CN115935361B - Java memory horse detection method and device - Google Patents
Java memory horse detection method and device Download PDFInfo
- Publication number
- CN115935361B CN115935361B CN202310024300.2A CN202310024300A CN115935361B CN 115935361 B CN115935361 B CN 115935361B CN 202310024300 A CN202310024300 A CN 202310024300A CN 115935361 B CN115935361 B CN 115935361B
- Authority
- CN
- China
- Prior art keywords
- class data
- detection
- rule base
- target class
- memory
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The application relates to the technical field of data security, and provides a Java memory horse detection method and device. The method comprises the following steps: acquiring current data to be detected; extracting target class data with modification from each current class data; and detecting the target class data according to each detection rule in a local rule base, and determining a Java memory horse detection result of the target class data. The Java memory horse detection method provided by the embodiment of the invention can reduce the resources required to be occupied by the memory horse detection.
Description
Technical Field
The application relates to the technical field of data security, in particular to a Java memory horse detection method and device.
Background
Among the many Java security technologies, there is a way to dynamically inject a webshell, also called Java memory horse, using memory. The Java memory horse is a program with properties such as a malicious Listener and a Filter which are injected into the service middleware by an Agent mechanism or uploading jsp files or utilizing a deserialization vulnerability and the like, so that an attacker can directly execute any code through a web page interface developed externally, and the malicious code exists in the memory without an actual landing file. The technology can achieve that the file is free of landing or slightly landed, the absence of landing means that uploading of the webshell file is not needed, and the slight landing means that the file is deleted immediately after being accessed once after uploading the webshell. The traditional webshell detection is to scan the file to find out the webshell, but the Java memory horse has high concealment because the file is not landed or is slightly landed, and is not easy to find.
Currently, in order to detect a Java memory horse, a agent or a reflection mode is adopted to inject a static rule, so that when the Java memory horse detection is triggered, all class data are traversed by the static rule to detect whether the Java memory horse exists. However, this detection method needs to traverse all class data at each detection, and since class data is usually large, a large amount of resources are required for each detection.
Disclosure of Invention
The present application aims to solve at least one of the technical problems existing in the related art. Therefore, the Java memory horse detection method can reduce resources occupied by detecting the memory horse.
The application also provides a Java memory horse detection device.
The application also provides electronic equipment.
The present application also proposes a computer-readable storage medium.
According to an embodiment of the first aspect of the application, the Java memory horse detection method comprises the following steps:
acquiring current data to be detected;
extracting target class data with modification from each current class data;
and detecting the target class data according to each detection rule in a local rule base, and determining a Java memory horse detection result of the target class data.
According to the Java memory horse detection method provided by the embodiment of the application, the modified target class data are extracted from the obtained current class data, and when the target class data are extracted, the target class data are detected through the detection rules in the local rule base, so that the Java memory horse detection result of the target class data is determined. Because normal class data basically does not change in the running process of the Java program, when Java memory horse detection is performed for some time, java memory horse detection is performed only for abnormal class data through detection rules, and Java memory horse detection is not required for all class data in each detection. The abnormal class data is usually few, so that the problem of occupying resources is basically not considered, and the resources required for detecting Java memory horses can be reduced.
According to one embodiment of the present application, extracting target class data with modification from each of the current class data includes:
matching each current class data with each history class data to extract target class data which is not matched with each history class data from each current class data;
wherein, each history class data is the class data obtained when the Java memory horse detection is performed last time.
According to one embodiment of the present application, detecting the target class data according to each detection rule in the local rule base, and determining a Java memory horse detection result of the target class data includes:
synchronizing each detection rule in a remote rule base to the local rule base;
and detecting the target class data according to each synchronized detection rule, and determining a Java memory horse detection result of the target class data.
According to one embodiment of the present application, further comprising:
and determining that the Java memory horse detection result of the target class data is non-malicious class data, and sending the target class data to the remote rule base for Java memory horse detection.
According to one embodiment of the present application, further comprising:
and determining that the Java memory horse detection result of the target class data is non-malicious class data, periodically acquiring each detection rule in the remote rule base for multiple times, synchronizing the detection rules to the local rule base, and detecting the target class data according to each detection rule in the local rule base after each synchronization until the detection times of the target class data reach preset times or the Java memory horse detection result of the target class data is malicious class data.
According to one embodiment of the present application, further comprising:
determining that each history class data does not exist, and synchronizing each detection rule in a remote rule base to the local rule base;
and detecting each current class data according to each synchronized detection rule, and determining Java memory horse detection results of each current class data.
According to one embodiment of the application, the local rule base synchronizes detection rules of the remote rule base at regular time;
and carrying out Java memory horse detection on various data acquired when synchronization is completed after each local rule base synchronization.
According to an embodiment of the second aspect of the present application, a Java memory horse detection apparatus includes:
the class data acquisition module is used for acquiring each current class data to be detected;
the target class extraction module is used for extracting target class data with modification from each piece of current class data;
and the memory horse detection module is used for detecting the target class data according to each detection rule in the local rule base and determining Java memory horse detection results of the target class data.
An electronic device according to an embodiment of a third aspect of the present application includes a processor and a memory storing a computer program, where the processor implements the Java memory horse detection method according to any of the above embodiments when executing the computer program.
A computer readable storage medium according to an embodiment of a fourth aspect of the present application, on which a computer program is stored, which when executed by a processor, implements the Java memory horse detection method according to any of the above embodiments.
A computer program product according to an embodiment of the fifth aspect of the present application, comprising: the computer program, when executed by a processor, implements a Java memory horse detection method as described in any of the embodiments above.
The above technical solutions in the embodiments of the present application have at least one of the following technical effects:
and extracting target class data with modification from the obtained current class data, and detecting the target class data through each detection rule in the local rule base when the target class data is extracted, so as to determine a Java memory horse detection result of the target class data. Because normal class data basically does not change in the running process of the Java program, when Java memory horse detection is performed for some time, java memory horse detection is performed only for abnormal class data through detection rules, and Java memory horse detection is not required for all class data in each detection. The abnormal class data is usually few, so that the problem of occupying resources is basically not considered, and the resources required for detecting Java memory horses can be reduced.
Furthermore, each detection rule in the remote rule base is synchronized to the local rule base, so that the Java memory horse detection result of the target class data is determined by detecting the target class data according to each synchronized detection rule, the detection rule of the local rule base can be updated in a synchronous mode of the remote rule base, a new Java program is not required to be issued, the updating efficiency of the local rule base is improved, the latest detection rule of the target class data is ensured, and the accuracy of Java memory horse detection of the target class data is improved.
Furthermore, after the Java memory horse detection result of the target class data is determined to be the non-malicious class data, the local rule base is updated at regular time for a plurality of times, and the target class data is re-detected after each local rule base update, so that the target class data can be accurately detected without being sent to a remote rule base, and sensitive data leakage is avoided. And because the modified target class data is usually few, even if the detection is performed for a plurality of times, the problem of occupying resources is basically not considered.
Drawings
For a clearer description of the present application or of the prior art, the drawings that are used in the description of the embodiments or of the prior art will be briefly described, it being apparent that the drawings in the description below are some embodiments of the present application, and that other drawings may be obtained from these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a Java memory horse detection method according to an embodiment of the present application;
FIG. 2 is a flowchart for further refining Java memory horse detection of target class data in the Java memory horse detection method of FIG. 1;
fig. 3 is a schematic structural diagram of a Java memory horse detection apparatus according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The following describes and describes the Java memory horse detection method and apparatus provided in the embodiments of the present application in detail through several specific embodiments.
In an embodiment, a Java memory horse detection method is provided, and the method is applied to a terminal device and used for detecting Java memory horses. The network device may be a user terminal or a server, and the user terminal may be a desktop terminal or a portable terminal, such as a desktop computer, a notebook computer, and the like. The server can be an independent server or a server cluster formed by a plurality of servers, and can also be a cloud server for providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, big data and artificial intelligent sampling point devices and the like.
As shown in fig. 1, the Java memory horse detection method provided in this embodiment includes:
and step 103, detecting the target class data according to each detection rule in the local rule base, and determining a Java memory horse detection result of the target class data.
And extracting target class data with modification from the obtained current class data, and detecting the target class data through each detection rule in the local rule base when the target class data is extracted, so as to determine a Java memory horse detection result of the target class data. Because normal class data basically does not change in the running process of the Java program, when Java memory horse detection is performed for some time, java memory horse detection is performed only for abnormal class data through detection rules, and Java memory horse detection is not required for all class data in each detection. The abnormal class data is usually few, so that the problem of occupying resources is basically not considered, and the resources required for detecting Java memory horses can be reduced.
In an embodiment, before Java memory horse detection is performed, a Java agent technology may be used to inject the detection engine into the Java process. The java agent may inject the agent program into the already running java process, but requires the process id of this java process. The detection engine can also be specified by the running parameters when the java program is just running.
After the injection of the detection engine is completed, the detection engine is started, all current class data are obtained from the Java program, whether modification exists in all current class data is detected, and if so, whether new addition, deletion or content modification exists is detected. For deleted class data, the class data may be ignored; for newly added current class data or current class data with content modification, the class data is very suspicious because the class data is rarely changed in the running process of the program, and the class data is marked as target class data and extracted at the moment.
For the acquisition of the target class data, the class data can be monitored by a hook class adding method, monitoring file change, timing scanning and the like. For example, each of the current class data may be matched with each of the history class data to extract target class data that does not match each of the history class data from each of the current class data.
Wherein, each history class data is the class data obtained when the Java memory horse detection is performed last time.
In one embodiment, after each Java memory horse detection, all class data existing in the detection is recorded as historical class data. When next Java memory Ma Jian time is performed, each history class data recorded in the last Java memory Ma Jian time is obtained, and then each history class data is compared with each current class data obtained when next Java memory horse detection is performed, so as to determine whether new addition, deletion or content modification exists in the current class data, and the current class data in which the content modification is newly added or generated is marked as target class data.
After the target class data is extracted, the target class data can be detected through each detection rule loaded in the local rule base. And when the class data is detected by adopting the fixed static rule, the static rule is not updated and can be easily bypassed along with the time. If the static rule is to be updated, a new Java program needs to be released, which is very tedious. For this purpose, in one embodiment, as shown in fig. 2, the detecting the target class data according to each detection rule in the local rule base, and determining the Java memory horse detection result of the target class data includes:
In one embodiment, the local database is communicatively coupled to a remote rule base that records all detection rules added by the user, which can record more accurate detection rules added by means of bytecode analysis, manual analysis, machine learning, and the like at any time. After the target class data is extracted, the terminal device executes the update of the local rule base to send an update request to the remote rule base to request the version number of the remote rule base. If the version number is the same as the version number of the local rule base, the method indicates that each detection rule in the remote rule base is synchronized to the local rule base; if the version number is different from that of the local rule base, all detection rules in the remote rule base are acquired and synchronized to the local rule base so as to finish updating of the local rule base.
After all detection rules in the remote rule base are synchronized to the local rule base, the target class data can be detected according to all the synchronized detection rules in the local rule base,
and determining the Java memory horse detection result of the target class data to ensure that the detection rule of the target class data is the latest detection rule, thereby improving the accuracy of Java memory horse detection of the target class data.
By synchronizing each detection rule in the remote rule base to the local rule base so as to detect the target class data according to each detection rule after synchronization, the Java memory horse detection result of the target class data is determined, so that the detection rule of the local rule base can be updated in a synchronous mode of the remote rule base without issuing a new Java program, the updating efficiency of the local rule base is improved, the detection rule of the target class data is ensured to be the latest detection rule, and the Java memory horse detection accuracy of the target class data is improved.
In an embodiment, when the Java memory horse detection result of the target class data is that the Java memory horse exists in the target class data, the Java memory horse detection result is marked as malicious class data, and a sample of the malicious class data is reserved, so that subsequent manual analysis of the malicious class data is facilitated. Wherein the samples may be bytecodes of the malicious class data. Illustratively, after malicious class data is detected, a result.csv file and a data.db file are generated under the current execution directory by default, and a result.zip file is also generated under the condition of no networking. Wherein result. Csv includes a list for recording malicious content, including malicious class data and types and paths thereof. The data db is used for recording detailed information of the detection result, which is a sqlite file. result.zip is used to record the content of the detected malicious class data.
In one embodiment, when the Java memory horse detection result of the target class data is that the Java memory horse is not detected to exist in the target class data, the Java memory horse is marked as non-malicious class data. Since class data is rarely changed during the running process of the program, the non-malicious class data may be malicious class data that bypasses the detection rule. Thus, the non-malicious class data may be sent to a remote rule base, which may be subjected to multiple Java memory horse checks. Because the remote rule base can record more accurate detection rules added by means of byte code analysis, manual analysis, machine learning and the like at any time, the detection rules in the remote rule base are updated more frequently and comprehensively, so that the accuracy of Java memory horse detection on the non-malicious data can be improved.
However, considering that the running environment of the Java program may have strict requirements on confidentiality, the class data may contain some sensitive information, such as implementation of a system or an algorithm, and if the class data is uploaded to a remote rule base, the sensitive information may be revealed. Therefore, in order to reduce the leakage of the sensitive information and ensure the accuracy of the Java memory horse detection of the target class data, in an embodiment, when the Java memory horse detection result of the target class data is determined to be the non-malicious class data, each detection rule in the remote rule base is obtained for multiple times and synchronized to the local rule base, and each detection rule in the local rule base is used for detecting the target class data after each synchronization until the detection times of the target class data reach the preset times or the Java memory horse detection result of the target class data is the malicious class data.
In one embodiment, when the target class data is detected to be non-malicious class data, the target class data is recorded first, then the local rule base is updated regularly through the remote rule base, and the target class data is re-detected every time the local rule base is updated. Illustratively, each detection rule in the remote rule base is synchronized to the local rule base at regular time, and after synchronization of the detection rule of the remote rule base is completed, the target class data is detected through each detection rule synchronized with the remote rule base in the local rule base. If the Java memory horse exists in the target class data, namely the target class data is malicious class data, the detection of the target class data is ended. If the Java memory horse still cannot be detected in the target class data in the detection, the target class data is re-detected after the local rule base is updated through the remote rule base next time until the detection times of the target class data reach the preset times, such as 5 times.
In this way, after the Java memory horse detection result of the target class data is determined to be the non-malicious class data, the local rule base is updated for a plurality of times, and the target class data is re-detected after each local rule base update, so that the target class data can be accurately detected without being sent to a remote rule base, and sensitive data leakage is avoided. And because the modified target class data is usually few, even if the detection is performed for a plurality of times, the problem of occupying resources is basically not considered.
In an embodiment, if the target class data does not exist in the current class data, if the current class data is identical to the history class data or the current class data is modified by deleting the class data, the Java memory horse detection is ended.
In an embodiment, if it is not detected that each history class data is recorded, the Java memory horse detection is the first detection when the detection engine is started, and at this time, each detection rule of the local rule base is loaded to traverse all current class data, so as to perform Java memory horse detection on all current class data one by one. The Java memory horse detection is carried out on all the current class data one by one, all rules are matched with all the current class data one by one, and the hash of each class data is recorded to detect whether Java memory horses exist in all the current class data.
In order to further improve the accuracy of Java memory horse detection, in an embodiment, the Java memory horse detection of all class data may be performed at regular time while each current class data is detected at regular time to extract the target class data with modification from each current class data for Java memory horse detection. Specifically, each time the Java memory horse detection of all kinds of data is executed, the detection rules of the remote rule base are synchronized to the local rule base, and after the synchronization of the local rule base is completed, the Java memory horse detection is carried out on all kinds of data obtained when the synchronization is completed.
The Java memory horse detection of all class data is executed at regular time, and the Java memory horse detection of the target class data can run alternately, for example, the time interval of the Java memory horse detection of all class data is 2 minutes, the time interval of the Java memory horse detection of the target class data is 2 minutes, then the Java memory horse detection of the target class data is executed for the first time 1 minute after the detection engine is started, and the Java memory horse detection of all class data is executed for the first time 2 minutes after the detection engine is started. Thus, the second detection of the Java memory horses for the target class data is performed 3 minutes after the detection engine is started, and the second detection of the Java memory horses for all class data is performed 4 minutes after the detection engine is started, so that the detection of the Java memory horses for the target class data and the detection of the Java memory horses for all class data are alternately performed.
Therefore, under the condition that the detection times of the Java memory horse are the same, compared with the related technology that all class data are detected in each detection, only half of detection times are needed to detect all class data, so that the occupation of resources is greatly reduced, the comprehensive detection of all class data and the targeted detection of part of class data can be achieved, and the accuracy of Java memory horse detection is ensured.
The following describes the Java memory horse detection apparatus provided in the present application, and the Java memory horse detection apparatus described below and the Java memory horse detection method described above may be referred to correspondingly.
In one embodiment, as shown in fig. 3, there is provided a Java memory horse detection apparatus, including:
a class data acquisition module 210, configured to acquire each current class data to be detected;
a target class extraction module 220, configured to extract target class data having modification from each of the current class data;
the memory horse detection module 230 is configured to detect the target class data according to each detection rule in the local rule base, and determine a Java memory horse detection result of the target class data.
And extracting target class data with modification from the obtained current class data, and detecting the target class data through each detection rule in the local rule base when the target class data is extracted, so as to determine a Java memory horse detection result of the target class data. Because normal class data basically does not change in the running process of the Java program, when Java memory horse detection is performed for some time, java memory horse detection is performed only for abnormal class data through detection rules, and Java memory horse detection is not required for all class data in each detection. The abnormal class data is usually few, so that the problem of occupying resources is basically not considered, and the resources required for detecting Java memory horses can be reduced.
In one embodiment, the object class extraction module 220 is specifically configured to:
matching each current class data with each history class data to extract target class data which is not matched with each history class data from each current class data;
wherein, each history class data is the class data obtained when the Java memory horse detection is performed last time.
In one embodiment, the memory horse detection module 230 is specifically configured to:
synchronizing each detection rule in a remote rule base to the local rule base;
and detecting the target class data according to each synchronized detection rule, and determining a Java memory horse detection result of the target class data.
In one embodiment, the memory horse detection module 230 is further configured to:
and determining that the Java memory horse detection result of the target class data is non-malicious class data, and sending the target class data to the remote rule base for Java memory horse detection.
In one embodiment, the memory horse detection module 230 is further configured to:
and determining that the Java memory horse detection result of the target class data is non-malicious class data, periodically acquiring each detection rule in the remote rule base for multiple times, synchronizing the detection rules to the local rule base, and detecting the target class data according to each detection rule in the local rule base after each synchronization until the detection times of the target class data reach preset times or the Java memory horse detection result of the target class data is malicious class data.
In one embodiment, the memory horse detection module 230 is further configured to:
determining that each history class data does not exist, and synchronizing each detection rule in a remote rule base to the local rule base;
and detecting each current class data according to each synchronized detection rule, and determining Java memory horse detection results of each current class data.
In one embodiment, the local rule base synchronizes detection rules of the remote rule base at regular time;
and carrying out Java memory horse detection on various data acquired when synchronization is completed after each local rule base synchronization.
Fig. 4 illustrates a physical schematic diagram of an electronic device, as shown in fig. 4, which may include: processor 810, communication interface (Communication Interface) 820, memory 830, and communication bus 840, wherein processor 810, communication interface 820, memory 830 accomplish communication with each other through communication bus 840. Processor 810 may call a computer program in memory 830 to perform Java memory horse detection methods, including, for example:
acquiring current data to be detected;
extracting target class data with modification from each current class data;
and detecting the target class data according to each detection rule in a local rule base, and determining a Java memory horse detection result of the target class data.
Further, the logic instructions in the memory 830 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
In another aspect, an embodiment of the present application further provides a storage medium, where the storage medium includes a computer program, where the computer program may be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, the computer is capable of executing the Java memory horse detection method provided in the foregoing embodiments, for example, including:
acquiring current data to be detected;
extracting target class data with modification from each current class data;
and detecting the target class data according to each detection rule in a local rule base, and determining a Java memory horse detection result of the target class data.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.
Claims (7)
1. The Java memory horse detection method is characterized by comprising the following steps:
acquiring current data to be detected;
extracting target class data with modification from each current class data;
detecting the target class data according to each detection rule in a local rule base, and determining a Java memory horse detection result of the target class data;
determining that Java memory horse detection results of the target class data are non-malicious class data, sending the target class data to a remote rule base for Java memory horse detection, or periodically acquiring each detection rule in the remote rule base for multiple times to synchronize to the local rule base, and detecting the target class data according to each detection rule in the local rule base after each synchronization until the detection times of the target class data reach preset times, or the Java memory horse detection results of the target class data are malicious class data;
detecting the target class data according to each detection rule in a local rule base, and determining a Java memory horse detection result of the target class data, wherein the Java memory horse detection result comprises the following steps:
determining that the version number obtained from the remote rule base is inconsistent with the version number of the local rule base, and synchronizing each detection rule in the remote rule base to the local rule base;
and detecting the target class data according to each synchronized detection rule, and determining a Java memory horse detection result of the target class data.
2. The Java memory horse detection method as claimed in claim 1, wherein extracting the target class data having the modification from each of the current class data comprises:
matching each current class data with each history class data to extract target class data which is not matched with each history class data from each current class data;
wherein, each history class data is the class data obtained when the Java memory horse detection is performed last time.
3. The Java memory horse detection method of claim 2, further comprising:
determining that each history class data does not exist, and synchronizing each detection rule in a remote rule base to the local rule base;
and detecting each current class data according to each synchronized detection rule, and determining Java memory horse detection results of each current class data.
4. A Java memory horse detection method according to any one of claims 2-3, wherein the local rule base synchronizes detection rules of the remote rule base at regular time;
and carrying out Java memory horse detection on various data acquired when synchronization is completed after each local rule base synchronization.
5. A Java memory horse detection apparatus, comprising:
the class data acquisition module is used for acquiring each current class data to be detected;
the target class extraction module is used for extracting target class data with modification from each piece of current class data;
the memory horse detection module is used for detecting the target class data according to each detection rule in the local rule base and determining Java memory horse detection results of the target class data;
the memory horse detection module is also used for: determining that Java memory horse detection results of the target class data are non-malicious class data, sending the target class data to a remote rule base for Java memory horse detection, or periodically acquiring each detection rule in the remote rule base for multiple times to synchronize to the local rule base, and detecting the target class data according to each detection rule in the local rule base after each synchronization until the detection times of the target class data reach preset times, or the Java memory horse detection results of the target class data are malicious class data;
the memory horse detection module is specifically used for: determining that the version number obtained from the remote rule base is inconsistent with the version number of the local rule base, and synchronizing each detection rule in the remote rule base to the local rule base;
and detecting the target class data according to each synchronized detection rule, and determining a Java memory horse detection result of the target class data.
6. An electronic device comprising a processor and a memory storing a computer program, characterized in that the processor implements the Java memory horse detection method of any of claims 1 to 4 when executing the computer program.
7. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the Java memory horse detection method of any of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310024300.2A CN115935361B (en) | 2023-01-09 | 2023-01-09 | Java memory horse detection method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310024300.2A CN115935361B (en) | 2023-01-09 | 2023-01-09 | Java memory horse detection method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115935361A CN115935361A (en) | 2023-04-07 |
| CN115935361B true CN115935361B (en) | 2023-06-16 |
Family
ID=86550740
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310024300.2A Active CN115935361B (en) | 2023-01-09 | 2023-01-09 | Java memory horse detection method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115935361B (en) |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| RU2747464C2 (en) * | 2019-07-17 | 2021-05-05 | Акционерное общество "Лаборатория Касперского" | Method for detecting malicious files based on file fragments |
| CN113312624B (en) * | 2021-06-21 | 2023-06-30 | 厦门服云信息科技有限公司 | Java Web application memory Trojan horse detection method, terminal equipment and storage medium |
| CN113886825A (en) * | 2021-09-29 | 2022-01-04 | 中国工商银行股份有限公司 | Code detection method, device, system, equipment and storage medium |
| CN114065204A (en) * | 2021-11-29 | 2022-02-18 | 中国工商银行股份有限公司 | File-free Trojan horse searching and killing method and device |
| CN113946825B (en) * | 2021-12-22 | 2022-04-26 | 北京微步在线科技有限公司 | Memory horse processing method and system |
-
2023
- 2023-01-09 CN CN202310024300.2A patent/CN115935361B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN115935361A (en) | 2023-04-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| RU2551820C2 (en) | Method and apparatus for detecting viruses in file system | |
| US8997253B2 (en) | Method and system for preventing browser-based abuse | |
| CN111190962B (en) | File synchronization method and device and local terminal | |
| US20110219454A1 (en) | Methods of identifying activex control distribution site, detecting security vulnerability in activex control and immunizing the same | |
| US20150331905A1 (en) | Apparatus and methods for scanning data in a cloud storage service | |
| US20180091355A1 (en) | Single sign-on system and single sign-on method | |
| US11570196B2 (en) | Method for determining duplication of security vulnerability and analysis apparatus using same | |
| CN109800571B (en) | Event processing method and device, storage medium and electronic device | |
| CN108898012B (en) | Method and apparatus for detecting illegal program | |
| CN114417335A (en) | Malicious file detection method and device, electronic equipment and storage medium | |
| EP4035039A1 (en) | Secure restore | |
| CN111107101A (en) | Firewall system and method for multi-dimensional filtering request of nginx | |
| KR102042045B1 (en) | Apparatus, method and system for detecting malicious code | |
| CN115935361B (en) | Java memory horse detection method and device | |
| CN106919844B (en) | A kind of android system vulnerability of application program detection method | |
| JP2015132942A (en) | Connection destination information determination device, connection destination information determination method and program | |
| CN115714660A (en) | Authority configuration method and device | |
| CN112966270A (en) | Application program security detection method and device, electronic equipment and storage medium | |
| CN116346488B (en) | Unauthorized access detection method and device | |
| CN113779583B (en) | Behavior detection method and device, storage medium and electronic equipment | |
| JP2017168146A (en) | Connection destination information determination device, connection destination information determination method, and program | |
| CN115374067A (en) | Abnormal file detection method, device, equipment, storage medium and program product | |
| Chen et al. | Research on Digital Forensics Framework for Malicious Behavior in Cloud | |
| CN116346488A (en) | Unauthorized access detection method, device and storage medium | |
| JP2023078441A (en) | Execution control system, execution control method, and program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |