CN114662097A - CSV file injection attack detection method and device, electronic equipment and storage medium

Info

Publication number: CN114662097A
Authority: CN (China)
Prior art keywords: csv file, data, preset, file, csv
Legal status: Pending
Application number: CN202210411365.8A
Other languages: Chinese (zh)
Inventor: 尹奋强
Current Assignee: Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee: Suzhou Inspur Intelligent Technology Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The application provides a method and an apparatus for detecting CSV file injection attacks, an electronic device and a storage medium. The method comprises: acquiring a CSV file to be detected; reading data from the CSV file through a data security reading scheme to obtain a target text; detecting the target text using a preset detection scheme and, when attack data is determined to have been injected into the target text, determining the target position of the attack data in the CSV file; and sending an alarm signal based on the target position to indicate that the CSV file contains attack data. The method and the apparatus solve the problem that the related art lacks a means of detecting CSV injection attacks.

Description

CSV file injection attack detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a method and an apparatus for detecting CSV file injection attack, an electronic device, and a storage medium.
Background
In practical network-security management, people are often vigilant about external input but overlook security problems in internal data. A CSV (comma-separated values) file is regarded as a simple text file and is not taken seriously, yet much exported table data is user-controlled, for example in voting applications and mailbox exports. Furthermore, when an export function is encountered during penetration testing, the tester typically focuses on behaviors that actually harm the website, such as arbitrary file download or unauthorized viewing, and ignores CSV injection, because CSV injection does not harm the website itself but instead harms the end user, for example through arbitrary OS command execution or information leakage. In some more common uses, CSV injection can also serve phishing by redirecting to a web page.
Excel, Word, RTF and Outlook all use the DDE (dynamic data exchange) communication mechanism, which updates content according to the processing result of an external application. Therefore, if an attacker crafts a CSV file containing a DDE formula, Excel will try to run an external application when the user opens the file, which serves the attacker's purpose.
At present there are many detection methods for common injection attacks such as SQL injection and command injection, but the conditions required for a CSV injection attack are demanding and the industry pays it little attention, so detection means for it are lacking.
Disclosure of Invention
The application provides a CSV file injection attack detection method and device, electronic equipment and a storage medium, which are used for at least solving the problem that the related technology lacks a detection means for CSV injection attack.
According to an aspect of an embodiment of the present application, there is provided a method for detecting a CSV file injection attack, the method including:
acquiring a CSV file to be detected;
performing data reading on the CSV file through a data security reading scheme to obtain a target text;
detecting the target text by using a preset detection scheme, and determining the target position of attack data in the CSV file under the condition of determining that the attack data is injected into the target text;
and sending an alarm signal based on the target position to prompt that the CSV file contains the attack data.
According to another aspect of the embodiments of the present application, there is also provided a detection apparatus for CSV file injection attack, the apparatus including:
a first acquisition unit, configured to acquire a CSV file to be detected;
the reading unit is used for reading the data of the CSV file through a data security reading scheme to obtain a target text;
the detection unit is used for detecting the target text by using a preset detection scheme and determining the target position of the attack data in the CSV file under the condition that the attack data is injected into the target text;
and the sending unit is used for sending an alarm signal based on the target position so as to prompt that the CSV file contains the attack data.
Optionally, the detection unit comprises:
the acquisition module is used for acquiring a plurality of preset codes and a plurality of preset characters which are correspondingly set by a dynamic data exchange protocol, wherein the preset codes are character strings which are related to the dynamic data exchange protocol and are used for representing the executable file and an external application program, and the preset characters are used for representing first characters of commands to be executed when the CSV file is opened;
the matching module is used for matching the target text with the preset characters and the preset codes to obtain a matching result;
and the judging module is used for judging whether the attack data is injected into the CSV file or not according to the matching result.
Optionally, the matching module comprises:
a detection subunit, configured to detect a separation value included in the target text;
and the matching subunit is used for performing character matching on the reference data behind the separation value and the preset code under the condition that the separation value is determined to be the same as any preset character, so as to obtain the matching result.
Optionally, the apparatus further comprises:
a determining unit, configured to, after the separation value contained in the target text is detected and when the separation value is determined to differ from every preset character, detect the next separation value in a loop and match it against the preset characters; if, when the number of loop iterations equals a preset threshold, no separation value matching a preset character has been found, it is determined that the attack data is not injected into the CSV file.
Optionally, the apparatus further comprises:
a second obtaining unit, configured to obtain file information of the CSV file, where the file information includes the occupied space value of the CSV file, the original storage address of the CSV file, the time at which the CSV file was detected, whether attack data has been injected into the CSV file, and the target position in the target text of the CSV file at which the attack data was injected;
and the storage unit is used for storing the file information into a log.
Optionally, the apparatus further comprises:
and the isolation unit is used for isolating the target file from a target system by utilizing an isolation tool before the CSV file is subjected to data reading through a data security reading scheme.
Optionally, the apparatus further comprises:
and the starting unit is used for starting a target program where the CSV file is located after the attack data is determined not to be injected into the CSV file, and opening the CSV file based on the target program so that a user can normally use the CSV file.
According to another aspect of the embodiments of the present application, there is also provided an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory communicate with each other through the communication bus; wherein the memory is used for storing the computer program; a processor for performing the method steps in any of the above embodiments by running the computer program stored on the memory.
According to a further aspect of the embodiments of the present application, there is also provided a computer-readable storage medium, in which a computer program is stored, wherein the computer program is configured to perform the method steps of any of the above embodiments when the computer program is executed.
In the embodiment of the application, the CSV file to be detected is obtained; reading data of the CSV file through a data security reading scheme to obtain a target text; detecting the target text by using a preset detection scheme, and determining the target position of the attack data in the target text under the condition of determining that the attack data is injected into the target text; and sending an alarm signal based on the target position to prompt that attack data is contained in the CSV file. According to the embodiment of the application, the CSV file can be detected before the user opens the CSV file by using a target program (such as Excel), whether the CSV injection attack exists or not is checked, and early warning is given to the user, so that the user is effectively prevented from being influenced and damaged by the CSV injection attack, and the problem that a detection means for the CSV injection attack is lacked in the related technology is solved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic diagram of a hardware environment of an alternative CSV file injection attack detection method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an alternative CSV file injection attack detection method according to an embodiment of the present application;
Fig. 3 is a flow chart illustrating an alternative overall usage process of a user opening a CSV file according to an embodiment of the present application;
Fig. 4 is a flow diagram illustrating an alternative CSV file injection attack detection process according to an embodiment of the application;
Fig. 5 is a block diagram of an alternative detection apparatus for CSV file injection attack according to an embodiment of the present application;
Fig. 6 is a block diagram of an alternative electronic device according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some basic concepts are introduced:
CSV file:
CSV stands for comma-separated values, sometimes also called character-separated values because the separating character need not be a comma. A CSV file stores tabular data (numbers and text) in plain text form. Plain text means that the file is a sequence of characters and contains no data that must be interpreted as binary. A CSV file consists of any number of records separated by some line-break character; each record is made up of fields, and the separators between fields are other characters or strings, most commonly commas or tabs. Typically, all records have the same sequence of fields.
CSV injection attack:
A CSV injection attack inserts an Excel formula containing a malicious command into text that can be exported to formats such as CSV or xls. When a user opens the CSV file in Excel, the file is converted into the Excel format and Excel's formula execution function applies, so the malicious command is executed and the user's computer is controlled.
DDE:
DDE is an inter-process communication protocol under Windows, a dynamic data exchange mechanism. DDE communication requires two Windows applications: one acts as the server and processes information, and the other acts as the client and obtains information from the server (a DDE conversation is identified by a window handle that participates in the session). DDE is supported by Microsoft Excel, LibreOffice and Apache OpenOffice. One use of DDE in Excel is to update the contents of cells according to the results of external applications, and CSV injection attacks are based on this mechanism.
Regular expression:
A regular expression is a text pattern that includes normal characters (e.g., letters between a and z) and special characters (called "metacharacters"). A regular expression uses a single string to describe and match a set of strings that conform to a certain syntactic rule.
According to one aspect of the embodiment of the application, a method for detecting CSV file injection attack is provided. Optionally, in this embodiment, the detection method of CSV file injection attack may be applied to a hardware environment as shown in fig. 1. As shown in fig. 1, the terminal 102 may include a memory 104, a processor 106, and a display 108 (optional components). The terminal 102 may be communicatively coupled to a server 112 via a network 110, the server 112 may be configured to provide services (e.g., application services, etc.) for the terminal or clients installed on the terminal, and a database 114 may be provided on the server 112 or separate from the server 112 for providing data storage services for the server 112. Additionally, a processing engine 116 may be run in the server 112, and the processing engine 116 may be used to perform the steps performed by the server 112.
Alternatively, the terminal 102 may be, but is not limited to, a terminal capable of calculating data, such as a mobile terminal (e.g., a mobile phone, a tablet Computer), a notebook Computer, a PC (Personal Computer) Computer, and the like, and the network may include, but is not limited to, a wireless network or a wired network. Wherein, this wireless network includes: bluetooth, WIFI (Wireless Fidelity), and other networks that enable Wireless communication. Such wired networks may include, but are not limited to: wide area networks, metropolitan area networks, and local area networks. The server 112 may include, but is not limited to, any hardware device capable of performing computations.
In addition, in this embodiment, the detection method for CSV file injection attack may also be applied to, but not limited to, an independent processing device with a relatively high processing capability without data interaction. For example, the processing device may be, but is not limited to, a terminal device with a relatively high processing capability, that is, each operation in the above-mentioned detection method for CSV file injection attack may be integrated into a single processing device. The above is merely an example, and this is not limited in this embodiment.
Optionally, in this embodiment, the detection method for the CSV file injection attack may be executed by the server 112, may also be executed by the terminal 102, and may also be executed by both the server 112 and the terminal 102. The method for detecting the CSV file injection attack performed by the terminal 102 according to the embodiment of the present application may also be performed by a client installed thereon.
Taking an operation in a server as an example, fig. 2 is a schematic flowchart of an optional detection method for a CSV file injection attack according to an embodiment of the present application, and as shown in fig. 2, the flow of the method may include the following steps:
step S201, obtaining a CSV file to be detected;
step S202, reading data of the CSV file through a data security reading scheme to obtain a target text;
step S203, detecting the target text by using a preset detection scheme, and determining the target position of the attack data in the CSV file under the condition of determining that the attack data is injected into the target text;
and step S204, sending an alarm signal based on the target position to prompt that attack data is contained in the CSV file.
Optionally, in this embodiment of the application, the server determines and acquires the CSV file to be detected. Before the CSV file is detected, it is isolated using an isolation tool, for example sandbox isolation, to prevent the CSV file from being used in a combined attack together with other attack techniques and to provide a secure environment during detection. Data is then read from the CSV file using a secure, stream-based text reading method (or scheme) to obtain the target text.
The target text is then checked for attack data using the preset detection scheme of this embodiment. The preset detection scheme detects and analyzes the target text produced by the data security reading scheme to determine whether malicious code of a CSV injection attack is present.
If attack data (namely malicious code) is determined to have been injected into the target text, the server locates the attack data in the target text, which gives the target position of the attack data in the CSV file, and then sends an alarm signal to the user based on the target position to inform the user that attack data has been injected into the CSV file and that the CSV file therefore cannot be opened.
If the CSV file is detected to be safe, the target program currently used by the user, such as Excel, is started automatically and the file is opened directly in it.
In the embodiment of the application, the CSV file to be detected is obtained; reading data of the CSV file through a data security reading scheme to obtain a target text; detecting the target text by using a preset detection scheme, and determining the target position of attack data in the target text under the condition of determining that the attack data is injected into the target text; and sending an alarm signal based on the target position to prompt that attack data is contained in the CSV file. According to the embodiment of the application, the CSV file can be detected before the user opens the CSV file by using a target program (such as Excel), whether the CSV injection attack exists or not is checked, and early warning is given to the user, so that the user is effectively prevented from being influenced and damaged by the CSV injection attack, and the problem that a detection means for the CSV injection attack is lacked in the related technology is solved.
As an alternative embodiment, as shown in fig. 3, fig. 3 is a schematic flow chart of an alternative use process of opening a CSV file by a user according to an embodiment of the present application, specifically:
when the CSV file is detected to have the injection statement of CSV injection attack, the CSV file is isolated into a sandbox and the user is reminded that the file is unsafe to use. And when the statement of CSV injection attack is not detected, the method automatically starts the Excel program and opens the CSV file by using the Excel program for the normal use of the user.
As an alternative embodiment, the detecting the target text by using the preset detection scheme includes:
acquiring a plurality of preset codes and a plurality of preset characters which are correspondingly set by a dynamic data exchange protocol, wherein the preset codes are character strings which are related to the dynamic data exchange protocol and used for representing executable files and external application programs, and the preset characters are used for representing first characters of commands to be executed when a CSV file is opened;
matching the target text with preset characters and preset codes to obtain a matching result;
and judging whether the attack data is injected into the CSV file or not according to the matching result.
Optionally, a CSV injection attack relies on Excel invoking other programs through DDE (i.e. the dynamic data exchange protocol) when it opens a CSV file, which is itself simply a plain text file. Detecting CSV injection therefore means determining whether the CSV file contains code related to the DDE protocol.
Specifically, the server obtains a plurality of preset codes and a plurality of preset characters set according to the dynamic data exchange protocol. The preset codes may be file suffix strings such as cmd, msExcel and msiexec, or the file-name strings of external applications that are globally available in some environments, such as "regsvr32", "certutil" and "rundll32". The preset characters are the first characters of the commands that Excel runs when it opens the CSV file, such as "=", "+", "-" and "@". All data in the target text is then matched against the preset characters and the preset codes, and whether attack data has been injected into the CSV file is judged from the matching result.
When the target text is matched against the preset characters and the preset codes, the preset characters are matched first. Only when a preset character exists in the target text is the target text further matched against the preset codes, for example with a regular expression, to obtain the final matching result.
Further, a separation value contained in the target text is detected. When the separation value is determined to be the same as any preset character, the reference data following the separation value is character-matched against the preset codes; if the match is complete or the matching degree is greater than a preset matching-degree threshold (which can be 90% or the like), attack data is considered to have been injected into the CSV file, and otherwise it is considered not to have been injected.
Meanwhile, when the separation values contained in the target text are detected, if a separation value is not the same as any preset character, the next separation value is detected. When the number of loop iterations equals a preset threshold and no separation value identical to a preset character has been found, the target text is considered to contain no preset character, and the CSV file is directly judged to have no attack data injected.
When no attack data has been injected into the CSV file, it is handled as follows: the target program for the CSV file is started, and the CSV file is opened with the target program so that the user can use the CSV file normally.
In the embodiment of the application, the user sets the default way of opening CSV files to the injection attack detection of this embodiment. In everyday use the file is therefore checked for safety and is not opened in other, dangerous ways, which ensures both convenience and security.
As an alternative embodiment, the method further comprises:
acquiring file information of the CSV file, wherein the file information comprises the occupied space value of the CSV file, the original storage address of the CSV file, the time at which the CSV file was detected, whether attack data has been injected into the CSV file, and the target position in the target text of the CSV file at which the attack data was injected;
and storing the file information into the log.
Optionally, the server in the embodiment of the present application includes a log recording module. The server obtains and records file information of the CSV file, such as the size of the detected file (namely the occupied space value), the original storage address of the file, the detection time, whether a CSV injection attack exists and the location of the injection, so that the user can review it and security personnel can locate and analyze the attack.
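The two-stage matching (preset character first, then preset code) and the log record described above, as an added Python example that is not code from the patent. The function names, the `max_fields` threshold value, the use of an exact regular-expression match in place of the matching-degree option, and the sample rows are assumptions made for illustration.

```python
import csv
import io
import os
import re
import time

# Preset characters from the description: a field starting with one of these
# is evaluated as a formula when a spreadsheet program opens the CSV file.
PRESET_CHARS = ("=", "+", "-", "@")

# Preset codes from the description: strings naming executables and external
# applications that a DDE formula could reference.
PRESET_CODES = ("cmd", "msexcel", "msiexec", "regsvr32", "certutil", "rundll32")
CODE_RE = re.compile("|".join(map(re.escape, PRESET_CODES)), re.IGNORECASE)


def read_text_safely(raw: bytes) -> str:
    """Decode the file as inert text; nothing is evaluated or executed."""
    return raw.decode("utf-8-sig", errors="replace")


def scan_text(text: str, max_fields: int = 100_000) -> dict:
    """Check each field's first character, then search the rest for a code.

    max_fields stands in for the preset loop threshold (value assumed).
    'complete' is False when the threshold or a parse error stopped the scan,
    so the log shows that later fields were never inspected.
    """
    findings, checked, complete = [], 0, True
    try:
        for row_no, row in enumerate(csv.reader(io.StringIO(text, newline="")), 1):
            for col_no, field in enumerate(row, 1):
                if checked >= max_fields:
                    complete = False
                    break
                checked += 1
                # Stage 1: does the field begin with a preset character?
                if not field.startswith(PRESET_CHARS):
                    continue
                # Stage 2: does the data after it contain a preset code?
                hit = CODE_RE.search(field[1:])
                if hit:
                    findings.append({
                        "row": row_no, "col": col_no,
                        "preset_char": field[0],
                        "code": hit.group(0).lower(),
                        "value": field[:80],  # truncated copy for the log
                    })
            if not complete:
                break
    except csv.Error:
        complete = False  # malformed input: report the scan as incomplete
    return {"injected": bool(findings), "findings": findings,
            "fields_checked": checked, "complete": complete}


def build_log_record(path, size, result, detected_at=None) -> dict:
    """Assemble the file information that the description stores in the log."""
    return {
        "file_size_bytes": size,
        "original_path": os.path.abspath(path),
        "detected_at": detected_at or time.strftime("%Y-%m-%dT%H:%M:%S%z"),
        "injected": result["injected"],
        "positions": [(f["row"], f["col"]) for f in result["findings"]],
        "scan_complete": result["complete"],
    }


def scan_file(path: str) -> dict:
    """Read a file as bytes, scan it as text and return its log record."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return build_log_record(path, len(raw), scan_text(read_text_safely(raw)))


# Constructed sample: inert placeholders, not working formulas.
SAMPLE = (
    "name,score,comment\n"
    "alice,10,hello\n"
    'bob,-5,"=cmd PLACEHOLDER"\n'
    "carol,+3,@CertUtil PLACEHOLDER\n"
    "dave,7,=SUM(A1:A2)\n"
)

if __name__ == "__main__":
    result = scan_text(SAMPLE)
    for f in result["findings"]:
        print(f"row {f['row']}, column {f['col']}: {f['code']} after {f['preset_char']!r}")
    print(build_log_record("sample.csv", len(SAMPLE.encode()), result))
```

A field that starts with a preset character but contains no preset code, such as the `=SUM` field in the sample, is not reported by this scheme; a stricter policy could log every such field for review.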
Based on the above flow, referring to fig. 4, fig. 4 is a schematic flow chart of another optional detection process of a CSV file injection attack according to the embodiment of the present application, specifically:
When the CSV file is opened, it is isolated from the target system through sandbox isolation, and its data is read safely through the data security reading scheme in the isolated, secure environment. After the content of the CSV file has been read safely, the injection attack detection method of the embodiment of the present application performs injection detection on the read data to check whether injected malicious code exists. If it exists, branch 1 is entered: the detected malicious code is located, an alarm is raised to tell the user that the file is unsafe, and information such as the location of the malicious code is recorded in a log. If not, branch 2 is entered: the Excel starting module opens the CSV file normally with the Excel program for the user's normal use.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., a ROM (Read-Only Memory)/RAM (Random Access Memory), a magnetic disk, an optical disk) and includes several instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the methods of the embodiments of the present application.
According to another aspect of the embodiments of the present application, there is also provided a detection apparatus for CSV file injection attack, which is used for implementing the detection method for CSV file injection attack. Fig. 5 is a block diagram of an alternative detection apparatus for CSV file injection attack according to an embodiment of the present application, and as shown in fig. 5, the apparatus may include:
a first obtaining unit 501, configured to obtain a CSV file to be detected;
a reading unit 502, configured to perform data reading on the CSV file through a data security reading scheme to obtain a target text;
the detection unit 503 is configured to detect the target text by using a preset detection scheme, and determine a target position of attack data in the CSV file when the attack data is injected into the target text;
a sending unit 504, configured to send an alarm signal based on the target location to prompt that the CSV file contains attack data.
It should be noted that the first obtaining unit 501 in this embodiment may be configured to execute the step S201, the reading unit 502 in this embodiment may be configured to execute the step S202, the detecting unit 503 in this embodiment may be configured to execute the step S203, and the sending unit 504 in this embodiment may be configured to execute the step S204.
Through the above modules, the CSV file can be checked for a CSV injection attack before a user opens it with a target program (such as Excel), and the user can be warned in advance, so that the user is effectively protected from the influence and harm of the CSV injection attack, and the problem that the related art lacks a means of detecting CSV injection attacks is solved.
As an alternative embodiment, the detection unit comprises:
an acquisition module, configured to acquire a plurality of preset codes and a plurality of preset characters set according to the Dynamic Data Exchange (DDE) protocol, wherein the preset codes are character strings related to the DDE protocol that represent executable files and external application programs, and the preset characters represent the first character of a command that would be executed when the CSV file is opened;
a matching module, configured to match the target text against the preset characters and the preset codes to obtain a matching result;
a judging module, configured to judge, according to the matching result, whether attack data is injected into the CSV file.
As an alternative embodiment, the matching module comprises:
a detection subunit, configured to detect a separation value contained in the target text;
a matching subunit, configured to, when the separation value is determined to be the same as any preset character, perform character matching between the reference data following the separation value and the preset codes, so as to obtain the matching result.
As an alternative embodiment, the apparatus further comprises:
a determining unit, configured to, after the separation value contained in the target text is detected and when that separation value is different from every preset character, detect the next separation value in a loop and match it against the preset characters; if, when the number of loop iterations equals a preset threshold, no separation value matching a preset character has been found, it is determined that no attack data is injected into the CSV file.
As an alternative embodiment, the apparatus further comprises:
a second obtaining unit, configured to obtain file information of the CSV file, wherein the file information comprises the space occupied by the CSV file, the original storage address of the CSV file, the time at which the CSV file was detected, whether attack data is injected into the CSV file, and the target position of the injected attack data in the target text of the CSV file;
a storage unit, configured to store the file information in a log.
As an alternative embodiment, the apparatus further comprises:
an isolation unit, configured to isolate the target file from the target system by using an isolation tool before the data of the CSV file is read through the data security reading scheme.
As an alternative embodiment, the apparatus further comprises:
a starting unit, configured to, after it is determined that no attack data is injected into the CSV file, start the target program for the CSV file and open the CSV file with that target program so that the user can use the CSV file normally.
It should be noted here that the examples and application scenarios implemented by the modules described above are the same as those of the corresponding steps, but are not limited to what the above embodiments disclose. It should also be noted that the modules described above, as a part of the apparatus, may operate in a hardware environment as shown in Fig. 1, and may be implemented by software or by hardware, where the hardware environment includes a network environment.
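The two-stage matching, loop threshold, log record and alarm described by the units above, as an added Python example that is not code from the patent. The contents of PRESET_CHARS and PRESET_CODES, the threshold value, the function names and the sample file are assumptions made for this example.

```python
import csv
import io
from datetime import datetime, timezone

# Assumed sample values: the patent names "preset characters" and "preset codes";
# the contents of both sets and the threshold below are chosen for this example.
PRESET_CHARS = ("=", "+", "-", "@")          # first characters a spreadsheet treats as a formula
PRESET_CODES = ("cmd", "powershell", "mshta", "rundll32", ".exe", "dde")
MAX_CELLS = 100_000                          # assumed "preset threshold" for the scan loop


def safe_read(data: bytes) -> str:
    """Read the file as inert text: decode only (dropping a BOM), never open it in a spreadsheet."""
    return data.decode("utf-8-sig", errors="replace")


def scan(text: str, max_cells: int = MAX_CELLS):
    """Return (findings, cells_scanned); each finding locates one suspicious cell."""
    findings, scanned = [], 0
    for row_no, record in enumerate(csv.reader(io.StringIO(text, newline="")), start=1):
        for col_no, cell in enumerate(record, start=1):
            if scanned >= max_cells:
                return findings, scanned
            scanned += 1
            value = cell.lstrip()            # design choice: ignore padding before the trigger
            # Stage 1: does the cell start with a preset character?
            if not value or value[0] not in PRESET_CHARS:
                continue
            # Stage 2: does the data after that character contain a preset code?
            rest = value[1:].lower()
            hit = next((code for code in PRESET_CODES if code in rest), None)
            if hit:
                findings.append({"row": row_no, "col": col_no, "char": value[0], "code": hit})
    return findings, scanned


def inspect_csv(path: str, data: bytes) -> dict:
    """Build the log record the description lists: size, path, time, verdict, positions."""
    findings, scanned = scan(safe_read(data))
    return {
        "size_bytes": len(data),
        "original_path": path,
        "detected_at": datetime.now(timezone.utc).isoformat(),
        "injected": bool(findings),
        "positions": [(f["row"], f["col"]) for f in findings],
        "findings": findings,
        "cells_scanned": scanned,
    }


def alarm(record: dict) -> str:
    """Format the alert text sent before the file is opened in the target program."""
    if not record["injected"]:
        return f"{record['original_path']}: no injected data found"
    where = ", ".join(f"row {r} col {c}" for r, c in record["positions"])
    return f"{record['original_path']}: CSV injection suspected at {where}"


# Constructed sample input (not from the patent); command arguments are placeholders.
SAMPLE = (
    b"name,balance,note\r\n"
    b"alice,-5,refund\r\n"
    b"bob,10,\"=cmd|' <args>'!A1\"\r\n"
    b"carol,7,=SUM(B2:B3)\r\n"
    b"dave,3,\"@powershell,<args>\"\r\n"
)

if __name__ == "__main__":
    print(alarm(inspect_csv("inbox/report.csv", SAMPLE)))
```

The negative number `-5` and the plain formula `=SUM(B2:B3)` pass stage 1 but are not flagged, because stage 2 finds no preset code in them. A threshold smaller than the number of cells ends the scan with a clean verdict for cells that were never inspected, so the threshold should be sized against the largest file the detector is expected to handle.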
According to another aspect of the embodiments of the present application, there is also provided an electronic device for implementing the detection method of CSV file injection attack, where the electronic device may be a server, a terminal, or a combination thereof.
Fig. 6 is a block diagram of an alternative electronic device according to an embodiment of the present application. As shown in Fig. 6, the electronic device includes a processor 601, a communication interface 602, a memory 603, and a communication bus 604, where the processor 601, the communication interface 602, and the memory 603 communicate with each other through the communication bus 604, wherein:
the memory 603 is used for storing a computer program;
the processor 601, when executing the computer program stored in the memory 603, implements the following steps:
acquiring a CSV file to be detected;
reading data of the CSV file through a data security reading scheme to obtain a target text;
detecting the target text by using a preset detection scheme, and determining the target position of attack data in the CSV file under the condition of determining that the attack data is injected into the target text;
and sending an alarm signal based on the target position to prompt that attack data is contained in the CSV file.
Optionally, in this embodiment, the communication bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in Fig. 6, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include RAM, and may also include non-volatile memory, such as at least one disk memory. Optionally, the memory may be at least one memory device located remotely from the processor.
As an example, as shown in fig. 6, the memory 603 may include, but is not limited to, a first obtaining unit 501, a reading unit 502, a detecting unit 503, and a sending unit 504 in the detection apparatus for CSV file injection attack. In addition, the detection apparatus may further include, but is not limited to, other module units in the detection apparatus for CSV file injection attack, which is not described in detail in this example.
The processor may be a general-purpose processor, including but not limited to a CPU (Central Processing Unit), an NP (Network Processor), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In addition, the electronic device further includes a display, used for displaying the detection result of the CSV file injection attack.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
It can be understood by those skilled in the art that the structure shown in fig. 6 is only an illustration, and the device implementing the method for detecting CSV file injection attack may be a terminal device, and the terminal device may be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 6 is a diagram illustrating a structure of the electronic device. For example, the terminal device may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 6, or have a different configuration than shown in FIG. 6.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disk, ROM, RAM, magnetic or optical disk, and the like.
According to still another aspect of an embodiment of the present application, there is also provided a storage medium. Optionally, in this embodiment, the storage medium may be used to store program code for executing a method for detecting a CSV file injection attack.
Optionally, in this embodiment, the storage medium may be located on at least one of a plurality of network devices in a network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
acquiring a CSV file to be detected;
reading data of the CSV file through a data security reading scheme to obtain a target text;
detecting the target text by using a preset detection scheme, and determining the target position of attack data in the CSV file under the condition of determining that the attack data is injected into the target text;
and sending an alarm signal based on the target position to prompt that attack data is contained in the CSV file.
Optionally, the specific example in this embodiment may refer to the example described in the above embodiment, which is not described again in this embodiment.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing program code, such as a USB flash drive, a ROM, a RAM, a removable hard disk, a magnetic disk, or an optical disk.
According to yet another aspect of an embodiment of the present application, there is also provided a computer program product or a computer program comprising computer instructions stored in a computer readable storage medium; the processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions to make the computer device execute the steps of the detection method for the CSV file injection attack in any of the embodiments.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions to enable one or more computer devices (which may be personal computers, servers, or network devices) to execute all or part of the steps of the detection method for CSV file injection attack according to the embodiments of the present application.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of a logic function, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, and may also be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution provided in this embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present application. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered to fall within the protection scope of the present application.

Claims (10)

1. A method for detecting CSV file injection attack, the method comprising:
acquiring a CSV file to be detected;
performing data reading on the CSV file through a data security reading scheme to obtain a target text;
detecting the target text by using a preset detection scheme, and determining the target position of the attack data in the CSV file under the condition of determining that the attack data is injected into the target text;
and sending an alarm signal based on the target position to prompt that the attack data is contained in the CSV file.
2. The method of claim 1, wherein the detecting the target text using a preset detection scheme comprises:
acquiring a plurality of preset codes and a plurality of preset characters set according to a dynamic data exchange protocol, wherein the preset codes are character strings related to the dynamic data exchange protocol that represent executable files and external application programs, and the preset characters represent the first character of a command that would be executed when the CSV file is opened;
matching the target text with the preset characters and the preset codes to obtain a matching result;
and judging whether the attack data is injected into the CSV file or not according to the matching result.
3. The method according to claim 2, wherein the matching the target text with the preset character and the preset code to obtain a matching result comprises:
detecting a separation value contained in the target text;
and, when the separation value is determined to be the same as any preset character, performing character matching between the reference data following the separation value and the preset codes to obtain the matching result.
4. The method according to claim 3, wherein after the detecting of the separation value contained in the target text, the method comprises:
when the separation value is determined to be different from every preset character, detecting the next separation value in a loop and matching the next separation value against the preset characters, and, if no separation value matching a preset character exists when the number of loop iterations equals a preset threshold, determining that the attack data is not injected into the CSV file.
5. The method of claim 1, further comprising:
acquiring file information of the CSV file, wherein the file information comprises the space occupied by the CSV file, the original storage address of the CSV file, the time at which the CSV file was detected, whether the attack data is injected into the CSV file, and the target position of the injected attack data in the target text of the CSV file;
and storing the file information into a log.
6. The method according to claim 1, wherein prior to the data reading of the CSV file by a data security reading scheme, the method further comprises:
and isolating the target file from the target system by utilizing an isolation tool.
7. The method of claim 4, wherein after the determining that the attack data is not injected in the CSV file, the method further comprises:
starting a target program where the CSV file is located, and opening the CSV file based on the target program so that a user can normally use the CSV file.
8. An apparatus for detecting CSV file injection attacks, the apparatus comprising:
the device comprises a first acquisition unit, a second acquisition unit and a third acquisition unit, wherein the first acquisition unit is used for acquiring a CSV file to be detected;
the reading unit is used for reading the data of the CSV file through a data security reading scheme to obtain a target text;
the detection unit is used for detecting the target text by using a preset detection scheme, and determining the target position of the attack data in the CSV file under the condition that the attack data is injected into the target text;
and the sending unit is used for sending an alarm signal based on the target position so as to prompt that the CSV file contains the attack data.
9. An electronic device comprising a processor, a communication interface, a memory and a communication bus, wherein said processor, said communication interface and said memory communicate with each other via said communication bus,
the memory for storing a computer program;
the processor for performing the method steps of any one of claims 1 to 7 by running the computer program stored on the memory.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method steps of any one of claims 1 to 7.
CN202210411365.8A 2022-04-19 2022-04-19 CSV file injection attack detection method and device, electronic equipment and storage medium Pending CN114662097A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210411365.8A CN114662097A (en) 2022-04-19 2022-04-19 CSV file injection attack detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114662097A true CN114662097A (en) 2022-06-24

Family

ID=82035681

Country Status (1)

Country Link
CN (1) CN114662097A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118493A (en) * 2022-06-27 2022-09-27 北京天融信网络安全技术有限公司 Message query method and device, electronic equipment and storage medium
CN115118493B (en) * 2022-06-27 2023-11-10 北京天融信网络安全技术有限公司 Message query method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination