CN115422555B - Back door program detection method and device, electronic equipment and storage medium - Google Patents

Publication number
CN115422555B
Authority
CN
China
Prior art keywords
program
data
target
tested
test data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211376822.0A
Other languages
Chinese (zh)
Other versions
CN115422555A (en)
Inventor
肖达
沈传宝
刘加勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Huayuan Information Technology Co Ltd
Original Assignee
Beijing Huayuan Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Huayuan Information Technology Co Ltd filed Critical Beijing Huayuan Information Technology Co Ltd
Priority to CN202211376822.0A priority Critical patent/CN115422555B/en
Publication of CN115422555A publication Critical patent/CN115422555A/en
Application granted granted Critical
Publication of CN115422555B publication Critical patent/CN115422555B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

The embodiments of the present disclosure provide a backdoor program detection method and device, electronic equipment and a storage medium, applied to the technical field of the internet. The method comprises the following steps: acquiring test data; acquiring a first operation result of a benchmark program on the test data, wherein the first operation result comprises a first operation duration of the benchmark program when processing the test data; acquiring a second operation result of the program to be tested on the test data, wherein the second operation result comprises a second operation duration of the program to be tested when processing the test data; and comparing the second operation duration with the first operation duration to obtain a first comparison result, and determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested. In this way, whether a backdoor program is embedded in the target system can be effectively detected.

Description

Back door program detection method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to a method and an apparatus for detecting a backdoor program, an electronic device, and a storage medium.
Background
With the development of internet technology, information resources have grown explosively, and security problems concerning those resources have followed. Information resources face various threats: if the carrier on which the information resources depend has a vulnerability, that vulnerability is easily exploited by lawless persons. For example, hackers can exploit the vulnerability to implant a remotely controllable backdoor program into a target program, and thereby enter the target program or the target system without having control authority over it and carry out illegal operations such as remotely controlling a user's computer, stealing a user's bank account, and monitoring the user's internet activity in real time, which in turn leaks the information resources. Therefore, it is necessary to detect whether a backdoor program exists in the carrier on which the information resources depend, and to delete the backdoor program, so as to reduce the leakage of information resources and the operational security risk.
At present, in network communication, intrusion of a target system realized by implanting a backdoor program is difficult to effectively detect.
Disclosure of Invention
The disclosure provides a backdoor program detection method and device, an electronic device and a storage medium.
According to a first aspect of the present disclosure, a backdoor program detection method is provided. The method comprises the following steps:
acquiring test data;
acquiring a first operation result of a benchmark program on the test data, wherein the first operation result comprises a first operation duration of the benchmark program when the test data is processed;
acquiring a second operation result of the program to be tested on the test data, wherein the second operation result comprises a second operation duration of the program to be tested when the program to be tested processes the test data;
and comparing the second operation duration with the first operation duration to obtain a first comparison result, and determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested.
Further, the test data is data to be identified; the determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested includes:
if the first comparison result is greater than a first preset threshold, determining that a backdoor program is embedded in the program to be tested;
if the first comparison result is not greater than the first preset threshold, acquiring first identification information and second identification information; the first identification information is an identification result generated when the benchmark program processes the data to be identified; the second identification information is an identification result generated when the program to be tested processes the data to be identified;
and comparing the second identification information with the first identification information to obtain a second comparison result, and determining, according to the second comparison result, whether a backdoor program is embedded in the program to be tested.
The generation mode of the test data comprises the following steps:
acquiring the branch paths and the benchmark data set of the benchmark program;
acquiring a first target path and a second target path of the benchmark program; the first target path is a branch path comprising an input port and an output port; the second target path is a path of the benchmark program when executing one or more data in the benchmark dataset;
acquiring target data of the benchmark program; the target data is data corresponding to the second target path which is the same as the first target path;
and selecting extreme value data from the target data as the test data, wherein the extreme value data is the data with the maximum or minimum deviation from the target data average value.
Wherein the determination of the data with the maximum or minimum deviation from the target data mean comprises one or more of: the absolute value of the difference from the target data mean is minimum, the positive deviation from the target data mean is maximum, and the negative deviation from the target data mean is maximum.
Further, the number of the data to be identified is multiple, and the method further includes:
acquiring a plurality of identification results produced by the program to be tested for the data to be identified, wherein each identification result is a first identification operation result or a second identification operation result;
and respectively acquiring the proportions of the first identification operation result and the second identification operation result among the plurality of identification results, and taking whichever of the first identification operation result and the second identification operation result has a proportion greater than a second preset threshold as the second identification information.
Further, the number of the test data is plural, and the method further includes:
obtaining a plurality of running time length results of the program to be tested on each test data;
and rejecting abnormal operation results in the operation time length results, and taking the operation time length results obtained after rejection as the second operation time length.
According to a second aspect of the present disclosure, a backdoor program detection apparatus is provided. The device includes:
the first acquisition module is used for acquiring test data;
a second obtaining module, configured to obtain a first operation result of the benchmark program on the test data, where the first operation result includes a first operation duration of the benchmark program when processing the test data;
the third obtaining module is used for obtaining a second operation result of the to-be-tested program on the test data, wherein the second operation result comprises a second operation duration of the to-be-tested program in processing the test data;
and the judging module is used for comparing the second operation duration with the first operation duration to obtain a first comparison result, and determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device includes: a memory having a computer program stored thereon and a processor implementing the method as described above when executing the program.
According to a fourth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method according to the first aspect of the present disclosure.
According to the backdoor program detection method, the backdoor program detection device, the electronic equipment and the storage medium, the first operation time length and the second operation time length are obtained, the second operation time length is compared with the first operation time length, and whether the backdoor program is embedded into the program to be detected or not is determined according to the comparison result. In this way, whether the backdoor program is embedded in the target system can be effectively detected.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. The accompanying drawings are included to provide a further understanding of the present disclosure, and are not intended to limit the disclosure thereto, and the same or similar reference numerals will be used to indicate the same or similar elements, where:
FIG. 1 shows a flow diagram of a backdoor program detection method according to an embodiment of the present disclosure;
FIG. 2 shows a flow diagram for generating test data according to an embodiment of the present disclosure;
FIG. 3 shows a block diagram of a back door program detection device according to an embodiment of the present disclosure;
FIG. 4 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
In addition, the term "and/or" herein merely describes an association relationship between associated objects, and means that three kinds of relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter associated objects are in an "or" relationship.
Fig. 1 shows a flow diagram of a backdoor program detection method 100 according to an embodiment of the disclosure. The method 100 comprises:
Step 110, acquiring test data.
The generation method of the test data, as shown in fig. 2, includes the following steps:
Step 111, acquiring the branch paths and the benchmark data set of the benchmark program.
In some embodiments, the benchmark program is disassembled, converting the object code into assembly code to obtain an assembly-level instruction sequence of the benchmark program; a control flow graph of the benchmark program is extracted from the instruction sequence by means of a third-party tool, and the control flow graph is analyzed to obtain all branch paths in the execution process of the benchmark program. Third-party tools for extracting the control flow graph include, for example: C++ Source FlowChart, Visustin, AutoFlowchart, Source to Flowchart, Crystal FLOW for C, AthTek, etc. Since a program is a set of instructions and data, each program has its own input data set and output data set, and the required data is acquired from the input data set of the benchmark program as the data in the benchmark data set.
Step 112, acquiring a first target path and a second target path of the benchmark program; the first target path is a branch path comprising an input port and an output port; the second target path is a path of the benchmark program when executing one or more data in the benchmark dataset.
In some embodiments, the branch paths that include both an input port and an output port are selected as the first target path from all the branch paths of the benchmark program obtained in step 111. A selected first target path is a complete path from the input port to the output port; incomplete paths that include only the input port, only the output port, or neither the input port nor the output port are screened out. For example, if the input port is a and the output port is k, and the branch paths of the benchmark program are: { a → b → c → e → k, a → b → f, e → j → k, a → b → f → k, a → c → e → j → k, c → e → j … … }, then after the incomplete paths are eliminated, the first target path is: { a → b → c → e → k, a → b → f → k, a → c → e → j → k, … … }. Eliminating paths that do not substantially help in detecting a backdoor program improves the detection efficiency, improves the validity of the test data, and reduces errors. It should be noted that one or more first target paths may be selected, and the selection is not limited by the described example.
In some embodiments, one or more data are selected from the reference data set, different data sets are formed to execute the reference program, and an execution path corresponding to each data set is recorded as the second target path, for example, the second target path is: { a → b → c → e → k, a → b → d → k, a → d → e → j → k, … … }, wherein the execution data corresponding to the execution path a → b → c → e → k is: { a1; b1, b2; c2; e3, e5; k7}.
Step 113, acquiring target data of the benchmark program; the target data is data corresponding to the second target path which is the same as the first target path.
In some embodiments, the second target path obtained in step 112 is compared with the first target path, a second target path identical to the first target path is selected, and the data corresponding to that second target path is obtained to constitute the target data of the benchmark program. For example, if the first target path is: { a → b → c → e → k, a → b → f → k, a → c → e → j → k, … … } and the second target path is: { a → b → c → e → k, a → b → d → k, a → d → e → j → k, … … }, then a → b → c → e → k is selected, and the data { a1; b1, b2; c2; e3, e5; k7 } is taken as the target data. It should be noted that one or more second target paths identical to the first target path may be selected, and the selection is not limited by the described examples.
Step 114, selecting extreme value data from the target data as the test data, wherein the extreme value data is data with the maximum or minimum deviation from the target data average value.
In some embodiments, the determination of the data with the largest or smallest deviation from the target data mean comprises one or more of: the absolute value of the difference from the target data mean is minimum, the positive deviation from the target data mean is maximum, and the negative deviation from the target data mean is maximum.
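Steps 112 to 114 can be sketched as follows; this is an added illustration, not code from the patent. It reuses the path example above (input port a, output port k) and assumes each execution of the benchmark program is recorded as one numeric input together with the path it took; the numeric values and all function names are constructed for the example.

```python
from statistics import mean

# Branch paths from the description's example: input port "a", output port "k".
BRANCH_PATHS = [
    ("a", "b", "c", "e", "k"),
    ("a", "b", "f"),
    ("e", "j", "k"),
    ("a", "b", "f", "k"),
    ("a", "c", "e", "j", "k"),
    ("c", "e", "j"),
]

# Constructed execution records of the benchmark program: (numeric input, path taken).
EXECUTIONS = [
    (4.0, ("a", "b", "c", "e", "k")),
    (10.0, ("a", "b", "c", "e", "k")),
    (12.0, ("a", "b", "c", "e", "k")),
    (30.0, ("a", "b", "c", "e", "k")),
    (7.0, ("a", "b", "d", "k")),
    (100.0, ("a", "d", "e", "j", "k")),
]


def first_target_paths(branch_paths, entry, exit_port):
    """Step 112: keep only complete paths running from the input port to the output port."""
    return {tuple(p) for p in branch_paths if p and p[0] == entry and p[-1] == exit_port}


def target_data(executions, complete_paths):
    """Step 113: keep the inputs whose executed path equals one of the first target paths."""
    return [value for value, path in executions if tuple(path) in complete_paths]


def extreme_values(values):
    """Step 114: the value closest to the mean, and the largest positive and negative deviations."""
    if not values:
        raise ValueError("no execution followed a complete path; extend the benchmark data set")
    avg = mean(values)
    return {
        "closest_to_mean": min(values, key=lambda v: abs(v - avg)),
        "max_positive_deviation": max(values, key=lambda v: v - avg),
        "max_negative_deviation": min(values, key=lambda v: v - avg),
    }


def generate_test_data(branch_paths, executions, entry="a", exit_port="k"):
    """Run steps 112-114 and return the selected test data."""
    complete = first_target_paths(branch_paths, entry, exit_port)
    picks = extreme_values(target_data(executions, complete))
    # De-duplicate while keeping order: with few samples one value can fill several roles.
    return list(dict.fromkeys(picks.values()))


if __name__ == "__main__":
    print(generate_test_data(BRANCH_PATHS, EXECUTIONS))
```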
Step 120, obtaining a first operation result of the benchmark program on the test data, where the first operation result includes a first operation duration of the benchmark program when processing the test data.
Step 130, obtaining a second operation result of the program to be tested on the test data, where the second operation result includes a second operation duration of the program to be tested when processing the test data.
Further, the number of the test data is plural, and the method further includes:
obtaining a plurality of running time length results of the program to be tested on each test data;
and rejecting abnormal operation results in the operation time length results, and taking the operation time length results obtained after rejection as the second operation time length.
In some embodiments, the plurality of test data obtained in step 110 are respectively input into the program to be tested, the program to be tested is executed, the running time corresponding to each test data is recorded, the abnormal values are removed from the running times, and the values remaining after the removal are used as the second operation duration. An abnormal value may be determined as, for example, any one or more of: the minimum value, the maximum value, a measured value that deviates from the mean by more than two standard deviations, a measured value that deviates from the mean by more than three standard deviations, an outlier, and the like. Abnormal values mixed into the data necessarily distort the detection result; removing them makes the result better reflect the objective condition, reduces the detection error, and improves the accuracy. It should be noted that the method for determining the abnormal value is not limited by the described examples.
Step 140, comparing the second operation duration with the first operation duration to obtain a first comparison result, and determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested.
Specifically, the test data is data to be identified; the determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested comprises the following steps:
(1) If the first comparison result is greater than a first preset threshold, determining that a backdoor program is embedded in the program to be tested;
(2) If the first comparison result is not greater than the first preset threshold, acquiring first identification information and second identification information; the first identification information is an identification result generated when the benchmark program processes the data to be identified; the second identification information is an identification result generated when the program to be tested processes the data to be identified;
(3) Comparing the second identification information with the first identification information to obtain a second comparison result, and determining, according to the second comparison result, whether a backdoor program is embedded in the program to be tested.
Further, the number of the data to be identified is multiple, and the method further includes:
acquiring a plurality of identification results produced by the program to be tested for the data to be identified, wherein each identification result is a first identification operation result or a second identification operation result;
and respectively acquiring the proportions of the first identification operation result and the second identification operation result among the plurality of identification results, and taking whichever of the first identification operation result and the second identification operation result has a proportion greater than a second preset threshold as the second identification information.
In some embodiments, the plurality of test data obtained in step 110 are used as data to be identified and are respectively input into the program to be tested, the program to be tested is executed, and the identification result corresponding to each data to be identified is recorded. For example, the identification result is "success" 98 times and "failure" 2 times, the second preset threshold is 95, and the identification result "success", whose proportion is greater than the second preset threshold, is used as the second identification information.
In some embodiments, the second operation duration obtained in step 130 is compared with the first operation duration obtained in step 120. For example, when the standard variance between the second operation duration and the first operation duration is greater than the first preset threshold, a backdoor program is embedded in the program to be tested, an alarm is issued, and the embedded backdoor program is deleted. When the standard variance is not greater than the first preset threshold, the second identification information is compared with the first identification information: if the comparison succeeds, no backdoor program is embedded in the program to be tested; if the comparison fails, a backdoor program is embedded in the program to be tested, an alarm is issued and the embedded backdoor program is deleted; and if the results are inconsistent, an error is reported and the user readjusts the first preset threshold and the second preset threshold. This two-layer judgment improves the accuracy of backdoor program detection and reduces misjudgment. It should be noted that the comparison of the second operation duration with the first operation duration is not limited to the standard deviation.
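The two-layer judgment, together with the outlier rejection described for step 130, can be sketched as follows; this is an added illustration, not code from the patent, and all timing samples are constructed. Assumptions: the first comparison result is the relative difference between the outlier-cleaned mean durations, outliers are measurements more than two standard deviations from the mean, the thresholds 0.10 and 0.95 are illustrative (the example's 95 is read as 95%), and a dominant result that matches the benchmark means no backdoor, one that differs means a backdoor, and no dominant result means an error.

```python
import time
from collections import Counter
from statistics import mean, pstdev

# Constructed timing samples in milliseconds; 35.0 stands for a scheduling hiccup.
BENCHMARK_MS = [10.1, 10.0, 9.9, 10.2, 10.0, 9.8, 10.0, 10.1, 9.9, 35.0]
TESTED_NORMAL_MS = [10.2, 10.1, 10.0, 10.3, 9.9, 10.1, 10.0, 10.2, 10.1, 10.1]
TESTED_SLOW_MS = [13.1, 12.9, 13.0, 13.2, 12.8, 13.0, 13.1, 12.9, 13.0, 13.0]


def measure_ms(program, test_data, repeats=10):
    """Run `program` on every test datum `repeats` times; return the durations in ms."""
    durations = []
    for datum in test_data:
        for _ in range(repeats):
            start = time.perf_counter()
            program(datum)
            durations.append((time.perf_counter() - start) * 1000.0)
    return durations


def reject_outliers(samples, k=2.0):
    """Drop measurements that deviate from the mean by more than k standard deviations."""
    avg, sd = mean(samples), pstdev(samples)
    if sd == 0:
        return list(samples)
    return [x for x in samples if abs(x - avg) <= k * sd]


def first_comparison(benchmark_ms, tested_ms):
    """Assumed metric: relative difference of the outlier-cleaned mean durations."""
    base = mean(reject_outliers(benchmark_ms))
    if base <= 0:
        raise ValueError("benchmark duration must be positive")
    return abs(mean(reject_outliers(tested_ms)) - base) / base


def second_identification(results, second_threshold):
    """Return the result whose proportion exceeds the threshold, or None if there is none."""
    label, count = Counter(results).most_common(1)[0]
    return label if count / len(results) > second_threshold else None


def detect(benchmark_ms, tested_ms, first_identification, tested_results,
           first_threshold=0.10, second_threshold=0.95):
    """Two-layer judgment: timing first, identification results second."""
    if first_comparison(benchmark_ms, tested_ms) > first_threshold:
        return "backdoor"                     # layer 1: duration deviates too much
    dominant = second_identification(tested_results, second_threshold)
    if dominant is None:
        return "error"                        # inconsistent results: readjust thresholds
    return "clean" if dominant == first_identification else "backdoor"


if __name__ == "__main__":
    mostly_success = ["success"] * 98 + ["failure"] * 2
    print(detect(BENCHMARK_MS, TESTED_SLOW_MS, "success", mostly_success))
    print(detect(BENCHMARK_MS, TESTED_NORMAL_MS, "success", mostly_success))
```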
According to the embodiment of the disclosure, the following technical effects are achieved:
according to the backdoor program detection method provided by the disclosure, the first operation time length and the second operation time length are obtained, the second operation time length is compared with the first operation time length, and whether the backdoor program is embedded in the program to be detected is determined according to the comparison result. In this way, whether the backdoor program is embedded in the target system can be effectively detected.
It is noted that while for simplicity of explanation, the foregoing method embodiments have been described as a series of acts or combination of acts, it will be appreciated by those skilled in the art that the present disclosure is not limited by the order of acts, as some steps may, in accordance with the present disclosure, occur in other orders and concurrently. Further, those skilled in the art will appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules are not necessarily required for the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are further described below.
Fig. 3 shows a block diagram of a back door program detection apparatus 300 according to an embodiment of the present disclosure. As shown in fig. 3, the apparatus 300 includes:
a first obtaining module 301, configured to obtain test data;
a second obtaining module 302, configured to obtain a first operation result of the benchmark program on the test data, where the first operation result includes a first operation duration of the benchmark program when processing the test data;
a third obtaining module 303, configured to obtain a second operation result of the program to be tested on the test data, where the second operation result includes a second operation duration of the program to be tested when processing the test data;
a determining module 304, configured to compare the second operation duration with the first operation duration to obtain a first comparison result, and determine, according to the first comparison result, whether a backdoor program is embedded in the program to be tested.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working process of the described module may refer to the corresponding process in the foregoing method embodiment, and details are not described herein again.
In the technical solution of the present disclosure, the acquisition, storage, application and the like of the personal information of the users involved all comply with the relevant laws and regulations, and do not violate public order and good customs.
According to an embodiment of the present disclosure, the present disclosure also provides an electronic device and a readable storage medium.
FIG. 4 shows a schematic block diagram of an electronic device 400 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
The device 400 comprises a computing unit 401 which may perform various suitable actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 402 or a computer program loaded from a storage unit 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data required for the operation of the device 400 can also be stored. The calculation unit 401, the ROM 402, and the RAM 403 are connected to each other via a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
A number of components in device 400 are connected to I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, or the like; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408 such as a magnetic disk, optical disk, or the like; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the device 400 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
Computing unit 401 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of the computing unit 401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The calculation unit 401 executes the respective methods and processes described above, such as the back door program detection method. For example, in some embodiments, the back door program detection method may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 400 via the ROM 402 and/or the communication unit 409. When the computer program is loaded into RAM 403 and executed by computing unit 401, one or more steps of the backdoor program detection method described above may be performed. Alternatively, in other embodiments, the computing unit 401 may be configured to perform the back door program detection method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combined with a blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims (8)

1. A back door program detection method, comprising:
acquiring a branch path and a benchmark data set of a benchmark program;
acquiring a first target path and a second target path of the benchmark program; the first target path is a branch path comprising an input port and an output port; the second target path is a path of the benchmark program when executing one or more data in the benchmark dataset;
acquiring target data of the benchmark program; the target data is data corresponding to the second target path which is the same as the first target path;
selecting extreme value data from the target data as test data, wherein the extreme value data are data with the maximum or minimum deviation from the target data average value;
acquiring a first operation result of a benchmark program on the test data, wherein the first operation result comprises a first operation duration of the benchmark program when the test data is processed;
acquiring a second operation result of the program to be tested on the test data, wherein the second operation result comprises a second operation time length of the program to be tested when the program to be tested processes the test data;
and comparing the second operation time length with the first operation time length to obtain a first comparison result, and determining whether the program to be tested is embedded with a back door program according to the first comparison result.
2. The method of claim 1, wherein the test data is data to be identified; the determining whether the program to be tested is embedded with a back door program according to the first comparison result includes:
if the first comparison result is larger than a first preset threshold value, determining that the program to be tested is embedded with a back door program;
if the first comparison result is not greater than the first preset threshold, acquiring first identification information and second identification information; the first identification information is an identification result generated when the benchmark program processes the data to be identified; the second identification information is an identification result generated when the program to be identified processes the data to be identified;
and comparing the second identification information with the first identification information to obtain a second comparison result, and determining whether the program to be tested is embedded with a back door program according to the second comparison result.
3. The method of claim 1, wherein the data having the greatest or least deviation from the target data mean is determined in a manner comprising one or more of: the absolute value of the difference from the target data mean is minimum, the positive deviation from the target data mean is maximum, and the negative deviation from the target data mean is maximum.
4. The method of claim 2, wherein the number of the data to be identified is plural, the method further comprising:
acquiring a plurality of identification results of the to-be-identified data of the to-be-identified program, wherein each identification result is a first identification operation result or a second identification operation result;
and respectively acquiring the occupation ratios of the first identification operation result and the second identification operation result in the plurality of identification results, and taking the first identification operation result or the second identification operation result with the occupation ratio larger than a second preset threshold value as the second identification information.
5. The method of any of claims 1-4, wherein the number of test data is plural, the method further comprising:
obtaining a plurality of running time length results of the program to be tested on each test data;
and rejecting abnormal operation results in the operation time length results, and taking the operation time length results obtained after rejection as the second operation time length.
6. A back door program detection device, comprising:
a first obtaining module, configured to acquire a branch path and a benchmark data set of a benchmark program; acquire a first target path and a second target path of the benchmark program; the first target path is a branch path comprising an input port and an output port; the second target path is a path of the benchmark program when executing one or more data in the benchmark data set; acquire target data of the benchmark program; the target data is data corresponding to the second target path which is the same as the first target path; and select extreme value data from the target data as test data, wherein the extreme value data are data with the maximum or minimum deviation from the target data average value;
a second obtaining module, configured to obtain a first operation result of the benchmark program on the test data, wherein the first operation result comprises a first operation duration of the benchmark program when the test data is processed;
a third obtaining module, configured to obtain a second operation result of the to-be-tested program on the test data, where the second operation result includes a second operation duration of the to-be-tested program when processing the test data;
and a judging module, configured to compare the second operation time length with the first operation time length to obtain a first comparison result, and determine whether the program to be tested is embedded with a back door program according to the first comparison result.
7. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-5.
8. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method according to any one of claims 1-5.
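The flow of claims 1, 2, 3 and 5 as an added Python example; it is not code from the patent. The function names, the relative-slowdown measure, the median-absolute-deviation rejection rule and the simulated clock are assumptions, and the most-frequent-result vote in `measure` stands in for the ratio threshold of claim 4.

```python
import statistics
import time
from collections import Counter

def select_extreme_values(target_data):
    """Claims 1 and 3: min, closest-to-mean and max of the target data."""
    mean = statistics.fmean(target_data)
    nearest = min(target_data, key=lambda v: abs(v - mean))
    return sorted({min(target_data), nearest, max(target_data)})

def reject_outliers(durations, k=3.0):
    """Claim 5: drop abnormal durations (the MAD rule is an assumption)."""
    med = statistics.median(durations)
    mad = statistics.median(abs(d - med) for d in durations)
    return [d for d in durations if abs(d - med) <= max(k * mad, 1e-9)]

def measure(program, value, runs, clock):
    """Return (mean duration after rejection, most frequent result)."""
    durations, results = [], Counter()
    for _ in range(runs):
        start = clock()
        results[program(value)] += 1
        durations.append(clock() - start)
    return statistics.fmean(reject_outliers(durations)), results.most_common(1)[0][0]

def detect_backdoor(benchmark, candidate, target_data, threshold=0.5,
                    runs=5, clock=time.perf_counter):
    """Claims 1-2: relative slowdown (an assumption) first, then results."""
    findings = []
    for value in select_extreme_values(target_data):
        t_ref, out_ref = measure(benchmark, value, runs, clock)
        t_new, out_new = measure(candidate, value, runs, clock)
        if (t_new - t_ref) / t_ref > threshold:
            findings.append((value, "timing"))
        elif out_new != out_ref:
            findings.append((value, "output"))
    return findings

class SimClock:  # constructed deterministic clock so the demo ignores load
    now = 0.0
    def __call__(self):
        return self.now

CLOCK = SimClock()
TARGET_DATA = [12, 40, 47, 55, 61, 100]  # constructed inputs on the target path
def benchmark(value):
    CLOCK.now += 0.010
    return value > 50

def tampered(value):
    CLOCK.now += 0.040 if value == 100 else 0.010  # constructed hidden extra work
    return value > 50
FINDINGS = detect_backdoor(benchmark, tampered, TARGET_DATA, clock=CLOCK)
print(FINDINGS)  # [(100, 'timing')]
```

With real programs, leave `clock` at its default and raise `runs` so that scheduler noise is absorbed by the rejection step.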

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211376822.0A CN115422555B (en) 2022-11-04 2022-11-04 Back door program detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115422555A 2022-12-02
CN115422555B 2023-02-28

Family

ID=84207440

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211376822.0A Active CN115422555B (en) 2022-11-04 2022-11-04 Back door program detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115422555B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102622299A (en) * 2010-04-13 2012-08-01 常州云博软件工程技术有限公司 Working method of software detection system
CN109977633A (en) * 2019-03-28 2019-07-05 武汉斗鱼鱼乐网络科技有限公司 A kind of program protection method and relevant apparatus
CN110135198A (en) * 2019-02-18 2019-08-16 北京车和家信息技术有限公司 Program flow monitoring method, system and vehicle
CN110457907A (en) * 2019-07-25 2019-11-15 腾讯科技(深圳)有限公司 A kind of firmware program detecting method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7036697B2 (en) * 2018-09-27 2022-03-15 株式会社日立製作所 Monitoring system and monitoring method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant