CN114896596A - Safety protection method and device - Google Patents


Info

Publication number: CN114896596A
Authority: CN (China)
Application number: CN202210452044.2A
Other languages: Chinese (zh)
Inventors: 慕逍寒, 龙良
Current assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The embodiment of the invention provides a safety protection method and a safety protection device. The method comprises the following steps: acquiring a class to be loaded through a monitoring point; matching the class to be loaded with the legal class information included in a white list to obtain a matching result; and determining, based on the matching result, whether the class to be loaded is safe. The safety protection method and device provided by the embodiment of the invention allow only the known legal class information in the white list to be loaded and do not allow unknown classes to be loaded. This follows the white-list protection idea, so attacks on the network by unknown classes to be loaded can be avoided and the security protection of the network is realized.

Description

Safety protection method and device
Technical Field
The invention relates to the technical field of safety protection, in particular to a safety protection method and a safety protection device.
Background
A Java script attack constructs a malicious Java class object by accessing a web service system and exploiting known or unknown vulnerabilities, and then launches various attack requests against targets such as the service system, the operating system and the Java Virtual Machine (JVM) server, including file operations, changes to JVM behaviour or modification of service classes; the damage is extremely large, so security protection against Java scripts is required.
In the related art, OpenRASP is usually used to set monitoring points on common vulnerabilities and to perform blacklist matching; when a command is executed, behaviour that hits the blacklist raises an alarm. However, blacklist matching can only protect against known vulnerabilities: when a new vulnerability appears, no monitoring point can be set for it, so it cannot be protected against, and an attacker can achieve the attack by loading a class through the new vulnerability.
Disclosure of Invention
To solve the problems in the prior art, embodiments of the present invention provide a security protection method and apparatus.
Specifically, the embodiment of the invention provides the following technical scheme:
In a first aspect, an embodiment of the present invention provides a safety protection method, including:
acquiring a class to be loaded through a monitoring point;
matching the class to be loaded with legal class information included in a white list to obtain a matching result;
and determining whether the class to be loaded is safe or not based on the matching result.
Further, the legal class information includes legal static class information, and the legal static class information includes a class name of a legal static class and a byte code of the corresponding legal static class;
the matching the class to be loaded with the legal class information included in the white list to obtain a matching result includes:
and when the class name of the legal static class in the white list is determined to contain the class name of the class to be loaded, matching the byte code of the class to be loaded with the byte code of the legal static class to obtain a first matching result.
Further, the matching the bytecode of the class to be loaded with the bytecode of the legal static class to obtain a first matching result, including:
when determining that the byte codes of the legal static classes in the white list contain the byte codes of the classes to be loaded, determining that the first matching result is successful in matching;
and when determining that the byte codes of the legal static classes in the white list do not contain the byte codes of the classes to be loaded, determining that the first matching result is matching failure.
Further, the determining whether the class to be loaded is safe based on the matching result includes:
when the first matching result is that matching is successful, determining that the class to be loaded is a safe static class;
and when the first matching result is matching failure, determining that the class to be loaded is an unsafe static class.
Further, the legal class information also comprises legal dynamic class information;
the determining whether the class to be loaded is safe based on the matching result includes:
when the class name of the legal static class in the white list does not contain the class name of the class to be loaded, matching the class to be loaded with the legal dynamic class information in the white list to obtain a second matching result;
and determining whether the class to be loaded is safe or not based on the second matching result.
Further, the legal dynamic class information includes a legal sequence corresponding to the legal dynamic class;
the matching the class to be loaded with the legal dynamic class information in the white list to obtain a second matching result, including:
acquiring stack information of the thread running the class to be loaded;
when determining that the legal sequence in the white list does not contain the sequence in the stack information, determining that the second matching result is a matching failure;
and when the legal sequence in the white list contains the sequence in the stack information, determining that the second matching result is successful in matching.
Further, the determining whether the class to be loaded is safe based on the second matching result includes:
and when the second matching result is that the matching fails, determining that the class to be loaded is an unsafe dynamic class.
Further, the legal dynamic class information also includes byte codes of the legal dynamic class; the determining whether the class to be loaded is safe based on the second matching result includes:
when the second matching result is successful, matching the byte code of the class to be loaded with the byte code of the legal dynamic class in the white list to obtain a third matching result;
and determining whether the class to be loaded is safe or not based on the third matching result.
Further, the matching the bytecode of the class to be loaded with the bytecode of the legal dynamic class in the white list to obtain a third matching result, including:
when determining that the byte codes of the legal dynamic classes in the white list contain the byte codes of the classes to be loaded, determining that the third matching result is successful in matching;
and when determining that the byte codes of the legal dynamic classes in the white list do not contain the byte codes of the classes to be loaded, determining that the third matching result is matching failure.
Further, the determining whether the class to be loaded is safe based on the third matching result includes:
when the third matching result is that the matching is successful, determining that the class to be loaded is a safe dynamic class;
and when the third matching result is that the matching fails, determining that the class to be loaded is an unsafe dynamic class.
Further, before the matching the class to be loaded with the legal class information included in the white list to obtain a matching result, the method further includes:
and scanning deployment codes and deployment middleware codes to obtain the legal static class information, and recording the legal static class information in the white list.
Further, before the matching the class to be loaded with the legal dynamic class information in the white list to obtain a second matching result, the method further includes:
acquiring byte codes of legal dynamic classes and stack information of threads running the dynamic classes;
performing security analysis on the stack information of the thread running the dynamic class to obtain a legal sequence included in the stack information of the thread running the dynamic class;
and recording the legal sequence and the byte codes of the legal dynamic class in the white list.
In a second aspect, an embodiment of the present invention further provides a safety protection device, including:
the first acquisition unit is used for acquiring the class to be loaded through the monitoring point;
the matching unit is used for matching the class to be loaded with the legal class information included in the white list to obtain a matching result;
and the determining unit is used for determining whether the class to be loaded is safe or not based on the matching result.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the security protection method according to the first aspect.
In a fourth aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the security protection method according to the first aspect.
In a fifth aspect, an embodiment of the present invention further provides a computer program product, on which executable instructions are stored, and when executed by a processor, the instructions cause the processor to implement the safety protection method according to the first aspect.
According to the safety protection method and device provided by the embodiment of the invention, the class to be loaded is obtained through the monitoring point, the class to be loaded is matched with the legal class information included in the white list, and finally whether the class to be loaded is safe or not is determined based on the matching result. Therefore, the method only allows the known legal class information in the white list to be loaded, and does not allow the unknown class to be loaded, and belongs to the protection idea of the white list, so that the attack of the unknown class to be loaded on the network can be avoided, and the safety protection of the network is realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a safety protection method provided by the present invention;
FIG. 2 is a second schematic flow chart of the security protection method provided by the present invention;
FIG. 3 is a third schematic flow chart of a safety protection method provided by the present invention;
FIG. 4 is a fourth schematic flow chart of the safety protection method provided by the present invention;
FIG. 5 is a fifth flowchart illustrating a safety protection method provided by the present invention;
FIG. 6 is a sixth schematic flow chart of the safety protection method provided by the present invention;
FIG. 7 is a schematic structural diagram of a safety protection device provided by the present invention;
FIG. 8 is a schematic physical structure diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of a safety protection method provided by the present invention, as shown in fig. 1, the safety protection method includes the following steps:
step 101, obtaining a class to be loaded through a monitoring point.
For example, when the Java Virtual Machine (JVM) loads a class, it calls back a class transformer to notify it; the class transformer is the preset monitoring point, and the class to be loaded is obtained through this monitoring point during the class loading process. The file of the class to be loaded may be a class file.
Step 102, matching the class to be loaded with the legal class information included in the white list to obtain a matching result.
Illustratively, when the class to be loaded is obtained through the monitoring point, its security is analyzed using the white-list protection idea: the class to be loaded is matched against the legal class information in the white list stored in advance. The specific matching mode is to traverse all the legal class information in the white list and find whether it contains the class to be loaded, which gives the matching result.
Step 103, determining whether the class to be loaded is safe or not based on the matching result.
Exemplarily, when the matching result is that the matching is successful, the class to be loaded is determined to be safe; when the matching result is a matching failure, the class to be loaded is determined to be unsafe.
According to the safety protection method provided by the embodiment of the invention, the class to be loaded is obtained through the monitoring point, the class to be loaded is matched with the legal class information included in the white list, and finally whether the class to be loaded is safe or not is determined based on the matching result. Therefore, the method only allows the known legal class information in the white list to be loaded, and does not allow the unknown class to be loaded, and belongs to the protection idea of the white list, so that the attack of the unknown class to be loaded on the network can be avoided, and the safety protection of the network is realized.
Optionally, the legal class information includes legal static class information, where the legal static class information includes a class name of a legal static class and a bytecode of the corresponding legal static class; fig. 2 is a second schematic flow chart of the safety protection method provided by the present invention, and as shown in fig. 2, step 102 can be specifically implemented by the following steps:
step 1021, when it is determined that the class name of the legal static class in the white list includes the class name of the class to be loaded, matching the byte code of the class to be loaded with the byte code of the legal static class to obtain a first matching result.
A static class exists before the JVM runs, can be found in the storage memory of the operating system, and may be a class file identified by its file-name suffix.
Exemplarily, obtaining the class to be loaded includes obtaining the class name of the class to be loaded and the bytecode of the class to be loaded. It is then determined whether the class names of the legal static classes included in the white list include the class name of the class to be loaded. When the class names of the legal static classes do not include the class name of the class to be loaded, the class to be loaded does not belong to the legal static classes in the white list; when the class names of the legal static classes do include the class name of the class to be loaded, the class to be loaded belongs to the legal static classes in the white list, and at this time the bytecode of the class to be loaded needs to be further matched with the bytecode of the legal static class to obtain the first matching result.
Optionally, the matching of the bytecode of the class to be loaded with the bytecode of the legal static class to obtain a first matching result may be specifically implemented in the following manner:
when determining that the byte codes of the legal static classes in the white list contain the byte codes of the classes to be loaded, determining that the first matching result is successful in matching;
and when determining that the byte codes of the legal static classes in the white list do not contain the byte codes of the classes to be loaded, determining that the first matching result is a matching failure.
Specifically, as shown in fig. 2, step 103 may be specifically implemented by the following steps:
step 1031, when the first matching result is that the matching is successful, determining that the class to be loaded is a safe static class.
Step 1032, when the first matching result is a matching failure, determining that the class to be loaded is an unsafe static class.
Exemplarily, whether the byte codes of the legal static classes included in the white list include the byte codes of the class to be loaded is determined, when the byte codes of the legal static classes include the byte codes of the class to be loaded, the class to be loaded is indicated to be a safe static class, and the first matching result is that the matching is successful; when the bytecode of the legal static class does not include the bytecode of the class to be loaded, the class to be loaded is determined to be an unsafe static class, the first matching result is a matching failure, and alarm interception is required.
It should be noted that the alarm mode may be displaying alarm information, or sending the alarm information to an operator, so that the operator can know unsafe static classes in time and take corresponding interception measures in time.
According to the safety protection method provided by the invention, when the class to be loaded is determined to belong to the legal static class in the white list, the byte code of the class to be loaded is further matched with the byte code of the legal static class, and whether the class to be loaded is the safe static class is determined based on the obtained first matching result, so that the safety protection of the network is realized.
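The monitoring point of step 101 and the static-class branch of steps 1021, 1031 and 1032, written as a Java agent. This is an added example, not code from the patent or from Qianxin: the patent describes the class transformer as the monitoring point and a white list of class names with their legal bytecode, and everything else here is an assumption, including the whitelist file name and its one-line-per-class format (internal class name, then the SHA-256 of the legal bytecode), the use of a digest rather than a byte-by-byte comparison, and the way a rejected load is intercepted.

```java
import java.io.IOException;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.ProtectionDomain;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;

/** Monitoring point (step 101) plus the static-class branch of steps 102/103. Added example. */
public final class WhitelistAgent implements ClassFileTransformer {

    /** Legal static class information: internal class name -> hex SHA-256 of its legal bytecode. */
    private final Map<String, String> legalStatic;

    WhitelistAgent(Map<String, String> legalStatic) {
        this.legalStatic = legalStatic;
    }

    /** Entry point for -javaagent:whitelist-agent.jar=/path/to/whitelist.txt (assumed layout). */
    public static void premain(String agentArgs, Instrumentation inst) throws IOException {
        inst.addTransformer(new WhitelistAgent(loadWhitelist(Path.of(agentArgs))));
    }

    /** Whitelist file format (assumption): "<internal class name> <sha256 hex>" per line, '#' comments. */
    static Map<String, String> loadWhitelist(Path file) throws IOException {
        Map<String, String> whitelist = new HashMap<>();
        for (String raw : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            String line = raw.strip();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] parts = line.split("\\s+", 2);
            if (parts.length == 2) whitelist.put(parts[0], parts[1].toLowerCase());
        }
        return whitelist;
    }

    enum Verdict { SAFE_STATIC, UNSAFE_STATIC, NOT_A_STATIC_CLASS }

    /** First matching result: class-name lookup first, then the bytecode comparison (by digest). */
    Verdict matchStatic(String className, byte[] bytecode) {
        String expected = legalStatic.get(className);
        if (expected == null) return Verdict.NOT_A_STATIC_CLASS;   // left to the dynamic-class branch
        return expected.equals(sha256Hex(bytecode)) ? Verdict.SAFE_STATIC : Verdict.UNSAFE_STATIC;
    }

    @Override
    public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined,
                            ProtectionDomain protectionDomain, byte[] classfileBuffer) {
        if (className == null) return null;            // the JVM passes null for some unnamed classes
        switch (matchStatic(className, classfileBuffer)) {
            case SAFE_STATIC:
                return null;                            // load the class unchanged
            case UNSAFE_STATIC:
                // Alarm, then intercept. An exception thrown from transform() is ignored by the JVM
                // (the load proceeds as if null were returned), so the load is aborted by handing
                // back a deliberately malformed class file instead.
                System.err.println("[whitelist] ALARM: bytecode of " + className
                        + " does not match the white list; load rejected");
                return new byte[0];                     // the JVM raises ClassFormatError for this class
            default:
                return null;                            // not a listed static class: dynamic checks go here
        }
    }

    static String sha256Hex(byte[] data) {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }
}
```

The agent jar needs a `Premain-Class: WhitelistAgent` manifest entry, and `HexFormat` requires Java 17 or later. Two points worth checking in any deployment of this idea: classes that were already loaded before the agent attached are never passed to the transformer, so the monitoring point only covers loads that happen afterwards; and the rejection surfaces to the code that triggered the load as a `ClassFormatError`, which the application may catch, so the alarm line is the record that must reach the operator.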
Optionally, the legal class information further includes legal dynamic class information; fig. 3 is a third schematic flow chart of the security protection method provided by the present invention, and as shown in fig. 3, when it is determined that the class name of the legal static class in the white list does not include the class name of the class to be loaded, step 103 may be specifically implemented by the following steps:
step 1033, when it is determined that the class name of the legal static class in the white list does not include the class name of the class to be loaded, matching the class to be loaded with the legal dynamic class information in the white list to obtain a second matching result.
A dynamic class is generated only while the JVM is running and does not exist when the JVM is not running. It usually resides in the running memory of the operating system and no class file is formed; some third-party frameworks, however, provide parameter settings that export dynamic classes to system storage in the form of class files.
Step 1034, determining whether the class to be loaded is safe based on the second matching result.
Illustratively, when it is determined that the class name of the legal static class in the white list does not include the class name of the class to be loaded, it is indicated that the class to be loaded does not belong to the legal static class in the white list, but belongs to the dynamic class, at this time, it is necessary to further match the class to be loaded with the legal dynamic class information in the white list, and determine whether the class to be loaded is safe based on a second matching result obtained by matching.
Optionally, the legal dynamic class information includes a legal sequence corresponding to the legal dynamic class; step 1033 may be specifically implemented by:
acquiring stack information of the thread running the class to be loaded;
and when determining that the legal sequence in the white list does not contain the sequence in the stack information, determining that the second matching result is a matching failure.
And when the legal sequence in the white list contains the sequence in the stack information, determining that the second matching result is successful in matching.
Specifically, when the second matching result is that matching fails, it is determined that the class to be loaded is an unsafe dynamic class.
The stack information is composed of a plurality of nodes; each node comprises a class name and the corresponding class method, and these class names and class methods together form the sequence in the stack information.
Illustratively, when the class to be loaded is determined to be the dynamic class, a sequence in stack information of a thread running the class to be loaded is obtained, whether a legal sequence in a white list contains a sequence in the stack information of the thread is determined, and when the legal sequence in the white list does not contain the sequence in the stack information of the thread, the class to be loaded is indicated to be the malicious dynamic class, namely the unsafe dynamic class, and the second matching result is matching failure; when the legal sequence in the white list contains the sequence in the stack information of the thread, the second matching result is that the matching is successful, and at this time, whether the class to be loaded is credible needs to be further judged.
According to the safety protection method provided by the invention, when the class to be loaded is determined to be the dynamic class, the class to be loaded is matched with the legal dynamic class information in the white list, and whether the class to be loaded is the safe dynamic class is determined based on the second matching result obtained by matching, so that the safety protection of the network is further realized, and the accuracy of the safety protection of the network is improved.
Optionally, the legal dynamic class information further includes a bytecode of the legal dynamic class; fig. 4 is a fourth schematic flow chart of the safety protection method provided by the present invention, as shown in fig. 4, when the second matching result is a successful matching, step 1034 can be specifically implemented by the following steps:
step 10341, when the second matching result is a successful matching, matching the bytecode of the class to be loaded with the bytecode of the legal dynamic class in the white list to obtain a third matching result.
Step 10342, determining whether the class to be loaded is safe based on the third matching result.
Illustratively, when the second matching result is that the matching is successful, it is further required to analyze whether the class to be loaded is trusted, that is, to check whether the content of the bytecode of the class to be loaded matches the content of the bytecode of the legal dynamic class in the white list, to obtain a third matching result, and to determine whether the class to be loaded is the safe dynamic class based on the third matching result.
Alternatively, step 10341 may be specifically implemented by:
when determining that the byte code of the legal dynamic class in the white list contains the byte code of the class to be loaded, determining that the third matching result is successful; and when determining that the byte code of the class to be loaded is not contained in the byte codes of the legal dynamic classes in the white list, determining that the third matching result is matching failure.
Specifically, when the third matching result is that the matching is successful, determining that the class to be loaded is a safe dynamic class; and when the third matching result is that the matching fails, determining that the class to be loaded is an unsafe dynamic class.
Illustratively, when the second matching result is that the matching is successful, it is further required to analyze whether the class to be loaded is trusted, that is, to check whether the content of the bytecode of the class to be loaded conforms to the content of the bytecode of the legal dynamic class in the white list, and when it is determined that the content of the bytecode of the class to be loaded conforms to the content of the bytecode of the legal dynamic class in the white list, it is determined that the class to be loaded is a trusted dynamic class, that is, a secure dynamic class, and the third matching result is that the matching is successful; when the content of the bytecode of the class to be loaded is determined not to be in accordance with the content of the bytecode of the legal dynamic class in the white list, the class to be loaded is determined to be an untrusted dynamic class, namely, an unsecure dynamic class, and the third matching result is that the matching fails, and alarm interception needs to be performed.
According to the safety protection method provided by the invention, when the second matching result is successful, the byte code of the class to be loaded is further matched with the byte code of the legal dynamic class in the white list, and finally whether the class to be loaded is a safe and credible dynamic class is determined based on the third matching result obtained by matching, so that the safety protection of the network is further realized, and the accuracy of the network safety protection is improved.
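The dynamic-class branch of steps 1033, 1034, 10341 and 10342, as an added example that is not the patent's or Qianxin's code. The patent specifies the stack information as a sequence of class-name/method nodes, a legal sequence recorded in the white list, and a bytecode match; the rest is assumed here: a legal sequence counts as matched when it occurs as a contiguous run of frames in the thread's stack, bytecode is compared by SHA-256 digest, and the trusted generator, the sample sequence and the sample bytecode in `main` are constructed stand-ins for a whitelisted framework. The same stack walk, run during the collection phase, is what would produce the legal sequences that go into the white list.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HexFormat;
import java.util.List;
import java.util.Set;

/** Dynamic-class branch (steps 1033, 1034, 10341, 10342). Added example, not the patent's code. */
public final class DynamicClassCheck {

    enum Verdict { SAFE_DYNAMIC, UNSAFE_SEQUENCE, UNSAFE_BYTECODE }

    /** Legal dynamic class information: trusted generation sequences and legal bytecode digests. */
    private final List<List<String>> legalSequences;
    private final Set<String> legalDynamicHashes;

    DynamicClassCheck(List<List<String>> legalSequences, Set<String> legalDynamicHashes) {
        this.legalSequences = legalSequences;
        this.legalDynamicHashes = legalDynamicHashes;
    }

    /** Stack information of the current thread: one "class name.method" node per frame, innermost first. */
    static List<String> stackSequence() {
        return StackWalker.getInstance()
                .walk(frames -> frames.map(f -> f.getClassName() + "." + f.getMethodName()).toList());
    }

    /** Second matching result: some legal sequence must occur contiguously in the stack information. */
    static boolean containsLegalSequence(List<String> stack, List<List<String>> legalSequences) {
        for (List<String> legal : legalSequences) {
            if (!legal.isEmpty() && Collections.indexOfSubList(stack, legal) >= 0) return true;
        }
        return false;
    }

    /** Steps 1033/1034: the sequence check first, then the third (bytecode) match on success. */
    Verdict check(byte[] bytecode) {
        if (!containsLegalSequence(stackSequence(), legalSequences)) return Verdict.UNSAFE_SEQUENCE;
        if (!legalDynamicHashes.contains(sha256Hex(bytecode))) return Verdict.UNSAFE_BYTECODE;
        return Verdict.SAFE_DYNAMIC;
    }

    static String sha256Hex(byte[] data) {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    /** Constructed stand-in for a whitelisted framework path that generates dynamic classes. */
    static final class TrustedGenerator {
        static Verdict generate(DynamicClassCheck check, byte[] bytecode) {
            return check.check(bytecode);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: the legal bytecode and the trusted generation sequence.
        byte[] legalBytes = "constructed bytes of a legal dynamic class".getBytes(StandardCharsets.UTF_8);
        List<String> trustedPath =
                List.of("DynamicClassCheck$TrustedGenerator.generate", "DynamicClassCheck.main");
        DynamicClassCheck check =
                new DynamicClassCheck(List.of(trustedPath), Set.of(sha256Hex(legalBytes)));

        // Legal bytecode reached through the trusted path.
        System.out.println(TrustedGenerator.generate(check, legalBytes));
        // Same bytecode, but invoked directly from main: no legal sequence in the stack.
        System.out.println(check.check(legalBytes));
        // Trusted path, but bytecode that is not in the white list.
        System.out.println(TrustedGenerator.generate(check, new byte[] {1, 2}));
    }
}
```

The three calls in `main` exercise the three verdicts in order: a safe dynamic class, a sequence failure (second matching result fails, step 1033), and a bytecode failure (third matching result fails, step 10342). Exact-digest matching of dynamic bytecode assumes the framework emits identical bytes on every run; where a generator embeds run-specific data, the collection phase has to normalise that before recording the legal bytecode.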
Optionally, fig. 5 is a fifth schematic flowchart of the safety protection method provided by the present invention, as shown in fig. 5, before step 102, the method further includes the following steps:
Step 104, scanning deployment codes and deployment middleware codes to obtain the legal static class information, and recording the legal static class information in the white list.
Illustratively, the static class collection module is responsible for scanning the deployed target program, which comprises the deployment codes and the deployment middleware codes. These are compressed files in jar format; the compressed files are parsed to obtain each static class file they contain, the class name and the bytecode content of each static class file are marked, and the marked class name and bytecode of each static class file are determined to be legal static class information and recorded in the white list.
It should be noted that, the step 104 may be executed before the step 102, or may be executed before the step 101, which is not limited by the present invention.
The safety protection method provided by the invention records the types and byte codes of the static class files obtained by scanning the deployment codes and the deployment middleware codes in the white list in advance, so that whether the class to be loaded is a safe static class or not is conveniently judged based on the white list.
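Step 104 as a whitelist builder: walk a deployment directory, open each jar, and record the name and bytecode digest of every class file, in a one-line-per-class format that a loading agent can read back. This is an added example, not the patent's or Qianxin's code; the patent says only that the jars are parsed and the class name and bytecode of each static class are recorded, so the SHA-256 digest, the output format and the handling of `META-INF/versions` entries are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.List;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.stream.Stream;

/** Step 104: building the legal static class information ahead of time. Added example. */
public final class WhitelistBuilder {

    /** Scan every jar under the deployment directory: internal class name -> SHA-256 of its bytecode. */
    static SortedMap<String, String> scanStaticClasses(Path deployDir) throws IOException {
        SortedMap<String, String> legalStatic = new TreeMap<>();
        List<Path> jars;
        try (Stream<Path> files = Files.walk(deployDir)) {
            jars = files.filter(p -> p.toString().endsWith(".jar")).toList();
        }
        for (Path jarPath : jars) {
            try (JarFile jar = new JarFile(jarPath.toFile())) {
                for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                    JarEntry entry = e.nextElement();
                    String name = entry.getName();
                    // Plain class entries only. Multi-release overlays under META-INF/versions are
                    // skipped so the recorded name matches the internal name the JVM reports at load.
                    if (entry.isDirectory() || !name.endsWith(".class") || name.startsWith("META-INF/")) {
                        continue;
                    }
                    String className = name.substring(0, name.length() - ".class".length());
                    try (InputStream in = jar.getInputStream(entry)) {
                        legalStatic.put(className, sha256Hex(in.readAllBytes()));
                    }
                }
            }
        }
        return legalStatic;
    }

    /** Serialise the white list as "<internal class name> <sha256 hex>" lines (assumed format). */
    static void writeWhitelist(SortedMap<String, String> legalStatic, Path out) throws IOException {
        List<String> lines = new ArrayList<>();
        lines.add("# legal static class information, generated by scanning deployment jars");
        legalStatic.forEach((name, digest) -> lines.add(name + " " + digest));
        Files.write(out, lines, StandardCharsets.UTF_8);
    }

    static String sha256Hex(byte[] data) {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: WhitelistBuilder <deployment-dir> <whitelist.txt>");
            return;
        }
        SortedMap<String, String> legalStatic = scanStaticClasses(Path.of(args[0]));
        writeWhitelist(legalStatic, Path.of(args[1]));
        System.out.println("recorded " + legalStatic.size() + " legal static classes");
    }
}
```

Two practical caveats: if the same class name appears in more than one jar (a shaded dependency, or two versions on the classpath) the later scan silently wins here, and a real builder should report such collisions rather than pick one; and war files nest their jars under `WEB-INF/lib`, so a deployment in that form needs the nested jars extracted or read through a second level of `JarFile` before scanning.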
Optionally, fig. 6 is a sixth schematic flow chart of the safety protection method provided by the present invention, as shown in fig. 6, the method further includes the following steps:
Step 105, acquiring byte codes of legal dynamic classes and stack information of the threads running the dynamic classes, performing security analysis on the stack information of the threads running the dynamic classes to obtain the legal sequences included in that stack information, and recording the legal sequences and the byte codes of the legal dynamic classes in the white list.
Illustratively, the dynamic class generation trusted sequence collection module is responsible for collecting the generation information of various dynamic classes in advance, that is, analyzing the Java Development Kit (JDK) and the source code (deployment codes and deployment middleware codes) of various other third-party frameworks. When a dynamic class is generated, the stack information of the thread running the dynamic class is obtained, each sequence included in the stack information is analyzed, and each such sequence is determined to be a trusted sequence, that is, a legal sequence, and recorded in the white list; in addition, the bytecode of each collected dynamic class is recorded in the white list as the bytecode of a legal dynamic class.
According to the safety protection method provided by the invention, the legal sequence obtained by scanning the deployment codes and the deployment middleware codes of the JDK and other various third-party frameworks and the byte codes of the legal dynamic classes are recorded in the white list, so that whether the to-be-loaded dynamic classes are safe or not can be conveniently judged based on the white list.
Fig. 7 is a schematic structural diagram of a safety protection device provided by the present invention, and as shown in fig. 7, the safety protection device includes a first obtaining unit 701, a matching unit 702, and a determining unit 703; wherein:
a first obtaining unit 701, configured to obtain a class to be loaded through a monitoring point;
a matching unit 702, configured to match the class to be loaded with the legal class information included in the white list, so as to obtain a matching result;
a determining unit 703 is configured to determine whether the class to be loaded is safe based on the matching result.
According to the safety protection device provided by the embodiment of the invention, the class to be loaded is obtained through the monitoring point, the class to be loaded is matched with the legal class information included in the white list, and finally whether the class to be loaded is safe is determined based on the matching result. This is a white-list protection approach: only the known legal classes recorded in the white list are allowed to be loaded and unknown classes are not, so attacks that rely on loading an unknown class are prevented and the network is protected.
Based on any of the above embodiments, the legal class information includes legal static class information, and the legal static class information includes a class name of a legal static class and the bytecode of the corresponding legal static class; the matching unit 702 is specifically configured to:
and when the class name of the legal static class in the white list is determined to contain the class name of the class to be loaded, matching the byte code of the class to be loaded with the byte code of the legal static class to obtain a first matching result.
Based on any of the above embodiments, the matching unit 702 is further specifically configured to:
when determining that the byte codes of the legal static classes in the white list contain the byte codes of the classes to be loaded, determining that the first matching result is successful in matching;
and when determining that the byte codes of the legal static classes in the white list do not contain the byte codes of the classes to be loaded, determining that the first matching result is matching failure.
Based on any of the above embodiments, the determining unit 703 is specifically configured to:
when the first matching result is that matching is successful, determining that the class to be loaded is a safe static class;
and when the first matching result is matching failure, determining that the class to be loaded is an unsafe static class.
Based on any of the above embodiments, the legal class information further includes legal dynamic class information; the determining unit 703 is further specifically configured to:
when the class name of the legal static class in the white list does not contain the class name of the class to be loaded, matching the class to be loaded with the legal dynamic class information in the white list to obtain a second matching result;
and determining whether the class to be loaded is safe or not based on the second matching result.
Based on any of the above embodiments, the legal dynamic class information includes a legal sequence corresponding to the legal dynamic class; the determining unit 703 is further specifically configured to:
acquiring stack information of the thread running the class to be loaded;
when determining that the legal sequence in the white list does not contain the sequence in the stack information, determining that the second matching result is a matching failure;
and when the legal sequence in the white list contains the sequence in the stack information, determining that the second matching result is successful in matching.
Based on any of the above embodiments, the determining unit 703 is further specifically configured to:
and when the second matching result is that matching fails, determining that the class to be loaded is an unsafe dynamic class.
Based on any of the above embodiments, the legal dynamic class information further includes a bytecode of the legal dynamic class; the determining unit 703 is further specifically configured to:
when the second matching result is successful, matching the byte code of the class to be loaded with the byte code of the legal dynamic class in the white list to obtain a third matching result;
and determining whether the class to be loaded is safe or not based on the third matching result.
Based on any of the above embodiments, the determining unit 703 is further specifically configured to:
when determining that the byte codes of the legal dynamic classes in the white list contain the byte codes of the classes to be loaded, determining that the third matching result is successful in matching;
and when determining that the byte codes of the legal dynamic classes in the white list do not contain the byte codes of the classes to be loaded, determining that the third matching result is matching failure.
Based on any of the above embodiments, the determining unit 703 is further specifically configured to:
when the third matching result is that the matching is successful, determining that the class to be loaded is a safe dynamic class;
and when the third matching result is that the matching fails, determining that the class to be loaded is an unsafe dynamic class.
Based on any embodiment above, the apparatus further comprises:
and the scanning unit is used for scanning the deployment code and the deployment middleware code to obtain the legal static class information and recording the legal static class information in the white list.
Based on any embodiment above, the apparatus further comprises:
the second acquisition unit is used for acquiring the byte codes of the legal dynamic classes and the stack information of the threads for operating the dynamic classes;
the analysis unit is used for carrying out security analysis on the stack information of the thread running the dynamic class to obtain a legal sequence included in the stack information of the thread running the dynamic class; and recording the legal sequence and the byte codes of the legal dynamic class in the white list.
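The following Python code is an added example for this page, not the patent's own implementation or code from the applicant. It models the three matching steps described above for the matching unit 702 and the determining unit 703 (first match on a static class's name and bytecode, second match on the legal sequence in the loading thread's stack, third match on the dynamic class's bytecode), together with the scanning, second acquisition and analysis units that build the white list (step 105 above). The class names, bytecode, stack frames and the use of a SHA-256 digest to record bytecode are constructed assumptions; the patent only says the bytecode and sequences are "recorded". Because the text does not define how a stack sequence is compared with a legal sequence, the example interprets "the legal sequence contains the sequence in the stack information" as a recorded sequence of frames appearing as a contiguous run in the loading thread's stack.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Frame = str                      # "package.Class.method", innermost frame first
Sequence = Tuple[Frame, ...]     # a run of frames that generated a dynamic class


def bytecode_digest(bytecode: bytes) -> str:
    # Assumption: the white list stores a SHA-256 digest of the class bytes rather
    # than the raw bytecode; the patent only says the bytecode is "recorded".
    return hashlib.sha256(bytecode).hexdigest()


@dataclass
class WhiteList:
    static_classes: Dict[str, Set[str]] = field(default_factory=dict)  # name -> digests
    legal_sequences: Set[Sequence] = field(default_factory=set)
    dynamic_bytecodes: Set[str] = field(default_factory=set)

    def record_static(self, name: str, bytecode: bytes) -> None:
        """Scanning unit: record a static class found in deployment/middleware code."""
        self.static_classes.setdefault(name, set()).add(bytecode_digest(bytecode))

    def record_dynamic(self, bytecode: bytes, stack: List[Frame], depth: int) -> None:
        """Second acquisition + analysis unit: record the trusted generating sequence
        (here the innermost `depth` frames) and the bytecode of a dynamic class seen
        while running the JDK or trusted framework code."""
        self.legal_sequences.add(tuple(stack[:depth]))
        self.dynamic_bytecodes.add(bytecode_digest(bytecode))


def sequence_is_legal(wl: WhiteList, stack: List[Frame]) -> bool:
    """Second match: does some legal sequence occur as a contiguous run in the stack?"""
    for seq in wl.legal_sequences:
        n = len(seq)
        for i in range(len(stack) - n + 1):
            if tuple(stack[i:i + n]) == seq:
                return True
    return False


def check_class_load(wl: WhiteList, name: str, bytecode: bytes, stack: List[Frame]) -> str:
    """Matching + determining units; returns one of the four verdicts used in the text."""
    digest = bytecode_digest(bytecode)
    if name in wl.static_classes:
        # first matching result: known static class name, compare its bytecode
        if digest in wl.static_classes[name]:
            return "safe static class"
        return "unsafe static class"          # e.g. a replaced or tampered class file
    # name unknown among static classes: evaluate it as a dynamic class
    if not sequence_is_legal(wl, stack):
        return "unsafe dynamic class"         # second matching result: failure
    # third matching result: bytecode of the dynamically generated class
    if digest in wl.dynamic_bytecodes:
        return "safe dynamic class"
    return "unsafe dynamic class"


# --- constructed sample data (placeholders, not values from the patent) --------
STATIC_BYTECODE = b"\xca\xfe\xba\xbe" + b"OrderService-v1"
PROXY_BYTECODE = b"\xca\xfe\xba\xbe" + b"$Proxy-generated"
TRUSTED_STACK: List[Frame] = [            # innermost first, as a thread dump lists it
    "java.lang.reflect.Proxy.newProxyInstance",
    "com.example.framework.ProxyFactory.create",
    "com.example.app.Main.main",
]
UNTRUSTED_STACK: List[Frame] = [
    "java.lang.ClassLoader.defineClass",
    "com.example.unknown.RemoteLoader.load",
    "com.example.app.Main.main",
]


def build_demo_whitelist() -> WhiteList:
    """Build the white list as the scanning/collection units would, from sample data."""
    wl = WhiteList()
    wl.record_static("com.example.app.OrderService", STATIC_BYTECODE)
    wl.record_dynamic(PROXY_BYTECODE, TRUSTED_STACK, depth=2)
    return wl


def run_demo() -> Dict[str, str]:
    """Exercise every branch of the decision logic and return the verdicts."""
    wl = build_demo_whitelist()
    svc = "com.example.app.OrderService"
    proxy = "com.sun.proxy.$Proxy12"
    return {
        "static_ok": check_class_load(wl, svc, STATIC_BYTECODE, []),
        "static_tampered": check_class_load(wl, svc, STATIC_BYTECODE + b"!", []),
        "dynamic_ok": check_class_load(wl, proxy, PROXY_BYTECODE, TRUSTED_STACK),
        "dynamic_bad_stack": check_class_load(wl, proxy, PROXY_BYTECODE, UNTRUSTED_STACK),
        "dynamic_bad_bytes": check_class_load(wl, proxy, PROXY_BYTECODE + b"!", TRUSTED_STACK),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:18s} -> {verdict}")
```

The order of the checks mirrors the text: a class whose name is known as a static class is never evaluated as a dynamic class, so a tampered copy of a known static class is rejected on the first match rather than being given a second chance through the stack-sequence check. In a real Java deployment the monitoring point would be a ClassFileTransformer or equivalent hook that supplies the class name, bytes and the loading thread's stack trace; that integration is outside what the page describes and is not shown here.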
Fig. 8 illustrates a physical structure diagram of an electronic device. As shown in fig. 8, the electronic device may include a processor 810, a communication interface 820, a memory 830 and a communication bus 840, wherein the processor 810, the communication interface 820 and the memory 830 communicate with each other via the communication bus 840. The processor 810 may call logic instructions in the memory 830 to perform the following method: acquiring a class to be loaded through a monitoring point;
matching the class to be loaded with legal class information included in a white list to obtain a matching result;
and determining whether the class to be loaded is safe or not based on the matching result.
In addition, the logic instructions in the memory 830 may be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product, where the computer program product includes a computer program, the computer program may be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, a computer can execute the security protection method provided by the above methods, where the method includes: acquiring a class to be loaded through a monitoring point;
matching the class to be loaded with legal class information included in a white list to obtain a matching result;
and determining whether the class to be loaded is safe or not based on the matching result.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, the computer program being implemented by a processor to perform the security protection method provided by the above methods, the method including: acquiring a class to be loaded through a monitoring point;
matching the class to be loaded with legal class information included in a white list to obtain a matching result;
and determining whether the class to be loaded is safe or not based on the matching result.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (16)

1. A method of safety protection, comprising:
acquiring a class to be loaded through a monitoring point;
matching the class to be loaded with legal class information included in a white list to obtain a matching result;
and determining whether the class to be loaded is safe or not based on the matching result.
2. The security protection method according to claim 1, wherein the legal class information includes legal static class information, and the legal static class information includes a class name of a legal static class and a corresponding bytecode of the legal static class;
the matching the class to be loaded with the legal class information included in the white list to obtain a matching result includes:
and when the class name of the legal static class in the white list is determined to contain the class name of the class to be loaded, matching the byte code of the class to be loaded with the byte code of the legal static class to obtain a first matching result.
3. The security protection method according to claim 2, wherein the matching the bytecode of the class to be loaded with the bytecode of the legal static class to obtain a first matching result, includes:
when determining that the byte codes of the legal static classes in the white list contain the byte codes of the classes to be loaded, determining that the first matching result is successful in matching;
and when determining that the byte codes of the legal static classes in the white list do not contain the byte codes of the classes to be loaded, determining that the first matching result is matching failure.
4. The security protection method according to claim 3, wherein the determining whether the class to be loaded is secure based on the matching result comprises:
when the first matching result is that matching is successful, determining that the class to be loaded is a safe static class;
and when the first matching result is matching failure, determining that the class to be loaded is an unsafe static class.
5. The security protection method according to claim 2, wherein the legal class information further includes legal dynamic class information;
the determining whether the class to be loaded is safe based on the matching result includes:
when the class name of the legal static class in the white list does not contain the class name of the class to be loaded, matching the class to be loaded with the legal dynamic class information in the white list to obtain a second matching result;
and determining whether the class to be loaded is safe or not based on the second matching result.
6. The security protection method according to claim 5, wherein the legal dynamic class information includes a legal sequence corresponding to the legal dynamic class;
the matching the class to be loaded with the legal dynamic class information in the white list to obtain a second matching result, including:
acquiring stack information of the thread running the class to be loaded;
when determining that the legal sequence in the white list does not contain the sequence in the stack information, determining that the second matching result is a matching failure;
and when the legal sequence in the white list contains the sequence in the stack information, determining that the second matching result is successful in matching.
7. The security protection method of claim 6, wherein the determining whether the class to be loaded is secure based on the second matching result comprises:
and when the second matching result is that the matching fails, determining that the class to be loaded is an unsafe dynamic class.
8. The method of claim 6, wherein the legal dynamic class information further comprises a bytecode of the legal dynamic class; the determining whether the class to be loaded is safe based on the second matching result includes:
when the second matching result is successful, matching the byte code of the class to be loaded with the byte code of the legal dynamic class in the white list to obtain a third matching result;
and determining whether the class to be loaded is safe or not based on the third matching result.
9. The security protection method according to claim 8, wherein the matching the bytecode of the class to be loaded with the bytecode of the legal dynamic class in the whitelist to obtain a third matching result includes:
when determining that the byte codes of the legal dynamic classes in the white list contain the byte codes of the classes to be loaded, determining that the third matching result is successful in matching;
and when determining that the byte codes of the legal dynamic classes in the white list do not contain the byte codes of the classes to be loaded, determining that the third matching result is matching failure.
10. The security protection method of claim 9, wherein the determining whether the class to be loaded is secure based on the third matching result comprises:
when the third matching result is that the matching is successful, determining that the class to be loaded is a safe dynamic class;
and when the third matching result is that the matching fails, determining that the class to be loaded is an unsafe dynamic class.
11. The security protection method according to claim 2, wherein before the matching the class to be loaded with the legal class information included in the white list to obtain a matching result, the method further includes:
and scanning deployment codes and deployment middleware codes to obtain the legal static type information, and recording the legal static type information in the white list.
12. The security protection method according to claim 5, wherein before the matching the class to be loaded with the legal dynamic class information in the whitelist to obtain a second matching result, the method further comprises:
acquiring byte codes of legal dynamic classes and stack information of threads running the dynamic classes;
performing security analysis on the stack information of the thread running the dynamic class to obtain a legal sequence included in the stack information of the thread running the dynamic class;
and recording the legal sequence and the byte codes of the legal dynamic class in the white list.
13. A safety protection apparatus, comprising:
the first acquisition unit is used for acquiring the class to be loaded through the monitoring point;
the matching unit is used for matching the class to be loaded with the legal class information included in the white list to obtain a matching result;
and the determining unit is used for determining whether the class to be loaded is safe or not based on the matching result.
14. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the safety protection method of any of claims 1 to 12 when executing the program.
15. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the safety protection method of any of claims 1 to 12.
16. A computer program product having executable instructions stored thereon, which when executed by a processor cause the processor to implement the safety protection method as claimed in any one of claims 1 to 12.
Application CN202210452044.2A, "Safety protection method and device": priority date 2022-04-26, filing date 2022-04-26, published as CN114896596A (en) on 2022-08-12; legal status Pending.

Family ID: 82718791 (one family application: CN202210452044.2A).

Country status: CN (1), CN114896596A (en).


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination