CN115422555B - Back door program detection method and device, electronic equipment and storage medium - Google Patents
- Publication number
- CN115422555B
- Authority
- CN
- China
- Prior art keywords
- program
- data
- target
- tested
- test data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Abstract
Embodiments of the disclosure provide a backdoor program detection method and device, electronic equipment and a storage medium, applied to the technical field of the internet. The method comprises: acquiring test data; acquiring a first operation result of a benchmark program on the test data, wherein the first operation result comprises a first operation duration of the benchmark program when processing the test data; acquiring a second operation result of the program to be tested on the test data, wherein the second operation result comprises a second operation duration of the program to be tested when processing the test data; and comparing the second operation duration with the first operation duration to obtain a first comparison result, and determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested. In this way, whether a backdoor program is embedded in the target system can be effectively detected.
Description
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to a method and an apparatus for detecting a backdoor program, an electronic device, and a storage medium.
Background
With the development of internet technology, information resources have grown explosively, and security problems have grown with them. Information resources face various threats. If the carrier on which the information resources depend has a vulnerability, that vulnerability is easily exploited by lawless persons; for example, hackers can use the vulnerability to implant a remotely controllable backdoor program into a target program, enter the target system without holding control authority over the target program or the target system, and carry out illegal operations such as remotely controlling a user's computer, stealing a user's bank account and monitoring the user's internet activity in real time, which in turn leaks the information resources. It is therefore necessary to detect whether a backdoor program exists in the carrier on which the information resources depend, and to delete the backdoor program, so as to reduce the leakage of information resources and the security risk of operation.
At present, in network communication, intrusion of a target system realized by implanting a backdoor program is difficult to effectively detect.
Disclosure of Invention
The disclosure provides a backdoor program detection method and device, an electronic device and a storage medium.
According to a first aspect of the present disclosure, a backdoor program detection method is provided. The method comprises the following steps:
acquiring test data;
acquiring a first operation result of a benchmark program on the test data, wherein the first operation result comprises a first operation duration of the benchmark program when the test data is processed;
acquiring a second operation result of the program to be tested on the test data, wherein the second operation result comprises a second operation duration of the program to be tested when processing the test data;
and comparing the second operation duration with the first operation duration to obtain a first comparison result, and determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested.
Further, the test data is data to be identified; the determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested includes:
if the first comparison result is greater than a first preset threshold, determining that a backdoor program is embedded in the program to be tested;
if the first comparison result is not greater than the first preset threshold, acquiring first identification information and second identification information; the first identification information is an identification result generated when the benchmark program processes the data to be identified; the second identification information is an identification result generated when the program to be tested processes the data to be identified;
and comparing the second identification information with the first identification information to obtain a second comparison result, and determining, according to the second comparison result, whether a backdoor program is embedded in the program to be tested.
The generation mode of the test data comprises the following steps:
acquiring a branch path and a reference data set of the reference program;
acquiring a first target path and a second target path of the benchmark program; the first target path is a branch path comprising an input port and an output port; the second target path is a path of the benchmark program when executing one or more data in the benchmark dataset;
acquiring target data of the benchmark program; the target data is data corresponding to the second target path which is the same as the first target path;
and selecting extreme value data from the target data as the test data, wherein the extreme value data is the data with the maximum or minimum deviation from the target data average value.
Wherein the determination of the data with the maximum or minimum deviation from the target data mean comprises one or more of: the absolute value of the difference from the target data mean is minimum, the positive deviation from the target data mean is maximum, and the negative deviation from the target data mean is maximum.
Further, the number of the data to be identified is multiple, and the method further includes:
acquiring a plurality of identification results of the program to be tested on the data to be identified, wherein each identification result is a first identification operation result or a second identification operation result;
and respectively acquiring the proportions of the first identification operation result and the second identification operation result among the plurality of identification results, and taking whichever of the first identification operation result or the second identification operation result has a proportion greater than a second preset threshold as the second identification information.
Further, the number of the test data is plural, and the method further includes:
obtaining a plurality of running time length results of the program to be tested on each test data;
and rejecting abnormal operation results in the operation time length results, and taking the operation time length results obtained after rejection as the second operation time length.
According to a second aspect of the present disclosure, a backdoor program detection apparatus is provided. The device includes:
the first acquisition module is used for acquiring test data;
a second obtaining module, configured to obtain a first operation result of the benchmark program on the test data, where the first operation result includes a first operation duration of the benchmark program when processing the test data;
the third obtaining module is used for obtaining a second operation result of the to-be-tested program on the test data, wherein the second operation result comprises a second operation duration of the to-be-tested program in processing the test data;
and the judging module is used for comparing the second operation duration with the first operation duration to obtain a first comparison result, and determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device includes: a memory having a computer program stored thereon and a processor implementing the method as described above when executing the program.
According to a fourth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method according to the first aspect of the present disclosure.
According to the backdoor program detection method, the backdoor program detection device, the electronic equipment and the storage medium, the first operation time length and the second operation time length are obtained, the second operation time length is compared with the first operation time length, and whether the backdoor program is embedded into the program to be detected or not is determined according to the comparison result. In this way, whether the backdoor program is embedded in the target system can be effectively detected.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. The accompanying drawings are included to provide a further understanding of the present disclosure, and are not intended to limit the disclosure thereto, and the same or similar reference numerals will be used to indicate the same or similar elements, where:
FIG. 1 shows a flow diagram of a backdoor program detection method according to an embodiment of the present disclosure;
FIG. 2 shows a flow diagram for generating test data according to an embodiment of the present disclosure;
FIG. 3 shows a block diagram of a back door program detection device according to an embodiment of the present disclosure;
FIG. 4 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
In addition, the term "and/or" herein is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter associated objects are in an "or" relationship.
Fig. 1 shows a flow diagram of a backdoor program detection method 100 according to an embodiment of the disclosure. The method 100 comprises:
The generation method of the test data, as shown in fig. 2, includes the following steps:
Step 111: acquiring the branch path and the reference data set of the reference program.
In some embodiments, the reference program is disassembled: the object code is converted into assembly code to obtain an assembly-level instruction sequence of the reference program, a control flow graph of the reference program is extracted from the instruction sequence by means of a third-party tool, and the control flow graph is analyzed to obtain all branch paths in the execution process of the reference program. Third-party tools for extracting the control flow graph include, for example, C++ Source FlowChart, Visustin, AutoFlowChart, Source to FlowChart, Crystal FLOW for C, AthTek, etc. Since a program is a set of instructions and data, each program has its own input data set and output data set, and the required data is acquired from the input data set of the reference program as the data in the reference data set.
In some embodiments, a branch path including an input port and an output port is selected as the first target path from all branch paths of the benchmark program obtained in step 111. The selected first target path is a complete path from the input port to the output port; incomplete paths that include only the input port, only the output port, or neither the input port nor the output port are screened out. For example, if the input port is a and the output port is k, and the branch paths of the benchmark program are { a → b → c → e → k, a → b → f, e → j → k, a → b → f → k, a → c → e → j → k, c → e → j … … }, then after the incomplete paths are eliminated the first target path is { a → b → c → e → k, a → b → f → k, a → c → e → j → k, … … }. Eliminating paths that do not substantially help detect the backdoor program improves the detection efficiency, improves the validity of the test data and reduces errors. It should be noted that the selected first target path may be one or multiple, and is not limited by the described example.
In some embodiments, one or more data are selected from the reference data set, different data sets are formed to execute the reference program, and an execution path corresponding to each data set is recorded as the second target path, for example, the second target path is: { a → b → c → e → k, a → b → d → k, a → d → e → j → k, … … }, wherein the execution data corresponding to the execution path a → b → c → e → k is: { a1; b1, b2; c2; e3, e5; k7}.
In some embodiments, the second target path obtained in step 112 is compared with the first target path, a second target path identical to the first target path is selected, and the data corresponding to that second target path is then obtained to constitute the target data of the benchmark program. For example, if the first target path is { a → b → c → e → k, a → b → f → k, a → c → e → j → k, … … } and the second target path is { a → b → c → e → k, a → b → d → k, a → d → e → j → k, … … }, then a → b → c → e → k is selected, and the data { a1; b1, b2; c2; e3, e5; k7 } is taken as target data. It should be noted that the second target path selected to be the same as the first target path may be one or more, and is not limited by the described examples.
Step 114: selecting extreme value data from the target data as the test data, wherein the extreme value data is data with the maximum or minimum deviation from the target data average value.
In some embodiments, the determination of the data with the largest or smallest deviation from the target data mean comprises one or more of: the absolute value of the difference from the target data mean is minimum, the positive deviation from the target data mean is maximum, and the negative deviation from the target data mean is maximum.
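The test-data generation steps above (complete-path filtering, path matching and extreme-value selection), written out as an added Python example that is not part of the patent text. The path sets are the ones given in the description; the numeric values attached to each executed path and all function names are constructed for illustration.

```python
import statistics

# Branch paths of the benchmark program, copied from the description's
# example (input port "a", output port "k").
BRANCH_PATHS = [
    ("a", "b", "c", "e", "k"),
    ("a", "b", "f"),
    ("e", "j", "k"),
    ("a", "b", "f", "k"),
    ("a", "c", "e", "j", "k"),
    ("c", "e", "j"),
]

# Second target paths from the description, each mapped to the inputs that
# drove execution down that path. The numeric inputs are constructed.
EXECUTED = {
    ("a", "b", "c", "e", "k"): [12.0, 15.0, 9.0, 30.0, 14.0],
    ("a", "b", "d", "k"): [3.0, 4.0],
    ("a", "d", "e", "j", "k"): [50.0],
}


def first_target_paths(branch_paths, in_port, out_port):
    """Keep only complete paths: they start at the input port and end at the output port."""
    return [p for p in branch_paths if p and p[0] == in_port and p[-1] == out_port]


def target_data(first_paths, executed):
    """Keep the data of executed paths that are identical to a first target path."""
    wanted = set(first_paths)
    return {path: values for path, values in executed.items() if path in wanted}


def extreme_values(values):
    """Apply the three selection rules named in the description."""
    mean = statistics.mean(values)
    return {
        # smallest absolute difference from the mean
        "closest_to_mean": min(values, key=lambda v: abs(v - mean)),
        # largest positive deviation from the mean
        "max_positive": max(values, key=lambda v: v - mean),
        # largest negative deviation from the mean
        "max_negative": min(values, key=lambda v: v - mean),
    }


def generate_test_data(branch_paths, executed, in_port, out_port):
    """Run the whole selection and return the test data per matching path."""
    firsts = first_target_paths(branch_paths, in_port, out_port)
    selected = {}
    for path, values in target_data(firsts, executed).items():
        # A value can satisfy more than one rule; keep each value once.
        selected[path] = sorted(set(extreme_values(values).values()))
    return selected


if __name__ == "__main__":
    for path, data in generate_test_data(BRANCH_PATHS, EXECUTED, "a", "k").items():
        print(" -> ".join(path), data)
```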
Further, the number of the test data is plural, and the method further includes:
obtaining a plurality of running time length results of the program to be tested on each test data;
and rejecting abnormal operation results in the operation time length results, and taking the operation time length results obtained after rejection as the second operation time length.
In some embodiments, the plurality of test data obtained in step 110 are respectively input into the program to be tested, the program to be tested is executed, the running time corresponding to each test data is recorded, the abnormal values are removed from the running times, and the value obtained after the removal is used as the second running time. An abnormal value may be determined as, for example, any one or more of: a minimum value, a maximum value, a measured value that deviates from the mean by more than two standard deviations, a measured value that deviates from the mean by more than three standard deviations, an outlier, and the like. Data mixed with abnormal values necessarily distorts the detection result; removing the abnormal values makes the result better reflect the objective condition, reduces the detection error and improves the accuracy. It should be noted that the method for determining the abnormal value is not limited by the described examples.
Specifically, the test data is data to be identified; the determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested comprises the following steps:
(1) If the first comparison result is greater than a first preset threshold, determining that a backdoor program is embedded in the program to be tested;
(2) If the first comparison result is not greater than the first preset threshold, acquiring first identification information and second identification information; the first identification information is an identification result generated when the benchmark program processes the data to be identified; the second identification information is an identification result generated when the program to be tested processes the data to be identified;
(3) Comparing the second identification information with the first identification information to obtain a second comparison result, and determining, according to the second comparison result, whether a backdoor program is embedded in the program to be tested.
Further, the number of the data to be identified is multiple, and the method further includes:
acquiring a plurality of identification results of the program to be tested on the data to be identified, wherein each identification result is a first identification operation result or a second identification operation result;
and respectively acquiring the proportions of the first identification operation result and the second identification operation result among the plurality of identification results, and taking whichever of the first identification operation result or the second identification operation result has a proportion greater than a second preset threshold as the second identification information.
In some embodiments, the plurality of test data obtained in step 110 are used as data to be identified and are respectively input into the program to be tested, the program to be tested is executed, and the identification result corresponding to each data to be identified is recorded. For example, the identification result is "success" 98 times and "failure" 2 times, the second preset threshold is 95, and the identification result "success", which is greater than the second preset threshold, is used as the second identification information.
In some embodiments, the second operation duration obtained in step 130 is compared with the first operation duration obtained in step 120. For example, when the standard deviation between the second operation duration and the first operation duration is greater than the first preset threshold, a backdoor program is embedded in the program to be tested; an alarm is issued and the embedded backdoor program is deleted. When the standard deviation is not greater than the first preset threshold, the second identification information is compared with the first identification information: if both are "success", no backdoor program is embedded in the program to be tested; if both are "failure", a backdoor program is embedded in the program to be tested, an alarm is issued and the embedded backdoor program is deleted; if the two are inconsistent, an error is reported and the user readjusts the first preset threshold and the second preset threshold. This two-layer judgment improves the accuracy of backdoor program detection and reduces misjudgment. It should be noted that the comparison of the second operation duration with the first operation duration is not limited to the standard deviation.
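An added example, not part of the patent text, of the two-layer decision described above: outlier rejection on the recorded durations, the duration comparison against the first preset threshold, and the fallback comparison of identification results. The duration samples, the threshold values, the function names and the reading of the three identification cases as both success, both failure and inconsistent are assumptions of this example; the second preset threshold is treated as a share (0.95).

```python
import statistics

# Constructed timing samples in milliseconds (not measurements from the patent).
BASELINE_MS = [10.1, 10.3, 9.9, 10.0, 10.2, 10.1, 9.8, 10.0, 10.2, 25.0]  # one spike
CLEAN_MS = [10.2, 10.0, 10.1, 10.3, 9.9, 10.0, 10.1, 10.2, 10.0, 10.1]
SLOW_MS = [13.9, 14.2, 14.0, 14.1, 13.8, 14.0, 14.3, 14.1, 13.9, 14.0]


def reject_outliers(durations, k=2.0):
    """Drop samples that deviate from the mean by more than k standard deviations."""
    if len(durations) < 3:
        return list(durations)
    mean = statistics.mean(durations)
    sd = statistics.pstdev(durations)
    if sd == 0:
        return list(durations)
    return [d for d in durations if abs(d - mean) <= k * sd]


def timing_delta(baseline, candidate):
    """First comparison result.

    Assumption: the 'standard deviation between' the two durations is taken as
    the population standard deviation of the two cleaned means, which equals
    half their absolute difference.
    """
    b = statistics.mean(reject_outliers(baseline))
    c = statistics.mean(reject_outliers(candidate))
    return statistics.pstdev([b, c])


def dominant_result(results, share_threshold=0.95):
    """Return the identification result whose share exceeds the threshold, else None."""
    for label in ("success", "failure"):
        if results.count(label) / len(results) > share_threshold:
            return label
    return None


def detect(baseline_ms, candidate_ms, baseline_id, candidate_results,
           time_threshold, share_threshold=0.95):
    """Return 'backdoor', 'clean' or 'error' (thresholds need readjusting)."""
    # Layer 1: the duration comparison alone can flag the program.
    if timing_delta(baseline_ms, candidate_ms) > time_threshold:
        return "backdoor"
    # Layer 2: compare the identification results.
    candidate_id = dominant_result(candidate_results, share_threshold)
    if candidate_id is None or candidate_id != baseline_id:
        return "error"
    return "clean" if candidate_id == "success" else "backdoor"


if __name__ == "__main__":
    runs = ["success"] * 98 + ["failure"] * 2
    print(detect(BASELINE_MS, CLEAN_MS, "success", runs, time_threshold=0.5))
    print(detect(BASELINE_MS, SLOW_MS, "success", runs, time_threshold=0.5))
```

The first preset threshold has to sit above the run-to-run noise of the benchmark program itself, so measure that noise on the same host and load before choosing it.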
According to the embodiment of the disclosure, the following technical effects are achieved:
According to the backdoor program detection method provided by the disclosure, the first operation time length and the second operation time length are obtained, the second operation time length is compared with the first operation time length, and whether the backdoor program is embedded in the program to be detected is determined according to the comparison result. In this way, whether the backdoor program is embedded in the target system can be effectively detected.
It is noted that while for simplicity of explanation, the foregoing method embodiments have been described as a series of acts or combination of acts, it will be appreciated by those skilled in the art that the present disclosure is not limited by the order of acts, as some steps may, in accordance with the present disclosure, occur in other orders and concurrently. Further, those skilled in the art will appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules are not necessarily required for the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are further described below.
Fig. 3 shows a block diagram of a back door program detection apparatus 300 according to an embodiment of the present disclosure. As shown in fig. 3, the apparatus 300 includes:
a first obtaining module 301, configured to obtain test data;
a second obtaining module 302, configured to obtain a first operation result of the benchmark program on the test data, where the first operation result includes a first operation duration of the benchmark program when processing the test data;
a third obtaining module 303, configured to obtain a second operation result of the program to be tested on the test data, where the second operation result includes a second operation duration of the program to be tested when processing the test data;
the determining module 304 is configured to compare the second operation duration with the first operation duration to obtain a first comparison result, and to determine, according to the first comparison result, whether a backdoor program is embedded in the program to be tested.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working process of the described module may refer to the corresponding process in the foregoing method embodiment, and details are not described herein again.
In the technical scheme of the disclosure, the acquisition, storage, application and the like of the personal information of the related user all comply with the provisions of the relevant laws and regulations, and do not violate public order and good customs.
According to an embodiment of the present disclosure, the present disclosure also provides an electronic device and a readable storage medium.
FIG. 4 shows a schematic block diagram of an electronic device 400 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
The device 400 comprises a computing unit 401 which may perform various suitable actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 402 or a computer program loaded from a storage unit 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data required for the operation of the device 400 can also be stored. The calculation unit 401, the ROM 402, and the RAM 403 are connected to each other via a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
A number of components in device 400 are connected to I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, or the like; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408 such as a magnetic disk, optical disk, or the like; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the device 400 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server with a combined blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.
Claims (8)
1. A backdoor program detection method, comprising:
acquiring a branch path and a benchmark data set of a benchmark program;
acquiring a first target path and a second target path of the benchmark program; the first target path is a branch path comprising an input port and an output port; the second target path is a path of the benchmark program when executing one or more data in the benchmark dataset;
acquiring target data of the benchmark program; the target data is data corresponding to the second target path which is the same as the first target path;
selecting extreme value data from the target data as test data, wherein the extreme value data are data with the maximum or minimum deviation from the target data average value;
acquiring a first operation result of a benchmark program on the test data, wherein the first operation result comprises a first operation duration of the benchmark program when the test data is processed;
acquiring a second operation result of the program to be tested on the test data, wherein the second operation result comprises a second operation duration of the program to be tested when processing the test data;
and comparing the second operation duration with the first operation duration to obtain a first comparison result, and determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested.
2. The method of claim 1, wherein the test data is data to be identified; and the determining, according to the first comparison result, whether a backdoor program is embedded in the program to be tested includes:
if the first comparison result is greater than a first preset threshold, determining that a backdoor program is embedded in the program to be tested;
if the first comparison result is not greater than the first preset threshold, acquiring first identification information and second identification information; the first identification information is an identification result generated when the benchmark program processes the data to be identified; the second identification information is an identification result generated when the program to be identified processes the data to be identified;
and comparing the second identification information with the first identification information to obtain a second comparison result, and determining, according to the second comparison result, whether a backdoor program is embedded in the program to be tested.
3. The method of claim 1, wherein the data having the greatest or least deviation from the target data mean is determined in a manner comprising one or more of: the absolute value of the difference from the target data mean is minimum, the positive deviation from the target data mean is maximum, and the negative deviation from the target data mean is maximum.
4. The method of claim 2, wherein there are a plurality of data to be identified, the method further comprising:
acquiring a plurality of identification results produced by the to-be-identified program for the data to be identified, wherein each identification result is a first identification operation result or a second identification operation result;
and respectively acquiring the proportions of the first identification operation result and the second identification operation result among the plurality of identification results, and taking whichever of the first identification operation result or the second identification operation result has a proportion greater than a second preset threshold as the second identification information.
5. The method of any of claims 1-4, wherein there are a plurality of test data, the method further comprising:
obtaining a plurality of operation duration results of the program to be tested on each test data;
and rejecting abnormal results among the operation duration results, and taking the operation duration results remaining after the rejection as the second operation duration.
6. A backdoor program detection device, comprising:
a first acquisition module, configured to acquire a branch path and a benchmark data set of a benchmark program; acquire a first target path and a second target path of the benchmark program, wherein the first target path is a branch path comprising an input port and an output port, and the second target path is a path of the benchmark program when executing one or more data in the benchmark data set; acquire target data of the benchmark program, wherein the target data is data corresponding to the second target path which is the same as the first target path; and select extreme value data from the target data as test data, wherein the extreme value data are data with the maximum or minimum deviation from the target data average value;
a second acquisition module, configured to acquire a first operation result of the benchmark program on the test data, wherein the first operation result comprises a first operation duration of the benchmark program when processing the test data;
a third acquisition module, configured to acquire a second operation result of the program to be tested on the test data, wherein the second operation result comprises a second operation duration of the program to be tested when processing the test data;
and a judging module, configured to compare the second operation duration with the first operation duration to obtain a first comparison result, and determine, according to the first comparison result, whether a backdoor program is embedded in the program to be tested.
7. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-5.
8. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method according to any one of claims 1-5.
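The decision flow of claims 1 to 5, as an added Python example that is not code from the patent. Assumptions not stated in the claims: target data are numeric scalars, the first comparison result is the relative slowdown against the benchmark, abnormal durations are rejected with a median/MAD rule, and both threshold defaults are placeholders; all function names are hypothetical.

```python
import statistics
import time

def select_extremes(target_data):
    """Claim 3: pick test data by deviation from the target data mean."""
    mean = statistics.fmean(target_data)
    return {
        "min_abs_dev": min(target_data, key=lambda x: abs(x - mean)),
        "max_pos_dev": max(target_data, key=lambda x: x - mean),
        "max_neg_dev": min(target_data, key=lambda x: x - mean),
    }

def time_runs(program, item, repeats=5):
    """Wall-clock durations of program(item); noisy, so measure repeatedly."""
    durations = []
    for _ in range(repeats):
        start = time.perf_counter()
        program(item)
        durations.append(time.perf_counter() - start)
    return durations

def robust_duration(durations, k=3.0):
    """Claim 5: reject abnormal durations, then average what remains.
    The median/MAD rule is an assumption; the claim names no rule."""
    med = statistics.median(durations)
    mad = statistics.median(abs(d - med) for d in durations)
    kept = [d for d in durations if abs(d - med) <= k * mad] or [med]
    return statistics.fmean(kept)

def majority_label(labels, second_threshold=0.5):
    """Claim 4: the result whose share exceeds the second threshold."""
    for label in set(labels):
        if labels.count(label) / len(labels) > second_threshold:
            return label
    return None  # no result is dominant enough

def is_backdoored(ref_durations, test_durations, ref_label, test_labels,
                  first_threshold=0.5):
    """Claims 1-2: timing comparison first, identification result second."""
    t_ref = robust_duration(ref_durations)
    t_test = robust_duration(test_durations)
    # Assumed form of the first comparison result: relative slowdown.
    if (t_test - t_ref) / t_ref > first_threshold:
        return True
    # Timing looks normal: fall back to comparing identification results.
    return majority_label(test_labels) != ref_label
```

In practice the duration lists come from `time_runs` applied to the benchmark program and the program to be tested on each item returned by `select_extremes`, measured on the same host under comparable load.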
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211376822.0A CN115422555B (en) | 2022-11-04 | 2022-11-04 | Back door program detection method and device, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115422555A (en) | 2022-12-02 |
CN115422555B (en) | 2023-02-28 |
Family
ID=84207440
Family Applications (1)
Application Number | Status | Priority Date | Filing Date | Title |
---|---|---|---|---|
CN202211376822.0A (CN115422555B) | Active | 2022-11-04 | 2022-11-04 | Back door program detection method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115422555B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102622299A (en) * | 2010-04-13 | 2012-08-01 | 常州云博软件工程技术有限公司 | Working method of software detection system |
CN109977633A (en) * | 2019-03-28 | 2019-07-05 | 武汉斗鱼鱼乐网络科技有限公司 | A kind of program protection method and relevant apparatus |
CN110135198A (en) * | 2019-02-18 | 2019-08-16 | 北京车和家信息技术有限公司 | Program flow monitoring method, system and vehicle |
CN110457907A (en) * | 2019-07-25 | 2019-11-15 | 腾讯科技(深圳)有限公司 | A kind of firmware program detecting method and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP7036697B2 (en) * | 2018-09-27 | 2022-03-15 | 株式会社日立製作所 | Monitoring system and monitoring method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||