, and its exception level is displayed at the same time. It can be understood that the larger the amount of abnormal information corresponding to the execution function to be executed, the higher its exception level.
In the above method for detecting an abnormal execution function, the execution function to be executed is obtained; first code structure detection is performed on it to obtain the corresponding first code structure detection result; first command source detection processing is performed on it according to that result; the execution function to be executed that has undergone the first command source detection processing is executed based on the virtual SQL database, and the execution result corresponding to it after execution in the virtual SQL database is output; second code structure detection and second command source detection processing are respectively performed on the execution result to obtain the corresponding second code structure detection result and second command source detection result; and when at least one of the first code structure detection result, the first command source detection result, the second code structure detection result and the second command source detection result indicates an abnormality, the execution function to be executed is determined to be an abnormal execution function.
Thus, the first code structure detection and the first command source detection, which consume fewer resources, are performed on the execution function to be executed first, so that a preliminary detection result is obtained quickly and whether the execution function to be executed is an abnormal execution function can be determined quickly and intuitively based on it. The execution function to be executed is then executed based on the virtual SQL database and decrypted to obtain the execution result. Finally, second code structure detection and second command source detection are performed on the execution result to obtain a target detection result, based on which it is determined whether the encrypted execution function to be executed is an abnormal execution function. Through the ordered cooperation of code structure detection, command source detection and execution of the execution function, the detection range can be expanded, and the detection accuracy for abnormal execution functions is thereby improved.
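The staged flow summarized above (S404 to S412) can be illustrated with the following added example, which is not code from the patent. It assumes the virtual execution step can be approximated by folding `CONCAT`, `REPLACE` and `FROM_BASE64` calls over string literals; the two-entry rule list stands in for both static stages, and the sample function is constructed.

```python
import base64
import re

LIT = r"'(?:[^']|'')*'"  # SQL string literal; '' is an escaped quote
CALL = re.compile(
    rf"\b(CONCAT|REPLACE|FROM_BASE64)\s*\(\s*({LIT}(?:\s*,\s*{LIT})*)\s*\)",
    re.IGNORECASE,
)
# Stand-in for both static stages (code structure and command source detection).
RISK_RULES = [re.compile(p, re.IGNORECASE)
              for p in (r"\bDROP\s+TABLE\b", r"\bxp_cmdshell\b")]
MAX_ROUNDS = 32  # bound the work spent on hostile input


def _unquote(literal):
    return literal[1:-1].replace("''", "'")


def _quote(text):
    return "'" + text.replace("'", "''") + "'"


def virtual_execute(source):
    """Fold calls whose arguments are all literals until the text stops changing.

    Returns (restored_source, techniques_used). Nothing is sent to a real database.
    """
    used = set()

    def fold(match):
        name = match.group(1).upper()
        args = [_unquote(a) for a in re.findall(LIT, match.group(2))]
        if name == "CONCAT":
            value = "".join(args)
        elif name == "REPLACE" and len(args) == 3:
            # An empty search string leaves the subject unchanged.
            value = args[0].replace(args[1], args[2]) if args[1] else args[0]
        elif name == "FROM_BASE64" and len(args) == 1:
            try:
                value = base64.b64decode(args[0], validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return match.group(0)  # not decodable text: leave the call as is
        else:
            return match.group(0)
        used.add(name)
        return _quote(value)

    for _ in range(MAX_ROUNDS):
        folded = CALL.sub(fold, source)
        if folded == source:
            break
        source = folded
    return source, used


def static_check(text):
    return [rule.pattern for rule in RISK_RULES if rule.search(text)]


def detect(source):
    first = static_check(source)                     # S404 / S406
    restored, techniques = virtual_execute(source)   # S408
    second = static_check(restored)                  # S410
    return {
        "first": first,
        "restored": restored,
        "techniques": sorted(techniques),
        "second": second,
        "abnormal": bool(first or second),           # S412: any stage abnormal
    }


# Constructed sample: the command text only appears after folding.
OBFUSCATED = ("EXEC(CONCAT(FROM_BASE64('RFJPUA=='), ' TABLE ', "
              "REPLACE('aXudit_log','X','')))")

if __name__ == "__main__":
    print(detect(OBFUSCATED))
```

The first static pass finds nothing in the constructed sample; the second pass, run on the restored text, is what marks it abnormal.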
In a possible implementation manner, the current execution function is the execution function to be executed, and performing current-order code structure detection on the current execution function to obtain a current-order code structure detection result corresponding to the current execution function includes:
Step S502, extracting characteristic information from the current execution function to obtain at least one characteristic information to be matched.
Specifically, the code structure detection process is described by taking a current execution function as an example. The current execution function may be the execution function to be executed, or it may be the execution result. Code structure detection mainly performs matching detection on the execution function at the source code level. If the current execution function is the execution function to be executed, first code structure detection is performed on it to obtain the corresponding first code structure detection result. If the current execution function is the execution result, second code structure detection is performed on it to obtain the corresponding second code structure detection result. The node may perform feature extraction on the current execution function and obtain at least one piece of feature information to be matched based on the extracted feature information. The node may use a line of code in the execution function as a piece of feature information to be matched, or may generate feature information to be matched based on each code element in the execution function and its position information. The node may also segment the execution function based on a segmentation identifier and use the resulting segments of the execution function as the feature information to be matched.
Step S504, matching each feature information to be matched with the feature information of the abnormal execution function; the abnormal execution function characteristic information comprises at least one of abnormal execution function code information, abnormal execution function regular string information and abnormal execution function entropy information.
The abnormal execution function feature information refers to feature information of an abnormal execution function. The abnormal execution function characteristic information is obtained by performing data analysis on a large number of abnormal execution functions. The abnormal execution function code information refers to characteristic information of a character string type corresponding to the abnormal execution function, namely characteristic information described by the character string. The regular string information of the abnormal execution function refers to characteristic information of a regular string type corresponding to the abnormal execution function, namely, the characteristic information described by the regular expression. The abnormal execution function entropy information is characteristic information of an entropy type corresponding to the abnormal execution function, and is entropy information generated based on a code framework of the abnormal execution function.
Specifically, an illegal function library is arranged on the node, and is stored with abnormal execution function characteristic information, wherein the abnormal execution function characteristic information includes multiple types of abnormal characteristic information such as character strings, regular strings, entropy values and the like, and is used for performing corresponding matching query with the current execution function to identify whether the current execution function is an abnormal execution function. The abnormal execution function characteristic information is obtained by performing data analysis on a large number of abnormal execution functions and can represent the universality characteristic of the abnormal execution functions. When the code structure is detected, the node can match each piece of feature information to be matched with the feature information of the abnormal execution function respectively, and once the matching is successful, the current execution function can be determined to have abnormality.
Step S506, when at least one of the feature information to be matched is successfully matched, determining that the detection result of the current-order code structure corresponding to the current execution function is abnormal.
Specifically, when at least one piece of feature information to be matched is successfully matched, the node may determine that the current execution function contains abnormal data and that the current execution function is abnormal.
In a possible implementation manner, the node may establish different abnormal execution function characteristic information for different programming languages, that is, establish corresponding abnormal execution function characteristic information for execution functions of different execution function formats. Therefore, when the node performs feature matching, the execution function format of the current execution function, that is, the target programming language used in the current execution function, may be judged first, then the target abnormal execution function feature information corresponding to the target programming language is obtained, and the feature information to be matched corresponding to the current execution function and the target abnormal execution function feature information are matched, so as to quickly determine the current-order code structure detection result.
In the embodiment, the detection result of the current-order code structure can be quickly obtained by matching the feature information to be matched of the current execution function with the feature information of the abnormal execution function, and a plurality of matching rules such as character string matching and regular matching are supported during matching, so that the detection mode is flexible and efficient.
In one possible implementation, the method for generating the entropy information of the abnormal execution function includes the following steps:
acquiring a plurality of abnormal execution functions; respectively extracting code elements from each abnormal execution function to obtain a code element set corresponding to each abnormal execution function, wherein the code element set comprises a plurality of code elements and position information corresponding to each code element; generating corresponding undetermined entropy information based on a code element set corresponding to the same abnormal execution function to obtain undetermined entropy information corresponding to each abnormal execution function; and generating abnormal execution function entropy information based on each piece of undetermined entropy information.
The code elements refer to special symbols in the source code of the execution function, such as mathematical symbols, punctuation marks and unit symbols. The undetermined entropy information refers to an entropy value generated based on a code element corresponding to an abnormal execution function. The entropy information of the abnormal execution function is obtained based on entropy values corresponding to the abnormal execution functions and is used for representing the universality and commonality of the entropy values of the abnormal execution functions.
In particular, the execution functions written by the same hacker or the same group of hackers often have a specific style, e.g. using the same or similar code framework. In addition, the code is generally composed of numbers, letters and special symbols, wherein the numbers and the letters can be flexibly changed according to actual needs, and the special symbols are important components of the code frame and are relatively fixed. Therefore, the nodes can analyze the code elements of a large number of abnormal execution functions, extract the common information among the abnormal execution functions and obtain the entropy information of the abnormal execution functions. The node may specifically obtain a plurality of abnormal execution functions with known exceptions, and extract code elements from each abnormal execution function, respectively, to obtain a code element set corresponding to each abnormal execution function. The code element set not only comprises a plurality of code elements, but also comprises position information corresponding to each code element, and the whole frame of the code can be determined based on the code elements and the corresponding position information. The node can perform information entropy calculation on a code element set corresponding to one abnormal execution function to generate the undetermined entropy information corresponding to the abnormal execution function, so that each abnormal execution function can obtain the undetermined entropy information corresponding to each abnormal execution function. 
Finally, the node may generate the abnormal execution function entropy information based on the pieces of undetermined entropy information. For example, it may perform statistical analysis on them and use the pieces of undetermined entropy information that repeat most often as the abnormal execution function entropy information, or it may use every piece of undetermined entropy information as abnormal execution function entropy information. The undetermined entropy information can also be clustered, so that it is grouped into at least one piece of intermediate entropy information. One piece of intermediate entropy information can represent the undetermined entropy information of the abnormal execution functions of the same hacker or the same hacker group, and each piece of intermediate entropy information is used as abnormal execution function entropy information. Cluster analysis groups the undetermined entropy information so that different pieces of intermediate entropy information can be distinguished from one another. Further, the node may allocate different hacker identifiers to different pieces of abnormal execution function entropy information, so that if the current entropy information corresponding to the current execution function is successfully matched with a certain piece of abnormal execution function entropy information, the current-order code structure detection result may also include the hacker identifier corresponding to that piece. The cluster analysis may adopt a density-based clustering algorithm (e.g., the DBSCAN clustering algorithm) or a partition-based clustering method (e.g., the k-means clustering algorithm).
In this embodiment, the undetermined entropy information corresponding to the abnormal execution function is generated based on the code element set corresponding to the abnormal execution function, and the abnormal execution function entropy information is generated based on the undetermined entropy information corresponding to the multiple abnormal execution functions, so that the reliability of the abnormal execution function entropy information can be improved.
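The feature matching of steps S502 to S506 and the entropy generation described above can be sketched together in the following added example, which is not code from the patent. Its assumptions: the entropy is the Shannon entropy over adjacent special-symbol pairs (one way to let position information contribute), only entropy values seen in at least two samples are kept, and the library contents and all sample functions are constructed.

```python
import math
import re
from collections import Counter

# Code elements: every character that is not a letter, digit, underscore or whitespace.
SYMBOL = re.compile(r"[^\w\s]")


def code_elements(source):
    """Code-element set: (position, symbol) for each special symbol in the source."""
    return [(m.start(), m.group()) for m in SYMBOL.finditer(source)]


def skeleton_entropy(source):
    """Shannon entropy in bits over adjacent symbol pairs, taken in position order.

    Assumption of this example: pairing neighbours is how position information
    enters the entropy; the page does not specify the calculation.
    """
    symbols = [sym for _, sym in code_elements(source)]
    pairs = list(zip(symbols, symbols[1:]))
    if not pairs:
        return 0.0
    total = len(pairs)
    return -sum(n / total * math.log2(n / total) for n in Counter(pairs).values())


class IllegalFunctionLibrary:
    """String, regular-expression and entropy features of abnormal execution functions."""

    def __init__(self, strings, regexes, abnormal_samples, tolerance=0.01):
        self.strings = [s.lower() for s in strings]
        self.regexes = [re.compile(r, re.IGNORECASE) for r in regexes]
        self.tolerance = tolerance
        # One pending entropy per known-abnormal sample; keep only values that
        # repeat, i.e. skeletons shared by several samples.
        pending = Counter(round(skeleton_entropy(s), 3) for s in abnormal_samples)
        self.entropies = sorted(v for v, n in pending.items() if n >= 2)

    def detect(self, function_source):
        """Return every matched feature; a non-empty list means 'abnormal' (S506)."""
        findings = []
        for line in function_source.splitlines():  # S502: one line = one feature
            lowered = line.lower()
            findings += [("string", s) for s in self.strings if s in lowered]
            findings += [("regex", r.pattern) for r in self.regexes if r.search(line)]
        current = skeleton_entropy(function_source)
        findings += [("entropy", e) for e in self.entropies
                     if abs(current - e) <= self.tolerance]
        return findings


# Constructed samples: the first two share one code frame and differ only in
# letters and digits; the third has a different frame and occurs once.
ABNORMAL_SAMPLES = [
    "SET @q = CONCAT('DR','OP',' TABLE ', @t); PREPARE s FROM @q; EXECUTE s;",
    "SET @x = CONCAT('TRUN','CATE',' TABLE ', @n); PREPARE p FROM @x; EXECUTE p;",
    "SELECT * FROM t WHERE a=1 OR 1=1",
]
LIBRARY = IllegalFunctionLibrary(
    strings=["xp_cmdshell"],
    regexes=[r"\bPREPARE\s+\w+\s+FROM\s+@\w+"],
    abnormal_samples=ABNORMAL_SAMPLES,
)
CANDIDATE = "SET @c = CONCAT('DE','LETE',' FROM ', @w); PREPARE z FROM @c; EXECUTE z;"
BENIGN = "SELECT id, name FROM users WHERE id = 7;"

if __name__ == "__main__":
    print(LIBRARY.detect(CANDIDATE))
    print(LIBRARY.detect(BENIGN))
```

A single entropy value is a coarse fingerprint, so short functions with few symbols can collide; the string and regular-expression features in the same library are what keep the result specific.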
In a possible embodiment, performing a first command source detection process on an execution function to be executed according to a first code structure detection result corresponding to the execution function to be executed to obtain a first command source detection result corresponding to the execution function to be executed includes:
when the first code structure detection result indicates that the execution function is not abnormal, performing first command source detection processing on the execution function to be executed to obtain a first command source detection result corresponding to the execution function to be executed.
Specifically, in order to reduce computer resource consumption, after a first code structure detection is performed on an execution function to be executed to obtain a first code structure detection result corresponding to the execution function to be executed, if the first code structure detection result indicates that the execution function is not abnormal, a node performs a first command source detection process on the execution function to be executed to obtain a first command source detection result corresponding to the execution function to be executed, and if the first code structure detection result indicates that the execution function is abnormal, the node does not need to execute subsequent operations.
In a possible implementation manner, the current execution function is the execution function to be executed, and performing command source detection on the current execution function to obtain a command source detection result corresponding to the current execution function includes:
step S602, performing syntax parsing on the current execution function to obtain a current SQL abstract syntax tree corresponding to the current execution function.
The SQL abstract syntax tree represents the code structure of the programming language in a tree form, and each node on the tree represents one structure in source codes and is an abstract representation of the code structure of the source codes of the execution functions.
Specifically, the command source detection process is described by taking a current execution function as an example. The current execution function may be an execution function to be executed or an execution result, and command source detection is mainly path detection of the execution function at the source code level. If the current execution function is the execution function to be executed, first command source detection processing is performed on it to obtain a first command source detection result corresponding to the current execution function. If the current execution function is the execution result, second command source detection processing is performed on it to obtain a second command source detection result corresponding to the current execution function. When performing the current-order command source detection processing, the node first performs syntax parsing on the current execution function to obtain the current SQL abstract syntax tree corresponding to the current execution function. The node may specifically perform lexical analysis on the current execution function: it splits the source code into a plurality of words (i.e., tokens), passes each word to a segmenter, and determines the part of speech of each word through a series of recognizers (e.g., a keyword recognizer, an identifier recognizer, a constant recognizer, an operator recognizer, etc.), thereby obtaining a token sequence corresponding to the current execution function. The token sequence includes a plurality of tokens and the attributes corresponding to the respective tokens. Then, the node may perform syntax analysis on the token sequence based on the syntax analyzer, so as to obtain the current SQL abstract syntax tree corresponding to the current execution function.
Step S604, matching the variable nodes whose node type is the first type and the function nodes whose node type is the second type in the current SQL abstract syntax tree against reference risk command content, and taking the successfully matched variable nodes and function nodes as first risk command content nodes; taking the variable nodes in the current SQL abstract syntax tree whose node initial abstract syntax tree parameter is a character string with a length greater than a preset threshold value as second risk command content nodes; and obtaining target risk command content nodes based on the first risk command content nodes and the second risk command content nodes.
The risk command content refers to a variable that can be controlled from outside or a function that reads outside data, and is the initial point of an exception. The key role of an abnormal execution function is to let an attacker outside the node make the node execute the attacker's own commands, so variables that can be controlled from outside and functions that read outside data are regarded as risk command content. Reference risk command content refers to commonly used variables and functions that are known to receive external parameters. Further, in an actual production scenario, in order to prevent the abnormal execution function from being detected by antivirus software, an attacker usually applies some encryption and obfuscation processing to the code of the execution function, and part of the code after such processing usually includes a long character string variable. Thus, the risk command content may also be a string variable whose length is greater than a preset threshold. A string variable is a variable that stores a string constant, and its value is that string constant. The node initial abstract syntax tree parameter refers to the first abstract syntax tree parameter of a variable node. When the first abstract syntax tree parameter of a variable node is a character string, the variable node is a string variable. When the first abstract syntax tree parameter of a variable node is a character string and the length of the character string is greater than the preset threshold value, the variable node is a string variable with a length greater than the preset threshold value.
Specifically, the SQL abstract syntax tree includes various types of nodes such as variables, operations, functions, and the like. Based on the characteristics of the risk command content, the node can match the variable node with the node type of the first type, the function node with the second type and the reference risk command content in the current SQL abstract syntax tree, and the successfully matched variable node and function node are used as the first risk command content node. The node may also use a variable node in the current SQL abstract syntax tree in which the node initial abstract syntax tree parameter is a character string and the length of the character string is greater than a preset threshold value as a second risk command content node, that is, use a character string variable whose length is greater than a preset threshold value as a risk command content. And the node takes the first risk command content node and the second risk command content node as target risk command content nodes respectively.
Step S606, matching the function node with the node type of the second type in the current SQL abstract syntax tree with the reference risk target command, and taking the successfully matched function node as a risk target command node.
Wherein the risk target command refers to a function that finally executes the malicious behavior.
Specifically, based on the characteristics of the risk target command, the node may match the function node of which the node type in the current SQL abstract syntax tree is the second type with the reference risk target command, and use the successfully matched function node as the risk target command node.
In a possible implementation manner, the node may establish different reference risk command content sets and reference risk target command sets for different programming languages, that is, establish corresponding reference risk command content sets and reference risk target command sets for execution functions of different execution function formats. Therefore, when the node determines the risk command content node and the risk target command node, the execution function format of the current execution function, namely the target programming language used in the current execution function, can be judged first, then the target reference risk command content set and the target reference risk target command set corresponding to the target programming language are obtained, and the node in the current SQL abstract syntax tree corresponding to the current execution function is matched with the reference risk command content in the target reference risk command content set and the reference risk target command in the target reference risk target command set, so that the risk command content node and the risk target command node are determined quickly.
Step S608, in the current SQL abstract syntax tree, a current-order command source detection result corresponding to the current execution function is obtained based on the position relationship between the target risk command content node and the risk target command node.
Specifically, the malicious tampering code group is composed of three types of nodes: risk command content, command generation variables and risk target commands. A command generation variable is used to process an exception variable and generate a new exception variable. In order to prevent the abnormal execution function from being detected easily, an attacker processes and passes on the risk command content through a series of steps before using it, and all variables generated in this series of steps are command generation variables. When the risk command content enters the risk target command through a series of command generation variables, it can be determined that a malicious tampering code group exists. If the malicious tampering code group exists, the node can determine that the current-order command source detection result corresponding to the current execution function is that the execution function is abnormal. Further, in order to improve the detection accuracy and reduce false alarms, the node may further audit the malicious tampering code group, and when the malicious tampering code group meets a preset condition, the node determines that the current-order command source detection result corresponding to the current execution function is that the execution function is abnormal.
In this embodiment, the current SQL abstract syntax tree corresponding to the current execution function is obtained by performing syntax parsing on the current execution function. The variable nodes of the first type and the function nodes of the second type in the current SQL abstract syntax tree are matched against the reference risk command content, and the successfully matched variable nodes and function nodes are taken as first risk command content nodes. The variable nodes whose node initial abstract syntax tree parameter is a character string with a length greater than the preset threshold value are taken as second risk command content nodes, and the target risk command content nodes are obtained based on the first and second risk command content nodes. The function nodes of the second type in the current SQL abstract syntax tree are matched against the reference risk target command, and the successfully matched function nodes are taken as risk target command nodes. The current-order command source detection result corresponding to the current execution function is then obtained based on the position relationship between the target risk command content nodes and the risk target command nodes in the current SQL abstract syntax tree. Therefore, the target risk command content includes not only the ordinary risk command content but also character string variables whose length is greater than the preset threshold value, which expands the search range of the risk command content. Malicious tampering code groups can thus be found both in ordinary execution functions and in some encrypted execution functions, so that some abnormal execution functions can be found without executing the encrypted execution function, which effectively saves node resources.
In a possible implementation manner, in the current SQL abstract syntax tree, obtaining a current-order command source detection result corresponding to the current execution function based on the position relationship between the target risk command content node and the risk target command node includes:
performing depth-first traversal on the current SQL abstract syntax tree, and inquiring the incidence relation between target risk command content nodes and risk target command nodes; and determining a current-order command source detection result corresponding to the current execution function based on the query result.
Specifically, the node performs depth-first traversal on the current SQL abstract syntax tree, and queries whether an association relationship exists between a target risk command content node and a risk target command node. The node may determine the current-order command source detection result corresponding to the current execution function according to the query result. If an association relationship exists between the target risk command content node and the risk target command node and the association relationship is a malicious tampering code group, the node can determine that the command source detection result corresponding to the current execution function is that the execution function is abnormal. Further, in order to improve the detection accuracy and reduce false alarms, the node may further audit the malicious tampering code group, and when the malicious tampering code group meets a preset condition, the node determines that the command source detection result corresponding to the current execution function is that the execution function is abnormal.
In the embodiment, the incidence relation between the target risk command content node and the risk target command node can be accurately found by performing depth-first traversal on the current SQL abstract syntax tree.
In one possible implementation, determining a current-order command source detection result corresponding to the currently executed function based on the query result includes:
when an incidence relation exists between the target risk command content node and the risk target command node and the incidence relation covers other variable nodes except the target risk command content node and the risk target command node, determining that a malicious tampering code group exists in the current execution function; when a malicious tampering code group exists in the current execution function, determining a current order command source detection result corresponding to the current execution function based on the malicious tampering code group; and when the malicious tampering code group does not exist in the current execution function, determining that the current order command source detection result corresponding to the current execution function is that the execution function has no abnormity.
Specifically, if the currently executed function only includes the risk command content or the risk target command, and no valid malicious tampering code set is formed, the current-order command source detection result corresponding to the currently executed function is that the executed function is not abnormal. Only when the content of the risk command enters the risk target command through a series of command generation variables, namely a malicious tampering code group exists, the malicious tampering code group needs to be judged more carefully to determine whether the current execution function is an abnormal execution function. Therefore, when an association relationship exists between the target risk command content node and the risk target command node, and the association relationship is covered with other variable nodes except the target risk command content node and the risk target command node, the node can determine that a malicious tampering code group exists in the currently executed function.
In a possible implementation manner, when a malicious tampering code set exists, the node may directly determine that the current-order command source detection result corresponding to the current execution function is that the execution function has an exception. Of course, the node may further perform more detailed audit on the malicious tampering code group to determine the current-order command source detection result corresponding to the current execution function, thereby reducing false alarm and improving the command source detection accuracy.
In this embodiment, when a malicious tampering code group does not exist in the current execution function, it is directly determined that the current-order command source detection result corresponding to the current execution function is that the execution function is not abnormal, and when a malicious tampering code group exists in the current execution function, it is not directly determined that the current-order command source detection result corresponding to the current execution function is that the execution function is abnormal, but it is further determined that the current-order command source detection result corresponding to the current execution function is based on the malicious tampering code group, so that the accuracy of command source detection can be improved.
In one possible implementation, when a malicious tampering code group exists in a currently executed function, determining a current-order command source detection result corresponding to the currently executed function based on the malicious tampering code group includes:
and when the target risk command content node transmits data to the risk target command node in an assignment mode through the malicious tampering code group and the target risk command content node is a second risk command content node, determining that the current order command source detection result corresponding to the current execution function is that the execution function is not abnormal.
Specifically, if the execution function to be executed were directly determined to be abnormal whenever a malicious tampering code group exists, some false alarms could occur. In an actual production environment, a developer may write a large fixed text or character string into a code variable out of coding habit; that is, an over-long string variable may appear in a developer's normal development process, where it is used normally rather than maliciously. However, a developer usually does not process such a variable with techniques such as character string splicing, character string replacement, base64 encryption, and the like. Therefore, in order to reduce false alarms in command source detection, after determining that a malicious tampering code group exists, the node may perform a more detailed audit and further analyze the malicious tampering code group to determine the current-order command source detection result. When the target risk command content node transmits data to the risk target command node in an assignment mode through the malicious tampering code group and the target risk command content node is a second risk command content node, the node can determine that the current-order command source detection result corresponding to the current execution function is that the execution function is not abnormal; in other cases, the node determines that the result is that the execution function is abnormal. It can be understood that if the risk command content is not processed and is only passed to the risk target command through the malicious tampering code group by simple assignment, the current execution function is a secure execution function and causes no security problem.
If the parameter of the risk target command is risk command content that has not been processed and is only passed to the risk target command by assignment, the risk target command function is probably being used normally by a developer during development rather than maliciously. To avoid detection by antivirus software, an attacker generally does not use the parameter directly, but processes it with a series of methods such as splicing, replacement, encryption functions and the like.
In this embodiment, when the target risk command content node transmits data to the risk target command node in an assignment manner through the malicious tampering code group and the target risk command content node is the second risk command content node, it is determined that the current-order command source detection result corresponding to the current execution function is that the execution function is not abnormal, so that false alarm of command source detection can be effectively reduced, and accuracy of command source detection is improved.
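The following sketch illustrates steps S602 to S608 and the audit rule above. It is an added example, not code from the patent: it assumes Python as the target programming language, and the reference sets, the threshold value and all function names are hypothetical.

```python
import ast
from dataclasses import dataclass

# Assumed reference sets for one target language (Python); the patent does not list them.
REFERENCE_RISK_CONTENT = {"input", "os.getenv"}         # functions that read outside data
REFERENCE_RISK_TARGETS = {"eval", "exec", "os.system"}  # functions that finally execute
LENGTH_THRESHOLD = 64                                   # assumed preset string-length threshold


@dataclass(frozen=True)
class Taint:
    kind: str        # "first" (reference match) or "second" (over-length string variable)
    hops: int        # command generation variables between the content node and this value
    processed: bool  # False while the value was only passed on by plain assignment


def dotted(node):
    """Return 'os.system' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def taint_of(expr, env):
    """Taint carried by an expression, or None if no risk command content reaches it."""
    if isinstance(expr, ast.Name):
        return env.get(expr.id)
    if isinstance(expr, ast.Call) and dotted(expr.func) in REFERENCE_RISK_CONTENT:
        return Taint("first", 0, False)
    # Any other expression (splicing, replacement, decoding...) counts as processing.
    inner = [t for child in ast.iter_child_nodes(expr) if (t := taint_of(child, env))]
    if not inner:
        return None
    kind = "first" if any(t.kind == "first" for t in inner) else "second"
    return Taint(kind, max(t.hops for t in inner), True)


class CommandSourceDetector(ast.NodeVisitor):
    """Depth-first walk recording risk content that reaches a risk target command."""

    def __init__(self):
        self.env = {}    # variable name -> Taint
        self.flows = []  # (risk target command, Taint of its argument)

    def visit_Assign(self, node):
        self.generic_visit(node)  # inspect calls inside the value first
        if len(node.targets) != 1 or not isinstance(node.targets[0], ast.Name):
            return
        name, value = node.targets[0].id, node.value
        if (isinstance(value, ast.Constant) and isinstance(value.value, str)
                and len(value.value) > LENGTH_THRESHOLD):
            self.env[name] = Taint("second", 0, False)  # second risk command content node
            return
        taint = taint_of(value, self.env)
        if taint:
            self.env[name] = Taint(taint.kind, taint.hops + 1, taint.processed)
        else:
            self.env.pop(name, None)  # overwritten with a clean value

    def visit_Call(self, node):
        self.generic_visit(node)
        target = dotted(node.func)
        if target in REFERENCE_RISK_TARGETS:
            for arg in node.args:
                taint = taint_of(arg, self.env)
                if taint:
                    self.flows.append((target, taint))


def detect(source):
    """Return (abnormal, reason) for one execution function given as source text."""
    detector = CommandSourceDetector()
    detector.visit(ast.parse(source))  # S602: syntax parsing only, nothing is executed
    # A group exists only if the association covers at least one other variable node.
    groups = [taint for _, taint in detector.flows if taint.hops >= 1]
    if not groups:
        return False, "no malicious tampering code group"
    if all(t.kind == "second" and not t.processed for t in groups):
        return False, "long string passed by assignment only"
    return True, "risk content reaches risk target through command generation variables"


# Constructed samples (inert text, only parsed).
LONG = "A" * 80
SAMPLE_ENCODED = f'blob = "{LONG}"\ncode = base64.b64decode(blob)\nexec(code)\n'
SAMPLE_FIXED_TEXT = f'text = "{LONG}"\ncmd = text\nos.system(cmd)\n'
SAMPLE_EXTERNAL = 'raw = input()\ncmd = raw.replace("x", "")\nos.system(cmd)\n'
SAMPLE_SOURCE_ONLY = 'name = input()\nprint(name)\n'

if __name__ == "__main__":
    for sample in (SAMPLE_ENCODED, SAMPLE_FIXED_TEXT, SAMPLE_EXTERNAL, SAMPLE_SOURCE_ONLY):
        print(detect(sample))
```

Only the fixed-text sample exercises the false-alarm exemption: its long string reaches the risk target command by assignment alone, whereas the encoded sample passes the same kind of string through a decoding call first.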
In a possible implementation manner, executing, based on the virtual SQL database, the execution function to be executed that has undergone the first command source detection processing, and outputting the execution result corresponding to the execution function to be executed after execution by the virtual SQL database, includes:
Step S702, obtaining an initial SQL abstract syntax tree corresponding to the execution function to be executed from the first command source detection result corresponding to the execution function to be executed, and converting the initial SQL abstract syntax tree into a modification command group to be detected.
The initial SQL abstract syntax tree refers to the SQL abstract syntax tree corresponding to the execution function to be executed. A modification command refers to a machine command that can be recognized and directly executed by a node. The modification command to be detected refers to a modification command corresponding to the execution function to be executed. The set of modification commands to be detected comprises a plurality of modification commands to be detected.
Specifically, in order to prevent the abnormal execution function from being detected by antivirus software, an attacker usually applies some encryption and obfuscation processing to the code of the execution function. The first code structure detection and the first command source detection processing usually have difficulty finding an abnormal execution function that has undergone encryption and obfuscation processing. In this case, the node may execute the execution function to be executed based on the virtual SQL database to obtain the decrypted execution function, and then finally determine, based on the execution result, whether the execution function to be executed is abnormal. The node may obtain the initial SQL abstract syntax tree corresponding to the execution function to be executed from the first command source detection result corresponding to the execution function to be executed, and compile the initial SQL abstract syntax tree, thereby converting it into a modification command group to be detected.
Step S704, obtaining a kernel processing function corresponding to each modification command to be detected in the modification command group to be detected in the virtual SQL database, and executing the modification command group to be detected based on the kernel processing function to obtain a target execution function.
Specifically, when executing an execution function to be executed, a node first converts the initial SQL abstract syntax tree into a modification command group to be detected, determines the modification command group to be executed, and then calls and executes a kernel processing function corresponding to each modification command to be detected, thereby completing an execution function execution operation and obtaining a target execution function. If the code of the execution function to be executed uses methods such as character string splicing, character string replacement, base64 encryption and the like, when the modification command group to be executed is executed, the nodes call kernel processing functions corresponding to the methods to execute the processing methods realized in the kernel processing functions, so that the execution function to be executed is decrypted to obtain the decrypted execution function.
Step S706, when the execution function to be executed is inconsistent with the target execution function, taking the target execution function as an execution result and outputting the execution result.
Specifically, if the code of the execution function to be executed does not use the obfuscation methods such as string concatenation, string replacement, base64 encryption, etc., the target execution function obtained by the node executing the modification command group to be executed based on the kernel processing function is still the execution function to be executed. If the code of the execution function to be executed uses the confusion methods such as character string splicing, character string replacement, base64 encryption and the like, the target execution function obtained by the node executing the modification command group to be detected based on the kernel processing function is the execution result corresponding to the execution function to be executed. Therefore, when the execution function to be executed is inconsistent with the target execution function, the node may output the target execution function as an execution result, and perform the second code structure detection and the second command source detection on the execution result, thereby finally determining whether the execution function to be executed is an abnormal execution function. When the execution function to be executed is consistent with the target execution function, the node may not perform execution function output.
In one possible implementation, different virtual execution algorithms may be established for different programming languages. Adaptive operation code commands and kernel processing functions are designed according to different programming languages, so that the accuracy and adaptability of the virtual execution algorithm are improved.
In this embodiment, the encrypted execution function may be decrypted based on the kernel processing function to obtain an execution result, and then the execution result is further subjected to second code structure detection and second command source detection, so that the encrypted abnormal execution function can be detected, and accuracy of execution function detection is improved.
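The following sketch illustrates steps S702 to S706: the syntax tree is compiled into a flat command group, each command is dispatched to its own handler, and a target execution function is output only when it differs from the input. It is an added example, not the patent's implementation: it assumes Python as the target language, the opcode names and the `VirtualDatabase` class are hypothetical, and only top-level statements are handled.

```python
import ast
import base64

EMIT_CALLS = {"exec", "eval"}  # assumed calls whose argument is the hidden function body


class Unsupported(Exception):
    """Raised for expressions that have no kernel processing function here."""


def compile_expr(node, ops):
    """Translate a string-valued expression into stack commands (post-order)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        ops.append(("PUSH", node.value))
    elif isinstance(node, ast.Name):
        ops.append(("LOAD", node.id))
    elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        compile_expr(node.left, ops)
        compile_expr(node.right, ops)
        ops.append(("CONCAT", None))
    elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and not node.keywords:
        func = node.func
        if func.attr == "replace" and len(node.args) == 2:
            compile_expr(func.value, ops)
            for arg in node.args:
                compile_expr(arg, ops)
            ops.append(("REPLACE", None))
        elif func.attr == "decode" and not node.args:
            compile_expr(func.value, ops)  # bytes -> str is a no-op in this model
        elif dotted_base64(func) and len(node.args) == 1:
            compile_expr(node.args[0], ops)
            ops.append(("B64DECODE", None))
        else:
            raise Unsupported(func.attr)
    else:
        raise Unsupported(type(node).__name__)


def dotted_base64(func):
    return func.attr == "b64decode" and isinstance(func.value, ast.Name) and func.value.id == "base64"


def compile_function(source):
    """S702: convert the syntax tree into a command group (list of (opcode, arg))."""
    ops = []
    for stmt in ast.parse(source).body:
        expr_ops = []
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            try:
                compile_expr(stmt.value, expr_ops)
                ops += expr_ops + [("STORE", stmt.targets[0].id)]
            except Unsupported:
                ops.append(("FORGET", stmt.targets[0].id))
        elif (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                and isinstance(stmt.value.func, ast.Name)
                and stmt.value.func.id in EMIT_CALLS and len(stmt.value.args) == 1):
            try:
                compile_expr(stmt.value.args[0], expr_ops)
                ops += expr_ops + [("EMIT", None)]
            except Unsupported:
                pass
    return ops


class VirtualDatabase:
    """S704: one handler per command; unknown values are modelled as None."""

    def __init__(self):
        self.stack, self.env, self.emitted = [], {}, []

    def push(self, arg): self.stack.append(arg)
    def load(self, arg): self.stack.append(self.env.get(arg))
    def store(self, arg): self.env[arg] = self.stack.pop()
    def forget(self, arg): self.env.pop(arg, None)

    def concat(self, _):
        right, left = self.stack.pop(), self.stack.pop()
        self.stack.append(None if None in (left, right) else left + right)

    def replace(self, _):
        new, old, text = self.stack.pop(), self.stack.pop(), self.stack.pop()
        self.stack.append(None if None in (text, old, new) else text.replace(old, new))

    def b64decode(self, _):
        text = self.stack.pop()
        try:
            decoded = base64.b64decode(text, validate=True) if text is not None else None
        except ValueError:  # not valid base64: leave the value unknown
            decoded = None
        self.stack.append(decoded.decode("utf-8", "replace") if decoded is not None else None)

    def emit(self, _):
        value = self.stack.pop()
        if value is not None:
            self.emitted.append(value)  # recorded as text, never executed

    def run(self, ops):
        for opcode, arg in ops:
            getattr(self, opcode.lower())(arg)
        return self.emitted


def virtual_execute(source):
    """S706: return the target execution function if it differs from the input, else None."""
    emitted = VirtualDatabase().run(compile_function(source))
    target = "\n".join(emitted) if emitted else source
    return target if target != source else None


# Constructed sample: an inert payload hidden behind splitting, replacement and base64.
PAYLOAD = "print('constructed payload')"
ENCODED = base64.b64encode(PAYLOAD.encode()).decode()
HALF = len(ENCODED) // 2
SAMPLE_OBFUSCATED = (f'a = "{ENCODED[:HALF]}"\nb = "{ENCODED[HALF:]}"\n'
                     'c = (a + "#" + b).replace("#", "")\nexec(base64.b64decode(c))\n')
SAMPLE_PLAIN = "x = 1\nprint(x)\n"
```

The string returned by `virtual_execute` is what the second code structure detection and second command source detection would then inspect.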
In a possible implementation manner, after executing the to-be-executed execution function subjected to the first command source detection processing based on the virtual SQL database and outputting an execution result corresponding to the to-be-executed execution function after the virtual SQL database is executed, the method further includes: and generating a target SQL abstract syntax tree corresponding to the execution result based on the virtual SQL database. Performing a second command source detection process on the execution result to obtain a second command source detection result corresponding to the execution result, including: and performing second command source detection processing on the execution result based on the target SQL abstract syntax tree to obtain a second command source detection result corresponding to the execution result.
In particular, the node may also integrate a virtual execution algorithm and an SQL abstract syntax tree generation algorithm in the virtual SQL database. In this way, after the node executes the execution function to be executed based on the virtual execution algorithm and outputs the execution result corresponding to the execution function to be executed, the node may further generate and output the target SQL abstract syntax tree corresponding to the execution result based on the SQL abstract syntax tree generation algorithm. Furthermore, when the node performs the second command source detection processing on the execution result, the node does not need to regenerate the target SQL abstract syntax tree corresponding to the execution result, and can directly obtain the target SQL abstract syntax tree corresponding to the execution result output by the virtual SQL database, and perform the second command source detection processing on the target SQL abstract syntax tree to obtain the second command source detection result corresponding to the execution result.
In this embodiment, when performing the second command source detection processing on the execution result, the target SQL abstract syntax tree corresponding to the execution result output by the virtual SQL database may be obtained, and the target SQL abstract syntax tree is directly analyzed to obtain the second command source detection result corresponding to the execution result, so that the second command source detection efficiency of the execution result may be improved.
In this embodiment, the execution function detection request triggers the abnormal detection of the execution function, and the execution function detection can be triggered according to actual needs, rather than blind detection. When the execution function to be executed is abnormal, warning information carrying the execution function identification corresponding to the execution function to be executed is generated and displayed, and related personnel can be reminded in time to improve the vigilance.
In a possible implementation manner, the node server 10 is configured with a private key, the SQL database is configured with a password, and the private key is used to encrypt the password, and before step S205 is executed, the following example is further provided in this embodiment of the present application.
In step S206, the target private key of the target node server 10 is called to decrypt the password of the SQL database.
In step S207, the decrypted password of the SQL database is called, so that the target node server 10 is connected to the SQL database.
In order to ensure the security of the data stored in the SQL database, on the basis that the consensus mechanism of the block chain cannot be utilized, each node server 10 may separately manage the password of the SQL database that is maintained by itself. For example, each node server 10 may be pre-configured with a private key, which is used to encrypt the password of the SQL database, and the encrypted password of the SQL database may be stored in the kv table of the intelligent contract. When the SQL database maintained by the node server 10 needs to be used subsequently, the corresponding intelligent contract may provide the encrypted password of the SQL database, and then the private key of the node server 10 decrypts the encrypted password for normal use. It should be understood that if a node server 10 private key is revealed, this node server 10 may be discarded. It should be understood that the above-mentioned password of the SQL database may refer to a password of a server where the SQL database is located, and in other embodiments of the embodiment of the present application, an account password of a user may also be configured for the SQL database, and the security of the SQL database is further improved by matching with the filter.
In one possible implementation, the embodiments of the present application also provide the following examples.
In step S208, it is determined whether or not the execution results received by the plurality of node servers 10 match.
If yes, go to step S209.
If not, go to step S210.
In step S209, the execution result is determined to be normal.
Step S210, determining that the SQL data is tampered.
In addition to the method proposed above, the embodiment of the present application provides a scheme for determining whether a data tampering problem occurs, according to a to-be-processed transaction operation input by a user, each node server 10 correspondingly executes an execution function for implementing the to-be-processed transaction operation, and updates a corresponding execution result at each node server 10, where if different execution results exist, it indicates that a corresponding SQL database has been tampered.
Besides, as described above, the intelligent contract includes the execution functions of execution functions, namely three types of statements, namely DDL statements and DQL statements, each function only allows receiving its own type of statement as input, and the filter controls the input SQL statement type, which can also improve the security of the intelligent contract and the SQL data.
When a user uses the method for the first time, a dedicated intelligent contract can be created for the user and a corresponding SQL database is created at the same time. The new intelligent contract and the new SQL database are bound to each other and are completely isolated from other intelligent contracts and SQL databases. However, the intelligent contract is not allowed to execute the database CREATE operation, because this could give the newly created SQL database the same name as an existing SQL database and cause management confusion; the SQL database can instead be created by the virtual machine corresponding to the block chain.
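The filter checks described in the two paragraphs above (contract bound to its own database, one statement type per execution function, no database CREATE from a contract) can be sketched as follows. This is an added example, not the patent's implementation: the function names, identifiers and bindings are hypothetical, and DML as the third statement type is an assumption, since the passage names only DDL and DQL. The sketch fails closed on stacked statements, comments and dialect-specific quoting.

```python
# Contract-to-database bindings (constructed sample values).
BINDINGS = {"contract-001": "db-001"}
# Hypothetical execution-function names and the one category each accepts.
FUNCTION_CATEGORY = {"exec_ddl": "DDL", "exec_dml": "DML", "exec_dql": "DQL"}
# The passage names DDL and DQL; DML as the third category is an assumption.
CATEGORY_BY_KEYWORD = {
    "CREATE": "DDL", "ALTER": "DDL", "DROP": "DDL", "TRUNCATE": "DDL",
    "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML",
    "SELECT": "DQL",
}
# Characters whose quoting or comment meaning differs between SQL dialects.
DIALECT_SENSITIVE = set('\\"`#$')


def split_statements(sql):
    """Split on ';' outside string literals; each literal is replaced by ''."""
    if DIALECT_SENSITIVE & set(sql):
        raise ValueError("dialect-dependent character in statement")
    statements, current, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "'":
            # Find the closing quote; a doubled quote ('') is an escape.
            j = i + 1
            while j < n and (sql[j] != "'" or sql[j:j + 2] == "''"):
                j += 2 if sql[j] == "'" else 1
            if j >= n:
                raise ValueError("unterminated string literal")
            current.append("''")
            i = j + 1
        elif sql[i:i + 2] in ("--", "/*"):
            # Comments are refused, not skipped: some dialects execute
            # the body of specially marked comments.
            raise ValueError("comments are not accepted")
        elif ch == ";":
            statements.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    statements.append("".join(current))
    return [s.strip() for s in statements if s.strip()]


def filter_allows(contract_id, database_id, function_name, sql):
    """Return (allowed, reason) for one call passing through the filter."""
    if BINDINGS.get(contract_id) != database_id:
        return False, "contract is not bound to this database"
    category = FUNCTION_CATEGORY.get(function_name)
    if category is None:
        return False, "unknown execution function"
    try:
        statements = split_statements(sql)
    except ValueError as exc:
        return False, str(exc)
    if len(statements) != 1:
        return False, "exactly one statement is required"
    words = statements[0].upper().split()
    if CATEGORY_BY_KEYWORD.get(words[0]) != category:
        return False, "statement type does not match execution function"
    if words[:2] == ["CREATE", "DATABASE"]:
        return False, "CREATE DATABASE is not allowed from a contract"
    return True, "ok"
```

A keyword check of this kind only gates the statement type; parameter binding and the database account's own privileges still have to limit what an accepted statement can touch.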
The embodiment of the present application provides a data processing apparatus 110 based on a block chain and SQL, which is applied to the block chain, where the block chain stores a plurality of intelligent contracts, the intelligent contracts have a binding relationship with user information, the block chain includes a plurality of node servers 10, please refer to fig. 3 in combination, and the data processing apparatus 110 based on the block chain and the SQL includes:
a matching module 1101, configured to obtain user information; call the intelligent contract corresponding to the user information according to the binding relationship, wherein the intelligent contract comprises an SQL database address; and determine, according to the SQL database address, a target node server 10 storing the SQL database corresponding to the intelligent contract from the plurality of node servers 10;
an execution module 1102, configured to obtain a transaction operation to be processed; and execute the transaction operation to be processed on the target node server 10 according to the intelligent contract, so as to update the SQL database and obtain an execution result.
It should be noted that, for the implementation principle of the data processing apparatus 110 based on the block chain and SQL, reference may be made to the implementation principle of the data processing method based on the block chain and SQL, which is not described again here. It should be understood that the division of the above apparatus into modules is only a logical division; in an actual implementation the modules may be wholly or partially integrated into one physical entity, or may be physically separate. These modules may all be implemented as software called by a processing element, or all be implemented in hardware; alternatively, some modules may be implemented as software called by a processing element and others in hardware. For example, the matching module 1101 may be a separately provided processing element, may be integrated into a chip of the apparatus, or may be stored in the memory 400 of the apparatus in the form of program code that is called and executed by a processing element of the apparatus. The other modules are implemented similarly. In addition, all or some of the modules may be integrated together or implemented independently. The processing element described here may be an integrated circuit with signal processing capability. In implementation, the steps of the method or the modules may be completed by integrated logic circuits of hardware in a processor element or by commands in the form of software.
For example, the above modules may be one or more integrated circuits configured to implement the above methods, such as one or more Application Specific Integrated Circuits (ASICs), one or more microprocessors (DSPs), or one or more Field Programmable Gate Arrays (FPGAs). For another example, when one of the above modules is implemented in the form of program code scheduled by a processing element, the processing element may be a general-purpose processor, such as a Central Processing Unit (CPU) or another processor that can call program code. As another example, these modules may be integrated together and implemented in the form of a system-on-a-chip (SOC).
The embodiment of the present invention provides a computer device 100, where the computer device 100 includes a processor and a non-volatile memory storing a computer command, and when the computer command is executed by the processor, the computer device 100 executes the data processing apparatus 110 based on the blockchain and the SQL. As shown in fig. 4, fig. 4 is a block diagram of a computer device 100 according to an embodiment of the present invention. The computer device 100 comprises a block chain and SQL based data processing apparatus 110, a memory 111, a processor 112 and a communication unit 113.
To facilitate the transfer or interaction of data, the elements of the memory 111, the processor 112 and the communication unit 113 are electrically connected to each other, directly or indirectly. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The blockchain and SQL-based data processing apparatus 110 includes at least one software functional module that may be stored in a memory 111 in the form of software or firmware (firmware) or solidified in an Operating System (OS) of the computer device 100. The processor 112 is configured to execute the block chain and SQL-based data processing apparatus 110 stored in the memory 111, for example, software functions included in the block chain and SQL-based data processing apparatus 110.
An embodiment of the present application provides a readable storage medium that includes a computer program; when the computer program runs, it controls the computer device where the readable storage medium is located to execute the data processing method based on the blockchain and SQL in at least one of the foregoing possible embodiments.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

Claims (12)

1. A data processing method based on a block chain and SQL is characterized in that the data processing method is applied to the block chain, the block chain stores a plurality of intelligent contracts, the intelligent contracts are in binding relation with user information, the block chain comprises a plurality of node servers, and the method comprises the following steps:
acquiring user information;
calling an intelligent contract corresponding to the user information according to the binding relationship, wherein the intelligent contract comprises an SQL database address;
according to the SQL database address, determining a target node server for storing the SQL database corresponding to the intelligent contract from the plurality of node servers;
acquiring a transaction operation to be processed;
and executing the transaction operation to be processed on the target node server according to the intelligent contract so as to update the SQL database and obtain an execution result.
2. The method of claim 1, wherein the node server is configured with a filter, wherein the smart contract comprises an execution function, and wherein executing the pending transaction operation on the target node server in accordance with the smart contract comprises:
and under the condition that the execution function passes through the filter, executing the transaction operation to be processed at the target node server according to the execution function.
3. The method of claim 2, wherein determining whether the execution function passes the filter comprises:
judging whether the contract identification of the intelligent contract corresponding to the execution function is matched with the database identification of the SQL database;
if the contract identifier is matched with the database identifier, judging whether the execution function exists in a preset execution function range, and if the execution function exists in the preset execution function range, judging that the execution function passes through the filter; if the execution function does not exist in the preset execution function range, judging that the execution function does not pass through the filter;
and if the contract identification is not matched with the database identification, judging that the execution function does not pass through the filter.
4. The method of claim 2, wherein prior to performing the pending transaction operation on the target node server in accordance with the intelligent contract, the method further comprises:
acquiring an execution function to be executed;
performing first code structure detection on the execution function to be executed to obtain a first code structure detection result corresponding to the execution function to be executed;
performing first command source detection processing on the execution function to be executed according to a first code structure detection result corresponding to the execution function to be executed to obtain a first command source detection result corresponding to the execution function to be executed, wherein the first command source detection processing is first command source detection processing of the execution function to be executed by a pointer;
executing an execution function to be executed after first command source detection processing based on a virtual SQL database, and outputting an execution result corresponding to the execution function to be executed after the execution of the virtual SQL database, wherein the virtual SQL database is used for performing simulation analysis on the execution function through a virtual execution algorithm;
respectively carrying out second code structure detection and second command source detection processing on the execution result to obtain a second code structure detection result and a second command source detection result corresponding to the execution result, wherein the second command source detection processing is secondary command source detection processing of an execution function to be executed by a pointer, the command source detection processing refers to analyzing program codes in the execution function on the premise of not executing the execution function to find a malicious tampering code group consisting of risk command content, a command generation variable and a risk target command in the execution function, the risk command content comprises target risk command content, and the target risk command content is a character string variable with the length larger than a preset threshold value; in the malicious tampering code group containing the target risk command content, when the target risk command content transmits data to a risk target command in an assignment mode, the command source detection result of an execution function corresponding to the malicious tampering code group is that the execution function is not abnormal;
and when at least one of a first code structure detection result, a first command source detection result, a second code structure detection result and a second command source detection result corresponding to the execution result is an execution function abnormity, determining that the execution function to be executed is an abnormal execution function.
5. The method of claim 4, wherein the currently executed function is the executed function to be executed, and performing current-order code structure detection on the currently executed function to obtain a current-order code structure detection result corresponding to the currently executed function includes:
extracting feature information from the current execution function to obtain at least one piece of feature information to be matched;
matching each feature information to be matched with the feature information of the abnormal execution function; the abnormal execution function characteristic information comprises at least one of abnormal execution function code information, abnormal execution function regular string information and abnormal execution function entropy information;
and when at least one piece of feature information to be matched is successfully matched, determining that the detection result of the current-order code structure corresponding to the current execution function is abnormal.
6. The method according to claim 5, wherein the method for generating the entropy information of the abnormal execution function comprises the following steps:
acquiring a plurality of abnormal execution functions;
respectively extracting code elements from each abnormal execution function to obtain a code element set corresponding to each abnormal execution function, wherein the code element set comprises a plurality of code elements and position information corresponding to each code element;
generating corresponding undetermined entropy information based on a code element set corresponding to the same abnormal execution function to obtain undetermined entropy information corresponding to each abnormal execution function;
and generating the entropy information of the abnormal execution function based on the information of each undetermined entropy.
7. The method of claim 4, wherein performing a first command source detection process on the to-be-executed execution function according to the first code structure detection result corresponding to the to-be-executed execution function to obtain a first command source detection result corresponding to the to-be-executed execution function, comprises:
and when the first code structure detection result indicates that the execution function is abnormal, performing first command source detection processing on the execution function to be executed to obtain a first command source detection result corresponding to the execution function to be executed.
8. The method of claim 1, wherein the node server is configured with a private key, wherein the SQL database is configured with a password, and wherein the private key is used to encrypt the password, and wherein before the pending transaction operation is executed on the target node server according to the intelligent contract to update the SQL database with the execution result, the method further comprises:
calling a target private key of the target node server to decrypt the password of the SQL database;
and calling the decrypted password of the SQL database so as to connect the target node server to the SQL database.
9. The method of claim 1, further comprising:
judging whether the execution results received by the plurality of node servers are consistent;
if yes, judging that the execution result is normal;
if not, judging that the SQL data is tampered.
10. A data processing device based on a block chain and SQL is applied to the block chain, the block chain stores a plurality of intelligent contracts, the intelligent contracts have a binding relation with user information, the block chain comprises a plurality of node servers, and the device comprises:
the matching module is used for acquiring user information; calling an intelligent contract corresponding to the user information according to the binding relationship, wherein the intelligent contract comprises an SQL database address; according to the SQL database address, determining a target node server for storing the SQL database corresponding to the intelligent contract from the plurality of node servers;
the execution module is used for acquiring transaction operation to be processed; and executing the transaction operation to be processed on the target node server according to the intelligent contract so as to update the SQL database and obtain an execution result.
11. A computer device comprising a processor and a non-volatile memory storing computer commands, wherein when the computer commands are executed by the processor, the computer device performs the method of processing data based on blockchain and SQL according to any one of claims 1 to 9.
12. A readable storage medium, comprising a computer program, wherein the computer program controls a computer device on which the readable storage medium is executed to perform the method for processing data based on block chaining and SQL according to any one of claims 1-9.
CN202111382975.1A 2021-11-22 2021-11-22 Data processing method based on block chain and SQL Active CN113821570B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111382975.1A CN113821570B (en) 2021-11-22 2021-11-22 Data processing method based on block chain and SQL

Publications (2)

Publication Number Publication Date
CN113821570A true CN113821570A (en) 2021-12-21
CN113821570B CN113821570B (en) 2022-03-01

Family

ID=78917985

Country Status (1)

Country Link
CN (1) CN113821570B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106874440A (en) * 2017-02-07 2017-06-20 杭州秘猿科技有限公司 A kind of block chain state storage method based on SQL database
CN109857724A (en) * 2019-02-12 2019-06-07 众安信息技术服务有限公司 The method and apparatus for supporting multitype database is realized based on block chain
CN111741000A (en) * 2020-06-22 2020-10-02 北京邮电大学 Data access system and method based on block chain and intelligent contract and mobile base station
US20200344132A1 (en) * 2019-04-26 2020-10-29 Salesforce.Com, Inc. Systems, methods, and apparatuses for implementing a metadata driven rules engine on blockchain using distributed ledger technology (dlt)
WO2020238255A1 (en) * 2019-05-30 2020-12-03 创新先进技术有限公司 Smart contract management method and apparatus based on blockchain, and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant