CN117009955A - IAST and RASP probe control method and device based on code vaccine - Google Patents


Publication number
CN117009955A
Authority
CN
China
Prior art keywords: function, probe, token, preset, function type
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311257664.1A
Other languages
Chinese (zh)
Other versions
CN117009955B (en)
Inventor
张涛
董毅
李超
王越
周辜名
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Anpro Information Technology Co ltd
Original Assignee
Beijing Anpro Information Technology Co ltd
Application filed by Beijing Anpro Information Technology Co ltd
Priority to CN202311257664.1A
Publication of CN117009955A
Application granted
Publication of CN117009955B
Current legal status: Active


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02A TECHNOLOGIES FOR ADAPTATION TO CLIMATE CHANGE
    • Y02A50/00 TECHNOLOGIES FOR ADAPTATION TO CLIMATE CHANGE in human health protection, e.g. against extreme weather
    • Y02A50/30 Against vector-borne diseases, e.g. mosquito-borne, fly-borne, tick-borne or waterborne diseases whose impact is exacerbated by climate change

Abstract

The disclosure provides an IAST and RASP probe control method and device based on a code vaccine, and relates to the technical field of computers. The method deploys token sets for different function types and, when a call request for a function is detected, consumes tokens from the token set of the corresponding function type, which counts the calls to functions of different types. When the unallocated virtual tokens remaining in the token set are not enough to allocate to that function, the probe is controlled to enter a fusing state. The working state of the probe is therefore bounded by the number of tokens in the token set: the probe stops working when call requests are numerous, which ensures normal operation of the target service, reduces the probability that the probe fuses for other reasons, and improves the stability of the probe's security service.

Description

IAST and RASP probe control method and device based on code vaccine
Technical Field
The disclosure relates to the technical field of computers, in particular to an IAST and RASP probe control method and device based on a code vaccine.
Background
Microservice is a software architecture model in which an application is split into small, independent service units, each with its own functions and data storage. A probe is a tool or component for monitoring and managing an application, typically embedded in an application or container. The main goal of the probe is to check the status of the application to ensure that it is functioning properly or to diagnose problems. In order to provide security services to micro-services, probes may be utilized to perform security detection on the micro-services.
However, the probe service occupies additional computing resources. When the micro-service carries heavy traffic, the computing resources occupied by the probe service may also increase and may even affect the normal operation of the micro-service itself.
Disclosure of Invention
The embodiments of the disclosure provide at least an IAST and RASP probe control method and device based on a code vaccine.
In a first aspect, an embodiment of the present disclosure provides a method for controlling an IAST, RASP probe based on a code vaccine, including:
in response to the target service starting, controlling a probe corresponding to the target service to enter a working state, the probe being used to provide security services for a plurality of functions in the target service;
for any function type corresponding to the functions, deploying a token set for the function type, the token set comprising a plurality of virtual tokens used to represent computing resource occupancy;
in response to detecting a call request for any one of the functions, determining, from the token set of the function type to which that function belongs, the number of virtual tokens allocated to that function;
and controlling the probe to enter a fusing state when the unallocated virtual tokens remaining in the token set are not enough to allocate to that function.
In an alternative embodiment, the deploying the token set for the function type includes:
determining the total number of preset tokens corresponding to the function types;
and deploying a token set for the function type based on the preset total number of tokens.
In an alternative embodiment, the function types of the functions include a traffic entry function and/or a high resource occupancy function; the high resource occupation function occupies computing resources higher than a preset resource amount when called.
In an optional implementation, determining, from the token set of the function type to which the function belongs, the number of virtual tokens allocated to the function includes:
determining a target weight corresponding to the function based on the sub-function type of the function;
and determining the number of virtual tokens allocated to the function based on the target weight and a preset basic allocation amount.
In an optional implementation, deploying a token set for the function type, for any function type corresponding to the functions, includes:
for any function type corresponding to the functions, deploying a token set for the function type, and resetting the number of virtual tokens in the token set periodically, with a preset duration as the period.
In an optional implementation, deploying a token set for the function type, for any function type corresponding to the functions, includes:
for any function type, determining the number of tokens distributed to the function type per unit time and the upper limit on the number of virtual tokens corresponding to the function type;
and, with the unit time as the period, distributing that number of virtual tokens to the function type, and stopping the distribution once the number of virtual tokens distributed to the function type reaches the upper limit.
In an alternative embodiment, the method further comprises:
determining the computational resource occupancy of the probe;
and controlling the probe to enter a fusing state under the condition that the occupied amount of the computing resources of the probe is higher than the preset occupied amount.
In an alternative embodiment, controlling the probe to enter the fusing state when the computing resource occupancy of the probe is higher than the preset occupancy includes:
when the computing resource occupancy of the probe is higher than the preset occupancy, determining a first duration for which it has remained higher than the preset occupancy;
and controlling the probe to enter a fusing state when the first duration is longer than or equal to a first preset duration.
In an alternative embodiment, the method further comprises:
when the probe is in the fusing state, determining a second duration for which the probe has been in the fusing state;
and controlling the probe to enter the working state when the second duration is longer than a second preset duration and the computing resource occupancy of the probe is lower than or equal to the preset occupancy.
In a second aspect, an embodiment of the present disclosure further provides an IAST, RASP probe control device based on a code vaccine, including:
a first control module, configured to control, in response to the target service starting, the probe corresponding to the target service to enter a working state, the probe being used to provide security services for a plurality of functions in the target service;
a deployment module, configured to deploy, for any function type corresponding to the functions, a token set for the function type, the token set comprising a plurality of virtual tokens used to represent computing resource occupancy;
an allocation module, configured to determine, in response to detecting a call request for any one of the functions, the number of virtual tokens allocated to that function from the token set of the function type to which that function belongs;
and a second control module, configured to control the probe to enter a fusing state when the unallocated virtual tokens remaining in the token set are not enough to allocate to that function.
In an alternative embodiment, the deployment module is specifically configured to:
determining the total number of preset tokens corresponding to the function types;
and deploying a token set for the function type based on the preset total number of tokens.
In an alternative embodiment, the function types of the functions include a traffic entry function and/or a high resource occupancy function; the high resource occupation function occupies computing resources higher than a preset resource amount when called.
In an alternative embodiment, the allocation module is specifically configured to:
determine a target weight corresponding to the function based on the sub-function type of the function;
and determine the number of virtual tokens allocated to the function based on the target weight and a preset basic allocation amount.
In an alternative embodiment, the allocation module is specifically configured to:
for any function type corresponding to the functions, deploy a token set for the function type, and reset the number of virtual tokens in the token set periodically, with a preset duration as the period.
In an alternative embodiment, the allocation module is specifically configured to:
for any function type, determine the number of tokens distributed to the function type per unit time and the upper limit on the number of virtual tokens corresponding to the function type;
and, with the unit time as the period, distribute that number of virtual tokens to the function type, and stop the distribution once the number of virtual tokens distributed to the function type reaches the upper limit.
In an alternative embodiment, the second control module is further configured to:
determining the computational resource occupancy of the probe;
and controlling the probe to enter a fusing state under the condition that the occupied amount of the computing resources of the probe is higher than the preset occupied amount.
In an optional implementation, when controlling the probe to enter a fusing state in the case where the computing resource occupancy of the probe is higher than the preset occupancy, the second control module is configured to:
when the computing resource occupancy of the probe is higher than the preset occupancy, determine a first duration for which it has remained higher than the preset occupancy;
and control the probe to enter a fusing state when the first duration is longer than or equal to a first preset duration.
In an alternative embodiment, the second control module is further configured to:
when the probe is in the fusing state, determine a second duration for which the probe has been in the fusing state;
and control the probe to enter the working state when the second duration is longer than a second preset duration and the computing resource occupancy of the probe is lower than or equal to the preset occupancy.
In a third aspect, an optional implementation of the disclosure further provides a computer device comprising a processor and a memory, where the memory stores machine-readable instructions executable by the processor, the processor is configured to execute the machine-readable instructions stored in the memory, and the machine-readable instructions, when executed by the processor, perform the steps of the first aspect or of any possible implementation of the first aspect.
In a fourth aspect, an optional implementation of the present disclosure further provides a computer-readable storage medium storing a computer program which, when executed, performs the steps of the first aspect or of any possible implementation of the first aspect.
For the effects of the foregoing code-vaccine-based IAST and RASP probe control device, computer device and computer-readable storage medium, refer to the description of the foregoing code-vaccine-based IAST and RASP probe control method; they are not repeated here.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the aspects of the disclosure.
The IAST and RASP probe control method and device based on a code vaccine deploy token sets for different function types and, when a call request for a function is detected, consume tokens from the token set of the corresponding function type, which counts the calls to functions of different types. When the unallocated virtual tokens remaining in the token set are not enough to allocate to that function, the probe is controlled to enter a fusing state. The working state of the probe is therefore bounded by the number of tokens in the token set: the probe stops working when call requests are numerous, which ensures normal operation of the target service, reduces the probability that the probe fuses for other reasons, and improves the stability of the probe's security service.
The foregoing objects, features and advantages of the disclosure will be more readily apparent from the following detailed description of the preferred embodiments taken in conjunction with the accompanying drawings.
Drawings
To illustrate the technical solutions of the embodiments of the present disclosure more clearly, the drawings required for the embodiments are briefly described below. The drawings are incorporated in and constitute a part of the specification; they show embodiments consistent with the present disclosure and, together with the description, serve to illustrate its technical solutions. The following drawings illustrate only certain embodiments of the present disclosure and are therefore not to be considered limiting of its scope; a person of ordinary skill in the art can derive other related drawings from them without inventive effort.
FIG. 1 illustrates a flow chart of an IAST and RASP probe control method based on a code vaccine provided by some embodiments of the present disclosure;
FIG. 2 illustrates a flow chart of another IAST and RASP probe control method based on a code vaccine provided by some embodiments of the present disclosure;
FIG. 3 illustrates a schematic diagram of an IAST and RASP probe control device based on a code vaccine provided by some embodiments of the present disclosure;
FIG. 4 illustrates a schematic diagram of a computer device provided by some embodiments of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are only some embodiments of the present disclosure, but not all embodiments. The components of the disclosed embodiments generally described and illustrated herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present disclosure is not intended to limit the scope of the disclosure, as claimed, but is merely representative of selected embodiments of the disclosure. All other embodiments, which can be made by those skilled in the art based on the embodiments of this disclosure without making any inventive effort, are intended to be within the scope of this disclosure.
Research shows that existing probe fusing approaches generally decide when to fuse from the usage of the central processing unit (Central Processing Unit, CPU) or memory, but take no account of traffic or of the specific cause. Even when the traffic of the service itself is small, a memory leak, or high CPU consumption in some interfaces, can trigger a fuse and leave the probe's security service unavailable to some extent.
Based on the above study, the disclosure provides an IAST and RASP probe control method and device based on a code vaccine. Token sets are deployed for different function types and, when a call request for a function is detected, tokens are consumed from the token set of the corresponding function type, which counts the calls to functions of different types. When the unallocated virtual tokens remaining in the token set are not enough to allocate to that function, the probe is controlled to enter a fusing state. The working state of the probe is therefore bounded by the number of tokens in the token set: the probe stops working when call requests are numerous, which ensures normal operation of the target service, reduces the probability that the probe fuses for other reasons, and improves the stability of the probe's security service.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
To make the present embodiment easier to understand, the IAST and RASP probe control method based on a code vaccine disclosed in the embodiments is first described in detail. The execution body of the method is generally a computer device with a certain computing capability. In some possible implementations, the method can be implemented by a processor calling computer-readable instructions stored in a memory.
The method is described below taking a terminal device as the execution body.
Referring to fig. 1, a flowchart of an IAST and RASP probe control method based on a code vaccine according to an embodiment of the disclosure is shown, where the method includes steps S101 to S104, where:
S101, in response to the target service starting, controlling a probe corresponding to the target service to enter a working state; the probe is used to provide security services for a plurality of functions in the target service.
The target service can be a micro-service in an application. A micro-service is a small, independent service unit with its own functions and data storage; it can be developed, deployed and maintained independently, and micro-services cooperate with each other over lightweight communication protocols.
When the target service starts, the terminal device can control the probe corresponding to the target service to enter the working state. Once in the working state, the probe can provide security services for a plurality of functions in the target service.
The probe is a tool or component for monitoring and managing applications, typically embedded in an application or container. The main goal of the probe is to check the status of the application to ensure that it is functioning properly or to diagnose problems. In this embodiment, the probe may determine whether the function has a security problem according to the state of the function in service.
Specifically, the probes to be controlled in this embodiment may include interactive application security testing (IAST) probes and runtime application self-protection (RASP) probes.
Interactive application security testing (Interactive Application Security Testing, IAST) is an application security testing technique that interacts in real time with the running application to identify potential security problems while minimizing false positives.
Runtime application self-protection (Runtime Application Self-Protection, RASP) is an application security protection technique. The protection program is injected into the application like a vaccine and integrated with it, and can detect and block attacks in real time, so that the application has a self-protection capability and defends itself automatically, without manual intervention, when it comes under actual attack.
The IAST probe is a probe used with the IAST technique, and the RASP probe is a probe used with the RASP technique.
The probe obtains state information about a function by instrumenting (hooking) in advance the functions in the target service that need the security service, either inserting probe-related code into the function or replacing the original function. This instrumentation may be performed before or after the target service starts, depending on the type of the function.
The instrumented functions may include functions related to security vulnerability analysis, such as the taint source functions, taint propagation functions and taint sink functions required by taint propagation analysis. Some of these functions are also relevant to fuse control: they have a large influence on computing resource occupancy, so counting calls to them gives a view of how computing resources are being used. For these functions, code related to probe fusing is therefore added alongside the security-service instrumentation, to implement fusing of the probe.
The probe-fuse related functions described above may include a traffic entry function and a high resource occupancy function.
A traffic entry function is a function that every user request passes through. When a request is sent to the target service, a traffic entry function must process it, so the number of requests the target service has responded to can be determined by observing the traffic entry functions.
The target service may contain several kinds of traffic entry function, such as a function executed before the first request is processed, a function executed before each request and before a variable is added to the view function, and a function after_request executed after each request.
A high-resource-occupation function is a function that consumes a relatively large amount of CPU and memory. It is generally an I/O operation function, such as a file operation function (open), a network request function (request) or a database write function (insert). In a specific implementation, a high-resource-occupation function may be a function that occupies more computing resources than a preset resource amount when called.
The functions in step S101 may be the traffic entry functions and high-resource-occupation functions described above.
S102, aiming at any function type corresponding to the functions, deploying a token set for the function type; the token set comprises a plurality of virtual tokens for representing the occupation amount of the computing resources.
After the probe enters the working state, it can obtain the state information of a function through the code inserted into the function, and the fusing-related code can record the computing resources the function occupies. In the embodiments of the disclosure, a token set can be deployed for each function type. The token set contains a plurality of virtual tokens that represent computing resource occupancy, so the computing resources occupied by functions can be quantified in virtual tokens to decide whether the probe needs to fuse.
Fusing a probe means triggering certain operations under certain conditions to relieve the pressure of service requests. For example, after the probe fuses, requests for the target service can be forwarded to a standby service, cached data can be returned, or requests can be rejected, to reduce the load on the target service. Alternatively, the security service provided by the probe can be stopped and the computing resources occupied by the probe released, so that the target service can process more requests normally.
The function types can be the traffic entry function and the high-resource-occupation function, and a different token set can be configured for each function type according to its characteristics.
For example, a preset total number of tokens may be set for each function type, and the token set is then deployed for the function type based on that preset total.
In a specific implementation, the preset total number of tokens for the traffic entry function can be determined from the load capacity of the terminal device. For example, if the terminal device can process up to 200 requests within a certain period while the probe's functions remain normally usable during that period, the preset total number of tokens for the traffic entry function can be set to 200.
The preset total number of tokens for the high-resource-occupation function can also be set according to the load capacity of the terminal device. For example, if the terminal device can normally provide two thousand units of computing resources to high-resource-occupation functions, the preset total number of tokens for the high-resource-occupation function can be set to 2000.
When the token set is deployed, virtual tokens of the preset total number of tokens can be deployed for the function type at one time, or virtual tokens can be deployed for the function type in batches, and the total number of the virtual tokens deployed in each batch is the preset total number of the tokens.
S103, determining the number of virtual tokens allocated to any function from a token set of a function type to which the any function belongs in response to detecting a call request for the any function.
After the token set is deployed, virtual tokens in the token set can be consumed. Specifically, when a call request of any one of the functions is detected, the number of virtual tokens allocated to any one function can be determined from a token set of a function type to which the function belongs, and the virtual tokens are allocated to the function, so that counting of function calls and quantification of computing resource occupation are realized through consumption of the virtual tokens.
S104, controlling the probe to enter a fusing state when the unallocated virtual tokens remaining in the token set are not enough to allocate to that function.
When the unallocated tokens remaining in the token set are not enough to allocate to the function, the number of current requests or the computing resources occupied exceed the load capacity of the terminal device, and the probe can be controlled to enter the fusing state so that the computing resources it occupies are released.
Note that the probe control method provided by the embodiments of the present disclosure may be implemented with code vaccine technology. Code vaccine technology injects code with security service capability into the server side of an application, for example into specific functions of a micro-service, so that parsed traffic is obtained inside the application and the context of the running application is visible. The location and cause of vulnerabilities and defects in the application can then be diagnosed in real time, giving autonomous detection and response and active defence against external threats.
Any of steps S101 to S104 may be implemented by code injected into functions (such as the traffic entry functions and high-resource-occupation functions), and this code may be injected using code vaccine technology. The specific manner of injection may be instrumentation in advance (hooking).
In the embodiments of the disclosure, when the probe fuses is tied to how the virtual tokens in the token set are consumed, so how virtual tokens are allocated and replenished matters for when the probe fuses.
In configuring the token set for the function type, an appropriate one of a plurality of ways may be selected according to the actual situation.
For any function type, the token allocation quantity of the function type per unit time and the upper limit of the number of virtual tokens corresponding to the function type can be determined first. Virtual tokens are then allocated to the function type with the unit time as a period, the number allocated in each period being the token allocation quantity. When the number of virtual tokens allocated to the function type reaches the upper limit of the number of virtual tokens, allocation of virtual tokens to the function type stops.
The upper limit of the number of virtual tokens may be the total number of preset tokens. For example, the total number of preset tokens corresponding to the traffic entry function is 200, the time period corresponding to the total number of preset tokens is 10 seconds, and the number of tokens allocated per unit time is 20/s.
The time period corresponding to the total number of preset tokens can be determined according to actual requirements. For example, in a real application scenario, to prevent the target service from being unable to process requests in time, requests can be limited by capping the maximum number of requests answered per unit time: the token allocation quantity per unit time is set, and when the virtual tokens are exhausted the probe is fused to implement rate limiting.
In particular, the virtual tokens described above may be used for counting requests and quantifying computing resource occupancy. For example, suppose the number of preset tokens per unit time is 20 and 1 virtual token is allocated for each call. If the traffic entry function is called 20 times within the unit time, the number of virtual tokens remaining in the token set is 0; if a new request then calls the traffic entry function, the token set cannot supply a virtual token for the new request, and the probe is controlled to enter the fusing state.
Further, if the virtual tokens in the token set are insufficient for the functions called within the unit time, the virtual tokens of the next unit time can be deployed in the token set in advance. If no call request for the function type arrives when the next unit time comes, no virtual tokens are added to the token set; if virtual tokens are still needed, the virtual tokens of the following unit time can again be deployed in advance, until the total number of virtual tokens deployed in the token set reaches the upper limit of the preset number of tokens. At that point, if the virtual tokens are still insufficient for allocation, the probe may be controlled to enter the fusing state. Likewise, if the virtual tokens of the next unit time have been deployed in advance during the current unit time but the allocation demand is still not met, the probe can be controlled to enter the fusing state.
Or, for any function type, a token set can be directly deployed for the function type, the token set can contain a fixed number of virtual tokens, and the number of the virtual tokens in the token set is reset by taking a preset duration as a period. In this way, the number of times the function is called can be limited within each preset time period.
When a call request for a function is detected and virtual tokens are allocated, a target weight corresponding to the function can be determined based on the sub-function type of the function, and then the number of virtual tokens allocated to the function can be determined based on the target weight and a preset basic allocation amount.
In one possible implementation, since the traffic entry function is a function that must be invoked for every request, the total number of requests can be determined by counting calls to the traffic entry function. The sub-function type of the traffic entry function may therefore be set to none, its target weight may be directly determined to be 1, and when the traffic entry function is called, virtual tokens equal to the basic allocation amount are allocated to it directly.
For high resource occupation functions, the sub-function types may include a file operation function (open), a network request function (request), a database write function (insert), and so on. The target weights corresponding to different sub-function types may be determined based on the computing resource occupancy of the sub-function types. For example, the file operation function (open), the network request function (request), and the database write function (insert) occupy a large amount of resources, so their target weights when virtual tokens are consumed may be 5, 3, and 5, respectively, and the target weight of other high resource occupation functions may be 2.
The basic allocation amount can be determined according to practical situations. By way of example, the base allocation amount may be set to 1.
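The token accounting described above can be sketched as follows. This is an added illustration, not code from the patent or from any product: the class and function names are hypothetical, the per-period refill up to the upper limit is one reading of the periodic allocation scheme, and multiplying the target weight by the basic allocation amount is an assumption (the text only says the count is "based on" both).

```python
# Added illustration: weighted token sets driving a probe's fusing state.
# Numbers (20 tokens per second, upper limit 200, weights 5/3/5/2, basic
# allocation 1) are the ones given in the description; all names are hypothetical.

SUBTYPE_WEIGHTS = {"open": 5, "request": 3, "insert": 5}
OTHER_HIGH_RESOURCE_WEIGHT = 2
BASE_ALLOCATION = 1  # preset basic allocation amount


class TokenSet:
    """Virtual tokens for one function type, replenished once per unit time."""

    def __init__(self, rate, limit, unit=1.0, start=0.0):
        self.rate = rate            # token allocation quantity per unit time
        self.limit = limit          # upper limit of the number of virtual tokens
        self.unit = unit            # length of one period, in seconds
        self.tokens = min(rate, limit)  # allocation for the first period
        self.last_refill = start

    def refill(self, now):
        # Add `rate` tokens for every whole period elapsed, never above `limit`.
        periods = int((now - self.last_refill) // self.unit)
        if periods > 0:
            self.tokens = min(self.limit, self.tokens + periods * self.rate)
            self.last_refill += periods * self.unit

    def try_consume(self, amount, now):
        self.refill(now)
        if amount > self.tokens:
            return False            # not enough unallocated tokens remain
        self.tokens -= amount
        return True


class Probe:
    """Tracks working/fused state for the instrumented functions."""

    def __init__(self, token_sets):
        self.token_sets = token_sets  # function type -> TokenSet
        self.state = "working"
        self.fuse_reason = None

    @staticmethod
    def cost(function_type, subtype=None):
        # Traffic entry functions have no sub-type and weight 1.
        if function_type == "traffic_entry":
            weight = 1
        else:
            weight = SUBTYPE_WEIGHTS.get(subtype, OTHER_HIGH_RESOURCE_WEIGHT)
        return weight * BASE_ALLOCATION  # assumption: weight times base amount

    def on_call(self, function_type, subtype, now):
        """Return True if the probe's security logic should run for this call."""
        if self.state == "fused":
            return False
        amount = self.cost(function_type, subtype)
        if not self.token_sets[function_type].try_consume(amount, now):
            self.state = "fused"
            self.fuse_reason = function_type + " token set exhausted"
            return False
        return True


if __name__ == "__main__":
    probe = Probe({
        "traffic_entry": TokenSet(rate=20, limit=200),
        "high_resource": TokenSet(rate=20, limit=200),
    })
    # Constructed workload: 21 requests arriving within the same second.
    for i in range(21):
        ran = probe.on_call("traffic_entry", None, now=0.0)
        print(i + 1, "probe ran" if ran else "probe skipped", probe.state)
    print("reason:", probe.fuse_reason)
```

Once the probe is fused, `on_call` returns False without touching any token set, so the instrumented function runs without the probe's checks until the probe is returned to the working state.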
Optionally, embodiments of the present disclosure may also control the fusing of the probe according to the computational resource footprint of the probe. For example, the terminal device may periodically or in real time determine the occupation amount of the computing resource of the probe, and control the probe to enter the fusing state when the occupation amount of the computing resource of the probe is higher than the preset occupation amount.
The above-mentioned occupied amount of the computing resource of the probe may refer to the amount of the computing resource of the terminal device occupied by the probe, and the computing resource may include a CPU and a memory.
In one possible implementation, the computing resource occupation amount may be replaced by a computing resource occupation ratio, and when the computing resource occupation ratio of the probe is higher than a preset occupation ratio, the probe is controlled to enter a fusing state.
Further, when the computing resource occupation amount of the probe is higher than the preset occupation amount, a first duration for which it has been higher than the preset occupation amount can be determined; when the first duration is longer than or equal to a first preset duration, the probe is controlled to enter the fusing state.
To detect the computing resource occupation amount of the probe, a daemon thread can be created to monitor the CPU and memory occupation data of the current application process, for example by acquiring the computing resources occupied by the application process at intervals (for example, every 10 s).
If one detection finds that the computing resource occupation amount of the probe is higher than the preset occupation amount, the first duration for which it has been higher than the preset occupation amount can be determined from the previous detection results. For example, if the detection interval is 10 s and the first preset duration is 30 s, then when the occupation amount is detected to be higher than the preset occupation amount, the results of the previous two detections are considered together with the current one; if the occupation amount detected in all three is higher than the preset occupation amount, it can be determined whether the first duration is greater than or equal to the first preset duration.
In the implementation process, if the probe should be triggered to fuse according to the occupation amount of the computing resource of the probe, even if the virtual token remains in the token set, the probe can be directly controlled to enter the fusing state.
After the probe enters the fusing state, the probe can be controlled to enter the working state again when the computing resources of the terminal equipment are sufficient. For example, when the probe is in the fusing state, a second duration of time that the probe is in the fusing state may be determined, and when the second duration of time is longer than a second preset duration of time, and the computing resource occupation amount of the probe is less than or equal to the preset occupation amount, the probe is controlled to enter the working state. In this way, the probability of repeatedly triggering a fuse can be reduced.
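The resource-based fuse and its release condition can be sketched as a small state machine. This is an added illustration, not code from the patent: the names are hypothetical, the threshold of 80 and the second preset duration of 60 s are assumed values, and the first duration is estimated as the number of consecutive over-threshold samples times the 10 s sampling interval, which matches the three-detection example above.

```python
# Added illustration: fuse on sustained resource occupancy, release only after
# a minimum time in the fusing state AND occupancy back at or below the preset.

class ResourceFuse:
    def __init__(self, preset_occupancy, interval=10,
                 first_preset=30, second_preset=60):
        self.preset_occupancy = preset_occupancy  # e.g. CPU percent (assumed)
        self.interval = interval            # sampling interval in seconds
        self.first_preset = first_preset    # first preset duration (from text)
        self.second_preset = second_preset  # second preset duration (assumed)
        self.state = "working"
        self.over_samples = 0               # consecutive samples above preset
        self.fused_at = None
        self.reason = None

    def fuse(self, now, reason):
        # Also usable by token-based logic, which fuses regardless of occupancy.
        self.state = "fused"
        self.fused_at = now
        self.reason = reason
        self.over_samples = 0

    def sample(self, occupancy, now):
        """Feed one periodic measurement; return the resulting probe state."""
        if self.state == "working":
            if occupancy > self.preset_occupancy:
                self.over_samples += 1
                first_duration = self.over_samples * self.interval
                if first_duration >= self.first_preset:
                    self.fuse(now, "resource occupancy above preset")
            else:
                self.over_samples = 0       # a normal sample breaks the streak
        else:
            second_duration = now - self.fused_at
            if (second_duration > self.second_preset
                    and occupancy <= self.preset_occupancy):
                self.state = "working"
                self.fused_at = None
                self.reason = None
        return self.state


# Constructed trace of (time in seconds, occupancy); while the probe is fused
# only the samples of interest are listed.
SAMPLE_TRACE = [
    (0, 85), (10, 90), (20, 70),      # streak of two, then broken
    (30, 88), (40, 91), (50, 95),     # three in a row: fuse at t=50
    (60, 60),                         # occupancy fine, but fused only 10 s
    (110, 60),                        # fused exactly 60 s, not longer than 60
    (120, 85),                        # long enough, but occupancy too high
    (130, 75),                        # both conditions met: release
]


def run_trace(trace, preset_occupancy=80):
    fuse = ResourceFuse(preset_occupancy)
    return [fuse.sample(occupancy, now) for now, occupancy in trace]


if __name__ == "__main__":
    for (now, occupancy), state in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(now, occupancy, state)
```

In a probe, the daemon thread mentioned above would call `sample` on its timer; the trace is fed in directly here so the result is deterministic.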
The IAST and RASP probe control method based on the code vaccine can deploy token sets for different function types, consume token sets corresponding to the function types when a call request of the function is detected, and realize counting of calls of different types of functions; under the condition that the remaining unassigned virtual tokens in the token set are not enough to be assigned to any function, the probe is controlled to enter a fusing state, so that the working state of the probe is limited by the number of tokens in the token set, the probe stops working under the condition that the calling request is more, normal operation of the target service is ensured, the probability of fusing the probe due to other reasons can be reduced, and the stability of the probe security service is improved.
Referring to fig. 2, a schematic diagram of another IAST and RASP probe control method based on a code vaccine according to an embodiment of the disclosure is shown. When a user request is obtained, the method determines whether fuse monitoring is enabled; if it is, the traffic entry function, the high resource occupation function, and the CPU and memory occupation of the process are each monitored. The CPU and memory occupation of the process can be monitored by a newly created daemon thread, and the traffic entry function and the high resource occupation function are monitored by instrumenting them in advance. When the monitored CPU and memory occupation of the process exceeds a threshold, it can be determined whether the time for which the threshold has been exceeded is longer than a preset duration, and if so, the probe is fused. When the traffic entry function is called, the token count corresponding to the traffic entry function is increased by 1, and when the token count is greater than the corresponding rate-limit value, the probe is triggered to fuse. When a high resource occupation function is called, the token usage count of the high resource occupation function is increased by n (n can be determined according to the type of the high resource occupation function), and when the token usage count is higher than the corresponding rate-limit value, the probe is triggered to fuse. When the probe has been fused for the required duration, whether the CPU and memory occupation of the process exceeds the threshold can be checked again, and if it does not, the fuse can be released.
After the probe is fused, the reason for the fuse (for example, CPU and memory exceeding the threshold, the traffic entry function reaching its rate-limit value, or the high resource occupation function exceeding its rate-limit value) can be recorded and reported to the server.
It will be appreciated by those skilled in the art that in the above-described method of the specific embodiments, the written order of steps is not meant to imply a strict order of execution but rather should be construed according to the function and possibly inherent logic of the steps.
Based on the same inventive concept, the embodiments of the present disclosure further provide an IAST and RASP probe control device based on a code vaccine corresponding to the IAST and RASP probe control method based on a code vaccine, and since the principle of solving the problem of the device in the embodiments of the present disclosure is similar to that of the IAST and RASP probe control method based on the code vaccine described in the embodiments of the present disclosure, the implementation of the device may refer to the implementation of the method, and the repetition is omitted.
Referring to fig. 3, a schematic diagram of an IAST and RASP probe control device based on a code vaccine according to an embodiment of the disclosure is shown, where the device includes:
a first control module 310, configured to control, in response to a start of a target service, a probe corresponding to the target service to enter a working state; the probe is used for providing security services for a plurality of functions in the target service;
a deployment module 320, configured to deploy, for any function type corresponding to the functions, a token set for the function type; the token set comprises a plurality of virtual tokens used for representing the occupation amount of computing resources;
an allocation module 330, configured to determine, in response to detecting a call request for any one of the functions, a number of virtual tokens allocated to the any one function from a token set of a function type to which the any one function belongs;
a second control module 340, configured to control the probe to enter the fusing state in a case where the unassigned virtual token remaining in the token set is insufficient to be assigned to the any function.
In an alternative embodiment, the deployment module 320 is specifically configured to:
determining the total number of preset tokens corresponding to the function types;
and deploying a token set for the function type based on the preset total number of tokens.
In an alternative embodiment, the function types of the functions include a traffic entry function and/or a high resource occupancy function; the high resource occupation function occupies computing resources higher than a preset resource amount when called.
In an alternative embodiment, the allocation module 330 is specifically configured to:
determining a target weight corresponding to any function based on the sub-function type of the any function;
and determining the number of virtual tokens allocated to any function based on the target weight and a preset basic allocation amount.
In an alternative embodiment, the allocation module 330 is specifically configured to:
aiming at any function type corresponding to the functions, deploying a token set for the function type, and resetting the number of virtual tokens in the token set by taking preset duration as a period.
In an alternative embodiment, the allocation module is specifically configured to:
determining the token distribution quantity of the function type in unit time and the virtual token quantity upper limit corresponding to the function type aiming at any function type;
and taking the unit time as a period, distributing the virtual tokens of the token distribution quantity for the function type, and stopping distributing the virtual tokens for the function type under the condition that the quantity of the virtual tokens distributed for the function type reaches the upper limit of the virtual token quantity.
In an alternative embodiment, the second control module 340 is further configured to:
determining the computational resource occupancy of the probe;
and controlling the probe to enter a fusing state under the condition that the occupied amount of the computing resources of the probe is higher than the preset occupied amount.
In an alternative embodiment, the second control module 340, when controlling the probe to enter the fusing state in the case where the computing resource occupancy of the probe is higher than the preset occupancy, is configured for:
determining a first duration for which the computing resource occupancy of the probe has been higher than the preset occupancy, in the case where the computing resource occupancy of the probe is higher than the preset occupancy;
and controlling the probe to enter a fusing state under the condition that the first duration is longer than or equal to the first preset duration.
In an alternative embodiment, the second control module 340 is further configured to:
determining a second duration for which the probe has been in the fusing state when the probe is in the fusing state;
and controlling the probe to enter a working state under the condition that the second duration time is longer than a second preset duration time and the occupied amount of the computing resources of the probe is lower than or equal to the preset occupied amount.
The process flow of each module in the apparatus and the interaction flow between the modules may be described with reference to the related descriptions in the above method embodiments, which are not described in detail herein.
The embodiment of the disclosure further provides a computer device, as shown in fig. 4, which is a schematic structural diagram of the computer device provided by the embodiment of the disclosure, including:
a processor 41 and a memory 42; the memory 42 stores machine readable instructions executable by the processor 41, the processor 41 being configured to execute the machine readable instructions stored in the memory 42, the machine readable instructions when executed by the processor 41, the processor 41 performing the steps of:
responding to the starting of a target service, and controlling a probe corresponding to the target service to enter a working state; the probe is used for providing security services for a plurality of functions in the target service;
aiming at any function type corresponding to the functions, deploying a token set for the function type; the token set comprises a plurality of virtual tokens used for representing the occupation amount of computing resources;
in response to detecting a call request for any one of the functions, determining the number of virtual tokens allocated to the any one function from a token set of a function type to which the any one function belongs;
and controlling the probe to enter a fusing state in the condition that the remaining unassigned virtual tokens in the token set are not enough to be assigned to any function.
In an alternative embodiment, the deploying the token set for the function type in the instructions executed by the processor 41 includes:
determining the total number of preset tokens corresponding to the function types;
and deploying a token set for the function type based on the preset total number of tokens.
In an alternative embodiment, in the instructions executed by the processor 41, the function types of the functions include a traffic entry function and/or a high-resource occupation function; the high resource occupation function occupies computing resources higher than a preset resource amount when called.
In an alternative embodiment, the determining, in the instruction executed by the processor 41, the number of virtual tokens allocated to the any function from the token set of the function type to which the any function belongs includes:
determining a target weight corresponding to any function based on the sub-function type of the any function;
and determining the number of virtual tokens allocated to any function based on the target weight and a preset basic allocation amount.
In an alternative embodiment, in the instructions executed by the processor 41, the deploying a token set for any function type corresponding to the functions for the function type includes:
aiming at any function type corresponding to the functions, deploying a token set for the function type, and resetting the number of virtual tokens in the token set by taking preset duration as a period.
In an alternative embodiment, in the instructions executed by the processor 41, the deploying a token set for any function type corresponding to the functions for the function type includes:
determining the token distribution quantity of the function type in unit time and the virtual token quantity upper limit corresponding to the function type aiming at any function type;
and taking the unit time as a period, distributing the virtual tokens of the token distribution quantity for the function type, and stopping distributing the virtual tokens for the function type under the condition that the quantity of the virtual tokens distributed for the function type reaches the upper limit of the virtual token quantity.
In an alternative embodiment, the instructions executed by the processor 41 further include:
determining the computational resource occupancy of the probe;
and controlling the probe to enter a fusing state under the condition that the occupied amount of the computing resources of the probe is higher than the preset occupied amount.
In an alternative embodiment, in the instructions executed by the processor 41, when the computing resource occupancy of the probe is higher than the preset occupancy, the controlling the probe to enter the fusing state includes:
determining a first duration for which the computing resource occupancy of the probe has been higher than the preset occupancy, in the case where the computing resource occupancy of the probe is higher than the preset occupancy;
and controlling the probe to enter a fusing state under the condition that the first duration is longer than or equal to the first preset duration.
In an alternative embodiment, the instructions executed by the processor 41 further include:
determining a second duration for which the probe has been in the fusing state when the probe is in the fusing state;
and controlling the probe to enter a working state under the condition that the second duration time is longer than a second preset duration time and the occupied amount of the computing resources of the probe is lower than or equal to the preset occupied amount.
The memory 42 includes a memory 421 and an external memory 422. The memory 421, also referred to as an internal memory, temporarily stores operation data of the processor 41 and data exchanged with the external memory 422, such as a hard disk; the processor 41 exchanges data with the external memory 422 via the memory 421.
The specific execution process of the above instruction may refer to the steps of the IAST and RASP probe control method based on the code vaccine described in the embodiments of the present disclosure, which are not described herein.
The disclosed embodiments also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the code vaccine based IAST, RASP probe control method described in the method embodiments above. Wherein the storage medium may be a volatile or nonvolatile computer readable storage medium.
The embodiments of the present disclosure further provide a computer program product, where the computer program product carries program codes including instructions for executing the steps of the method for controlling an IAST and RASP probe based on a code vaccine described in the foregoing method embodiments, and specific reference may be made to the foregoing method embodiments, which are not repeated herein.
Wherein the above-mentioned computer program product may be realized in particular by means of hardware, software or a combination thereof. In an alternative embodiment, the computer program product is embodied as a computer storage medium, and in another alternative embodiment, the computer program product is embodied as a software product, such as a software development kit (Software Development Kit, SDK), or the like.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described system and apparatus may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again. In the several embodiments provided in the present disclosure, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present disclosure may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer readable storage medium executable by a processor. Based on such understanding, the technical solution of the present disclosure, in essence, or the part of it contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present disclosure. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.
Finally, it should be noted that the foregoing examples are merely specific embodiments of the present disclosure and are not intended to limit its scope, and the protection scope of the present disclosure is not limited thereto. Although the present disclosure has been described in detail with reference to the foregoing examples, those skilled in the art will appreciate that any person skilled in the art may, within the technical scope disclosed herein, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the disclosure, and are intended to be included within the protection scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (12)

1. An IAST and RASP probe control method based on a code vaccine is characterized by comprising the following steps:
responding to the starting of a target service, and controlling a probe corresponding to the target service to enter a working state; the probe is used for providing security services for a plurality of functions in the target service;
for any function type corresponding to the functions, deploying a token set for the function type; the token set comprises a plurality of virtual tokens used for representing the occupation amount of computing resources;
in response to detecting a call request for any one of the functions, determining the number of virtual tokens allocated to the any one function from a token set of a function type to which the any one function belongs;
and controlling the probe to enter a fusing state in the condition that the remaining unassigned virtual tokens in the token set are not enough to be assigned to any function.
2. The method of claim 1, wherein said deploying a set of tokens for said function type comprises:
determining the total number of preset tokens corresponding to the function types;
and deploying a token set for the function type based on the preset total number of tokens.
3. The method according to claim 1, wherein the function types of the plurality of functions comprise a traffic entry function and/or a high resource occupancy function; the high resource occupation function occupies computing resources higher than a preset resource amount when called.
4. The method according to claim 1, wherein determining the number of virtual tokens allocated to the arbitrary function from the token set of the function type to which the arbitrary function belongs includes:
determining a target weight corresponding to any function based on the sub-function type of the any function;
and determining the number of virtual tokens allocated to any function based on the target weight and a preset basic allocation amount.
5. The method of claim 1, wherein the deploying the token set for the function type for any of the function types corresponding to the plurality of functions comprises:
aiming at any function type corresponding to the functions, deploying a token set for the function type, and resetting the number of virtual tokens in the token set by taking preset duration as a period.
6. The method of claim 1, wherein the deploying the token set for the function type for any of the function types corresponding to the plurality of functions comprises:
determining the token distribution quantity of the function type in unit time and the virtual token quantity upper limit corresponding to the function type aiming at any function type;
and taking the unit time as a period, distributing the virtual tokens of the token distribution quantity for the function type, and stopping distributing the virtual tokens for the function type under the condition that the quantity of the virtual tokens distributed for the function type reaches the upper limit of the virtual token quantity.
7. The method according to claim 1, wherein the method further comprises:
determining the computational resource occupancy of the probe;
and controlling the probe to enter a fusing state under the condition that the occupied amount of the computing resources of the probe is higher than the preset occupied amount.
8. The method of claim 7, wherein controlling the probe to enter a fusing state if the computing resource occupancy of the probe is higher than a preset occupancy comprises:
determining a first duration for which the computing resource occupancy of the probe has been higher than the preset occupancy, in the case where the computing resource occupancy of the probe is higher than the preset occupancy;
and controlling the probe to enter a fusing state under the condition that the first duration is longer than or equal to the first preset duration.
9. The method according to claim 1, wherein the method further comprises:
determining, when the probe is in the fusing state, a second duration for which the probe has been in the fusing state;
and controlling the probe to enter the working state when the second duration is greater than a second preset duration and the computing resource occupancy of the probe is lower than or equal to the preset occupancy.
10. An IAST and RASP probe control device based on code vaccine, comprising:
a first control module, configured to control, in response to the start of a target service, the probe corresponding to the target service to enter a working state, the probe being used to provide security services for a plurality of functions in the target service;
a deployment module, configured to deploy a token set for any function type corresponding to the plurality of functions, the token set comprising a plurality of virtual tokens used to represent computing resource occupancy;
an allocation module, configured to determine, in response to detecting a call request for any one of the plurality of functions, the number of virtual tokens to allocate to that function from the token set of the function type to which it belongs;
and a second control module, configured to control the probe to enter a fusing state when the unallocated virtual tokens remaining in the token set are not enough to be allocated to that function.
11. A computer device, comprising: a processor and a memory storing machine-readable instructions executable by the processor, the processor being configured to execute the machine-readable instructions stored in the memory, wherein the machine-readable instructions, when executed by the processor, perform the steps of the code-vaccine-based IAST and RASP probe control method as claimed in any one of claims 1 to 9.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when run by a computer device, performs the steps of the code-vaccine-based IAST and RASP probe control method as claimed in any one of claims 1 to 9.
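The token accounting and fusing rules of claims 5 to 9, sketched as an added Python example (not code from the patent or its assignee). The names `Bucket` and `ProbeGovernor`, the threshold values, and the explicit `now` timestamps are assumptions made for illustration.

```python
# Added illustration: names and thresholds are assumptions, not from the patent.
from dataclasses import dataclass

WORKING, FUSED = "working", "fused"

@dataclass
class Bucket:
    rate: int          # virtual tokens distributed per unit time (claim 6)
    cap: int           # upper limit of virtual tokens (claim 6)
    tokens: int = 0    # tokens currently unallocated
    last: float = 0.0  # start of the current distribution period

    def refill(self, now, period):
        periods = int((now - self.last) // period)
        if periods > 0:
            # rate == cap reduces to the periodic reset of claim 5
            self.tokens = min(self.cap, self.tokens + periods * self.rate)
            self.last += periods * period

class ProbeGovernor:
    def __init__(self, buckets, period=1.0, max_usage=0.8, trip_after=2.0, cool_down=5.0):
        self.buckets, self.period = buckets, period      # one bucket per function type
        self.max_usage, self.trip_after, self.cool_down = max_usage, trip_after, cool_down
        self.state, self.over_since, self.fused_at = WORKING, None, None

    def on_call(self, func_type, cost, now):
        """Return True if the probe should inspect this function call."""
        bucket = self.buckets[func_type]
        bucket.refill(now, self.period)
        if self.state == FUSED:
            return False
        if bucket.tokens < cost:      # remaining tokens cannot cover the call
            self.state, self.fused_at = FUSED, now
            return False
        bucket.tokens -= cost
        return True

    def report_usage(self, usage, now):
        """Feed one sample of the probe's resource occupancy (0..1)."""
        if usage > self.max_usage:
            self.over_since = now if self.over_since is None else self.over_since
            if self.state == WORKING and now - self.over_since >= self.trip_after:
                self.state, self.fused_at = FUSED, now   # claims 7 and 8
        else:
            self.over_since = None
            if self.state == FUSED and now - self.fused_at > self.cool_down:
                self.state = WORKING                     # claim 9
        return self.state
```

While the governor is fused, `on_call` returns `False` and the call runs without the probe's checks, so each transition into and out of the fused state is worth logging and alerting on.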
CN202311257664.1A 2023-09-26 2023-09-26 IAST and RASP probe control method and device based on code vaccine Active CN117009955B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311257664.1A CN117009955B (en) 2023-09-26 2023-09-26 IAST and RASP probe control method and device based on code vaccine

Publications (2)

Publication Number Publication Date
CN117009955A true CN117009955A (en) 2023-11-07
CN117009955B CN117009955B (en) 2024-01-09

Family

ID=88569365

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311257664.1A Active CN117009955B (en) 2023-09-26 2023-09-26 IAST and RASP probe control method and device based on code vaccine

Country Status (1)

Country Link
CN (1) CN117009955B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170214701A1 (en) * 2016-01-24 2017-07-27 Syed Kamran Hasan Computer security based on artificial intelligence
CN113010390A (en) * 2020-12-07 2021-06-22 云智慧(北京)科技有限公司 Self-monitoring and fusing system and method based on Java data acquisition probe
CN114598658A (en) * 2022-03-07 2022-06-07 浪潮云信息技术股份公司 Flow limiting method and device
CN116167058A (en) * 2023-04-23 2023-05-26 北京安普诺信息技术有限公司 Runtime vulnerability analysis method and device based on code vaccine

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
CYBERLABS: "DevSecOps 101: Pre-commit hooks with Talisman and gofindapis", 《HTTPS://MEDIUM.COM/@CYBERSECOPS.MAIL/DEVSECOPS-101-PRE-COMMIT-HOOKS-WITH-TALISMAN-AND-GOFINDAPIS-92B17BC453D6》, pages 1 - 15 *
初来乍到: "IAST Core Technology Revealed (Part 1)", 《HTTPS://FORUM.EZREAL.COOL/THREAD-58-1-1.HTML》, pages 1 - 10 *
董毅: "Practice of Code Vaccine Technology in the DevSecOps System", 《中兴通讯技术》, pages 42 - 47 *

Also Published As

Publication number Publication date
CN117009955B (en) 2024-01-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant