CN107608339B - Interface protection method and device for automobile machine - Google Patents

Publication number
CN107608339B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710945066.1A
Other languages
Chinese (zh)
Other versions
CN107608339A (en)
Inventor
刘健皓
宋戈
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Anxinxing Beijing Technology Co ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN201710945066.1A
Publication of CN107608339A
Application granted
Publication of CN107608339B

Abstract

The invention discloses an interface protection method and device for an automobile vehicle machine. The method comprises: determining the call path corresponding to an interface and each call node contained in that call path; monitoring each call node contained in the call path to generate monitoring result data containing the call record of each call node; when a call instruction generated for the interface is detected, judging whether the call records of the call nodes contained in the monitoring result data match the call path corresponding to the interface; and, if not, intercepting the call instruction. With this scheme, the IDR Tools in the automobile guard client monitor the interface of the automobile vehicle machine, and illegal calling behavior is found and blocked in time to ensure that the interface is not called by an illegal program.

Description

Interface protection method and device for automobile machine
Technical Field
The invention relates to the technical field of computers, in particular to an interface protection method and device for an automobile machine.
Background
The interface of the automobile vehicle machine is an entrance for information transmission, and the functions of the vehicle machine can be controlled by calling its interfaces. Static interface protection, such as a signature mechanism, is the most basic guarantee of interface call security, and it depends on the bottom layer not being cracked.
However, an attacker can destroy the existing static protection system directly by modifying source program files. Once root authority is obtained, the security mechanism of the vehicle machine system is broken: a hacker can forge a user identification (UID) by deceptive means and directly call the dynamic link library files at the bottom layer to control the vehicle machine, or disguise another application as an application with a system signature and directly call an interface of the vehicle machine.
Meanwhile, the prior art does not provide a method for protecting the interface of the automobile machine under the condition that a static interface protection system fails.
Disclosure of Invention
In view of the above, the present invention is proposed to provide an interface protection method and apparatus for a vehicle machine of an automobile, which overcomes or at least partially solves the above problems.
According to one aspect of the invention, an interface protection method of an automobile machine is provided, which comprises the following steps:
determining a calling path corresponding to the interface and each calling node contained in the calling path;
monitoring each calling node contained in the calling path to generate monitoring result data containing the calling record of each calling node;
when a call instruction generated for the interface is detected, judging whether the call record of each call node contained in the monitoring result data matches the call path corresponding to the interface;
if not, intercepting the call instruction.
According to another aspect of the present invention, there is provided an interface protection device for a vehicle, including:
the determining module is adapted to determine the call path corresponding to the interface and each call node contained in the call path;
the monitoring module is adapted to monitor each call node contained in the call path and generate monitoring result data containing the call record of each call node;
the judging module is adapted to judge, when a call instruction generated for the interface is detected, whether the call record of each call node contained in the monitoring result data matches the call path corresponding to the interface, and, if not, to intercept the call instruction.
According to still another aspect of the present invention, there is provided an electronic apparatus including a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the interface protection method of the automobile machine.
According to another aspect of the present invention, a computer storage medium is provided, in which at least one executable instruction is stored, and the executable instruction enables a processor to execute the operations corresponding to the above interface protection method for the automobile vehicle machine.
According to the interface protection method and device for the automobile vehicle machine, the IDR Tools in the automobile guard client monitor the interface of the vehicle machine, and illegal calling behaviors are found and blocked in time to ensure that the interface is not called by illegal programs. With the scheme provided by the invention, thanks to the ability of IDR Tools to resist illegal attack behaviors in a Root environment, IDR Tools can still monitor how the interface is called when the static protection system has failed; the monitoring results are analyzed in the cloud so that abnormal calling behaviors are quickly sensed and located, and IDR Tools respond quickly, block the attack and stop the loss in time, thereby realizing dynamic protection of the vehicle machine interface.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
Fig. 1 is a flowchart illustrating an interface protection method for an automobile vehicle machine according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a call chain of an air conditioner interface of an automobile vehicle machine according to an embodiment of the present invention;
Fig. 3 is a flowchart illustrating an interface protection method for an automobile vehicle machine according to another embodiment of the present invention;
Fig. 4 is a flowchart illustrating an interface protection method for an automobile vehicle machine according to another embodiment of the present invention;
Fig. 5 is a schematic structural diagram illustrating an interface protection device of an automobile vehicle machine according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In the automobile guard client, DR Tools are important components of terminal dynamic defense, and are divided into EDR Tools, NDR Tools and IDR Tools according to the characteristics of the automobile.
EDR Tools are the terminal monitoring and response tools (Endpoint Detection Response). EDR Tools take the vehicle machine system as their monitoring dimension and ensure the operating safety of the vehicle machine system. EDR Tools acquire system data, application data, file system data and other data of the vehicle machine in real time, respond quickly to alarms from the automobile guard platform, and block attacks on the terminal.
NDR Tools are the network monitoring and response tools (Network Detection Response). NDR Tools take the network as their monitoring dimension and ensure the networking safety of the vehicle machine. By monitoring network traffic and network behavior and combining them with the network threat information in the automobile guard platform, NDR Tools discover abnormal networking behaviors in the vehicle and manage and control networking behavior.
IDR Tools are the interface monitoring and response tools (Interface Detection Response). IDR Tools take the control interface of the automobile vehicle machine as their dimension and ensure the interface safety of the vehicle machine. IDR Tools monitor calls to the vehicle body interface by means of monitoring points embedded in the interface calling process, find illegal calls, and directly block the corresponding calling behaviors to ensure that the interface is not called by illegal programs.
In the invention, in order to monitor the calling condition of the automobile machine interface and block illegal calling behaviors under the condition that a static protection system fails, IDR Tools in an automobile guard client are utilized to dynamically monitor the calling condition of the automobile machine interface in real time.
Fig. 1 shows a flowchart of an interface protection method for a vehicle-mounted device of an automobile according to an embodiment of the present invention. As shown in fig. 1, the method includes:
step S110, determining a call path corresponding to the interface and each call node included in the call path.
When an interface of the automobile vehicle machine is called, different interfaces have different call paths. The call path is the call chain that must be executed to realize a given function and/or call a given interface, and a call node is any node in that call chain.
Fig. 2 shows a schematic diagram of a call chain of an air conditioner interface of an automobile vehicle machine according to an embodiment of the present invention. As shown in Fig. 2, a general call chain for calling the air conditioner interface is as follows: first, the air conditioner APK, that is, the installation package of the air conditioner application, is called according to a user or system request; second, the corresponding method in the APK calls the Framework API, that is, the framework interface of the air conditioner application program; third, the corresponding method in the Framework API calls the so file, which is a dynamic link library file at the bottom layer of the system; fourth, the so file generates a control command corresponding to the request and sends it to the hardware, which executes the command. The call therefore flows from the application layer down to the system bottom layer, and correspondingly the call nodes include an installation package node, an application program interface node, a dynamic link library node, and a hardware node.
For legal interface calls, the call path used to realize each function and/or call each interface, and each call node contained in that path, are determined; that is, for a control command that realizes a certain function or calls a certain interface, the corresponding calling method at each call node is identified.
Step S120, monitoring each calling node included in the calling path, and generating monitoring result data including a calling record of each calling node.
IDR Tools set up monitoring for each call node in the call path to monitor how the methods of each call node are called, and obtain monitoring result data. The monitoring result data contains the call record of each call node, and each call record records the calling method, call parameters and so on of every call of the corresponding node.
Step S130, when a call instruction generated for the interface is detected, judging whether the call record of each call node contained in the monitoring result data matches the call path corresponding to the interface; if not, intercepting the call instruction.
When it is detected that a control command is being sent to the hardware to make it perform a specific function, it must be determined whether the control command was generated through a legal call. For calls to the same interface, the legal calling manner generates the control command by calling, in sequence, each call node in the call path determined for that interface in step S110; the illegal calling manner generates the control command while skipping at least one of those call nodes. That is, compared with a legal call, the call chain behind a control command generated by an illegal call is incomplete. When an illegal interface call is found, IDR Tools directly block the corresponding calling behavior to ensure that the interface is not called by an illegal program.
Specifically, if the call corresponding to the control command is illegal, the call record of the corresponding method is absent on at least one call node contained in the call path. For example, when the underlying dynamic link library file is called directly in order to control the vehicle machine, the corresponding calling method can be detected only in the dynamic link library file at the system bottom layer, and cannot be detected in the application layer, such as the installation package of the application and the framework interface of the application program.
In this embodiment, whether the call chain is complete is determined by judging whether the call record of each call node contained in the monitoring result data matches the call path corresponding to the interface, and from this it can be determined whether the call is legal. Specifically, for a call instruction generated for an interface, the call chain is complete if the call records for calling that interface are found in the monitoring result data.
According to the interface protection method for the automobile vehicle machine provided by this embodiment, the IDR Tools in the automobile guard client monitor the interface of the vehicle machine, and illegal calling behaviors are found and blocked in time to ensure that the interface is not called by illegal programs. In this embodiment, before monitoring with IDR Tools, the call path of each interface and each call node in the call path are determined first, which fixes the complete call chain; calls to the same interface must have consistent call chains. During monitoring, IDR Tools monitor each call node contained in the call path and generate monitoring result data containing the call record of each call node. When a call instruction generated for an interface is detected, whether the call chain is complete is determined by judging whether the call records of the call nodes contained in the monitoring result data match the call path corresponding to the interface: if they match the call path determined for calling the interface, the call that generated the instruction is legal; if not, IDR Tools directly block the corresponding calling behavior to ensure that the interface is not called by illegal programs. With the scheme provided by this embodiment, thanks to the ability of IDR Tools to resist illegal attack behaviors in a Root environment, IDR Tools can still monitor how the interface is called when the static protection system has failed; the monitoring results are analyzed in the cloud so that abnormal calling behaviors are quickly sensed and located, and IDR Tools respond quickly, block the attack and stop the loss in time, thereby realizing dynamic protection of the vehicle machine interface.
Fig. 3 is a flowchart illustrating an interface protection method for an automotive vehicle according to another embodiment of the present invention, where the method performs interface protection for a single interface of an air conditioner in the automotive vehicle, where the interface includes: an air conditioner on-off interface and/or an air conditioner temperature adjusting interface. As shown in fig. 3, the method includes:
step S310, determining a call path corresponding to the interface and each call node included in the call path.
When an interface of the automobile vehicle machine is called, different interfaces have different call paths. The call path is the call chain that must be executed to realize a given function and/or call a given interface, and a call node is any node in that call chain.
There are two possible situations when the air conditioner interface of an automobile vehicle machine is called. In one case, calling the air conditioner interface can realize only one function, for example turning on the air conditioner. In the other case, different functions can be realized by calling the air conditioner interface with different types of call instructions, where one type of call instruction realizes one function, for example turning the air conditioner on and turning it off. Taking the general call chain for the air conditioner interface shown in Fig. 2 as an example, this step is described separately for the two cases.
In the case where calling the air conditioner interface can realize only one function, if that function is realized by a legal call, there is a unique call order between the call nodes. For example, the call path in Fig. 2 contains 4 call nodes, and the call order is: the installation package node, the application program interface node, the dynamic link library node, and the hardware node connected with the interface, where each call node has a unique corresponding calling method for realizing the function. In this case, determining the call path corresponding to the interface and each call node contained in it only requires determining the number and names of the call nodes contained in the call path.
In the case where different functions can be realized by calling the air conditioner interface with different types of call instructions, if each function is realized by a legal call, the calling methods of the call nodes in the call path differ from function to function; a calling method comprises a call function and call parameters. For example, the call chain in Fig. 2 can realize both turning the air conditioner on and turning it off, and each of the 4 call nodes has a different calling method for each of the two functions. Because the call paths and the called interface are the same for all of these functions, determining only the number and names of the call nodes contained in the call path is not enough to establish that an interface call is legal. It is therefore necessary to determine the various types of call instructions corresponding to the interface, to determine for each type of call instruction the corresponding call path and each call node contained in it, and further to confirm the call function and/or call parameters corresponding to each call node, so that the calling method at each call node is identified as the one that realizes a particular function.
In addition, the call chain shown in Fig. 2 needs only 4 call nodes to call the interface and realize the corresponding function, but in practice there are cases where more than 4 call nodes are needed, and where the number of call nodes is the same and only the call order between the call nodes differs. In this case, the call order between the call nodes needs to be further determined in order to distinguish interface calls that realize different functions.
The three cases above are exemplary. They only illustrate that, in various situations, the features of a legal interface call can be made explicit by determining the call path corresponding to the interface and the call nodes contained in the call path; this embodiment is not limited to them. The call path comprises the number and names of the call nodes, the call order among the call nodes, and/or the call functions and/or call parameters corresponding to the call nodes.
Step S320, for each calling node included in the calling path, monitoring the calling node by setting a hook function at the calling node, and/or monitoring the calling node by obtaining and analyzing a node log corresponding to the calling node.
Each call node contained in the call path is monitored to obtain its call record, which records the call function, call parameters and so on of every call of the corresponding node. Specifically, each call node contained in the call path may be monitored by setting a hook function, and/or by acquiring and analyzing the node log corresponding to the call node.
With the hook function approach, before a calling method calls the specified interface or file in the next call node, Hook technology is used to intercept the calling process in the current call node and obtain its call record, such as the calling method invoked and the interface specified by the call, thereby monitoring the calling process.
With the node log approach, the node log of each call node is acquired, and IDR Tools analyze the calling behaviors from the node log so as to monitor the call record corresponding to each calling behavior of each call node.
Taking the call chain in Fig. 2 as an example: in the air conditioner APK and the Framework API, each operation on the air conditioner is monitored by means of Hook, including its call source and call target, where the call source is the previous call node and the call target is the interface or file of the next call node that the calling method specifies; the so file can be monitored by acquiring and analyzing its node log: the so library can output the calling behavior of the Framework API to a specified path in the form of a log, and IDR Tools analyze the node log to monitor the calling behavior of the so library.
Step S330, generating monitoring result data including the call records of each call node.
Monitoring result data is generated from the call records of the call nodes. The monitoring result data comprises the number and names of the call nodes in the whole call chain, the call order among the call nodes, and/or the call functions and/or call parameters corresponding to the call nodes as recorded in the call records.
Step S310 determines the call path corresponding to the legal way of calling the interface and each call node contained in that call path; steps S320 and S330 monitor the real-time call record of each call node and produce monitoring result data containing those records. When the interface is called in a legal manner, the call path and call nodes determined in step S310 match the monitoring result data obtained in step S330: specifically, the number and names of the call nodes contained in the call path are the same, the call order among the call nodes is the same, and/or the call functions and/or call parameters corresponding to each call node match.
Step S340, when a call instruction generated for the interface is detected, judging whether the call record of each call node contained in the monitoring result data matches the call path corresponding to the interface; if not, intercepting the call instruction.
When it is detected that a call instruction has been generated at the call node that precedes the hardware node connected to the interface (in Fig. 2, when the so call node generates the call instruction), it is judged whether the call instruction was generated in a legal calling manner.
In a specific embodiment of the present invention, whether the call instruction generated for the interface is legal is judged as follows: judging whether the number and names of the call nodes related to the call instruction match the number and names of the call nodes contained in the call path, and determining from the result whether the call record of each call node matches the call path corresponding to the interface.
Specifically, the call nodes related to the call instruction are the call nodes contained in the actual call chain that generated the call instruction, for example in the case of a direct call. In that case the number and names of the call nodes related to the call instruction do not match those of the call nodes contained in the call path; specifically, if a call node related to the call instruction is missing, it can be determined that the call instruction was generated by an illegal program, and its control of the interface should be blocked immediately.
In another specific embodiment of the present invention, whether the call instruction generated for the interface is legal is judged as follows: judging whether the call function and/or call parameters corresponding to each call node related to the call instruction match the call function and/or call parameters corresponding to each call node contained in the call path, and determining from the result whether the call record of each call node matches the call path corresponding to the interface.
Specifically, the call function and/or call parameters corresponding to each call node related to the call instruction are determined from the call record of each call node; that is, the call function and/or call parameters each call node actually used when the call instruction was generated can be found in the monitoring result data. The call function and/or call parameters corresponding to each call node in the call path are those each call node must use when the call instruction is generated in a legal manner. The two are matched, and if the call function and/or call parameters of at least one call node are inconsistent, it can be determined that the call instruction was generated by an illegal program, and its control of the interface should be blocked immediately. This is particularly effective when one interface can be called by different call instructions to realize different functions: if only the number and names of the call nodes were matched, a call instruction realizing another function could easily interfere, and matching the call function and/or call parameters eliminates that interference.
In another specific embodiment of the present invention, the manner of determining whether the call instruction generated for the interface is legal is: judging whether the calling sequence between the calling nodes related to the calling instruction is matched with the calling sequence between the calling nodes contained in the calling path or not, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface or not according to the judgment result.
Specifically, determining a calling sequence between calling nodes related to the calling instruction according to the calling record of each calling node, namely finding the calling sequence between each calling node when the instruction is correspondingly generated in the monitoring result data; the calling sequence among all calling nodes in the calling path refers to the calling sequence among all calling nodes in the calling path when the calling instruction is generated in a legal mode; through the matching of the two, if the calling sequence between the calling nodes related to the calling instruction is not consistent with the calling sequence between each calling node in the calling path when the calling instruction is generated in a legal manner, the calling instruction can be determined to be generated by an illegal program, and the control of the calling instruction on the interface should be immediately blocked. The method has obvious effect particularly under the condition that the number of the calling nodes in the calling path for generating the calling instruction is large, in this case, if the calling functions and/or the calling parameters of the calling nodes are matched one by one, the calculation amount is large, the calculation amount can be greatly reduced by matching the calling sequence among the calling nodes, and the efficiency of identifying illegal calling is improved.
In addition, in other embodiments of the present invention, the three embodiments above may be combined to determine whether the call instruction generated for the interface is legal, so that illegal calls to the interface are found in time and blocked, preventing the in-vehicle system or its applications from being attacked.
In this embodiment, the IDR tool may also upload the monitoring result data to the automobile guard platform for analysis of interface calling behavior; the platform raises an alarm on behavior that deviates from the normal calling path, so that the IDR tool can take the corresponding measure according to the alarm information. The automobile guard platform also updates the interface calling white list according to the analysis result. The calling white list is a calling path for legal calls to the interface, and specifically comprises the number and the name of the calling nodes, the calling sequence among the calling nodes, and/or the calling functions and/or calling parameters corresponding to the calling nodes. The updated white list is pushed to the IDR tool at the same time, so that the same attack can be blocked directly when it occurs again, protecting the security of interface calls.
According to the interface protection method for the automobile machine, the interface of the automobile machine is monitored by using the IDR Tools in the automobile guard client, and illegal calling behaviors are found and blocked in time so as to ensure that the interface is not called by illegal programs. In this embodiment, before monitoring by using IDR Tools, the call path by which each interface is called and each call node in that call path are determined, which in turn determines the complete call chain for a legal call of each interface; specifically, the call path includes the number and name of call nodes, the call sequence between the call nodes, and/or the call function and/or call parameter corresponding to each call node. When monitoring is carried out by using IDR Tools, each call node contained in the call path is monitored, and monitoring result data containing the call record of each call node is generated. When a call instruction generated for an interface is monitored, whether the call chain is complete is determined by judging whether the call record of each call node contained in the monitoring result data matches the call path corresponding to the interface, for example, whether the number and the names of the call nodes are the same, whether the call sequence among the call nodes is consistent, and/or whether the call function and/or call parameter corresponding to each call node are the same. If the call chain matches the determined call path for calling the interface, the call that generated the call instruction is legal; if it does not match, the corresponding call behavior is directly blocked by using IDR Tools to ensure that the interface is not called by illegal programs.
With the scheme provided by this embodiment, IDR Tools make it possible to counter illegal attack behaviors even in a Root environment: when the static protection system has failed, IDR Tools can still monitor how the interface is called, the monitoring results are analyzed by the cloud, abnormal calling behaviors are quickly sensed and located, and IDR Tools respond quickly to block the attack and stop the damage in time, thereby realizing dynamic protection of the car machine interface.
Fig. 4 is a flowchart illustrating an interface protection method for a car machine according to another embodiment of the present invention, where the method performs interface protection for multiple interfaces in the car machine, and as shown in fig. 3, the method includes:
Step S410, for a plurality of interfaces, respectively determining a call path corresponding to each interface and each call node included in the call path, and storing the call path corresponding to each interface and the interface identifier of the interface in a preset path library in an associated manner.
Before interface protection is carried out on a plurality of interfaces by using IDR Tools, for each interface, a calling path corresponding to the interface and each calling node contained in the calling path are determined, and the interface, the calling path corresponding to the interface and each calling node contained in the calling path are stored in a preset path library as a data association.
Step S420, monitoring each calling node included in the calling path of each interface, and generating monitoring result data corresponding to each interface and including the calling record of each calling node.
Step S430, when a call instruction generated for an interface is monitored, determining an interface identifier of the interface corresponding to the call instruction, acquiring a call path stored in association with the interface identifier from the path library, and determining whether a call record of each call node included in the monitoring result data matches the acquired call path. If not, intercepting the call instruction.
When the IDR Tools are used to perform interface protection on multiple interfaces, the interfaces are firstly distinguished, and in this embodiment, each piece of data stored in the preset path library is associated with an interface identifier of an interface.
Specifically, stored data associated with an interface identifier of an interface corresponding to the generated call instruction is searched in a preset path library, the call path for the interface and each call node included in the call path are acquired from the stored data, and are matched with actually monitored monitoring result data, so that whether a call mode corresponding to the call instruction is legal or not is judged.
According to the interface protection method of the automobile machine, interface protection is performed on a plurality of interfaces, the interfaces of the automobile machine are monitored by using IDR Tools in the automobile guard client, and illegal calling behaviors are found and blocked in time so as to ensure that the interfaces are not called by illegal programs. With the scheme provided by this embodiment, IDR Tools make it possible to counter illegal attack behaviors even in a Root environment: when the static protection system has failed, the IDR tool can still monitor how the interfaces are called, the monitoring results are analyzed by the cloud, abnormal calling behaviors are quickly sensed and located, and the IDR tool responds quickly to block the attack and stop the damage in time, thereby realizing dynamic protection of a plurality of interfaces of the car machine.
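The matching described in the embodiments above (number and names of call nodes, call sequence, call function and/or call parameter, with call paths looked up in a path library by interface identifier and instruction type) can be sketched as follows. This is an added example, not code from the patent or from IDR Tools; the node names, function names, interface identifiers and sample call records are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, NamedTuple


@dataclass
class NodeSpec:
    """One call node of a legal call path (a white list entry)."""
    name: str
    function: str
    params: Dict[str, str] = field(default_factory=dict)  # only listed keys are checked


@dataclass
class CallRecord:
    """One monitored call, as a hook or a node-log parser would emit it."""
    seq: int
    node: str
    function: str
    params: Dict[str, str] = field(default_factory=dict)


class Verdict(NamedTuple):
    allowed: bool   # False means the call instruction is intercepted
    reason: str


def _power_path(state: str) -> List[NodeSpec]:
    # Hypothetical chain: installation package -> API -> dynamic library -> hardware.
    return [
        NodeSpec("apk:com.example.hvac", "onPowerButton"),
        NodeSpec("api:HvacManager", "setPower", {"state": state}),
        NodeSpec("so:libhvac.so", "hvac_set_power", {"state": state}),
        NodeSpec("hw:hvac_ctrl", "write", {"reg": "power"}),
    ]


# Path library: (interface identifier, instruction type) -> legal call path.
PATH_LIBRARY = {
    ("ac_power", "on"): _power_path("on"),
    ("ac_power", "off"): _power_path("off"),
}


def check_call(interface_id: str, instr_type: str,
               records: List[CallRecord]) -> Verdict:
    path = PATH_LIBRARY.get((interface_id, instr_type))
    if path is None:
        return Verdict(False, "no_path")          # fail closed on unknown interfaces
    observed = sorted(records, key=lambda r: r.seq)
    expected_names = [n.name for n in path]
    observed_names = [r.node for r in observed]
    # 1. Number and names of call nodes.
    if sorted(observed_names) != sorted(expected_names):
        return Verdict(False, "node_mismatch")
    # 2. Call sequence between the call nodes.
    if observed_names != expected_names:
        return Verdict(False, "order_mismatch")
    # 3. Call function and call parameters of each node.
    for rec, spec in zip(observed, path):
        if rec.function != spec.function:
            return Verdict(False, "function_mismatch")
        if any(rec.params.get(k) != v for k, v in spec.params.items()):
            return Verdict(False, "param_mismatch")
    return Verdict(True, "match")


def demo() -> Dict[str, Verdict]:
    # Constructed monitoring result data for an "air conditioner on" instruction.
    legit = [
        CallRecord(1, "apk:com.example.hvac", "onPowerButton"),
        CallRecord(2, "api:HvacManager", "setPower", {"state": "on"}),
        CallRecord(3, "so:libhvac.so", "hvac_set_power", {"state": "on"}),
        CallRecord(4, "hw:hvac_ctrl", "write", {"reg": "power"}),
    ]
    # The library is reached without the package and API nodes being called.
    direct = legit[2:]
    # Same nodes, but the library call is recorded before the API call.
    reordered = [legit[0], replace(legit[1], seq=3), replace(legit[2], seq=2), legit[3]]
    # Same nodes and order, but the library call carries another state.
    wrong_param = [legit[0], legit[1],
                   replace(legit[2], params={"state": "off"}), legit[3]]
    return {
        "legit": check_call("ac_power", "on", legit),
        "direct": check_call("ac_power", "on", direct),
        "reordered": check_call("ac_power", "on", reordered),
        "wrong_param": check_call("ac_power", "on", wrong_param),
        "unknown": check_call("door_lock", "open", legit),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} allowed={verdict.allowed} reason={verdict.reason}")
```

The checks run from cheapest to most detailed, so a chain with missing nodes is rejected before any per-node function or parameter comparison is made.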
Fig. 5 is a schematic structural diagram of an interface protection device of a vehicle machine of an automobile according to an embodiment of the present invention. As shown in fig. 5, the apparatus includes: a determining module 510, a monitoring module 520, and a judging module 530.
A determining module 510, adapted to determine a call path corresponding to the interface and each call node included in the call path;
the monitoring module 520 is adapted to monitor each calling node included in the calling path and generate monitoring result data including a calling record of each calling node;
a judging module 530, adapted to, when a call instruction generated for the interface is monitored, judge whether a call record of each call node included in the monitoring result data matches a call path corresponding to the interface; if not, intercepting the call instruction.
In an alternative approach, the calling node includes at least one of: installing a package node, an application program interface node, a dynamic link library node and a hardware node connected with an interface;
the monitoring module 520 is further adapted to: the calling node is monitored by setting a hook function at the calling node, and/or the calling node is monitored by acquiring and analyzing a node log corresponding to the calling node.
In an alternative manner, the judging module 530 is further adapted to: determining the number and the name of calling nodes contained in a calling path corresponding to an interface;
determining the number and the name of the calling nodes related to the calling instruction according to the calling record of each calling node;
and judging whether the number and the name of the calling nodes related to the calling instruction are matched with those of the calling nodes contained in the calling path or not, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface or not according to the judgment result.
In an alternative manner, the call path further includes a call sequence between the call nodes, and the judging module 530 is further adapted to:
determining a calling sequence between calling nodes related to the calling instruction according to the calling record of each calling node;
judging whether the calling sequence between the calling nodes related to the calling instruction is matched with the calling sequence between the calling nodes contained in the calling path or not, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface or not according to the judgment result.
In an optional manner, the call path further includes a call function and/or a call parameter corresponding to each call node, and the judging module 530 is further adapted to:
determining a calling function and/or a calling parameter corresponding to each calling node related to the calling instruction according to the calling record of each calling node;
judging whether the calling function and/or calling parameter corresponding to each calling node related to the calling instruction is matched with the calling function and/or calling parameter corresponding to each calling node contained in the calling path, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface according to the judgment result.
In an alternative approach, the determining module 510 is further adapted to:
determining various types of call instructions corresponding to the interface, and respectively determining a call path corresponding to the type of call instruction and each call node contained in the call path aiming at each type of call instruction;
the step of determining whether the call record of each call node included in the monitoring result data matches the call path corresponding to the interface specifically includes:
and determining a calling path corresponding to the type of the calling instruction according to the type of the calling instruction, and judging whether the calling record of each calling node is matched with the calling path corresponding to the type of the calling instruction.
In an alternative approach, the determining module 510 is further adapted to:
respectively determining a calling path corresponding to each interface and each calling node contained in the calling path aiming at a plurality of interfaces, and storing the calling path corresponding to each interface and the interface identifier of the interface into a preset path library in an associated manner;
the judging module 530 is further adapted to: determining an interface identifier of an interface corresponding to the call instruction, acquiring a call path stored in association with the interface identifier from a path library, and judging whether the call record of each call node contained in the monitoring result data is matched with the acquired call path.
In an optional manner, the interface includes: an air conditioner on-off interface and/or an air conditioner temperature adjusting interface.
The structure, the working principle and the action of each module in the interface protection device of the automotive vehicle machine correspond to the steps in the method embodiment one to one, and specific reference may be made to the description in the method embodiment, which is not described herein again.
The embodiment of the application provides a nonvolatile computer storage medium, wherein at least one executable instruction is stored in the computer storage medium, and the computer executable instruction can execute the interface protection method of the automobile machine in any method embodiment.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the electronic device.
As shown in fig. 6, the electronic device may include: a processor 602, a communication interface 604, a memory 606, and a communication bus 608.
Wherein:
the processor 602, communication interface 604, and memory 606 communicate with one another via a communication bus 608.
A communication interface 604 for communicating with network elements of other devices, such as clients or other servers.
The processor 602 is configured to execute the program 610, and may specifically execute relevant steps in the above embodiment of the interface protection method for the car machine.
In particular, program 610 may include program code comprising computer operating instructions.
The processor 602 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The electronic device comprises one or more processors, which can be the same type of processor, such as one or more CPUs, or different types of processors, such as one or more CPUs and one or more ASICs.
And a memory 606 for storing a program 610. Memory 606 may comprise high-speed RAM memory, and may also include non-volatile memory, such as at least one disk memory.
The program 610 may specifically be configured to cause the processor 602 to perform the following operations:
determining a calling path corresponding to the interface and each calling node contained in the calling path;
monitoring each calling node contained in the calling path to generate monitoring result data containing the calling record of each calling node;
when a call instruction generated aiming at an interface is monitored, judging whether a call record of each call node contained in monitoring result data is matched with a call path corresponding to the interface;
if not, intercepting the call instruction.
In an alternative approach, the calling node includes at least one of: installing a package node, an application program interface node, a dynamic link library node and a hardware node connected with an interface;
the program 610 may specifically be further configured to cause the processor 602 to perform the following operations:
the calling node is monitored by setting a hook function at the calling node, and/or the calling node is monitored by acquiring and analyzing a node log corresponding to the calling node.
In an alternative manner, the program 610 may specifically be further configured to cause the processor 602 to perform the following operations:
determining the number and the name of calling nodes contained in a calling path corresponding to an interface;
determining the number and the name of the calling nodes related to the calling instruction according to the calling record of each calling node;
and judging whether the number and the name of the calling nodes related to the calling instruction are matched with those of the calling nodes contained in the calling path or not, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface or not according to the judgment result.
In an alternative manner, the program 610 may specifically be further configured to cause the processor 602 to perform the following operations:
determining a calling sequence between calling nodes related to the calling instruction according to the calling record of each calling node;
judging whether the calling sequence between the calling nodes related to the calling instruction is matched with the calling sequence between the calling nodes contained in the calling path or not, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface or not according to the judgment result.
In an optional manner, the call path further includes a call function and/or a call parameter corresponding to each call node, and the program 610 may specifically be further configured to cause the processor 602 to perform the following operations:
determining a calling function and/or a calling parameter corresponding to each calling node related to the calling instruction according to the calling record of each calling node;
judging whether the calling function and/or calling parameter corresponding to each calling node related to the calling instruction is matched with the calling function and/or calling parameter corresponding to each calling node contained in the calling path, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface according to the judgment result.
In an alternative manner, the program 610 may specifically be further configured to cause the processor 602 to perform the following operations:
determining various types of call instructions corresponding to the interface, and respectively determining a call path corresponding to the type of call instruction and each call node contained in the call path aiming at each type of call instruction;
In an alternative manner, the program 610 may specifically be further configured to cause the processor 602 to perform the following operations:
and determining a calling path corresponding to the type of the calling instruction according to the type of the calling instruction, and judging whether the calling record of each calling node is matched with the calling path corresponding to the type of the calling instruction.
In an alternative manner, the program 610 may specifically be further configured to cause the processor 602 to perform the following operations:
respectively determining a calling path corresponding to each interface and each calling node contained in the calling path aiming at a plurality of interfaces, and storing the calling path corresponding to each interface and the interface identifier of the interface into a preset path library in an associated manner;
when a call instruction generated for the interface is monitored, the step of judging whether the call record of each call node included in the monitoring result data matches the call path corresponding to the interface specifically includes:
and determining an interface identifier of an interface corresponding to the call instruction, acquiring a call path stored in association with the interface identifier from a path library, and judging whether the call record of each call node contained in the monitoring result data is matched with the acquired call path.
In an alternative form, the interface includes: an air conditioner on-off interface and/or an air conditioner temperature adjusting interface.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the interface guard of the automotive vehicle machine according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera does not indicate any ordering. These words may be interpreted as names.

Claims (16)

1. An interface protection method of an automobile machine comprises the following steps:
determining a calling path corresponding to the interface and each calling node contained in the calling path;
monitoring each calling node contained in the calling path to generate monitoring result data containing the calling record of each calling node;
when a call instruction generated aiming at the interface is monitored, judging whether a call record of each call node contained in the monitoring result data is matched with a call path corresponding to the interface;
if not, intercepting the calling instruction;
the step of determining whether the call record of each call node included in the monitoring result data matches the call path corresponding to the interface specifically includes:
determining the number and the name of calling nodes contained in a calling path corresponding to the interface;
determining the number and the name of the calling nodes related to the calling instruction according to the calling record of each calling node;
and judging whether the number and the name of the calling node related to the calling instruction are matched with those of the calling nodes contained in the calling path or not, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface or not according to the judgment result.
2. The method of claim 1, wherein the calling node comprises at least one of: installing a package node, an application program interface node, a dynamic link library node and a hardware node connected with the interface;
the step of monitoring each calling node included in the calling path specifically includes: the calling node is monitored by setting a hook function at the calling node, and/or the calling node is monitored by acquiring and analyzing a node log corresponding to the calling node.
3. The method according to claim 1, wherein the call path further includes a call sequence between each call node, and the step of determining whether the call record of each call node included in the monitoring result data matches the call path corresponding to the interface specifically includes:
determining a calling sequence between calling nodes related to the calling instruction according to the calling record of each calling node;
judging whether the calling sequence between the calling nodes related to the calling instruction is matched with the calling sequence between the calling nodes contained in the calling path or not, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface or not according to the judgment result.
4. The method according to claim 3, wherein the call path further includes a call function and/or a call parameter corresponding to each call node, and the step of determining whether the call record of each call node included in the monitoring result data matches the call path corresponding to the interface specifically includes:
determining a calling function and/or a calling parameter corresponding to each calling node related to the calling instruction according to the calling record of each calling node;
judging whether the calling function and/or calling parameter corresponding to each calling node related to the calling instruction is matched with the calling function and/or calling parameter corresponding to each calling node contained in the calling path, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface according to the judgment result.
5. The method according to claim 4, wherein the step of determining the call path corresponding to the interface and each call node included in the call path specifically includes:
determining various types of call instructions corresponding to the interface, and respectively determining a call path corresponding to the type of call instruction and each call node contained in the call path aiming at each type of call instruction;
the step of determining whether the call record of each call node included in the monitoring result data matches the call path corresponding to the interface specifically includes:
and determining a calling path corresponding to the type of the calling instruction according to the type of the calling instruction, and judging whether the calling record of each calling node is matched with the calling path corresponding to the type of the calling instruction.
6. The method according to any one of claims 1 to 5, wherein the step of determining the call path corresponding to the interface and each call node included in the call path specifically includes:
aiming at a plurality of interfaces, respectively determining a calling path corresponding to each interface and each calling node contained in the calling path, and storing the calling path corresponding to each interface and the interface identifier of the interface into a preset path library in an associated manner;
when a call instruction generated for the interface is monitored, the step of determining whether the call record of each call node included in the monitoring result data matches the call path corresponding to the interface specifically includes:
determining an interface identifier of an interface corresponding to the call instruction, acquiring a call path stored in association with the interface identifier from the path library, and judging whether a call record of each call node contained in the monitoring result data is matched with the acquired call path.
7. The method of any of claims 1-5, wherein the interface comprises: an air conditioner on-off interface and/or an air conditioner temperature adjusting interface.
8. An interface protection device of a car machine, comprising:
the determining module is suitable for determining a calling path corresponding to the interface and each calling node contained in the calling path;
the monitoring module is suitable for monitoring each calling node contained in the calling path and generating monitoring result data containing the calling record of each calling node;
the judging module is suitable for judging whether the calling record of each calling node contained in the monitoring result data is matched with the calling path corresponding to the interface or not when the calling instruction generated aiming at the interface is monitored; if not, intercepting the calling instruction;
wherein the judging module further comprises: determining the number and the name of calling nodes contained in a calling path corresponding to the interface;
determining the number and the name of the calling nodes related to the calling instruction according to the calling record of each calling node;
and judging whether the number and the name of the calling node related to the calling instruction are matched with those of the calling nodes contained in the calling path or not, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface or not according to the judgment result.
9. The apparatus of claim 8, wherein the calling node comprises at least one of: an installation package node, an application program interface node, a dynamic link library node and a hardware node connected with the interface;
the monitoring module is further adapted to: the calling node is monitored by setting a hook function at the calling node, and/or the calling node is monitored by acquiring and analyzing a node log corresponding to the calling node.
10. The apparatus of claim 8, wherein the call path further includes a call order between the call nodes, and the determining module is further adapted to:
determining a calling sequence between calling nodes related to the calling instruction according to the calling record of each calling node;
judging whether the calling sequence between the calling nodes related to the calling instruction is matched with the calling sequence between the calling nodes contained in the calling path or not, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface or not according to the judgment result.
11. The apparatus according to claim 10, wherein the call path further includes a call function and/or a call parameter corresponding to each call node, and the determining module is further adapted to:
determining a calling function and/or a calling parameter corresponding to each calling node related to the calling instruction according to the calling record of each calling node;
judging whether the calling function and/or calling parameter corresponding to each calling node related to the calling instruction is matched with the calling function and/or calling parameter corresponding to each calling node contained in the calling path, and determining whether the calling record of each calling node is matched with the calling path corresponding to the interface according to the judgment result.
12. The apparatus of claim 11, wherein the determination module is further adapted to:
determining various types of call instructions corresponding to the interface, and respectively determining a call path corresponding to the type of call instruction and each call node contained in the call path aiming at each type of call instruction;
the step of determining whether the call record of each call node included in the monitoring result data matches the call path corresponding to the interface specifically includes:
and determining a calling path corresponding to the type of the calling instruction according to the type of the calling instruction, and judging whether the calling record of each calling node is matched with the calling path corresponding to the type of the calling instruction.
13. The apparatus of any of claims 8-12, wherein the determination module is further adapted to:
aiming at a plurality of interfaces, respectively determining a calling path corresponding to each interface and each calling node contained in the calling path, and storing the calling path corresponding to each interface and the interface identifier of the interface into a preset path library in an associated manner;
the determination module is further adapted to: determining an interface identifier of an interface corresponding to the call instruction, acquiring a call path stored in association with the interface identifier from the path library, and judging whether a call record of each call node contained in the monitoring result data is matched with the acquired call path.
14. The apparatus of any of claims 8-12, wherein the interface comprises: an air conditioner on-off interface and/or an air conditioner temperature adjusting interface.
15. An electronic device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the interface protection method of the automobile machine of any one of claims 1-7.
16. A computer storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the interface protection method for a vehicle machine of any one of claims 1 to 7.
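The matching step recited in the claims above (number and name of calling nodes, then calling order, then calling function and parameters, against a path looked up by interface identifier and instruction type) can be sketched as follows. This is an added example, not code from the patent or its assignee; every node name, function name, parameter value and the fail-closed handling of an unregistered interface are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Node:
    name: str                       # calling node: package, API, library or hardware
    function: str                   # function invoked at that node
    params: Optional[Tuple] = None  # in a path entry, None means "any parameters"

# Path library: (interface identifier, instruction type) -> ordered call path.
# Every identifier below is constructed for illustration.
PATH_LIBRARY = {
    ("ac_power", "on"): (
        Node("com.example.hvac.apk", "onPowerClick"),
        Node("HvacManager", "setPower", (1,)),
        Node("libhvac.so", "hvac_set_power", (1,)),
        Node("can_hvac", "write"),
    ),
}

def check_call(interface_id, instr_type, records):
    """Compare observed call records with the stored path; (allowed, reason)."""
    expected = PATH_LIBRARY.get((interface_id, instr_type))
    if expected is None:  # assumption: unknown interfaces fail closed
        return False, "no call path registered"
    if len(records) != len(expected):
        return False, "node count mismatch"
    if sorted(r.name for r in records) != sorted(e.name for e in expected):
        return False, "node name mismatch"
    for want, got in zip(expected, records):
        if want.name != got.name:
            return False, "call order mismatch"
        if want.function != got.function:
            return False, "function mismatch at " + got.name
        if want.params is not None and want.params != got.params:
            return False, "parameter mismatch at " + got.name
    return True, "match"

# Constructed call records, as hooks or node logs might report them.
LEGIT = [
    Node("com.example.hvac.apk", "onPowerClick", ()),
    Node("HvacManager", "setPower", (1,)),
    Node("libhvac.so", "hvac_set_power", (1,)),
    Node("can_hvac", "write", (b"\x01",)),
]
BYPASS = LEGIT[2:]  # library called directly, skipping the package and API nodes

if __name__ == "__main__":
    for label, rec in (("legit", LEGIT), ("bypass", BYPASS)):
        allowed, reason = check_call("ac_power", "on", rec)
        print(label, "allow" if allowed else "intercept", reason)
```

A result of `(False, reason)` corresponds to the claimed interception of the call instruction; the reason string identifies which comparison failed.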
CN201710945066.1A 2017-09-30 2017-09-30 Interface protection method and device for automobile machine Active CN107608339B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710945066.1A CN107608339B (en) 2017-09-30 2017-09-30 Interface protection method and device for automobile machine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710945066.1A CN107608339B (en) 2017-09-30 2017-09-30 Interface protection method and device for automobile machine

Publications (2)

Publication Number Publication Date
CN107608339A CN107608339A (en) 2018-01-19
CN107608339B true CN107608339B (en) 2020-02-25

Family

ID=61069093

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710945066.1A Active CN107608339B (en) 2017-09-30 2017-09-30 Interface protection method and device for automobile machine

Country Status (1)

Country Link
CN (1) CN107608339B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109254864A (en) * 2018-09-11 2019-01-22 北京奇艺世纪科技有限公司 A kind of application failure restorative procedure, device and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1908832A (en) * 2006-08-16 2007-02-07 中山大学 Vehicle mounted intelligent control device and method
CN104268471A (en) * 2014-09-10 2015-01-07 珠海市君天电子科技有限公司 Method and device for detecting return-oriented programming attack
CN104794059A (en) * 2015-05-08 2015-07-22 北京理工大学 Defect positioning method and device based on function calling records
CN105893846A (en) * 2016-04-22 2016-08-24 北京金山安全软件有限公司 Method and device for protecting target application program and electronic equipment
CN106790718A (en) * 2017-03-16 2017-05-31 北京搜狐新媒体信息技术有限公司 Service call link analysis method and system

Also Published As

Publication number Publication date
CN107608339A (en) 2018-01-19

Similar Documents

Publication Publication Date Title
US10657251B1 (en) Multistage system and method for analyzing obfuscated content for malware
CN111274583A (en) Big data computer network safety protection device and control method thereof
CN109766700A (en) Access control method and device, the storage medium, electronic device of file
CN106778242B (en) Kernel vulnerability detection method and device based on virtual machine
CN104081404A (en) Application sandboxing using a dynamic optimization framework
TW201104489A (en) Method and system for cleaning malicious software and computer program product and storage medium
CN113632432B (en) Method and device for judging attack behaviors and computer storage medium
US20170155683A1 (en) Remedial action for release of threat data
CN111447167B (en) Safety protection method and device for vehicle-mounted system
CN105678164A (en) Method and device for detecting malicious software
CN110674496A (en) Method and system for program to counter invading terminal and computer equipment
CN110839025A (en) Centralized web penetration detection honeypot method, device and system and electronic equipment
CN105791250B (en) Application program detection method and device
CN107608339B (en) Interface protection method and device for automobile machine
CN111444511A (en) Safety protection method and system for vehicle-mounted system
WO2021084961A1 (en) Analysis device and analysis method
JP7176569B2 (en) Information processing device, log analysis method and program
CN110276193B (en) Risk feature output method, application operation control method, system and device
US9881155B2 (en) System and method for automatic use-after-free exploit detection
CN112395593A (en) Instruction execution sequence monitoring method and device, storage medium and computer equipment
CN111444510A (en) CPU vulnerability detection method and system based on virtual machine
CN112989355B (en) Vulnerability threat perception method, device, storage medium and equipment
CN112953895B (en) Attack behavior detection method, device and equipment and readable storage medium
CN115033879A (en) Detection method for malicious Trojan horse of Internet of things
CN105631317B (en) A kind of system call method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220324

Address after: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Sanliu0 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20231121

Address after: 1739, 17th Floor, 15th Floor, Building 3, No.10 Jiuxianqiao Road, Chaoyang District, Beijing, 100000

Patentee after: Anxinxing (Beijing) Technology Co.,Ltd.

Address before: 100020 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee before: Sanliu0 Digital Security Technology Group Co.,Ltd.