CN111563257A - Data detection method and device, computer readable medium and terminal equipment - Google Patents

Publication number: CN111563257A
Authority: CN (China)
Prior art keywords: file, detected, target, code, data detection
Legal status: Granted, active
Application number: CN202010295391.XA
Priority: CN202010295391.XA
Other languages: Chinese (zh)
Other versions: CN111563257B (en)
Inventor: 彭冬炜
Current Assignee: Chengdu Oppo Communication Technology Co ltd
Original Assignee: Chengdu Oppo Communication Technology Co ltd
Application filed by: Chengdu Oppo Communication Technology Co ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/563: Static detection by source code analysis

Abstract

The present disclosure relates to the field of electronic device technologies, and in particular to a data detection method, a data detection apparatus, a computer-readable medium, and a terminal device. The method comprises: acquiring a file to be detected, and unpacking the file to be detected to obtain an intermediate file in a target format; parsing the intermediate file to obtain the corresponding code to be identified; and matching the code to be identified against pre-configured detection items, so as to determine from the matching result whether the file to be detected contains a target function. The method enables static detection of the hot update function in an SDK and improves the accuracy of hot update function detection.

Description

Data detection method and device, computer readable medium and terminal equipment
Technical Field
The present disclosure relates to the field of electronic device technologies, and in particular, to a data detection method, a data detection apparatus, a computer-readable medium, and a terminal device.
Background
As the functions of intelligent terminal devices become richer, people depend on these devices more and more. Through application programs on terminal devices such as mobile phones and tablet computers, people can shop, talk, browse information and so on. Some applications integrate multiple functions, and applications may be updated periodically or aperiodically to optimize them and improve the user experience. To meet the functional requirements of an application, its developers increasingly use specialized SDKs (software development kits) developed by third parties to implement its functions.
However, in some prior art, most third-party SDKs have hot update functionality. Some third-party SDKs use this hot update functionality to add malicious functions, such as collecting users' private data or downloading malicious code, which brings data risks to the user.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure provides a data detection method, a data detection apparatus, a computer-readable medium, and a terminal device, which can accurately identify and monitor a hot update function of an SDK, and reduce security risks.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to a first aspect of the present disclosure, there is provided a data detection method, comprising:
acquiring a file to be detected, and unpacking the file to be detected to acquire an intermediate file in a target format;
analyzing the intermediate file to obtain a corresponding code to be identified;
and matching the code to be recognized based on a pre-configured detection item so as to judge whether the file to be detected contains a target function according to a matching result.
According to a second aspect of the present disclosure, there is provided a data detection apparatus comprising:
the unpacking operation module is used for acquiring a file to be detected and unpacking the file to be detected to acquire an intermediate file in a target format;
the code analysis module is used for analyzing the intermediate file to obtain a corresponding code to be identified;
and the function detection module is used for matching the code to be identified based on a pre-configured detection item so as to judge whether the file to be detected contains a target function according to a matching result.
According to a third aspect of the present disclosure, there is provided a computer readable medium having stored thereon a computer program which, when executed by a processor, implements the data detection method described above.
According to a fourth aspect of the present disclosure, there is provided a terminal device comprising:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the data detection method described above.
According to the data detection method provided by the embodiments of the present disclosure, the SDK file to be detected is first unpacked to obtain the corresponding intermediate files (smali files), and the smali files are then parsed to obtain the corresponding code to be identified, so that this code can be matched against pre-configured detection items. If a matching result exists, the file to be detected is determined to have a hot update function; if no matching result exists, the file to be detected is determined not to contain a hot update function. Matching the SDK code against pre-configured detection items enables static detection of the hot update function in the SDK and improves the accuracy of hot update function detection.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 schematically illustrates a flow chart of a data detection method in an exemplary embodiment of the present disclosure;
Fig. 2 schematically illustrates a schematic diagram of a system architecture in an exemplary embodiment of the present disclosure;
Fig. 3 schematically illustrates a schematic composition diagram of a data detection apparatus in an exemplary embodiment of the present disclosure;
Fig. 4 schematically illustrates a system structure diagram of a terminal device in an exemplary embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
On Android, many developers of APKs (Android application packages) need to integrate specialized SDKs (Software Development Kits) developed by third parties to implement their functions. Introducing a third-party SDK is a double-edged sword: it brings convenience, but it also brings more security threats. In particular, if third-party SDKs with a hot update function are not subject to security monitoring, many malicious functions can be added after the SDK is hot updated, and the SDK can then be used to collect user privacy data, download malicious code, serve as a backdoor, or even attack the system. The APK developers who integrated the SDK are implicated as well. There is therefore a growing need to detect whether a third-party SDK has a hot update function. When a third-party SDK is found to have a hot update function, the original APK developer can require the SDK supplier to remove it.
In the prior art, a hot update function is generally implemented through the following steps: 1) loading a hot update Dex file by constructing a DexClassLoader object; 2) obtaining the system's default PathClassLoader, PathList and dexElements through reflection; 3) merging the hot update Dex with the system's default Elements array, while ensuring that the hot update Dex comes before the system's default Elements array; 4) setting the merged array back into the PathClassLoader. Existing methods for detecting whether a third-party SDK has a hot update function generally rely on manual detection. For example, an analyst manually checks whether the APK integrating the SDK downloads a dex file from the network at run time and places it in the "/data/data/package name" or "/data/app/package name" directory, or a subdirectory, of the APK, and then analyzes whether the downloaded dex file is a hot update package. This detection approach has low efficiency and low accuracy.
In view of the above drawbacks and deficiencies of the prior art, the exemplary embodiment provides a data detection method, which can achieve automatic detection of a hot update function and improve accuracy of a detection result. Referring to fig. 1, the data detection method described above may include the steps of:
S11, acquiring a file to be detected, and unpacking the file to be detected to obtain an intermediate file in a target format;
S12, parsing the intermediate file to obtain the corresponding code to be identified;
S13, matching the code to be identified against pre-configured detection items, so as to determine from the matching result whether the file to be detected contains the target function.
In the data detection method provided by this exemplary embodiment, on the one hand, the SDK file to be detected is first unpacked to obtain the corresponding intermediate files (smali files), and the smali files are then parsed to obtain the corresponding code to be identified, so that this code can be matched against pre-configured detection items. If a matching result exists, the file to be detected is determined to have a hot update function; if no matching result exists, the file to be detected is determined not to contain a hot update function. On the other hand, matching the SDK code against pre-configured detection items enables static detection of the hot update function in the SDK and improves the accuracy of hot update function detection.
Hereinafter, each step of the data detection method in the present exemplary embodiment will be described in more detail with reference to the drawings and examples.
Step S11: acquiring the file to be detected, and unpacking the file to be detected to obtain the intermediate file in the target format.
In this exemplary embodiment, the data detection method described above may be applied to a server side. Referring to the system architecture shown in fig. 2, the system architecture may include a server side 202 (e.g., a tablet, a laptop or desktop computer, a server, etc.), a network 201, and an electronic device 203. The network 201 serves as a medium for providing a communication link between the server side 202 and the electronic device 203. Network 201 may include various connection types, such as wired communication links, wireless communication links, and so forth. It should be understood that the number of server-side, network and electronic devices in fig. 2 is merely illustrative. There may be any number of control terminals, networks, and electronic devices, as desired for implementation. For example, multiple electronic devices may be monitored and detected simultaneously.
A plurality of applications that integrate third-party SDKs may be installed in the electronic device 203. The user may input control commands at the server side 202 to select one or more target applications. The directories or subdirectories corresponding to the target applications in the storage space are then monitored to obtain one or more Dex files corresponding to the target applications, and these Dex files are configured as the files to be detected. When there are multiple files to be detected, multiple detection tasks that execute in parallel can be established at the server side, so that the files can be detected simultaneously.
After the Dex file to be detected is obtained, it can be unpacked. For example, the baksmali tool may be used to unpack a Dex file of the SDK to obtain all the smali files in the Dex file.
Alternatively, in other example embodiments of the present disclosure, the Dex file may be unpacked into a file in another format. For example, the dex2jar tool is used to convert the Dex file into a Java file, and the Java file is used as the intermediate file.
Step S12: parsing the intermediate file to obtain the corresponding code to be identified.
In this example embodiment, after the smali file or the Java file has been obtained by unpacking, it can be parsed to obtain the code data corresponding to each intermediate file, and this code data is used as the code to be identified.
Step S13: matching the code to be identified against the pre-configured detection items, so as to determine from the matching result whether the file to be detected contains the target function.
In this exemplary embodiment, the preconfigured detection items described above may employ: any one item or any combination of multiple items in executable target file path information, target class information, target function information, target loader information and executable authority information of the target function.
For example, a user may pre-configure specific functions, classes, loaders, arrays, file paths, execution permissions, and the like necessary for implementing the hot-update function, and use the functions, classes, loaders, arrays, file paths, execution permissions, and the like as detection items; and matching the detection items in the codes to be identified line by line respectively to judge whether corresponding matching results exist. If the corresponding matching result exists, the Dex file is indicated to have a hot updating function; or, if the corresponding matching item does not exist, it indicates that the hot update function does not exist in the Dex file.
In this exemplary embodiment, specifically, the step S13 may include:
S21, generating an XML configuration file according to the pre-configured detection items;
S22, calling a scanner to match the code to be identified line by line according to the XML configuration file;
S23, when a matching item exists in the code to be identified, recording the matching item so as to generate the matching result from the matching items.
For example, the configuration file may include five detection items, each including a corresponding description (desc) and code (item). For example, the code corresponding to the configuration file may include the following:
[Figures BDA0002451986520000061 and BDA0002451986520000071: configuration file listing, reproduced as images in the original publication]
For example, the scanner may match whether the code contains the "getDeclaredField" function; whether the "BaseDexClassLoader" Dex loader exists; whether the "dexElements" Dex array exists; whether the "setAccessible" execution authority information exists; and whether the "DexPathList" path information of the executable Dex file exists.
When there are a plurality of detection items, the execution order of the detection items may be configured. For example, the execution path of the executable Dex file may be matched first, for instance by matching the code against the "DexPathList" field. If a matching result exists, the corresponding code is stored and the position of the code section is recorded. The class of the Dex loader may then be matched, for example, to the code using the "dalvik. The Dex array function may then be matched, for example by matching the code against the "dexElements" field. Then the specified function names may be matched, for example using "Ljava/lang/Class; the Ljava/lang/reflect/Field" to match the code. Finally, the execution authority information may be matched, for example by matching the field "Ljava/lang/reflect/Field;->setAccessible(Z)V" against the code. The above embodiments are exemplary illustrations, and the user may configure other detection items and other matching orders.
When there are a plurality of smali files, each line of code in each smali file can be matched in turn. When a match succeeds, the name of the smali file and the line are recorded. After every detection item has been executed, if all or part of the detection items have matching results, the SDK can be judged to contain hot update code and therefore to have a hot update function.
Building on the above, in the present exemplary embodiment the method may further include calculating the risk level of the file to be detected according to the following formula:
$$P = a \cdot f_1 + b \cdot f_2 + c \cdot f_3 + d \cdot f_4 + e \cdot f_5$$
where $a$, $b$, $c$, $d$, $e$ are coefficients, and $f_1$, $f_2$, $f_3$, $f_4$, $f_5$ are, respectively, the matching result for the executable target file path information, the matching result for the target class information, the matching result for the target function information, the matching result for the target loader information, and the matching result for the executable authority information of the target function.
For example, the matching result of each detection item may be scored according to a certain rule to obtain a score for each detection item's matching result. The risk level score of the Dex file is then obtained from the scores of the individual matching results. For example, when the scoring result is greater than 0.8, the Dex file can be treated as a high-risk file and marked with a first mark; when the scoring result is 0.5-0.8, the Dex file can be treated as a medium-risk file and marked with a second mark; when the scoring result is less than 0.5, the Dex file can be treated as a low-risk file. The first mark, the second mark and the third mark may be different marking styles so that they can be distinguished.
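The XML-driven scan of steps S21 to S23 and the risk formula above can be put together as follows. This is an added example, not code from the patent: the XML element names, the item ids, the weights standing in for a to e, the rule that each f is 1 when its item matched anywhere and 0 otherwise, and the smali snippets are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Constructed configuration: five detection items, each with a description
# (desc) and a match string (item). Element names, ids and weights are
# assumptions for this example; the weights play the role of a..e.
CONFIG_XML = """
<detections>
  <detection id="path" weight="0.30">
    <desc>path list of executable Dex files</desc><item>DexPathList</item>
  </detection>
  <detection id="loader" weight="0.25">
    <desc>Dex class loader</desc><item>BaseDexClassLoader</item>
  </detection>
  <detection id="array" weight="0.20">
    <desc>Dex element array</desc><item>dexElements</item>
  </detection>
  <detection id="func" weight="0.15">
    <desc>reflective field lookup</desc><item>getDeclaredField</item>
  </detection>
  <detection id="perm" weight="0.10">
    <desc>access check override</desc><item>setAccessible</item>
  </detection>
</detections>
"""

# Constructed smali fragments: one class that touches the class loader
# internals, one ordinary class that merely uses reflection.
PATCHER_SMALI = """\
.class public Lcom/example/sdk/Patcher;
.method static install(Ljava/lang/ClassLoader;)V
    const-class v0, Ldalvik/system/BaseDexClassLoader;
    const-string v1, "pathList"
    invoke-virtual {v0, v1}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;
    move-result-object v2
    const/4 v3, 0x1
    invoke-virtual {v2, v3}, Ljava/lang/reflect/Field;->setAccessible(Z)V
    const-string v4, "dexElements"
.end method
"""
MAPPER_SMALI = """\
.class public Lcom/example/sdk/JsonMapper;
.method static read(Ljava/lang/Class;)V
    invoke-virtual {p0, v0}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;
    invoke-virtual {v1, v2}, Ljava/lang/reflect/Field;->setAccessible(Z)V
.end method
"""


class Hit(NamedTuple):
    item_id: str   # which detection item matched
    file: str      # smali file name
    line_no: int   # 1-based line number inside that file
    text: str      # the matching line, stripped


def load_items(xml_text):
    """Return the detection items in configured order: (id, weight, desc, item)."""
    root = ET.fromstring(xml_text)
    return [(d.get("id"), float(d.get("weight")), d.findtext("desc"), d.findtext("item"))
            for d in root.iter("detection")]


def scan(smali_files, items):
    """Match each item, in configured order, against every line of every file."""
    hits = []
    for item_id, _weight, _desc, needle in items:
        for name, text in smali_files.items():
            for line_no, line in enumerate(text.splitlines(), start=1):
                if needle in line:
                    hits.append(Hit(item_id, name, line_no, line.strip()))
    return hits


def risk_score(hits, items):
    """P = sum of weight_i * f_i, with f_i = 1 if item i matched anywhere, else 0."""
    matched = {h.item_id for h in hits}
    return round(sum(w for item_id, w, _d, _n in items if item_id in matched), 4)


def risk_grade(p):
    """Thresholds from the text: > 0.8 high, 0.5 to 0.8 medium, < 0.5 low."""
    if p > 0.8:
        return "high"
    if p >= 0.5:
        return "medium"
    return "low"


if __name__ == "__main__":
    items = load_items(CONFIG_XML)
    hits = scan({"Patcher.smali": PATCHER_SMALI, "JsonMapper.smali": MAPPER_SMALI}, items)
    for h in hits:
        print(f"{h.item_id:7} {h.file}:{h.line_no}  {h.text}")
    p = risk_score(hits, items)
    print("P =", p, "->", risk_grade(p))
```

With these weights, a class that only calls getDeclaredField and setAccessible scores 0.25 (low), which is why ordinary reflection alone should carry little weight compared with the class loader items.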
In addition, in some exemplary embodiments of the present disclosure, after it is determined that the hot update function exists, the code to be identified may be parsed a second time to identify the specific tasks the Dex file performs, such as collecting data, uploading information, or downloading information. Prompt information is then generated according to the risk level and the data.
In other exemplary embodiments of the present disclosure, the data detection method may be executed on a smart terminal such as a mobile phone or a tablet computer, for example running independently on the smart terminal in the form of an application program, without being configured through a server. When the method is executed on the smart terminal side, the user can configure the application to be detected in an interactive interface. The file directory and subdirectories of the application to be detected can then be monitored and read, the existing Dex files extracted, and the scanner called to run detection and matching with the pre-configured XML configuration file. In this way the above method can be performed on the smart terminal.
In addition, for the intelligent terminal, when the to-be-detected file is judged to contain the target function, the directory corresponding to the to-be-detected file is configured as a monitoring target so as to monitor the monitoring directory in real time; and when monitoring a new target type file in the monitoring directory, executing deletion operation on the new target type file, or transferring the new target type file to an isolated storage area.
For example, the SDK determined to have the hot update function may be monitored in real time, and the Dex file may be deleted or isolated; or isolate the SDK.
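One way to implement the monitoring step described above, as an added example that is not code from the patent. It assumes a polling design in which each pass compares the directory against the previous snapshot, identifies the target file type by the Dex header magic rather than by extension, and moves new Dex files into a quarantine directory located outside the watched directory; all function names are hypothetical.

```python
import os
import shutil
from pathlib import Path

DEX_MAGIC = b"dex\n"  # first four bytes of every Dex file header


def is_dex(path):
    """Identify the target file type by its header, not by its file name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == DEX_MAGIC
    except OSError:
        return False


def snapshot(watch_dir):
    """Map each regular file under watch_dir to (size, mtime_ns).

    Symlinks are skipped so a link planted in the watched directory cannot
    make the monitor act on files outside it.
    """
    watch_dir = Path(watch_dir)
    snap = {}
    for p in watch_dir.rglob("*"):
        if not p.is_symlink() and p.is_file():
            st = p.stat()
            snap[str(p.relative_to(watch_dir))] = (st.st_size, st.st_mtime_ns)
    return snap


def quarantine_new_dex(watch_dir, quarantine_dir, baseline):
    """Move Dex files that appeared or changed since `baseline` into quarantine.

    Returns (relative paths that were moved, snapshot to use as next baseline).
    Files already present in the baseline are left alone: only new files of
    the target type are acted on.
    """
    watch_dir, quarantine_dir = Path(watch_dir), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for rel, meta in sorted(snapshot(watch_dir).items()):
        if baseline.get(rel) == meta:
            continue  # unchanged since the previous pass
        src = watch_dir / rel
        if is_dex(src):
            # Flatten the relative path and add the mtime so names cannot collide.
            dest = quarantine_dir / f"{rel.replace(os.sep, '_')}.{meta[1]}.quarantined"
            shutil.move(str(src), str(dest))
            moved.append(rel)
    return moved, snapshot(watch_dir)
```

Call `snapshot()` once when the directory is first configured as a monitoring target, then call `quarantine_new_dex()` on each pass with the baseline returned by the previous one.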
According to the method provided by the embodiments of the present disclosure, the Dex file is unpacked to obtain the corresponding smali files, and the smali files are then parsed to obtain the corresponding code; the code can thus be matched automatically against the detection items, and the judgment on the hot update function is generated automatically from the matching result. Because the detection items are supplied in the form of a configuration file, a user can conveniently and quickly adjust them according to actual requirements, which improves detection accuracy. Static detection and dynamic monitoring of the hot update function are thereby both realized.
It is to be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the method according to an exemplary embodiment of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Further, referring to Fig. 3, the present exemplary embodiment also provides a data detection apparatus 30, configured on an electronic device or a server side, which includes an unpacking operation module 301, a code analysis module 302 and a function detection module 303, wherein:
The unpacking operation module 301 may be configured to acquire a file to be detected, and perform unpacking processing on the file to be detected to acquire an intermediate file in a target format.
The code parsing module 302 may be configured to parse the intermediate file to obtain a corresponding code to be identified.
The function detection module 303 is configured to match the code to be identified based on a preconfigured detection item, so as to determine whether the file to be detected includes a target function according to a matching result.
In one example of the present disclosure, the apparatus may further include: a risk level calculation module (not shown in the figures).
The risk level calculation module may be configured to determine a risk level of the to-be-detected file according to the matching result when it is determined that the to-be-detected file includes the target function.
In one example of the present disclosure, the preconfigured detection item may include: any one item or any combination of multiple items in executable target file path information, target class information, target function information, target loader information and executable authority information of the target function.
In one example of the present disclosure, the risk level of the file to be detected is calculated according to the following formula:
$$P = a \cdot f_1 + b \cdot f_2 + c \cdot f_3 + d \cdot f_4 + e \cdot f_5$$
where $a$, $b$, $c$, $d$, $e$ are coefficients, and $f_1$, $f_2$, $f_3$, $f_4$, $f_5$ are, respectively, the executable target file path information, the target class information, the target function information, the target loader information, and the executable authority information of the target function.
In one example of the present disclosure, the apparatus may further include: and a prompt message generation module (not shown in the figure).
The prompt information generation module can be used for marking the application program corresponding to the file to be detected according to the risk grade of the file to be detected; and generating corresponding prompt information according to the risk level.
In one example of the present disclosure, the apparatus is applied to a terminal device, and the apparatus may further include: a monitoring execution module (not shown).
The monitoring execution module can be used for configuring the directory corresponding to the file to be detected as a monitoring target when the file to be detected is judged to contain the target function, so as to monitor the monitoring directory in real time; and when monitoring a new target type file in the monitoring directory, executing deletion operation on the new target type file, or transferring the new target type file to an isolated storage area.
In one example of the present disclosure, the function detection module may include a configuration file generating unit, a matching execution unit and a matching result processing unit (not shown in the figure), wherein:
The configuration file generating unit may be configured to generate an XML configuration file according to the preconfigured detection item.
The matching execution unit may be configured to invoke a scanner to match the code to be identified line by line according to the XML configuration file.
The matching result processing unit may be configured to record a matching item when the matching item exists in the code to be identified, so as to generate the matching result according to the matching item.
The specific details of each module in the data detection apparatus have been described in detail in the corresponding data detection method, and therefore are not described herein again.
It should be noted that although the above detailed description mentions several modules or units of the device for performing actions, this division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functionality of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Fig. 4 illustrates a schematic block diagram of a computer system suitable for use with a wireless communication device to implement an embodiment of the present invention.
It should be noted that the computer system 800 of the electronic device shown in fig. 4 is only an example, and should not bring any limitation to the function and the scope of the application of the embodiment of the present invention.
As shown in Fig. 4, the computer system 800 includes a Central Processing Unit (CPU) 801 that can perform various appropriate actions and processes according to a program stored in a Read-Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data necessary for system operation are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other via a bus 804. An Input/Output (I/O) interface 805 is also connected to bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, a mouse, and the like; an output section 807 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 808 including a hard disk and the like; and a communication section 809 including a Network interface card such as a LAN (Local Area Network) card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that a computer program read out therefrom is mounted on the storage section 808 as necessary.
In particular, according to an embodiment of the present invention, the processes described below with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the invention include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. When the computer program is executed by the Central Processing Unit (CPU) 801, various functions defined in the system of the present application are executed.
It should be noted that the computer readable medium shown in the embodiment of the present invention may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented by software or by hardware, and the described units may also be disposed in a processor. The names of the units do not, in some cases, constitute a limitation on the units themselves.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by an electronic device, cause the electronic device to implement the method as described in the embodiments below. For example, the electronic device may implement the steps shown in fig. 1.
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the terms of the appended claims.

Claims (10)

1. A method for data detection, comprising:
acquiring a file to be detected, and unpacking the file to be detected to acquire an intermediate file in a target format;
analyzing the intermediate file to obtain a corresponding code to be identified;
and matching the code to be identified based on a pre-configured detection item so as to judge whether the file to be detected contains a target function according to a matching result.
2. The data detection method of claim 1, further comprising:
and when the file to be detected is judged to contain the target function, determining the risk level of the file to be detected according to the matching result.
3. The data detection method of claim 2, wherein the preconfigured detection items comprise:
any one item or any combination of multiple items in executable target file path information, target class information, target function information, target loader information and executable authority information of the target function.
4. The data detection method according to claim 3, wherein the risk level of the file to be detected is calculated according to the following formula:
$P = a \cdot f_1 + b \cdot f_2 + c \cdot f_3 + d \cdot f_4 + e \cdot f_5$
wherein $a$, $b$, $c$, $d$, $e$ are coefficients, and $f_1$, $f_2$, $f_3$, $f_4$, $f_5$ are respectively the executable target file path information, the target class information, the target function information, the target loader information and the executable authority information of the target function.
5. The data detection method of claim 2, further comprising:
marking the application program corresponding to the file to be detected according to the risk level of the file to be detected; and generating corresponding prompt information according to the risk level.
6. The data detection method of claim 1 or 2, wherein the method further comprises:
when the file to be detected is judged to contain the target function, configuring the directory corresponding to the file to be detected as a monitored directory so as to monitor it in real time;
and when a new file of the target type is detected in the monitored directory, deleting the new file, or transferring it to an isolated storage area.
7. The data detection method of claim 1, wherein matching the code to be identified based on the preconfigured detection items comprises:
generating an XML configuration file according to the pre-configured detection items;
calling a scanner to match the code to be identified line by line according to the XML configuration file;
and when a matching item exists in the code to be identified, recording the matching item so as to generate the matching result according to the matching item.
8. A data detection apparatus, comprising:
the unpacking operation module is used for acquiring a file to be detected and unpacking the file to be detected to acquire an intermediate file in a target format;
the code analysis module is used for analyzing the intermediate file to obtain a corresponding code to be identified;
and the function detection module is used for matching the code to be identified based on a pre-configured detection item so as to judge whether the file to be detected contains a target function according to a matching result.
9. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the data detection method according to any one of claims 1 to 7.
10. A terminal device, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a data detection method as claimed in any one of claims 1 to 7.
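The matching step of claim 7 and the risk formula of claim 4, as an added example that is not code from the patent: detection items are serialized to an XML configuration, a scanner matches the code line by line and records every hit, and P is computed from the categories that matched. The regex patterns, the integer coefficients, the rule that each f is 1 when its category matched and 0 otherwise, and the smali-like sample lines are all assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed detection items, one list of regexes per category named in claim 3.
DETECTION_ITEMS = {
    "file_path":  [r"\.(dex|jar|so)\b"],
    "class":      [r"Ldalvik/system/\w*ClassLoader;"],
    "function":   [r"->loadClass\("],
    "loader":     [r"Ldalvik/system/DexClassLoader;-><init>"],
    "permission": [r"->setExecutable\("],
}
# Assumed coefficients a, b, c, d, e (integers so that P is exact).
COEFFICIENTS = {"file_path": 1, "class": 2, "function": 2,
                "loader": 3, "permission": 2}

# Constructed sample of parsed code (smali-like), not taken from a real app.
SAMPLE_CODE = '''\
const-string v1, "/data/data/com.example.app/files/patch.dex"
new-instance v0, Ldalvik/system/DexClassLoader;
invoke-direct {v0, v1, v2, v3, v4}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
invoke-virtual {v0, v5}, Ldalvik/system/DexClassLoader;->loadClass(Ljava/lang/String;)Ljava/lang/Class;
'''

def build_config(items):
    """Serialize the detection items to an XML configuration string."""
    root = ET.Element("detection")
    for category, patterns in items.items():
        node = ET.SubElement(root, "item", category=category)
        for pattern in patterns:
            ET.SubElement(node, "pattern").text = pattern
    return ET.tostring(root, encoding="unicode")

def scan(config_xml, code):
    """Match the code line by line against the XML config; record every hit."""
    rules = [(item.get("category"), re.compile(p.text))
             for item in ET.fromstring(config_xml).iter("item")
             for p in item.iter("pattern")]
    matches = []
    for lineno, line in enumerate(code.splitlines(), start=1):
        for category, rx in rules:
            if rx.search(line):
                matches.append((lineno, category, line.strip()))
    return matches

def risk_score(matches, coeff=COEFFICIENTS):
    """P = a*f1 + ... + e*f5 with f_i = 1 if category i matched, else 0."""
    hit = {category for _, category, _ in matches}
    return sum(weight for category, weight in coeff.items() if category in hit)

if __name__ == "__main__":
    found = scan(build_config(DETECTION_ITEMS), SAMPLE_CODE)
    for lineno, category, _ in found:
        print(f"line {lineno}: {category}")
    print("P =", risk_score(found))
```

Keeping the recorded matches as (line, category, text) tuples lets the same result feed both the score and any per-finding report; a risk-level threshold on P would be a further assumption, since the claims do not give one.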
CN202010295391.XA 2020-04-15 2020-04-15 Data detection method and device, computer readable medium and terminal equipment Active CN111563257B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010295391.XA CN111563257B (en) 2020-04-15 2020-04-15 Data detection method and device, computer readable medium and terminal equipment

Publications (2)

Publication Number | Publication Date
CN111563257A (en) | 2020-08-21
CN111563257B (en) | 2023-07-21

Family

ID=72071753

Country Status (1)

Country Link
CN (1) CN111563257B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant