CN113656809A - Mirror image security detection method, device, equipment and medium - Google Patents

Publication number
CN113656809A
Authority
CN
China
Prior art keywords
file, mirror image, list, detection result, image
Legal status
Pending
Application number
CN202111022432.9A
Other languages
Chinese (zh)
Inventor
胡竞允
Current Assignee
Jingdong Technology Information Technology Co Ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd
Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Abstract

The application provides a method, an apparatus, a device and a medium for the security detection of an image. The method comprises: receiving a download address of the image sent by a client; downloading the image from the download address and parsing the file directory structure in the image; filtering the file directory structure according to a set rule to screen out at least one of an application software installation list, an executable file list and a web page file list; performing security detection on the image according to at least one of the application software installation list, the executable file list and the web page file list to obtain a security detection result; and sending the security detection result to the client. Security detection of the image is thereby realized, so that a user can determine from the security detection result whether the image is safe to use, and security personnel are helped to check the potential security hazards of the image more comprehensively.

Description

Mirror image security detection method, device, equipment and medium
Technical Field
The present application relates to the field of computer technology, and in particular to a method, an apparatus, a device and a medium for the security detection of an image (a container image, rendered "mirror image" in the title).
Background
Compared with a virtual machine, a container has a more flexible deployment mode and higher performance; it therefore has clear advantages and can be applied widely in scenarios that require agile development, continuous delivery, cost saving and the like. The container images used by most applications today are built on shared images published on the network, so the security of the shared image used by a container is the basis of the application's security. How to perform security detection on shared images is therefore very important.
Disclosure of Invention
The present application aims to solve, at least to some extent, one of the technical problems in the related art.
The application provides a method, an apparatus, a device and a medium for the security detection of an image, so that security detection of the image is realized, a user can determine from the security detection result whether the image is safe, the image used by the user is guaranteed to be safe, and security personnel are helped to check the potential security hazards of the image more comprehensively.
An embodiment of a first aspect of the present application provides a security detection method for an image, comprising:
receiving a download address of the image sent by a client;
downloading the image from the download address, and parsing the file directory structure in the image;
filtering the file directory structure according to a set rule to screen out at least one of an application software installation list, an executable file list and a web page file list;
performing security detection on the image according to at least one of the application software installation list, the executable file list and the web page file list to obtain a security detection result;
and sending the security detection result to the client.
An embodiment of a second aspect of the present application provides a security detection apparatus for an image, comprising:
a receiving module, configured to receive a download address of the image sent by a client;
a processing module, configured to download the image from the download address and parse the file directory structure in the image;
a screening module, configured to filter the file directory structure according to a set rule so as to screen out at least one of an application software installation list, an executable file list and a web page file list;
a detection module, configured to perform security detection on the image according to at least one of the application software installation list, the executable file list and the web page file list so as to obtain a security detection result;
and a sending module, configured to send the security detection result to the client.
An embodiment of a third aspect of the present application provides a computer device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor; when the processor executes the program, the image security detection method set forth in the embodiment of the first aspect is implemented.
An embodiment of a fourth aspect of the present application provides a non-transitory computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the image security detection method set forth in the embodiment of the first aspect.
An embodiment of a fifth aspect of the present application provides a computer program product; when the instructions of the computer program product are executed by a processor, they perform the image security detection method set forth in the embodiment of the first aspect.
The embodiments of the present application described above have at least the following advantages or benefits:
the download address of the image sent by a client is received, the image is downloaded from the download address and the file directory structure in the image is parsed; the file directory structure is filtered according to a set rule to screen out at least one of an application software installation list, an executable file list and a web page file list; security detection is performed on the image according to at least one of those lists to obtain a security detection result; and the security detection result is sent to the client. Security detection of the image is thereby realized, so that a user can determine from the security detection result whether the image is safe to use, and security personnel are helped to check the potential security hazards of the image more comprehensively.
Additional aspects and advantages of the present application will be set forth in part in the description that follows and in part will be obvious from the description, or may be learned by practice of the present application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a schematic flowchart of a security detection method for an image according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of a security detection method for an image according to a second embodiment of the present application;
Fig. 3 is a schematic flowchart of a security detection method for an image according to a third embodiment of the present application;
Fig. 4 is a schematic flowchart of a security detection method for an image according to a fourth embodiment of the present application;
Fig. 5 is a schematic flowchart of a security detection method for an image according to a fifth embodiment of the present application;
Fig. 6 is a schematic flowchart of a security detection method for an image according to a sixth embodiment of the present application;
Fig. 7 is a schematic diagram illustrating the detection principle of an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a security detection apparatus for an image according to a seventh embodiment of the present application;
Fig. 9 is a block diagram of an exemplary computer device suitable for implementing embodiments of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining the present application and should not be construed as limiting the present application.
At present, security detection of an image can be performed in the following way: an open source tool is used to collect data such as the operating system and the application versions of the image, and the collected data are matched against the Common Vulnerabilities & Exposures (CVE) database to determine the possible vulnerabilities of the installed applications.
However, this approach only scans the applications installed in the operating system for corresponding CVE vulnerabilities, and such a detection scheme is clearly not comprehensive: a malicious image builder can easily place viruses or code execution environment files (for example, webshell files) in the image without the user discovering them.
Therefore, in order to solve the above problems, the present application provides a method, an apparatus, a device, and a storage medium for security detection of an image.
A method, an apparatus, a device, and a medium for security detection of an image according to an embodiment of the present application are described below with reference to the accompanying drawings. Before describing the embodiments of the present application in detail, for the sake of understanding, common technical terms are first introduced:
CVE (Common Vulnerabilities and Exposures) is a security vulnerability library and a list of standardized names for known vulnerabilities and security flaws; its mission is to make it possible to identify, discover and fix security vulnerabilities of application software products more quickly and efficiently.
A webshell is a code execution environment that exists in the form of web page files with suffixes such as asp, php, jsp or cgi. It is mainly used for website management, server management, permission management and the like, but it can also be used by attackers as a backdoor program in order to control the web server.
Digest: a hash value generated deterministically from the construction of the image. The digest can be used to determine whether the image content has changed.
Fig. 1 is a schematic flowchart of a security detection method for an image according to an embodiment of the present application.
The execution body of this embodiment may be a server.
As shown in Fig. 1, the security detection method for an image may comprise the following steps:
Step 101: receiving a download address of the image sent by a client.
In this embodiment, the download address of the image may be a download link of the image, or an image repository address together with a login password.
In this embodiment, a user may enter the download address of the image at the client; when the client detects that the user has entered the download address, it sends the download address to the server, and the server correspondingly receives the download address of the image sent by the client.
The input mode of the download address includes, but is not limited to, touch input (such as sliding or clicking), keyboard input, voice input and the like.
Step 102: downloading the image from the download address, and parsing the file directory structure in the image.
In this embodiment, after receiving the download address of the image, the server downloads the image from that address. After downloading the image, the server parses the image files in the image to determine the file directory structure in the image.
Step 103: filtering the file directory structure according to a set rule to screen out at least one of an application software installation list, an executable file list and a web page file list.
In this embodiment, the application software installation list may include the installation name and version of each application installed in the image's operating system.
In this embodiment, the executable file list may include the executable files in the image.
In this embodiment, the web page file list may include each web page file (i.e., web file) in the image; the web page files may include files with the suffixes asp, php, jsp or cgi.
In this embodiment, the set rule is a preset rule.
In this embodiment, the file directory structure may be filtered according to the set rule to screen out at least one of an application software installation list, an executable file list and a web page file list.
Step 104: performing security detection on the image according to at least one of the application software installation list, the executable file list and the web page file list to obtain a security detection result.
In this embodiment, the server may perform security detection on the image according to at least one of the application software installation list, the executable file list and the web page file list to obtain a security detection result, where the security detection result indicates whether the image is secure, or whether an image file in the image is secure.
Step 105: sending the security detection result to the client.
In this embodiment, after the server has performed security detection on the image and obtained the security detection result, it may send the result to the client so that the user learns in time whether the image is safe.
According to the image security detection method, the download address of the image sent by the client is received, the image is downloaded from the download address and the file directory structure in the image is parsed; the file directory structure is filtered according to a set rule to screen out at least one of an application software installation list, an executable file list and a web page file list; security detection is performed on the image according to at least one of those lists to obtain a security detection result; and the security detection result is sent to the client. Security detection of the image is thereby realized, so that a user can determine from the security detection result whether the image is safe to use, and security personnel are helped to check the potential security hazards of the image more comprehensively.
In a possible implementation of this embodiment, in order to verify the integrity of the files in the image and thus determine whether they have been tampered with, the client may additionally send a digest value of the image to the server. After the server has downloaded the image, it computes a digest value over the image files in the image and matches the two digest values; only when the two digest values agree does the server perform security detection on the image. This process is described in detail below with reference to Fig. 2.
Fig. 2 is a schematic flowchart of a security detection method for an image according to a second embodiment of the present application.
The execution body of this embodiment may be a server.
As shown in Fig. 2, the security detection method for an image may comprise the following steps:
Step 201: receiving a download address and a first digest value of the image sent by the client.
In this embodiment, the first digest value is the digest value of the image entered by the user at the client, for example the Digest of the image as defined above.
In this embodiment, the user may enter the download address and the first digest value of the image at the client; when the client detects that the user has entered the download address and the first digest value, it sends them to the server, and the server correspondingly receives the download address and the first digest value of the image sent by the client.
Step 202: downloading the image from the download address.
Step 203: determining a second digest value of the image file in the image.
In this embodiment, after the server has downloaded the image, it computes the second digest value corresponding to the image file in the image.
Step 204: when the second digest value is the same as the first digest value, parsing the image file in the image to determine the file directory structure in the image.
In this embodiment, the server compares the second digest value with the first digest value. If the second digest value differs from the first digest value, the server determines that the image file in the image has been tampered with; in that case the server may directly return to the client a detection result stating that the image is unsafe, or that the image has been tampered with, without performing security verification on the image. If the second digest value is the same as the first digest value, the server parses the image file in the image to determine the file directory structure in the image, for example by parsing the image file layer by layer to obtain the file directory structure.
Step 205: filtering the file directory structure according to a set rule to screen out at least one of an application software installation list, an executable file list and a web page file list.
Step 206: performing security detection on the image according to at least one of the application software installation list, the executable file list and the web page file list to obtain a security detection result.
Step 207: sending the security detection result to the client.
For the execution of steps 205 to 207, reference may be made to any embodiment of the present application; it is not repeated here.
According to the image security detection method, the download address and the first digest value of the image sent by the client are received; the image is downloaded from the download address; a second digest value of the image file in the image is determined; and when the second digest value is the same as the first digest value, the image file in the image is parsed to determine the file directory structure. The integrity of the files in the image can thereby be verified, that is, it can be determined whether the files in the image have been tampered with.
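As an added illustration of steps 201 to 205 and of the set rule of step 103 (not code from the patent), the following Python verifies the client-supplied digest before parsing the image, then applies the layers in order to build the file directory structure and filters it into the three lists. It assumes a docker-save style archive (a manifest.json plus one tar per layer), a SHA-256 digest over the archive bytes as the Digest, and ".wh." whiteout entries for files deleted by a later layer; the image fixture is constructed here.

```python
"""Digest verification and rule-based filtering of a layered container image.

Added example, not the patent's own code. The archive layout (manifest.json +
layer tars), the SHA-256-over-archive digest and the ".wh." whiteout convention
are assumptions; the sample image built below is a constructed fixture.
"""
import hashlib
import hmac
import io
import json
import tarfile

WEB_SUFFIXES = (".asp", ".php", ".jsp", ".cgi")   # web page file rule (step 103)
EXEC_DIRS = ("usr/bin/", "usr/local/bin/")         # second set directory (step 403)
WHITEOUT = ".wh."                                   # marker for a file removed by a layer


def _tar_bytes(entries):
    """Build an uncompressed tar in memory from {path: (mode, data)} (constructed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, (mode, data) in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Two layers: the second adds a PHP file and whites out usr/bin/tool."""
    layer1 = _tar_bytes({
        "etc/release": (0o644, b"NAME=sampleos\nVERSION=1.0\n"),
        "usr/bin/tool": (0o755, b"\x7fELF-constructed-binary"),
        "usr/local/bin/helper": (0o755, b"#!/bin/sh\necho hi\n"),
    })
    layer2 = _tar_bytes({
        "usr/bin/.wh.tool": (0o644, b""),                  # deletes usr/bin/tool
        "var/www/html/index.php": (0o644, b"<?php echo 'hello'; ?>"),
        "var/www/html/notes.txt": (0o644, b"plain text"),
    })
    manifest = json.dumps([{"Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return _tar_bytes({
        "manifest.json": (0o644, manifest),
        "l1/layer.tar": (0o644, layer1),
        "l2/layer.tar": (0o644, layer2),
    })


def image_digest(image_bytes):
    """Second digest value (step 203): SHA-256 over the downloaded archive."""
    return hashlib.sha256(image_bytes).hexdigest()


def verify_digest(image_bytes, first_digest):
    """Step 204 precondition; constant-time comparison avoids leaking the match."""
    return hmac.compare_digest(image_digest(image_bytes), first_digest)


def directory_structure(image_bytes):
    """Parse the image layer by layer: later layers override or white out earlier files."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            with tarfile.open(fileobj=image.extractfile(layer_path)) as layer:
                for member in layer.getmembers():
                    if not member.isfile():
                        continue
                    dirname, _, basename = member.name.rpartition("/")
                    if basename.startswith(WHITEOUT):
                        target = f"{dirname}/{basename[len(WHITEOUT):]}".lstrip("/")
                        files.pop(target, None)
                        continue
                    files[member.name] = {"mode": member.mode,
                                          "data": layer.extractfile(member).read()}
    return files


def filter_structure(files):
    """Step 103 set rule: OS release file, executables under EXEC_DIRS, web page files."""
    release = {p: f["data"].decode() for p, f in files.items()
               if p.startswith("etc/") and "release" in p}
    executables = [p for p, f in files.items()
                   if p.startswith(EXEC_DIRS) and f["mode"] & 0o111]
    web_files = [p for p in files if p.lower().endswith(WEB_SUFFIXES)]
    return {"release": release, "executables": sorted(executables),
            "web_files": sorted(web_files)}


def analyze(image_bytes, first_digest):
    """Steps 201-205: refuse a tampered image, otherwise return the screened lists."""
    if not verify_digest(image_bytes, first_digest):
        return {"secure": False, "reason": "image tampered: digest mismatch"}
    return filter_structure(directory_structure(image_bytes))
```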
In order to illustrate clearly how the application software installation list is obtained by screening and how the security of the image is detected according to that list in the above embodiments, the present application further provides a security detection method for an image.
Fig. 3 is a schematic flowchart of a security detection method for an image according to a third embodiment of the present application.
The execution body of this embodiment may be a server.
As shown in Fig. 3, the security detection method for an image may comprise the following steps:
Step 301: receiving a download address of the image sent by the client.
Step 302: downloading the image from the download address, and parsing the file directory structure in the image.
For the execution of steps 301 to 302, reference may be made to any of the above embodiments; it is not repeated here.
Step 303: obtaining the image file under a first set directory in the file directory structure.
In this embodiment, the first set directory is a preset directory; for example, the first set directory may be etc/release.
In this embodiment, the image file under the first set directory in the file directory structure may be obtained.
Step 304: parsing the image file under the first set directory to determine the name and version of the image's operating system.
In this embodiment, the image file under the first set directory may be parsed to determine the name and version of the image's operating system.
Step 305: determining the application software installation list according to the name and version of the image's operating system.
In this embodiment, the application software installation list may be determined according to the name and version of the image's operating system.
In a possible implementation of this embodiment, different image operating systems may correspond to different software management tools. The target software management tool corresponding to the name and version of the image's operating system may be determined; the application installation history recorded by the target software management tool, and the files on which each installed application depends, may be obtained; and the installation name and version of each application installed in the current image layer may be determined by parsing the files on which each installed application depends. The application installation list, which includes the installation name and version of each installed application, can then be determined from those names and versions.
Step 306: querying the Common Vulnerabilities and Exposures (CVE) database according to the installation name and version of each installed application in the application software installation list to determine whether each installed application has a CVE vulnerability.
In this embodiment, the CVE database stores the correspondence between a plurality of installation names and versions and CVE vulnerabilities.
In this embodiment, the CVE database may be queried according to the installation name and version of each installed application in the application software installation list to determine whether each installed application has a corresponding CVE vulnerability.
Step 307: in response to at least one installed application having a CVE vulnerability, generating a security detection result indicating that the image is not secure.
In this embodiment, when at least one installed application has a corresponding CVE vulnerability, a security detection result indicating that the image is not secure may be generated.
Step 308: sending the security detection result to the client.
For the execution of step 308, reference may be made to the above embodiments; it is not repeated here.
According to the image security detection method, the CVE database is queried according to the installation name and version of each installed application in the application software installation list to determine whether each installed application has a CVE vulnerability, and in response to at least one installed application having a CVE vulnerability, a security detection result indicating that the image is not secure is generated. CVE vulnerability detection can thereby be performed on each application installed in the image's operating system.
In order to illustrate clearly how the executable file list is obtained by screening and how the security of the image is detected according to that list in the above embodiments, the present application further provides a security detection method for an image.
Fig. 4 is a schematic flowchart of a security detection method for an image according to a fourth embodiment of the present application.
The execution body of this embodiment may be a server.
As shown in Fig. 4, the security detection method for an image may comprise the following steps:
Step 401: receiving a download address of the image sent by the client.
Step 402: downloading the image from the download address, and parsing the file directory structure in the image.
For the execution of steps 401 to 402, reference may be made to any of the above embodiments; it is not repeated here.
Step 403: obtaining each executable file under a second set directory in the file directory structure.
In this embodiment, the second set directory is a preset directory; for example, the second set directory may be the usr/local/bin and/or usr/bin directories.
In this embodiment, each executable file under the second set directory in the file directory structure may be obtained; that is, each executable file (for example, a binary file) in the directory of the target layer (for example, the bin layer) may be obtained.
Step 404: determining the executable file list according to each executable file.
In this embodiment, the executable file list may be determined according to each executable file, the executable file list including each executable file.
Step 405, saving each executable file in the executable file list to the local.
At step 406, for each executable file, a third digest value of the executable file is calculated.
In an embodiment of the present application, a Digest value of each executable file may be calculated, which is referred to as a third Digest value in the present application, and the third Digest value may be, for example, an MD5(Message Digest Algorithm, fifth edition) value.
Step 407, querying the first corresponding relationship stored locally to determine whether the first virus detection result corresponding to the third digest value is stored.
In the embodiment of the present application, the first correspondence is a correspondence between a digest value and a virus detection result, and the virus detection result is used to indicate whether a virus exists in the executable file.
In this embodiment of the application, for each executable file, according to the third digest value of the executable file, a first corresponding relationship between the locally stored digest value and the virus detection result may be queried to determine whether the first virus detection result corresponding to the third digest value is locally stored.
Step 408, in response to the first virus detection result being stored, generating a corresponding security detection result according to the first virus detection result.
In this embodiment of the application, for each executable file, in the case that a first virus detection result corresponding to the third digest value of the executable file is locally stored, a corresponding security detection result may be generated according to the first virus detection result.
As an example, when the first virus detection result of each executable file indicates that no virus exists in the corresponding executable file, the security detection result is used to indicate that the image is secure or used to indicate that no virus exists in the image; and when the first virus detection result of at least one executable file indicates that the corresponding executable file has a virus, the security detection result is used for indicating that the image is not secure or indicating that the image file has the virus.
Step 409, in response to that the first virus detection result is not stored, invoking a virus detection service to perform virus detection on the executable file to obtain a second virus detection result, and adding the corresponding relationship between the third digest value and the second virus detection result to the locally stored first corresponding relationship.
In this embodiment of the application, for each executable file, in the case that a first virus detection result corresponding to the third digest value of the executable file is not locally stored, a virus detection service may be invoked to perform virus detection on the executable file, so as to obtain a second virus detection result.
As an example, the virus detection service may integrate at least one virus detection module, and each virus detection module may output a corresponding detection value after performing virus detection on the executable file. A weighted sum of the detection values of the virus detection modules, each weighted by the confidence degree of the corresponding module, is computed to obtain a final target detection value, and the second virus detection result is generated according to the target detection value. For example, when the target detection value is low, the second virus detection result is used to indicate that the executable file has a virus, and when the target detection value is high, the second virus detection result is used to indicate that the executable file has no virus.
In the embodiment of the present application, a correspondence between the third digest value and the second virus detection result may also be added to the first correspondence stored locally, so that dynamic maintenance of the first correspondence may be implemented.
Step 410, generating a corresponding security detection result according to the second virus detection result.
In this embodiment of the present application, for each executable file, in the case of obtaining a second virus detection result of the executable file, a corresponding security detection result may be generated according to the second virus detection result.
As an example, when the second virus detection result of each executable file indicates that no virus exists in the corresponding executable file, the security detection result is used to indicate that the image is secure or used to indicate that no virus exists in the image; and when the second virus detection result of at least one executable file indicates that the corresponding executable file has a virus, the security detection result is used for indicating that the image is not secure or indicating that the image file has the virus.
Step 411, sending the security detection result to the client.
The execution process of step 411 may refer to the execution process of the above embodiment, and is not described herein again.
The mirror image security detection method provided by the embodiment of the application can also realize detection of the virus files in the mirror image, and can improve the comprehensiveness of mirror image security detection.
In order to clearly illustrate how the webpage file list is obtained by screening and the security detection is performed on the mirror image according to the webpage file list in the embodiment of the application, the application also provides a security detection method of the mirror image.
Fig. 5 is a schematic flowchart of a security detection method for an image according to the fifth embodiment of the present application.
The execution main body of the embodiment of the application can be a server.
As shown in fig. 5, the method for security detection of an image may include the following steps:
step 501, receiving a download address of the image sent by the client.
Step 502, downloading the mirror image according to the download address, and analyzing the file directory structure in the mirror image.
The execution process of steps 501 to 502 may refer to the execution process of any of the above embodiments, and is not described herein again.
Step 503, obtaining the configuration file in the file directory structure under the third setting directory.
In the embodiment of the present application, the third setting directory is a predetermined directory; for example, the third setting directory may be /etc/php-fpm.
In the embodiment of the present application, a configuration file (i.e., conf file) in the file directory structure under the third setting directory may be obtained.
Step 504, determining a first working directory according to the value of the objective function in the configuration file, and acquiring a webpage file under the first working directory.
In embodiments of the present application, the objective function may comprise a chroot function and/or a chdir function.
In this embodiment of the present application, the first working directory may be determined according to the value of the objective function in the configuration file; for example, when the objective function is a chroot function and a chdir function, the first working directory may be the root directory. After the first working directory is determined, the web page files in the first working directory can be acquired.
Step 505, the target file in the file directory structure under the fourth set directory is queried and analyzed to determine the target parameters in the target file.
In the embodiment of the present application, the fourth setting directory is a preset directory; for example, the fourth setting directory may be the conf/ and/or conf/Catalina/localhost/ directory.
In the embodiment of the present application, the target file may be a file with a set suffix; for example, the target file may include a file with the xml suffix. For example, the files conf/server.xml and conf/Catalina/localhost/*.xml can be searched for, and server.xml and/or the .xml files under conf/Catalina/localhost/ can be used as the target file.
In the embodiment of the present application, the target parameter is a setting parameter, for example, the target parameter may be DocBase.
In the embodiment of the present application, the target file may be parsed to determine the target parameters in the target file.
Step 506, determining a second working directory according to the target parameter, and acquiring the webpage file in the second working directory.
In this embodiment, the second working directory may be determined according to the target parameter; for example, when the target parameter is the DocBase parameter, the second working directory may be a working directory of Tomcat.
In this embodiment of the application, after the second working directory is determined, each web page file in the second working directory may be acquired.
Step 507, determining a web page file list according to the web page files in the first working directory and the web page files in the second working directory.
In the embodiment of the present application, the web page file list may be determined according to each web page file in the first work directory and each web page file in the second work directory, that is, the web page file list may include each web page file in the first work directory and/or each web page file in the second work directory.
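The directory discovery of steps 503 to 507 as an added example; this is not code from the patent. It assumes an unpacked image rootfs, reads chroot/chdir from the conf files under etc/php-fpm, takes docBase from Tomcat's conf/server.xml and conf/Catalina/localhost/*.xml, and unions the web page files found under both working directories. The Tomcat location, the web page suffixes, the resolution of chdir inside the chroot and the sample image tree are all assumptions constructed for the example.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Suffixes treated as web page files (assumption: the patent does not enumerate them).
WEB_SUFFIXES = {".php", ".phtml", ".jsp", ".jspx", ".html", ".htm"}
# php-fpm directives the patent calls the "objective function".
PHP_DIRECTIVE = re.compile(r"^\s*(chroot|chdir)\s*=\s*(\S+)", re.MULTILINE)


def php_fpm_work_dirs(rootfs: Path) -> list[Path]:
    """Steps 503-504: read the conf files under etc/php-fpm (third set directory) and
    derive the first working directory from the chroot/chdir values."""
    dirs = []
    for conf in sorted((rootfs / "etc" / "php-fpm").rglob("*.conf")):
        values = dict(PHP_DIRECTIVE.findall(conf.read_text(errors="replace")))
        if not values:
            continue  # a pool without chroot/chdir yields no working directory (assumption)
        # chdir is resolved inside the chroot; the result is then mapped into the image tree
        inside = Path(values.get("chroot", "/")) / values.get("chdir", "/").lstrip("/")
        dirs.append(rootfs / str(inside).lstrip("/"))
    return dirs


def tomcat_work_dirs(rootfs: Path) -> list[Path]:
    """Steps 505-506: locate conf/server.xml and conf/Catalina/localhost/*.xml (fourth set
    directory), parse each as XML and use the docBase of every <Context> as a working directory."""
    dirs = []
    for conf in sorted(p for p in rootfs.rglob("conf") if p.is_dir()):
        targets = [conf / "server.xml", *sorted((conf / "Catalina" / "localhost").glob("*.xml"))]
        for target in targets:
            if not target.is_file():
                continue
            try:
                root = ET.parse(target).getroot()
            except ET.ParseError:
                continue  # a malformed config is skipped rather than aborting the scan
            for ctx in root.iter("Context"):
                doc_base = ctx.get("docBase")
                if not doc_base:
                    continue
                if Path(doc_base).is_absolute():
                    dirs.append(rootfs / doc_base.lstrip("/"))
                else:  # relative docBase lives under the host's appBase (assumption: webapps)
                    dirs.append(conf.parent / "webapps" / doc_base)
    return dirs


def collect_web_files(work_dirs: list[Path]) -> set[Path]:
    files: set[Path] = set()
    for work_dir in work_dirs:
        if work_dir.is_dir():
            files.update(p for p in work_dir.rglob("*")
                         if p.is_file() and p.suffix.lower() in WEB_SUFFIXES)
    return files


def build_web_file_list(rootfs: Path) -> list[str]:
    """Step 507: the web page file list is the union of the files under both working directories."""
    files = collect_web_files(php_fpm_work_dirs(rootfs)) | collect_web_files(tomcat_work_dirs(rootfs))
    return sorted(str(p.relative_to(rootfs)) for p in files)


def make_sample_rootfs(base: Path) -> Path:
    """Constructed image tree (not from the patent): one chrooted php-fpm pool and a Tomcat
    with two contexts; a stray .php outside every working directory must not be listed."""
    def write(rel: str, text: str) -> None:
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    write("etc/php-fpm/www.conf", "[www]\nchroot = /var/www/php\nchdir = /\n")
    write("var/www/php/index.php", "<?php echo 'hello';\n")
    write("var/www/php/assets/app.js", "console.log(1);\n")  # not a web page suffix
    write("usr/local/tomcat/conf/server.xml",
          '<Server><Service><Engine><Host name="localhost" appBase="webapps">'
          '<Context path="" docBase="/srv/app"/></Host></Engine></Service></Server>')
    write("usr/local/tomcat/conf/Catalina/localhost/admin.xml",
          '<Context docBase="/srv/admin" reloadable="false"/>')
    write("srv/app/index.jsp", "<%= 1 %>\n")
    write("srv/admin/login.jsp", "<html></html>\n")
    write("opt/other/stray.php", "<?php\n")
    return base


def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        return build_web_file_list(make_sample_rootfs(Path(tmp)))


if __name__ == "__main__":
    print(demo())  # ['srv/admin/login.jsp', 'srv/app/index.jsp', 'var/www/php/index.php']
```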
Step 508, saving each web page file in the web page file list to the local.
Step 509, for each web page file, calculating a fourth digest value of the web page file.
In the embodiment of the present application, a digest value of each web page file may be calculated, which is referred to as a fourth digest value in the present application, for example, the fourth digest value may be an MD5 value.
Step 510, the second corresponding relationship stored locally is queried to determine whether the first code execution environment detection result corresponding to the fourth digest value is stored.
In this embodiment of the application, the second correspondence is a correspondence between a digest value and a code execution environment detection result, where the code execution environment detection result is used to indicate whether the web page file is a code execution environment file. For example, taking a webshell as the code execution environment, the code execution environment detection result is used to indicate whether the web page file is a webshell file.
In this embodiment of the present application, for each web page file, according to the fourth digest value of the web page file, a second correspondence between the locally stored digest value and the code execution environment detection result may be queried, so as to determine whether the first code execution environment detection result corresponding to the fourth digest value is locally stored.
Step 511, in response to the first code execution environment detection result being stored, generating a corresponding security detection result according to the first code execution environment detection result.
In this embodiment of the application, for each web page file, in the case that the first code execution environment detection result corresponding to the fourth digest value of the web page file is locally stored, the corresponding security detection result may be generated according to the first code execution environment detection result.
As an example, when the first code execution environment detection result of each web page file indicates that the corresponding web page file is not a code execution environment file, the security detection result is used to indicate mirror image security or to indicate that the mirror image file does not include the code execution environment file; and when the first code execution environment detection result of at least one webpage file indicates that the corresponding webpage file is the code execution environment file, the security detection result is used for indicating that the image is not secure or indicating that the image file comprises the code execution environment file.
Step 512, in response to the first code execution environment detection result not being stored, invoking the code execution environment detection service to detect the web page file to obtain a second code execution environment detection result, and adding the corresponding relationship between the fourth digest value and the second code execution environment detection result to the locally stored second corresponding relationship.
In this embodiment of the present application, for each web page file, in a case that a first code execution environment detection result corresponding to the fourth digest value of the web page file is not locally stored, a code execution environment detection service may be invoked to detect the web page file, so as to obtain a second code execution environment detection result.
For example, taking the code execution environment as a webshell for example, a webshell detection service may be called to detect a webpage file to determine whether the webpage file is a webshell file, if the webpage file is the webshell file, the generated second code execution environment detection result is used to indicate that the webpage file is the webshell file, and if the webpage file is not the webshell file, the generated second code execution environment detection result is used to indicate that the webpage file is not the webshell file.
Step 513, generating a corresponding security detection result according to the second code execution environment detection result.
In this embodiment of the present application, for each web page file, in the case of obtaining a second code execution environment detection result of the web page file, a corresponding security detection result may be generated according to the second code execution environment detection result.
As an example, when the second code execution environment detection result of each web page file indicates that the corresponding web page file is not a code execution environment file, the security detection result is used to indicate mirror image security or to indicate that the code execution environment file is not included in the mirror image file; and when the second code execution environment detection result of at least one webpage file indicates that the corresponding webpage file is the code execution environment file, the security detection result is used for indicating that the image is not secure or indicating that the image file comprises the code execution environment file.
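The digest-keyed result cache of steps 406 to 410 and of steps 509 to 513, together with the weighted combination of detection modules from step 409, as one added example that is not code from the patent. The detection modules, the webshell service, the 0.5 threshold and the sample file contents are constructed stand-ins; the cache is keyed by SHA-256 rather than the MD5 the patent mentions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable

# A detection module returns a value in [0, 1]; following the patent's convention a LOW
# target value means "virus" and a HIGH one means clean. The modules below are stand-ins.
MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed for this example, not a real signature


def signature_module(data: bytes) -> float:
    return 0.0 if MARKER in data else 1.0


def header_module(data: bytes) -> float:
    # stand-in heuristic only: a well-formed ELF header scores as "probably benign"
    return 0.9 if data.startswith(b"\x7fELF") else 0.3


@dataclass
class VirusDetectionService:
    """Step 409: several modules, each weighted by its confidence; the weighted sum is the
    target detection value, compared against a threshold (assumption: 0.5)."""
    modules: list[tuple[float, Callable[[bytes], float]]]
    threshold: float = 0.5
    calls: int = 0

    def __call__(self, data: bytes) -> dict:
        self.calls += 1
        total = sum(weight for weight, _ in self.modules)
        target = sum(weight * module(data) for weight, module in self.modules) / total
        return {"positive": target < self.threshold, "score": round(target, 3)}


@dataclass
class WebshellDetectionService:
    """Step 512 stand-in: answers whether a web page file is a webshell file."""
    calls: int = 0

    def __call__(self, data: bytes) -> dict:
        self.calls += 1
        return {"positive": MARKER in data}


@dataclass
class CachedDetector:
    """Steps 406-410 / 509-513: the locally stored correspondence (digest -> result) is
    consulted first; on a miss the service is invoked and the new pair is added."""
    service: Callable[[bytes], dict]
    cache: dict[str, dict] = field(default_factory=dict)

    def detect(self, data: bytes) -> dict:
        # The patent's example digest is MD5; SHA-256 is used here so that a crafted
        # collision with a known-clean file's digest cannot turn into a false cache hit.
        digest = hashlib.sha256(data).hexdigest()
        if digest not in self.cache:
            self.cache[digest] = self.service(data)
        return self.cache[digest]

    def detect_list(self, files: dict[str, bytes]) -> dict:
        """Image-level verdict: secure only if no file in the list tested positive."""
        hits = [name for name, data in files.items() if self.detect(data)["positive"]]
        return {"secure": not hits, "files": hits}


def demo() -> dict:
    """Constructed executable and web page lists; returns both verdicts and call counts."""
    virus_service = VirusDetectionService([(0.7, signature_module), (0.3, header_module)])
    webshell_service = WebshellDetectionService()
    executables = {
        "usr/bin/clean": b"\x7fELF" + b"\x00" * 32,
        "usr/local/bin/clean-copy": b"\x7fELF" + b"\x00" * 32,  # identical bytes: cache hit
        "tmp/dropper": b"\x7fELF" + MARKER,
    }
    web_files = {
        "var/www/php/index.php": b"<?php echo 'hello';",
        "var/www/php/upload.php": b"<?php " + MARKER,
    }
    return {
        "virus": CachedDetector(virus_service).detect_list(executables),
        "virus_calls": virus_service.calls,          # 2: the identical copy never reaches the service
        "webshell": CachedDetector(webshell_service).detect_list(web_files),
        "webshell_calls": webshell_service.calls,    # 2
    }


if __name__ == "__main__":
    print(demo())
```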
Step 514, sending the security detection result to the client.
The execution process of step 514 may refer to the execution process of the above embodiments, and is not described herein again.
The security detection method for the mirror image can also realize detection of the code execution environment file in the mirror image, and can further improve the comprehensiveness of security detection of the mirror image.
It should be noted that the security detection of the mirror image has been described above by way of example according to only one of the application software installation list, the executable file list and the web page file list; in practical application, the security detection of the mirror image may be performed according to a combination of these items. This process is described in detail below with reference to fig. 6.
Fig. 6 is a schematic flowchart of a security detection method for an image according to a sixth embodiment of the present application.
The execution main body of the embodiment of the application can be a server.
As shown in fig. 6, the method for security detection of an image may include the following steps:
step 601, receiving a download address of the mirror image sent by the client.
Step 602, downloading the mirror image according to the download address, and analyzing the file directory structure in the mirror image.
The execution process of steps 601 to 602 may refer to the execution process of any of the above embodiments, which is not described herein again.
Step 603, filtering the file directory structure according to a set rule to obtain a plurality of items in an application software installation list, an executable file list and a webpage file list through screening.
In the embodiments of the present application, the application software installation list, the executable file list, and the web file list may be determined according to any of the embodiments described above, which is not described herein again.
Step 604, performing security detection on the mirror image according to a plurality of items among the application software installation list, the executable file list and the web page file list to obtain a security detection result.
In a possible implementation manner of the embodiment of the application, security detection may be performed on the mirror image according to the application software installation list and the executable file list, so as to obtain a security detection result.
As an example, a common vulnerability disclosure CVE database may be queried according to the installation name and version of each installed application in the application software installation list to determine whether each installed application has a CVE vulnerability. When none of the installed applications in the application software installation list has a CVE vulnerability, it may be further determined whether an executable file having a virus exists in the executable file list (specifically, see the execution processes of steps 406 to 409, which are not described herein again). When none of the executable files in the executable file list has a virus, the generated security detection result is used to indicate that the image is secure, or to indicate that the image file has no virus and the image contains no installed application having a CVE vulnerability; and when at least one executable file in the executable file list has a virus, the generated security detection result is used to indicate that the image is not secure, or to indicate that the image has a virus.
When at least one installed application in the application software installation list has a CVE vulnerability, if none of the executable files in the executable file list has a virus, the generated security detection result is used to indicate that the image is not secure, or to indicate that the image contains an installed application with a CVE vulnerability and the image file has no virus; if at least one executable file in the executable file list has a virus, the generated security detection result is used to indicate that the image is not secure, or to indicate that the image contains an installed application with a CVE vulnerability and the image file has a virus.
In another possible implementation manner of the embodiment of the application, the security of the mirror image may be detected according to the application software installation list and the web file list, so as to obtain a security detection result.
As an example, a common vulnerability disclosure CVE database may be queried according to the installation name and version of each installed application in the application software installation list to determine whether each installed application has a CVE vulnerability. When none of the installed applications in the application software installation list has a CVE vulnerability, it may be further determined whether a code execution environment file exists in the web page file list (specifically, see the execution processes of steps 509 to 513, which are not described herein again). When none of the web page files in the web page file list is a code execution environment file, the generated security detection result is used to indicate that the image is secure, or to indicate that the image file does not include a code execution environment file and the image does not include an installed application having a CVE vulnerability; and when at least one code execution environment file exists in the web page file list, the generated security detection result is used to indicate that the image is not secure, or to indicate that the image file includes a code execution environment file.
When at least one installed application in the application software installation list has a CVE vulnerability, if none of the web page files in the web page file list is a code execution environment file, the generated security detection result is used to indicate that the image is not secure, or to indicate that the image contains an installed application with a CVE vulnerability and the image file does not contain a code execution environment file; if at least one web page file in the web page file list is a code execution environment file, the generated security detection result is used to indicate that the image is not secure, or to indicate that the image contains an installed application with a CVE vulnerability and the image file contains a code execution environment file.
In another possible implementation manner of the embodiment of the present application, security detection may be performed on the mirror image according to the executable file list and the web file list to obtain a security detection result.
As an example, when none of the executable files in the executable file list has a virus, it may be determined whether the web page file list includes a code execution environment file. If none of the web page files in the web page file list is a code execution environment file, the generated security detection result is used to indicate that the image is secure, or to indicate that the image file has no virus and does not include a code execution environment file; if at least one web page file in the web page file list is a code execution environment file, the generated security detection result is used to indicate that the image is not secure, or to indicate that the image file has no virus but includes a code execution environment file.
When at least one executable file in the executable file list has a virus, it is likewise determined whether the web page file list includes a code execution environment file. If none of the web page files in the web page file list is a code execution environment file, the generated security detection result is used to indicate that the mirror image is not secure, or to indicate that the mirror image file has a virus and does not include a code execution environment file; if at least one web page file in the web page file list is a code execution environment file, the generated security detection result is used to indicate that the image is not secure, or to indicate that the image file has a virus and includes a code execution environment file.
In another possible implementation manner of the embodiment of the application, the security of the mirror image may be detected according to the application software installation list, the executable file list and the web file list at the same time, so as to obtain a security detection result.
For example, in the case that all installed applications in the application software installation list do not have a CVE vulnerability, all executable files in the executable file list do not have a virus, and all web page files in the web page file list are not code execution environment files, the generated security detection result is used for indicating that the image is secure, and in other cases, the generated security detection result is used for indicating that the image is not secure.
Step 605, sending the security detection result to the client.
As an example, taking a webshell as the code execution environment, a schematic diagram of the present application may be as shown in fig. 7. A user may input a download address and a digest value of an image at a client, and the client may send the download address and the digest value of the image to a server. The server may download the image according to the download address and verify the integrity of the image according to the digest value, that is, the server may calculate the digest value of the image and compare the calculated digest value with the received digest value for consistency; in the case that the calculated digest value is consistent with the received digest value, the server generates an image scanning task according to the image file and issues the image scanning task to an image scanning client.
After receiving the mirror image scanning task, the mirror image scanning client can analyze the mirror image files in the mirror image according to layers to obtain a file directory structure, filter the analyzed file directory structure according to a set rule, and respectively extract an application software installation list, an executable file list and a webpage file list.
And then, inquiring a CVE vulnerability database according to the installation name and version of each installed application in the application software installation list to obtain the installed application with the CVE vulnerability.
According to the executable file list, virus checking and killing are executed, suspicious/determined virus files are obtained, wherein the executable files can be stored locally, md5 values of the executable files are calculated, an interface is called to inquire whether md5 values have detection results, and if yes, the detection results are directly obtained; if not, the executable file is uploaded to a file server, the file server calls a remote virus detection service to perform virus detection on the executable file, and a detection result is obtained.
Executing webshell detection according to the web page file list, and acquiring suspicious/determined webshell files, wherein the web page files can be stored locally, the md5 value of the web page files is calculated, an interface is called to inquire whether the md5 value has a detection result, and if so, the detection result is directly acquired; if not, uploading the webpage file to a file server, calling a remote webshell detection service by the file server to perform webshell detection on the webpage file, and acquiring a detection result.
And generating a final scanning detection report (namely a security detection result) according to the installed application with the CVE vulnerability, the suspicious/determined virus file and the suspicious/determined webshell file, and returning the final scanning detection report to the client.
The mirror image security detection method can detect the CVE vulnerabilities of the installed applications in the mirror image, can detect virus files and code execution environment files in the mirror image, can improve the comprehensiveness of mirror image security detection, and can help security personnel to check potential security hazards more comprehensively.
The present application also provides a security detection apparatus for a mirror image, which corresponds to the security detection method for a mirror image provided in the embodiments of fig. 1 to 6, and since the security detection apparatus for a mirror image provided in the embodiments of the present application corresponds to the security detection method for a mirror image provided in the embodiments of fig. 1 to 6, the implementation manner of the security detection method for a mirror image is also applicable to the security detection apparatus for a mirror image provided in the embodiments of the present application, and will not be described in detail in the embodiments of the present application.
Fig. 8 is a schematic structural diagram of a mirrored security detection apparatus according to a seventh embodiment of the present application.
As shown in fig. 8, the mirrored security detection apparatus 800 may include: a receiving module 801, a processing module 802, a screening module 803, a detecting module 804, and a sending module 805.
The receiving module 801 is configured to receive a download address of the image sent by the client.
The processing module 802 is configured to download the image according to the download address, and analyze a file directory structure in the image.
The filtering module 803 is configured to filter the file directory structure according to a set rule, so as to obtain at least one of an application software installation list, an executable file list, and a web file list by filtering.
The detecting module 804 is configured to perform security detection on the mirror image according to at least one of the application software installation list, the executable file list, and the web file list, so as to obtain a security detection result.
A sending module 805, configured to send the security detection result to the client.
In a possible implementation manner of the embodiment of the present application, the receiving module 801 is further configured to receive a first digest value of the mirror image sent by the client.
The processing module 802 is specifically configured to: download the mirror image according to the download address; determine a second digest value of the mirror image file in the mirror image; and, in the case that the second digest value is the same as the first digest value, analyze the mirror image file in the mirror image to determine the file directory structure.
In a possible implementation manner of the embodiment of the present application, the screening module 803 is specifically configured to: acquiring a mirror image file in a file directory structure under a first set directory; analyzing the mirror image file under the first set directory to determine the name and version of the mirror image operating system; and determining an application software installation list according to the name and the version of the mirror image operating system.
In a possible implementation manner of the embodiment of the present application, the screening module 803 is specifically configured to: determining a target software management tool corresponding to the name and version of the mirror image operating system; acquiring files, recorded by a target software management tool, on which installed applications depend; analyzing files on which the installed applications depend to determine installation names and versions of the installed applications; and determining an application software installation list according to the installation name and the version of each installed application.
In a possible implementation manner of the embodiment of the present application, the screening module 803 is specifically configured to: acquiring executable files in a file directory structure under a second set directory; and determining an executable file list according to each executable file.
In a possible implementation manner of the embodiment of the present application, the screening module 803 is specifically configured to: acquiring a configuration file in a file directory structure under a third set directory; determining a first working directory according to the value of the target function in the configuration file; acquiring a webpage file under a first working directory; inquiring a target file in the file directory structure under a fourth set directory, and analyzing the target file to determine a target parameter in the target file; determining a second working directory according to the target parameters, and acquiring webpage files under the second working directory; and determining a webpage file list according to the webpage files in the first working directory and the webpage files in the second working directory.
In a possible implementation manner of the embodiment of the present application, the detecting module 804 is specifically configured to: query a common vulnerability disclosure (CVE) database according to the installation name and version of each installed application in the application software installation list to determine whether each installed application has a CVE vulnerability; and generate a security detection result indicating that the image is not secure in response to at least one installed application having a CVE vulnerability; where the CVE database stores the correspondence between a plurality of installation names and versions and CVE vulnerabilities.
In a possible implementation manner of the embodiment of the present application, the detecting module 804 is specifically configured to: store each executable file in the executable file list locally; for each executable file, calculate a third digest value of the executable file; query the locally stored first corresponding relationship to determine whether a first virus detection result corresponding to the third digest value is stored; in response to the first virus detection result being stored, generate a corresponding security detection result according to the first virus detection result; in response to the first virus detection result not being stored, invoke a virus detection service to perform virus detection on the executable file to obtain a second virus detection result, and add the corresponding relationship between the third digest value and the second virus detection result to the locally stored first corresponding relationship; and generate a corresponding security detection result according to the second virus detection result.
In a possible implementation manner of the embodiment of the present application, the detecting module 804 is specifically configured to: store each web page file in the web page file list locally; calculate a fourth digest value of each web page file; query the locally stored second corresponding relationship to determine whether a first code execution environment detection result corresponding to the fourth digest value is stored; in response to the first code execution environment detection result being stored, generate a corresponding security detection result according to the first code execution environment detection result; in response to the first code execution environment detection result not being stored, invoke a code execution environment detection service to detect the web page file to obtain a second code execution environment detection result, and add the corresponding relationship between the fourth digest value and the second code execution environment detection result to the locally stored second corresponding relationship; and generate a corresponding security detection result according to the second code execution environment detection result.
According to the image safety detection device, the image is downloaded according to the download address by receiving the download address of the image sent by the client, and the file directory structure in the image is analyzed; filtering the file directory structure according to a set rule to obtain at least one of an application software installation list, an executable file list and a webpage file list through screening; performing security detection on the mirror image according to at least one of the application software installation list, the executable file list and the webpage file list to obtain a security detection result; and sending the security detection result to the client. Therefore, the safety detection of the mirror image can be realized, so that a user can determine whether the mirror image is safe according to a safety detection result, the user can use the mirror image safely, and safety personnel can be helped to check the potential safety hazard of the mirror image more comprehensively.
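As an added illustration of the screening stage summarized above (and set out in detail in claims 3 to 6 below), the following Python example parses a downloaded image and screens out the three lists. It is not code from the patent or its applicant. Everything the patent leaves unnamed is an assumption here: the "first set directory" and its image file are taken to be /etc/os-release; the "target software management tool" is dpkg for Debian/Ubuntu and apk for Alpine, their package databases being the files on which installed applications depend; the "second set directory" is the usual binary directories; the "third set directory", configuration file and "target function" are /etc/nginx, nginx.conf and the root directive; the "fourth set directory", "target file" and "target parameter" are /etc/apache2, its .conf files and DocumentRoot. The image is modelled as one flattened rootfs tar built inline; a real image would need its manifest read and its layer tars applied in order, including whiteout entries.

```python
"""Screening stage of an image security scan (added example, not the patent's code):
parse a flattened image filesystem tar and screen out the application software
installation list, the executable file list and the web page file list."""
import io
import re
import tarfile

# Assumed rules: the patent does not name the set directories, tools or parameters.
OS_RELEASE = "etc/os-release"                                    # first set directory, image file
EXEC_DIRS = ("bin/", "sbin/", "usr/bin/", "usr/sbin/", "usr/local/bin/")   # second set directory
NGINX_CONF = "etc/nginx/nginx.conf"                              # third set directory, config file
APACHE_CONF_DIR = "etc/apache2/"                                 # fourth set directory
WEB_EXT = (".html", ".htm", ".php", ".jsp", ".asp", ".aspx", ".js")
# target software management tool per OS: (package db path, name key, version key)
PKG_DB = {"debian": ("var/lib/dpkg/status", "Package", "Version"),
          "ubuntu": ("var/lib/dpkg/status", "Package", "Version"),
          "alpine": ("lib/apk/db/installed", "P", "V")}


def _norm(path: str) -> str:
    return path.lstrip("./")


def load_image(blob: bytes) -> dict:
    """Read the tar entirely in memory: never extract an untrusted image to disk,
    so hostile member names (../, absolute paths, symlinks) cannot escape."""
    tree = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:
            if m.isreg():
                tree[_norm(m.name)] = (m.mode, tar.extractfile(m).read())
    return tree


def parse_os_release(text: str) -> tuple:
    kv = dict(re.findall(r'^([A-Z_]+)="?([^"\n]*)"?$', text, re.M))
    return kv.get("ID", "").lower(), kv.get("VERSION_ID", "")


def parse_pkg_db(text: str, name_key: str, ver_key: str) -> list:
    """dpkg's status file and apk's installed db are both blank-line separated
    stanzas of 'Key: value' lines; only dpkg carries a Status that may be 'deinstall'."""
    apps = []
    for stanza in text.split("\n\n"):
        kv = dict(re.findall(r"^([A-Za-z-]+):\s*(.*)$", stanza, re.M))
        if name_key in kv and kv.get("Status", "ok installed").endswith(" installed"):
            apps.append((kv[name_key], kv.get(ver_key, "")))
    return apps


def is_executable(mode: int, data: bytes) -> bool:
    # Execute bit or ELF magic: a dropped payload can be chmod-ed at run time.
    return bool(mode & 0o111) or data[:4] == b"\x7fELF"


def web_roots(tree: dict) -> list:
    """First working directory from nginx's 'root' directive (target function),
    second from Apache's DocumentRoot (target parameter)."""
    roots = []
    if NGINX_CONF in tree:
        roots += re.findall(r"^\s*root\s+([^;\s]+)\s*;", tree[NGINX_CONF][1].decode(errors="replace"), re.M)
    for path, (_, data) in tree.items():
        if path.startswith(APACHE_CONF_DIR) and path.endswith(".conf"):
            roots += re.findall(r'^\s*DocumentRoot\s+"?([^"\s]+)', data.decode(errors="replace"), re.M)
    return [_norm(r).rstrip("/") + "/" for r in roots]


def screen(tree: dict) -> dict:
    res = {"os_name": "", "os_version": "", "applications": [], "executables": [], "web_files": []}
    if OS_RELEASE in tree:
        res["os_name"], res["os_version"] = parse_os_release(tree[OS_RELEASE][1].decode(errors="replace"))
    db = PKG_DB.get(res["os_name"])
    if db and db[0] in tree:
        res["applications"] = parse_pkg_db(tree[db[0]][1].decode(errors="replace"), db[1], db[2])
    roots = web_roots(tree)
    for path, (mode, data) in sorted(tree.items()):
        if path.startswith(EXEC_DIRS) and is_executable(mode, data):
            res["executables"].append(path)
        if path.endswith(WEB_EXT) and any(path.startswith(r) for r in roots):
            res["web_files"].append(path)
    return res


def build_sample_image() -> bytes:
    """Constructed stand-in for a downloaded image: a tiny Debian-like rootfs tar."""
    files = {
        "etc/os-release": (0o644, b'ID=debian\nVERSION_ID="11"\nPRETTY_NAME="Debian GNU/Linux 11"\n'),
        "var/lib/dpkg/status": (0o644,
            b"Package: nginx\nStatus: install ok installed\nVersion: 1.18.0-6.1\n\n"
            b"Package: libssl1.1\nStatus: install ok installed\nVersion: 1.1.1n-0+deb11u3\n\n"
            b"Package: curl\nStatus: deinstall ok config-files\nVersion: 7.74.0-1.3\n"),
        "usr/bin/hello": (0o755, b"\x7fELF" + b"\x00" * 12),
        "usr/bin/README": (0o644, b"not a program\n"),
        "etc/nginx/nginx.conf": (0o644, b"server {\n    listen 80;\n    root /var/www/html;\n}\n"),
        "etc/apache2/sites-enabled/000-default.conf": (0o644, b"<VirtualHost *:80>\n  DocumentRoot /srv/app\n</VirtualHost>\n"),
        "var/www/html/index.php": (0o644, b"<?php echo 1; ?>"),
        "srv/app/upload.jsp": (0o644, b"<% out.println(1); %>"),
        "srv/app/logo.png": (0o644, b"\x89PNG"),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, (mode, data) in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running `screen(load_image(build_sample_image()))` yields the Debian 11 identification, the two installed packages (the removed curl stanza is dropped because its dpkg Status is not "installed"), `usr/bin/hello` as the only executable, and the two web page files under the nginx and Apache document roots. Note that the executable rule deliberately keys on the ELF magic as well as the mode bits, since a file dropped without the execute bit is still a candidate for later execution.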
In order to implement the foregoing embodiments, the present application also provides a computer device, comprising: a memory, a processor and a computer program stored on the memory and runnable on the processor, wherein, when the processor executes the program, the image security detection method of any of the foregoing embodiments of the present application is implemented.
In order to implement the foregoing embodiments, the present application also proposes a non-transitory computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the image security detection method of any of the foregoing embodiments of the present application.
In order to implement the foregoing embodiments, the present application also proposes a computer program product, wherein, when the instructions in the computer program product are executed by a processor, the image security detection method of any of the foregoing embodiments of the present application is performed.
FIG. 9 illustrates a block diagram of an exemplary computer device suitable for implementing embodiments of the present application. The computer device 12 shown in FIG. 9 is only an example and should not impose any limitation on the function or scope of use of the embodiments of the present application.
As shown in FIG. 9, computer device 12 is in the form of a general purpose computing device. The components of computer device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. These architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA (EISA) bus, the Video Electronics Standards Association (VESA) local bus and the Peripheral Component Interconnect (PCI) bus.
Computer device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
Memory 28 may include computer system readable media in the form of volatile memory, such as random access memory (RAM) 30 and/or cache memory 32. Computer device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 9, and commonly referred to as a "hard drive"). Although not shown in FIG. 9, a disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g. a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g. a compact disc read-only memory (CD-ROM), a digital versatile disc read-only memory (DVD-ROM) or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. Memory 28 may include at least one program product having a set (e.g. at least one) of program modules configured to carry out the functions of embodiments of the application.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally perform the functions and/or methodologies of the embodiments described herein.
Computer device 12 may also communicate with one or more external devices 14 (e.g. keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with computer device 12, and/or with any devices (e.g. network card, modem, etc.) that enable computer device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Moreover, computer device 12 may also communicate with one or more networks (e.g. a local area network (LAN), a wide area network (WAN), and/or a public network such as the Internet) via network adapter 20. As shown, network adapter 20 communicates with the other modules of computer device 12 via bus 18. It should be understood that, although not shown in the figures, other hardware and/or software modules may be used in conjunction with computer device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes various functional applications and data processing, for example, implementing the methods mentioned in the foregoing embodiments, by executing programs stored in the system memory 28.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "plurality" means at least two, e.g. two, three, etc., unless specifically limited otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing steps of a custom logic function or process, and alternate implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc. Although embodiments of the present application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present application, and that variations, modifications, substitutions and alterations may be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.

Claims (13)

1. A method for security detection of an image, the method comprising the steps of:
receiving a download address of an image sent by a client;
downloading the image according to the download address, and parsing a file directory structure in the image;
filtering the file directory structure according to a set rule to screen out at least one of an application software installation list, an executable file list and a web page file list;
performing security detection on the image according to at least one of the application software installation list, the executable file list and the web page file list to obtain a security detection result;
and sending the security detection result to the client.
2. The method of claim 1, further comprising:
receiving a first digest value of the image sent by the client;
wherein the downloading the image according to the download address and parsing the file directory structure in the image comprises:
downloading the image according to the download address;
determining a second digest value of an image file in the image;
and, in the case that the second digest value is the same as the first digest value, parsing the image file in the image to determine the file directory structure.
3. The method of claim 1, wherein the filtering the file directory structure according to the set rule to screen out at least one of an application software installation list, an executable file list and a web page file list comprises:
acquiring an image file under a first set directory in the file directory structure;
parsing the image file under the first set directory to determine the name and version of the operating system of the image;
and determining the application software installation list according to the name and version of the operating system of the image.
4. The method of claim 3, wherein the determining the application software installation list according to the name and version of the operating system of the image comprises:
determining a target software management tool corresponding to the name and version of the operating system of the image;
acquiring the files, recorded by the target software management tool, on which the installed applications depend;
parsing the file on which each installed application depends to determine the installation name and version of each installed application;
and determining the application software installation list according to the installation name and version of each installed application.
5. The method of claim 1, wherein the filtering the file directory structure according to the set rule to screen out at least one of an application software installation list, an executable file list and a web page file list comprises:
acquiring executable files under a second set directory in the file directory structure;
and determining the executable file list according to each executable file.
6. The method of claim 1, wherein the filtering the file directory structure according to the set rule to screen out at least one of an application software installation list, an executable file list and a web page file list comprises:
acquiring a configuration file under a third set directory in the file directory structure;
determining a first working directory according to the value of a target function in the configuration file;
acquiring web page files under the first working directory;
querying a target file under a fourth set directory in the file directory structure, and parsing the target file to determine a target parameter in the target file;
determining a second working directory according to the target parameter, and acquiring web page files under the second working directory;
and determining the web page file list according to the web page files under the first working directory and the web page files under the second working directory.
7. The method of claim 1, wherein the performing security detection on the image according to at least one of the application software installation list, the executable file list and the web page file list to obtain a security detection result comprises:
querying a Common Vulnerabilities and Exposures (CVE) database according to the installation name and version of each installed application in the application software installation list, to determine whether each installed application has a CVE vulnerability;
and, in response to at least one of the installed applications having a CVE vulnerability, generating a security detection result indicating that the image is insecure;
wherein the CVE database stores the correspondences between a plurality of installation names and versions and CVE vulnerabilities.
8. The method of claim 1, wherein the performing security detection on the image according to at least one of the application software installation list, the executable file list and the web page file list to obtain a security detection result comprises:
saving each executable file in the executable file list locally;
for each executable file, calculating a third digest value of the executable file;
querying a locally stored first mapping to determine whether a first virus detection result corresponding to the third digest value is stored;
in response to the first virus detection result being stored, generating a corresponding security detection result according to the first virus detection result;
in response to the first virus detection result not being stored, invoking a virus detection service to perform virus detection on the executable file to obtain a second virus detection result, and adding the correspondence between the third digest value and the second virus detection result to the locally stored first mapping;
and generating the corresponding security detection result according to the second virus detection result.
9. The method of claim 1, wherein the performing security detection on the image according to at least one of the application software installation list, the executable file list and the web page file list to obtain a security detection result comprises:
saving each web page file in the web page file list locally;
calculating a fourth digest value of each web page file;
querying a locally stored second mapping to determine whether a first code execution environment detection result corresponding to the fourth digest value is stored;
in response to the first code execution environment detection result being stored, generating a corresponding security detection result according to the first code execution environment detection result;
in response to the first code execution environment detection result not being stored, invoking a code execution environment detection service to detect the web page file to obtain a second code execution environment detection result, and adding the correspondence between the fourth digest value and the second code execution environment detection result to the locally stored second mapping;
and generating the corresponding security detection result according to the second code execution environment detection result.
10. An image security detection apparatus, the apparatus comprising:
a receiving module for receiving a download address of an image sent by a client;
a processing module for downloading the image according to the download address and parsing a file directory structure in the image;
a screening module for filtering the file directory structure according to a set rule to screen out at least one of an application software installation list, an executable file list and a web page file list;
a detection module for performing security detection on the image according to at least one of the application software installation list, the executable file list and the web page file list to obtain a security detection result;
and a sending module for sending the security detection result to the client.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the method for security detection of an image according to any one of claims 1 to 9.
12. A non-transitory computer-readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the method for security detection of an image according to any one of claims 1 to 9.
13. A computer program product, wherein the instructions in the computer program product, when executed by a processor, perform the method for security detection of an image according to any one of claims 1 to 9.
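The detection stage, as an added Python example that is not code from the patent or its applicant: it covers the digest comparison of claim 2 and the digest-keyed result caches that the description of the detection module and claims 8 and 9 set out. The virus detection service and the code execution environment detection service are external in the patent; here they are stand-ins built inline (one matches the EICAR test string, the other flags a web page file that passes request input into a code execution sink). Two points go beyond the page and are assumptions of this example: the cache key also carries the detection service's signature or rule version, and the mapping is persisted as a JSON file.

```python
"""Detection stage of an image security scan (added example, not the patent's code):
digest check of the downloaded image, then virus / code-execution-environment
detection of screened files through digest-keyed result caches."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Callable, Optional


def verify_image_digest(blob: bytes, client_digest: str) -> bool:
    """Only parse an image whose SHA-256 equals the digest the client sent."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), client_digest.lower())


class CachedDetector:
    """Wraps a detection service with a mapping keyed by (signature version, file digest).
    The signature-version part of the key is an assumption beyond the patent: without it a
    stored 'clean' verdict would never be revisited after the service's signatures change."""

    def __init__(self, service: Callable[[bytes], dict], cache_file: Optional[Path] = None,
                 sig_version: str = "unversioned"):
        self.service, self.sig_version, self.calls = service, sig_version, 0
        self.cache_file = Path(cache_file) if cache_file else None
        self.cache = {}
        if self.cache_file and self.cache_file.exists():
            self.cache = json.loads(self.cache_file.read_text())

    def detect(self, data: bytes) -> dict:
        key = f"{self.sig_version}:{hashlib.sha256(data).hexdigest()}"
        if key in self.cache:                       # first result already stored: reuse it
            return {**self.cache[key], "cached": True}
        self.calls += 1                             # not stored: call the service, then store
        verdict = self.service(data)
        self.cache[key] = verdict
        if self.cache_file:
            self.cache_file.write_text(json.dumps(self.cache))
        return {**verdict, "cached": False}


# Constructed stand-ins for the external detection services.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def toy_virus_service(data: bytes) -> dict:
    return {"malicious": EICAR in data}


def toy_code_exec_service(data: bytes) -> dict:
    """Flags a web page file that feeds request input into a code execution sink."""
    sinks = (b"eval(", b"system(", b"passthru(", b"shell_exec(", b"getRuntime().exec(")
    inputs = (b"$_GET", b"$_POST", b"$_REQUEST", b"request.getParameter(")
    return {"malicious": any(s in data for s in sinks) and any(i in data for i in inputs)}


def scan_image(executables: dict, web_files: dict, av: CachedDetector, web: CachedDetector) -> dict:
    """executables / web_files: {path: bytes} as produced by the screening stage."""
    verdicts = {p: av.detect(d) for p, d in executables.items()}
    verdicts.update({p: web.detect(d) for p, d in web_files.items()})
    return {"files": verdicts, "image_secure": not any(v["malicious"] for v in verdicts.values())}


def demo() -> dict:
    """Scan a constructed file set twice against an on-disk cache; the second pass
    must be served entirely from the stored mappings. Returns figures the caller can check."""
    cache_dir = Path(tempfile.mkdtemp())
    executables = {"usr/bin/hello": b"\x7fELF" + b"\x00" * 12, "usr/bin/bad": EICAR}   # constructed
    web_files = {"var/www/html/index.php": b"<?php echo 1; ?>",                        # constructed
                 "var/www/html/c.php": b"<?php system($_GET['cmd']); ?>"}
    first = scan_image(executables, web_files,
                       CachedDetector(toy_virus_service, cache_dir / "av.json", "sig-1"),
                       CachedDetector(toy_code_exec_service, cache_dir / "web.json", "rules-1"))
    av2 = CachedDetector(toy_virus_service, cache_dir / "av.json", "sig-1")
    web2 = CachedDetector(toy_code_exec_service, cache_dir / "web.json", "rules-1")
    second = scan_image(executables, web_files, av2, web2)
    return {"image_secure": first["image_secure"],
            "flagged": sorted(p for p, v in second["files"].items() if v["malicious"]),
            "second_pass_cached": sum(v["cached"] for v in second["files"].values()),
            "second_pass_service_calls": av2.calls + web2.calls}


if __name__ == "__main__":
    print(demo())
```

Keying only by file digest, as the claims describe, would hand back a stored "clean" verdict for ever, even after the detection service learns a new signature; carrying the signature version in the key forces a re-scan after each update while still never re-submitting a file to the same signature set twice. If several scanner workers share the JSON file, write it to a temporary file and rename it into place instead of overwriting it in place, otherwise a concurrent reader can see a truncated mapping.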
CN202111022432.9A 2021-09-01 2021-09-01 Mirror image security detection method, device, equipment and medium Pending CN113656809A (en)

Publications (1)

Publication Number Publication Date
CN113656809A (en) 2021-11-16

Family

ID=78493438

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117076002A (en) * 2023-09-28 2023-11-17 飞腾信息技术有限公司 Safe starting method and related device
CN117076002B (en) * 2023-09-28 2024-01-02 飞腾信息技术有限公司 Safe starting method and related device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109977976A (en) * 2017-12-28 2019-07-05 腾讯科技(深圳)有限公司 Detection method, device and the computer equipment of executable file similarity
CN112395042A (en) * 2020-10-27 2021-02-23 国电南瑞科技股份有限公司 Method and device for carrying out security scanning facing to business container mirror image
CN112613041A (en) * 2020-12-25 2021-04-06 南方电网深圳数字电网研究院有限公司 Container mirror image detection method and device, electronic equipment and storage medium
CN113177204A (en) * 2021-04-14 2021-07-27 厦门服云信息科技有限公司 Container mirror image security detection method, terminal device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination