CN115455414A - Safety detection method and device - Google Patents

Safety detection method and device

Info

Publication number
CN115455414A
Authority
CN
China
Prior art keywords
information
safety
preset
security
detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211005879.XA
Other languages
Chinese (zh)
Inventor
钱枫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Geely Holding Group Co Ltd
Zhejiang Zeekr Intelligent Technology Co Ltd
Original Assignee
Zhejiang Geely Holding Group Co Ltd
Zhejiang Zeekr Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Geely Holding Group Co Ltd and Zhejiang Zeekr Intelligent Technology Co Ltd
Priority to CN202211005879.XA
Publication of CN115455414A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Telephone Function (AREA)

Abstract

The invention discloses a security detection method, a security detection apparatus, an electronic device and a storage medium. The method may include the following steps: when it is detected that a preset operation is executed on a target application in a terminal, scanning a preset file directory to obtain first security detection information; performing device information detection on the terminal to obtain multiple kinds of device information; acquiring security detection configuration information and performing security detection processing on the multiple kinds of device information according to that configuration information to obtain second security detection information; and performing corresponding security processing on the preset operation according to the first security detection information and the second security detection information. With this technical scheme, reliance on a single security detection mode is avoided, detection accuracy is improved, attacks by malicious software on the mobile device can be blocked in time, the risk of leaking user information and data is effectively reduced, and the security of the operating environment is improved.

Description

Safety detection method and device
Technical Field
The present disclosure relates to the field of system security, and in particular, to a security detection method and apparatus.
Background
With the wide spread of the mobile internet, terminals have become indispensable tools for daily life and enterprise operation, and accordingly a serious target of network attacks.
In the related art, the existing security detection means of the Android mobile device system generally make a simple decision based on basic information of the user's handset, comparison against a malware blacklist, and scanning of key system file information. For example, the basic information of the user equipment can be forged by a simulator, a multi-instance assistant, a virtual machine and the like, so that the detecting party is deceived and detection errors result. The detection is also not comprehensive enough, and dangerous operations may escape detection, so that the risk of leaking terminal information and data is high.
Disclosure of Invention
The present disclosure provides a security detection method and apparatus, which at least solve the problem in the related art of how to overcome the single security detection mode of a terminal system and improve detection accuracy. The technical scheme of the disclosure is as follows:
according to a first aspect of the embodiments of the present disclosure, there is provided a security detection method, including:
in a possible implementation manner, when a preset operation executed on a target application in a terminal is detected, scanning a preset file directory to obtain first safety detection information;
detecting and processing equipment information of the terminal to obtain various kinds of equipment information, wherein the various kinds of equipment information represent equipment attribute information, hardware information and software information of the terminal;
acquiring security detection configuration information, and performing security detection processing on the various equipment information according to the security detection configuration information to obtain second security detection information;
and performing corresponding safety processing on the preset operation according to the first safety detection information and the second safety detection information.
According to a second aspect of the embodiments of the present disclosure, there is provided a security detection apparatus including:
a first security detection information acquisition module, configured to scan a preset file directory to obtain first security detection information when it is detected that a preset operation is executed on a target application in a terminal;
a device information acquisition module, configured to perform device information detection on the terminal to obtain multiple kinds of device information, which represent device attribute information, hardware information and software information of the terminal;
a second security detection information acquisition module, configured to acquire security detection configuration information and perform security detection processing on the multiple kinds of device information according to it, so as to obtain second security detection information;
and a security processing module, configured to perform corresponding security processing on the preset operation according to the first security detection information and the second security detection information.
According to a third aspect of the embodiments of the present disclosure, there is provided an electronic apparatus including: a processor; a memory for storing the processor-executable instructions; wherein the processor is configured to execute the instructions to implement the method of any of the first aspects above.
According to a fourth aspect of the embodiments of the present disclosure, there is provided a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the security detection method provided by the first aspect.
The technical scheme provided by the embodiment of the disclosure at least brings the following beneficial effects:
The method obtains multiple kinds of device information for security detection, so that detection is more comprehensive and the problem of detection errors caused by single-source device information being forged by a simulator, a multi-instance assistant and the like is solved; a layered, progressive security detection mode, in which security processing is performed on the basis of the first security detection information and the second security detection information, avoids a single detection mode, improves detection accuracy, and improves the security of the operating environment.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure and are not to be construed as limiting the disclosure.
FIG. 1 is a schematic diagram illustrating an application environment according to an exemplary embodiment.
FIG. 2 is a flow diagram illustrating a security detection method according to an exemplary embodiment.
FIG. 3 is a flow diagram illustrating a security detection method according to another exemplary embodiment.
FIG. 4 is a flowchart illustrating obtaining third security detection information based on the operating environment information of the terminal according to an exemplary embodiment.
FIG. 5 is a flow diagram illustrating corresponding security processing for a preset operation according to an exemplary embodiment.
FIG. 6 is a flow diagram illustrating a system application scenario according to an exemplary embodiment.
FIG. 7 is a flow diagram illustrating another system application scenario according to an exemplary embodiment.
FIG. 8 is a block diagram of an apparatus according to an exemplary embodiment.
FIG. 9 is a schematic diagram of an electronic device according to an exemplary embodiment.
Detailed Description
In order to make the technical solutions of the present disclosure better understood by those of ordinary skill in the art, the technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are capable of operation in sequences other than those illustrated or otherwise described herein. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating an application environment according to an exemplary embodiment, which may include a server 01 and a terminal 02, as shown in fig. 1.
In an alternative embodiment, server 01 may be used to collect data for storage and continuously update regulatory security detection configuration information. Specifically, the server 01 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network), a big data and artificial intelligence platform, and the like.
In an optional embodiment, the terminal 02 performs dynamic security detection in combination with the server 01, which improves the flexibility of the security detection method. Specifically, the terminal 02 may include, but is not limited to, a smartphone, desktop computer, tablet computer, notebook computer, smart speaker, digital assistant, Augmented Reality (AR)/Virtual Reality (VR) device, smart wearable device, and other types of electronic devices. Optionally, the operating system running on the electronic device may include, but is not limited to, Android, iOS, Linux, Windows, and the like.
In addition, it should be noted that fig. 1 shows only the method and system for detecting the security of the android system operating environment provided by the present disclosure.
In the embodiment of the present specification, the server 01 and the terminal 02 may be directly or indirectly connected by a wired or wireless communication method, and the present application is not limited herein.
It should be noted that the following figures show one possible sequence of steps and do not limit the order that must be strictly followed; steps that do not depend on each other may be performed in parallel. The first security detection information (including but not limited to the second state information of the terminal's root authority, preset software installation information, etc.), the multiple kinds of device information (terminal device attribute information, sensor information, flash light information, Bluetooth information, simulator file information, system process controller information, etc.), the second security detection information (including but not limited to simulator security detection information or virtual machine security detection information, etc.) and the third security detection information (including but not limited to repeated start information of the target application, framework use information, the first state information of the terminal's root authority, etc.) involved in the present disclosure are information and data authorized by the user or sufficiently authorized by each party.
Fig. 2 is a flowchart illustrating a security detection method according to an exemplary embodiment, which may be applied to a terminal. As shown in fig. 2, the following steps may be included.
In step S201, when it is detected that a preset operation is performed on a target application in a terminal, a preset file directory is scanned to obtain first security detection information.
In the embodiment of the present application, the target application may be any application software on the terminal. The preset file directory is a file directory located in the terminal, and there may be one or more preset file directories. As an example, the preset file directory is set in advance, for instance according to the file directories associated with the first security detection information. In one example, the first security detection information characterizes security information of the terminal, such as whether the terminal is secure or its degree of security. For example, the first security detection information may include at least one of: second state information corresponding to the root authority of the terminal, and installation information of preset software. The preset software refers to software that affects the security of the terminal and the target application, such as the root-management tool Magisk or the AbstractEmu malware. Correspondingly, the preset file directory may include the permission information directory of the terminal, the terminal's application software installation directory, and the like. The present application does not limit the preset file directory; it may be set according to the first security detection information as long as it allows that information to be obtained accurately.
Optionally, the preset file directory may be stored in advance, so as to facilitate subsequent security detection.
In the embodiment of the application, when it is detected that the preset operation is executed on the target application in the terminal, the preset file directory is scanned to obtain the first security detection information. As an example, when the preset operation is detected, the preset file directory is read from storage and then scanned: for instance, the permission information directory and the application software installation directory of the terminal may be scanned by calling C code integrated in a dynamic link library, so as to obtain the first security detection information.
As an example, the preset operation may include a click start operation on the target application, and a trigger operation on a preset service in the target application, which is not limited in this application.
Optionally, a security detection Software Development Kit (SDK) may be integrated into the target application; when a preset operation is performed on the target application in the terminal, the security detection SDK is called to execute the security detection method.
In a possible implementation, the preset file directory is scanned by calling C code integrated in a dynamic link library, which increases the difficulty of decompiling and cracking and thereby improves the operating security of the target application.
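The directory scan behind step S201, as an added example (not code from the patent or its assignees): a small C routine of the kind that would sit in the native library, walking each preset directory with opendir/readdir and setting the root-state and preset-software flags that make up the first security detection information. The indicator names are assumptions for this example: "su" as a root-related binary and "com.example.rootmanager" as a placeholder package prefix; the directory paths in main are standard Android locations assumed for illustration, not taken from the patent.

```c
#include <dirent.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* First security detection information (step S201): the root-authority
 * state indicator and whether preset software appears to be installed. */
typedef struct {
    bool root_indicator_found;   /* a root-related binary was present */
    bool preset_software_found;  /* a preset (e.g. root-management) package was present */
    int  entries_scanned;        /* directory entries examined across all scans */
} first_detection_info_t;

/* Indicator names matched against directory entries. "su" is the usual root
 * binary; the package prefix is a hypothetical placeholder, not a real package. */
static const char *const ROOT_BINARY_NAMES[] = { "su" };
static const char *const PRESET_PACKAGE_PREFIXES[] = { "com.example.rootmanager" };

static bool starts_with(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Classify one directory entry name; returns true if it set any flag. */
bool classify_entry(const char *name, first_detection_info_t *info) {
    bool hit = false;
    for (size_t i = 0; i < sizeof ROOT_BINARY_NAMES / sizeof *ROOT_BINARY_NAMES; i++) {
        if (strcmp(name, ROOT_BINARY_NAMES[i]) == 0) {
            info->root_indicator_found = true;
            hit = true;
        }
    }
    for (size_t i = 0; i < sizeof PRESET_PACKAGE_PREFIXES / sizeof *PRESET_PACKAGE_PREFIXES; i++) {
        if (starts_with(name, PRESET_PACKAGE_PREFIXES[i])) {
            info->preset_software_found = true;
            hit = true;
        }
    }
    return hit;
}

/* Scan one preset directory. Returns the number of entries examined, or -1
 * if the directory cannot be opened; an absent directory contributes no
 * indicator and is not treated as a failure of the whole detection. */
int scan_preset_directory(const char *dir, first_detection_info_t *info) {
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        classify_entry(e->d_name, info);
        n++;
    }
    closedir(d);
    info->entries_scanned += n;
    return n;
}

/* Scan every preset directory and return the aggregated first detection info. */
first_detection_info_t scan_preset_directories(const char *const *dirs, size_t count) {
    first_detection_info_t info = { false, false, 0 };
    for (size_t i = 0; i < count; i++) scan_preset_directory(dirs[i], &info);
    return info;
}

int main(void) {
    /* Assumed directory list: standard Android binary and app-install paths.
     * On a real terminal the SDK would use its own preset directories. */
    const char *const dirs[] = { "/system/bin", "/data/app" };
    first_detection_info_t info = scan_preset_directories(dirs, 2);
    printf("entries=%d root=%d preset=%d\n", info.entries_scanned,
           info.root_indicator_found, info.preset_software_found);
    return 0;
}
```

The flags are deliberately kept separate rather than collapsed into one verdict: by the scheme in step S207 they are combined with the second security detection information before any processing is applied to the preset operation, so a single indicator never blocks the operation on its own.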
In step S203, the terminal is subjected to device information detection processing to obtain a plurality of types of device information, which represents device attribute information, hardware information, and software information of the terminal.
In the embodiment of the application, the multiple kinds of device information represent the device attribute information, hardware information and software information of the terminal. For example, the device attribute information may include at least one of baseband information and motherboard information; the hardware information may include at least one of sensor information, flash light information and Bluetooth information; and the software information may include at least one of simulator file information, system process controller information and the like. The simulator file information may be driver file information related to the virtual operating system simulator QEMU (Quick EMUlator) or Genymotion simulator file information, which the present application does not limit.
In the embodiment of the application, device information detection is performed on the terminal to obtain the multiple kinds of device information. As an example, a system file directory on the terminal is scanned to obtain the attribute information and system information of the terminal, so that the detection-error problem caused by single-source device information being forged by a simulator, a virtual machine and the like is solved.
In step S205, the security detection configuration information is obtained, and the security detection processing is performed on the multiple pieces of device information according to the security detection configuration information to obtain second security detection information, so that the accuracy of detection can be improved.
In this embodiment of the present application, the security detection configuration information refers to information used for performing security detection processing on the multiple kinds of device information; for example, it may include a security detection threshold and a preset detection manner, or a security detection manner corresponding to each kind of device information. The preset detection manner can be regarded as a security detection processing strategy used to perform security detection processing on the various kinds of device information.
The second security detection information may characterize security information of an object associated with the terminal within the terminal, i.e. whether the object associated with the terminal is secure or not. The terminal-related object may be an object for performing a simulation operation on the terminal, and the object may be a simulator, a virtual machine, or the like. For example, the second security detection information may include at least one of: the safety detection information of the simulator and the safety detection information of the virtual machine.
In this embodiment of the present application, the security detection configuration information is obtained, and security detection processing is performed on the multiple kinds of device information according to it, so as to obtain the second security detection information. As one example, the security detection configuration information is obtained from a server: the terminal uploads the various kinds of device information to the server and receives the security detection configuration information the server returns in response. Security detection processing is then performed on the multiple kinds of device information according to the obtained configuration; for example, the configuration may include a security detection manner corresponding to each kind of device information, so that each kind is checked in its corresponding manner, anomalies in the multiple kinds of device information are determined, and the second security detection information is obtained. Because the server regulates and dynamically adjusts the security detection configuration information, the problem that a single judgment interferes with normal use of the target application is avoided, and the accuracy of security detection is improved.
As one example, the security detection configuration information is determined based on historical security detection information, namely the second security detection information and the third security detection information stored by the server during the last security detection flow that was started. The last started security detection flow refers to the most recent occasion on which a preset operation on the target application in the terminal was detected and the security detection method was executed.
In a possible implementation, the preset detection manner refers to the way anomaly information is handled for each kind of device information, where the multiple kinds of device information represent the device attribute information, hardware information and software information of the terminal. The device attribute information may include at least one of baseband information and motherboard information, and the hardware information may include at least one of sensor information, flash light information and Bluetooth information. As an example, for different device information the preset detection manner may include the following manners:
When the device information is baseband information, the preset detection manner may be based on comparing the baseband information against a baseband anomaly threshold. Specifically, if the baseband information of the terminal exceeds the baseband anomaly threshold and the baseband information is null, the baseband anomaly value is updated, for example raised: a first preset baseband value, for example 2, may be added to the baseband anomaly value, which the present disclosure does not limit. If the baseband information exceeds the baseband anomaly threshold and is not null (for example, a value of 1.0.0.0), the baseband anomaly value is likewise raised by a second preset baseband value, which is greater than the first; for example, the second preset baseband value may be 5, which the present disclosure does not limit.
When the device information is motherboard information, the preset detection manner may be based on comparing the motherboard information against a motherboard anomaly threshold. Specifically, if the motherboard information of the terminal exceeds the motherboard anomaly threshold and the motherboard information is empty, the motherboard anomaly value is updated, for example raised: a first preset motherboard value, for example 1, may be added to the motherboard anomaly value, which the present disclosure does not limit. If the motherboard information exceeds the motherboard anomaly threshold and is not empty (for example, information such as VBOX (VirtualBox) or AOSP (Android Open Source Project)), the motherboard anomaly value is likewise raised by a second preset motherboard value, which is greater than the first; for example, the second preset motherboard value may be 2, which the present disclosure does not limit.
When the device information is hardware information, the preset detection manner may be based on comparing the hardware information against a baseband anomaly threshold. Specifically, the terminal is expected to include hardware such as a camera flash, a light sensor and Bluetooth; if the terminal lacks at least one of these, the hardware anomaly value is updated, for example raised by a preset hardware value such as 1, which the present disclosure does not limit.
When the device information is sensor information, the preset detection manner may be based on comparing the sensor information against a baseband anomaly threshold. Specifically, if the proportion of devices whose sensor count is below a first preset number, relative to the total number of devices, is below a first preset ratio, the sensor anomaly value of the device is updated. As an example, the first preset number may be a value between 10 and 13, for example 12, and the first preset ratio may be 0.1%; when the proportion of devices with more than 10 but fewer than 13 sensors is below 0.1%, a first preset sensor anomaly value, for example 1, may be added to the sensor anomaly value, which the present application does not limit. If the proportion of devices whose sensor count is below a second preset number, relative to the total number of devices, is below a second preset ratio, the sensor anomaly value is updated again. As an example, the second preset number may be 10 and the second preset ratio may be 0.01%; when that proportion is below 0.01%, a second preset sensor anomaly value, which is greater than the first and may for example be 2, is added to the sensor anomaly value, which the present application does not limit.
The anomaly values of the various kinds of device information are accumulated to obtain a terminal anomaly value. If the terminal anomaly value is greater than the security detection threshold, it is determined as the security detection information of the virtual machine or simulator; if the terminal anomaly value is smaller than the security detection threshold, the anomaly values of the various kinds of information are uploaded to the server and stored as a data record, providing data support for the security detection configuration information.
In a possible implementation, different device information is detected according to the security detection threshold and the preset detection manner, so as to obtain the security detection information of the simulator or of the virtual machine, and the second security detection information is determined from that result.
In step S207, corresponding security processing is performed on the preset operation according to the first security detection information and the second security detection information.
In the embodiment of the application, corresponding security processing is performed on the preset operation according to the first security detection information and the second security detection information. For example, security level information is determined from the first and second security detection information: a correspondence between the first security detection information, the second security detection information and the security level information is acquired, and the security level corresponding to the two pieces of detection information is looked up in it. Corresponding security processing is then performed on the preset operation according to the security level information, where a higher security level means the preset operation is considered safer. Accordingly, the security processing is positively correlated with the security level: the higher the security level, the simpler the corresponding security processing.
The security level information may be quantized information, or degree information corresponding to quantized values such as high, medium and low. The present application does not limit the number of security levels represented by the security level information.
Fig. 3 is a flow diagram illustrating another security detection method based on fig. 2 according to an example embodiment. As shown in fig. 3, the following steps may be included.
In step S301, operating environment information of the terminal is acquired.
In the embodiment of the application, the operating environment information of the terminal is represented by the internal information and the external calling information of the terminal. For example, the operating environment information of the terminal may include at least one of: the stack information, the preset file directory information and the dynamic link library file information of the virtual machine. The virtual machine is a virtual machine corresponding to the development language of the terminal, for example, in an android system, the virtual machine may be a Java virtual machine, an android virtual machine, and the like, which is not limited in this application.
As an example, the internal information and the external call information of the terminal may be scanned, for example, stack information, preset file directory information, dynamic link library file information, and the like of the virtual machine may be scanned, so as to obtain the operating environment information of the terminal.
In step S303, third security detection information is obtained according to the operating environment information of the terminal.
In this embodiment of the application, the third security detection information may represent security information of the file directory of the target application, that is, whether the target application is secure. For example, the third security detection information may include at least one of: repeated starting information of the target application, usage information of a preset framework, and first state information of the root authority. The preset framework is a service framework corresponding to the operating system of the terminal. For example, in the android system, the framework may be the Xposed framework, Cydia Substrate, or the like.
In the embodiment of the application, the third security detection information is obtained according to the running environment information of the terminal. As an example, the repeated starting information of the target application, the usage information of the preset framework, and the first state information of the root authority may be obtained by scanning the running environment information of the terminal, and the third safety detection information is then obtained based on these three items.
In step S305, corresponding security processing is performed on the preset operation according to the first security detection information, the second security detection information and the third security detection information.
In the embodiment of the present application, the preset operation is performed with corresponding security processing according to the first security detection information, the second security detection information, and the third security detection information, which is described in detail in step S207 above, and will not be described in detail here.
In an optional embodiment, when a click start operation is performed on a target application or a trigger operation is performed on a preset service in the target application, three processes are respectively created, where the three processes may be a pre-detection process, an independent detection process, and a client host process, and the application is not limited in this application. In the pre-detection process, the operation of acquiring the first safety detection information can be executed; executing the operation of acquiring the second safety detection information and the third safety detection information in the independent detection process; and executing corresponding safety processing on the preset operation in the client main process.
Fig. 4 is a flowchart illustrating obtaining third security detection information based on the operating environment information of the terminal according to an exemplary embodiment. In one possible implementation manner, as shown in fig. 4, the step S303 may include the following steps:
in step S401, the repeated start-up state of the target application is analyzed based on the software information, and repeated start-up information of the target application is determined.
In an embodiment of the present application, the software information may include at least one of: simulator file information and system process controller information, such as information on driver files related to a virtual operating system simulator, information on the Genymotion simulator, and control group (cgroup) process controller information. Specifically, the device application file directory, the application package name list, the system process list, and the like may be used, and the present application is not limited thereto.
The repeated starting information of the target application may include at least one of the following: file information in the device application file directory that duplicates the application, package name information in the application package name list that duplicates the application, and process information in the system process list whose user identifier (UID) part is duplicated.
In the embodiment of the application, the repeated starting state of the target application is analyzed based on the software information, and the repeated starting information of the target application is determined. For example, the repeated starting state may be analyzed based on the application file directory, the application package name list, and the system process list of the terminal, so as to obtain the repeated starting state information. Further, the repeated starting information of the target application is determined from that state information: the duplicate file information in the device application file directory, the duplicate package name information in the application package name list, and the process information with a duplicate UID part in the system process list.
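The package-name and process-list indicators of step S401, as an added example in Python that is not code from the patent: a constructed package list and a constructed, simplified process listing are examined for the target package appearing more than once, for more than one main process of the target, and for processes sharing the target's UID that are not its own sub-processes. Package names, UIDs and the listing format are constructed.

```python
from typing import Dict, List, NamedTuple


class ProcessEntry(NamedTuple):
    uid: str    # Android app user such as "u0_a101" (constructed)
    pid: int
    name: str   # main process "pkg" or sub-process "pkg:service"


def parse_process_list(text: str) -> List[ProcessEntry]:
    """Parse a simplified, constructed 'USER PID NAME' system process listing."""
    entries: List[ProcessEntry] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # header or malformed line
        entries.append(ProcessEntry(parts[0], int(parts[1]), parts[2]))
    return entries


def repeated_start_info(target_pkg: str, package_list: List[str],
                        processes: List[ProcessEntry]) -> Dict[str, object]:
    """Derive repeated-starting indicators for the target application."""
    # 1. application package name list: the target package listed more than once
    duplicate_package = package_list.count(target_pkg) > 1
    # 2. system process list: more than one main process of the target
    main_process_count = sum(1 for p in processes if p.name == target_pkg)
    # 3. processes that share the target's UID but are neither its main
    #    process nor one of its ':' sub-processes (constructed heuristic)
    own = {p for p in processes
           if p.name == target_pkg or p.name.startswith(target_pkg + ":")}
    own_uids = {p.uid for p in own}
    foreign_same_uid = sorted(p.name for p in processes
                              if p.uid in own_uids and p not in own)
    return {
        "duplicate_package": duplicate_package,
        "main_process_count": main_process_count,
        "foreign_same_uid": foreign_same_uid,
        "repeated_start": (duplicate_package or main_process_count > 1
                           or bool(foreign_same_uid)),
    }


# Constructed inputs: a terminal where the target runs twice, and a clean one.
TARGET = "com.example.bank"
PACKAGE_LIST = ["com.android.settings", TARGET, "com.clone.host", TARGET]
PROCESS_LIST = """\
USER PID NAME
root 1 init
u0_a101 2300 com.example.bank
u0_a101 2350 com.example.bank:push
u0_a120 3100 com.example.bank
u0_a120 3120 com.clone.host
u0_a102 2500 com.other.app
"""
CLEAN_PACKAGE_LIST = ["com.android.settings", TARGET]
CLEAN_PROCESS_LIST = """\
USER PID NAME
u0_a101 2300 com.example.bank
u0_a101 2350 com.example.bank:push
u0_a102 2500 com.other.app
"""

if __name__ == "__main__":
    print(repeated_start_info(TARGET, PACKAGE_LIST, parse_process_list(PROCESS_LIST)))
    print(repeated_start_info(TARGET, CLEAN_PACKAGE_LIST, parse_process_list(CLEAN_PROCESS_LIST)))
```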
In step S403, the stack information is analyzed to obtain the usage information of the preset framework.
In this embodiment, the preset framework is a service framework corresponding to the operating system of the terminal. For example, in the android system, the framework may be the Xposed framework, Cydia Substrate, and the like.
As an example, the stack information may be analyzed to obtain the usage information of the preset framework. For example, in the android system, the security detection software development kit integrated into the target application may capture stack information related to the Java virtual machine by throwing an exception whose stack trace contains the Xposed framework identifier. The Xposed framework key classes are then located in the stack information related to the Java virtual machine, so as to determine the usage information of the Xposed framework.
Optionally, the security detection software development kit integrated into the target application may also induce the Java virtual machine to throw an exception by acquiring Xposed framework key class information from the Java virtual machine class loader, so as to determine the usage information of the Xposed framework through a preset exception. The preset exception may be an exception that occurs when the Xposed framework is used, a division exception, an input/output (I/O) exception, and the like, and the present application is not limited thereto.
In step S405, a preset file directory is scanned and a dynamic link library file is called, and first state information corresponding to a root authority of the terminal is determined.
In this embodiment of the application, the preset file directory is scanned and the dynamic link library file is called to determine the first state information corresponding to the root authority of the terminal. As an example, the preset file directory may be obtained from storage and then scanned by calling a C language method integrated in the dynamic link library. For example, in the android system, the security detection software development kit integrated into the target application may invoke a C language method integrated in the dynamic link library to scan the preset file directory by executing a preset shell command.
Specifically, the security detection software development kit integrated into the target application creates an independent service process by calling the ZygotePreload class provided by the android system, and in that process determines the root authority information of the terminal and the installation information of preset software by calling a C language method integrated in the dynamic link library to scan the preset file directory; the preset software installation information may be installation information of Magisk and of malicious software associated with it. Further, the installation information of the preset software may be determined from the usage information of a preset Transmission Control Protocol (TCP) port. In this way, the situation in which malicious software hides its root traces and its own presence, increasing the risk to the target application, can be avoided.
In step S407, third security detection information is obtained based on the repeated starting information of the target application, the usage information of the preset framework, and the first state information of the root authority.
In the embodiment of the present application, the third security detection information is obtained based on the repeated starting information of the target application, the usage information of the preset framework, and the first state information of the root authority. As an example, the repeated starting information of the target application, the usage information of the preset framework, and the obtained state information of the root authority may be analyzed together to obtain the third security detection information.
In a possible implementation manner, the steps S401 to S405 may be performed in parallel, and the target application may be detected by combining multiple manners, such as the repeated starting information, the usage information of the preset framework, and the first state information of the root authority, so as to avoid the blind spots of relying on a single detection manner; security detection is thereby more comprehensive, and the accuracy of detection is improved.
FIG. 5 is a flow diagram illustrating a corresponding security process for a preset operation in accordance with an illustrative embodiment. In one possible implementation manner, as shown in fig. 5, the step S305 may include the following steps:
in step S501, if the security level information is higher than or equal to the first preset level, the preset operation is determined as the security operation, and the step of obtaining the second security detection information and the third security detection information is returned to perform the redetermination of the security level information.
In the embodiment of the present application, it should be noted that the re-determination of the security level information is performed by periodically detecting the second security detection information and the third security detection information.
As an example, if the security level information is higher than or equal to the first preset level, the preset operation is determined as the security operation, and the step of obtaining the second security detection information and the third security detection information is returned to in order to re-determine the security level information. For example, the correspondence between the first security detection information, the second security detection information, the third security detection information, and the security level information may be acquired, so that the security level information may be determined according to the correspondence. If the security level information is higher than or equal to the first preset level, the preset operation is determined to be a safe operation, and the second and third security detection information continue to be acquired so that security detection is repeated and the security level information is determined again. Because dangerous behaviour on the terminal is not necessarily permanent, this avoids the terminal carrying an undetected security risk after a single check and the detection errors that a one-off judgment would cause, improving the detection accuracy and the security of the running environment.
In step S503, if the security level information is lower than the first preset level and higher than the second preset level, a warning message is returned for the preset operation.
In the embodiment of the present application, as an example, a correspondence relationship between the first safety detection information, the second safety detection information, the third safety detection information, and the safety level information may be obtained, so that the safety level information may be determined according to the correspondence relationship. And if the safety level information is lower than the first preset level and higher than a second preset level, returning warning information to the preset operation. For example, the warning information may be returned to the preset operation by means of pop-up window, warning, and the like, and the present application is not limited thereto.
In step S505, if the security level information is lower than or equal to the second predetermined level, the predetermined operation is rejected.
In the embodiment of the present application, as an example, correspondence between the first security detection information, the second security detection information, the third security detection information, and the security level information may be obtained, so that the security level information may be determined according to the correspondence. And if the safety level information is lower than or equal to the second preset level, rejecting preset operation. For example, the preset operation may be rejected by prohibiting the operation, exiting the application, and the like, and the application is not limited in this application.
For a better understanding of the embodiment of the present invention, in a possible implementation manner the security detection process may be performed as shown in fig. 3. Alternatively, as shown in fig. 6, the process of fig. 3 may be extended as follows. Please refer to fig. 6:
after step S305, the second safety detection information and the third safety detection information may be periodically detected.
In the embodiment of the present application, the periodic detection is performed because the operations and features that present a security risk to the target application are not necessarily permanent: an operation that presents no detectable security risk at the moment of detection may, after a period of time such as 5 seconds or 10 seconds, be followed by operations and features that do present a security risk, so risky behaviour can appear intermittently.
As an example, after step S305, the second safety detection information and the third safety detection information may be periodically detected. For example, the second safety detection information and the third safety detection information are periodically detected within a time interval (for example, 5 seconds, 10 seconds, and the like, which is not limited in this application).
It should be noted that, in the actual execution process of acquiring the second safety detection information and acquiring the third safety detection information, the process is not limited to the flow in the embodiment shown in fig. 6, and may also be executed in the manner as shown in fig. 7:
after step S305, the third safety detection information is periodically detected.
It should be noted that, in the embodiment of the present application, the second security detection information is determined according to the security detection configuration information, and the third security detection information is determined according to the operation environment information obtained from the terminal. In the process of the security detection of the target application, the security detection configuration information is not changed, and therefore, the second security detection information is not changed. The process of starting the security detection process of the target application may refer to a process of executing a preset operation on the target application in the terminal to execute the security detection method. As an example, the third safety detection information may be detected periodically, for example, within a time interval (such as 5 seconds, 10 seconds, and the like, which is not limited in this application), only the third safety detection information may be detected periodically, but not the second safety detection information.
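The three-tier handling of steps S501 to S505 together with the periodic re-determination of fig. 7, as an added example in Python that is not code from the patent. The correspondence between the three detection results and the security level, the level values, and the detection snapshots are constructed; the example assumes that re-checking continues after an allow or a warning and stops at a rejection, which the patent does not specify.

```python
from typing import Dict, List

# Degree information for the security level; the numbers are constructed.
LEVELS = {"low": 1, "medium": 2, "high": 3}
FIRST_PRESET_LEVEL = LEVELS["high"]   # at or above: safe operation, keep re-checking
SECOND_PRESET_LEVEL = LEVELS["low"]   # at or below: reject the preset operation

Flags = Dict[str, bool]


def security_level(first: Flags, second: Flags, third: Flags) -> int:
    """Constructed correspondence between the detection results and a level.

    first:  file-directory scan   -> rooted, preset_software_installed
    second: device information    -> is_emulator_or_vm
    third:  running environment   -> repeated_start, framework_in_use, root_state
    """
    if (second.get("is_emulator_or_vm") or third.get("framework_in_use")
            or first.get("preset_software_installed")):
        return LEVELS["low"]
    if first.get("rooted") or third.get("root_state") or third.get("repeated_start"):
        return LEVELS["medium"]
    return LEVELS["high"]


def handle_preset_operation(level: int) -> str:
    """Steps S501 / S503 / S505: allow (and re-check), warn, or reject."""
    if level >= FIRST_PRESET_LEVEL:
        return "allow"
    if level > SECOND_PRESET_LEVEL:
        return "warn"
    return "reject"


def periodic_recheck(first: Flags, second: Flags,
                     third_snapshots: List[Flags]) -> List[str]:
    """Re-determination as in fig. 7: the first and second results are fixed
    for the session and only the third is re-detected each period (one entry of
    third_snapshots per period); a rejection ends the loop (assumption)."""
    decisions: List[str] = []
    for third in third_snapshots:
        decision = handle_preset_operation(security_level(first, second, third))
        decisions.append(decision)
        if decision == "reject":
            break
    return decisions


# Constructed detection results for one session.
FIRST = {"rooted": False, "preset_software_installed": False}
SECOND = {"is_emulator_or_vm": False}
CLEAN = {"repeated_start": False, "framework_in_use": False, "root_state": False}
SNAPSHOTS = [
    CLEAN,                               # period 1: nothing found
    {**CLEAN, "root_state": True},       # period 2: root trace appears
    {**CLEAN, "framework_in_use": True}, # period 3: hooking framework active
    CLEAN,                               # never evaluated after the rejection
]

if __name__ == "__main__":
    print(periodic_recheck(FIRST, SECOND, SNAPSHOTS))
```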
FIG. 8 is a block diagram illustrating a security apparatus for detecting an android system operating environment, according to an example embodiment. Referring to fig. 8, the apparatus 800 may include:
a first security detection acquisition module 801, configured to scan a preset file directory to obtain first security detection information when detecting that a preset operation is performed on a target application in a terminal;
the device information acquiring module 803 is configured to perform device information detection processing on the terminal to obtain multiple pieces of device information, where the multiple pieces of device information represent device attribute information, hardware information, and software information of the terminal;
a second security detection information obtaining module 805, configured to obtain security detection configuration information, and perform security detection processing on multiple pieces of device information according to the security detection configuration information to obtain second security detection information;
the first security processing module 807 is configured to perform corresponding security processing on the preset operation according to the first security detection information and the second security detection information.
In a possible implementation manner, the apparatus may further include:
the operation environment information acquisition module is used for acquiring the operation environment information of the terminal;
the third safety detection information acquisition module is used for acquiring third safety detection information according to the running environment information of the terminal;
and the second safety processing module is used for carrying out corresponding safety processing on the preset operation according to the first safety detection information, the second safety detection information and the third safety detection information.
In one possible implementation manner, the safety detection configuration information includes a safety detection threshold value and a preset detection manner; the second security detection information obtaining module 805 may include:
the safety detection information acquisition unit is used for carrying out safety detection processing on various equipment information according to a safety detection threshold value and a preset detection mode to obtain safety detection information of the simulator or safety detection information of the virtual machine;
and the second safety detection information acquisition unit is used for determining second safety detection information according to the safety detection information of the simulator or the safety detection information of the virtual machine.
In a possible implementation manner, the running environment information of the terminal includes stack information of the virtual machine, preset file directory information and dynamic link library file information; the virtual machine is a virtual machine corresponding to the development language of the terminal; the operation environment information acquiring module may include:
the target application repeated starting information acquisition unit: configured to analyze the repeated starting state of the target application based on the software information and determine the repeated starting information of the target application;
a preset framework use information acquisition unit: configured to analyze the stack information to obtain use information of a preset framework, the preset framework being a service framework corresponding to the operating system of the terminal;
a terminal root authority first state information acquisition unit: configured to scan the preset file directory and call the dynamic link library file to determine first state information corresponding to the root authority of the terminal;
a third security detection information acquisition unit: configured to obtain third safety detection information based on the repeated starting information of the target application, the use information of the preset framework and the first state information of the root authority.
In a possible implementation manner, the first security detection acquiring module 801 may include:
and the calling unit is used for scanning the preset file directory by calling the C language method integrated in the dynamic link library to obtain first safety detection information.
In a possible implementation manner, the first security detection acquiring module 801 may include:
the first safety detection information acquisition unit is used for acquiring second state information corresponding to the root authority of the terminal; and presetting installation information of software, wherein the preset software refers to preset software which has influence on the safety of the terminal and the target application.
In a possible implementation manner, the device information obtaining module 803 may include:
the device information acquisition unit is used for acquiring hardware information and software information of the terminal, wherein the hardware information comprises sensor information, flash lamp information or Bluetooth information; the software information comprises simulator file information and system process controller information.
In a possible implementation manner, the second secure processing module may include:
the safety level information acquisition unit is used for determining safety level information according to the first safety detection information, the second safety detection information and the third safety detection information;
and the safety processing unit is used for carrying out corresponding safety processing on the preset operation according to the safety level information.
In a possible implementation manner, the security level information obtaining unit may include:
the safety operation subunit is used for confirming that the preset operation is the safety operation if the safety level information is higher than or equal to the first preset level, and returning to the step of acquiring the second safety detection information and the third safety detection information to re-determine the safety level information;
the warning information acquisition subunit is used for returning warning information to the preset operation if the safety level information is lower than a first preset level and higher than a second preset level;
and the rejecting subunit is used for rejecting the preset operation if the safety level information is lower than or equal to a second preset level.
In a possible implementation manner, the second security detection information obtaining module 805 may include:
and the security detection configuration information acquisition unit is used for uploading the information of the various devices to the server and receiving the security detection configuration information which is returned by the server and responds to the information of the various devices.
With regard to the apparatus in the above embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be described in detail here.
Fig. 9 is a block diagram of an electronic device, which may be a terminal, for detecting a security method of an android system operating environment according to an exemplary embodiment, where an internal structure diagram of the electronic device may be as shown in fig. 9. The electronic device comprises a processor, a memory, a network interface, a display screen and an input device which are connected through a system bus. Wherein the processor of the electronic device is configured to provide computing and control capabilities. The memory of the electronic equipment comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The network interface of the electronic device is used for connecting and communicating with an external terminal through a network. The computer program is executed by a processor to implement a method of detecting android system operating environment security. The display screen of the electronic equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the electronic equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the electronic equipment, an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in fig. 9 is a block diagram of only a portion of the structure associated with the disclosed aspects and does not constitute a limitation on the electronic devices to which the disclosed aspects apply, and that a particular electronic device may include more or fewer components than shown in the figures, or combine certain components, or have a different arrangement of components.
In an exemplary embodiment, a computer-readable storage medium is further provided, and when executed by a processor of an electronic device, the instructions in the computer-readable storage medium enable the electronic device to perform a method for detecting security of an android system operating environment in the embodiments of the present disclosure. The computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, a computer program product containing instructions is also provided, which when run on a computer, causes the computer to perform a method of detecting security of an android system operating environment in the embodiments of the present disclosure.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), rambus (Rambus) direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (13)

1. A security detection method, comprising:
scanning a preset file directory to obtain first security detection information when it is detected that a preset operation is executed on a target application in a terminal;
detecting and processing device information of the terminal to obtain multiple kinds of device information, wherein the multiple kinds of device information represent device attribute information, hardware information and software information of the terminal;
acquiring security detection configuration information, and performing security detection processing on the multiple kinds of device information according to the security detection configuration information to obtain second security detection information;
and performing corresponding security processing on the preset operation according to the first security detection information and the second security detection information.
2. The method of claim 1, further comprising:
acquiring running environment information of the terminal;
obtaining third security detection information according to the running environment information of the terminal;
wherein performing corresponding security processing on the preset operation according to the first security detection information and the second security detection information comprises:
performing corresponding security processing on the preset operation according to the first security detection information, the second security detection information and the third security detection information.
3. The method according to claim 1 or 2, wherein the security detection configuration information comprises a security detection threshold and a preset detection mode; and performing security detection processing on the multiple kinds of device information according to the security detection configuration information to obtain the second security detection information comprises:
performing security detection processing on the multiple kinds of device information according to the security detection threshold and the preset detection mode to obtain simulator security detection information or virtual machine security detection information;
and determining the second security detection information according to the simulator security detection information or the virtual machine security detection information.
4. The method according to claim 2, wherein the running environment information of the terminal comprises stack information of a virtual machine, information on the preset file directory and dynamic link library file information, the virtual machine being the virtual machine corresponding to the development language of the terminal;
and obtaining the third security detection information according to the running environment information of the terminal comprises:
analyzing the repeated-start state of the target application based on the software information, and determining repeated-start information of the target application;
analyzing the stack information to obtain usage information of a preset framework, wherein the preset framework is a service framework corresponding to the operating system of the terminal;
scanning the preset file directory and calling the dynamic link library file, and determining first state information corresponding to the root authority of the terminal;
and obtaining the third security detection information based on the repeated-start information of the target application, the usage information of the preset framework and the first state information of the root authority.
5. The method according to claim 1, wherein scanning the preset file directory to obtain the first security detection information comprises:
scanning the preset file directory by calling C language code integrated in a dynamic link library to obtain the first security detection information.
6. The method according to claim 1 or 5, wherein the first security detection information comprises at least one of: second state information corresponding to the root authority of the terminal; and installation information of preset software, wherein the preset software is software preset as having an influence on the security of the terminal and the target application.
7. The method according to claim 1, wherein the hardware information comprises sensor information, flash information or Bluetooth information, and the software information comprises simulator file information and system process controller information.
8. The method according to claim 2, wherein performing corresponding security processing on the preset operation according to the first security detection information, the second security detection information and the third security detection information comprises:
determining security level information according to the first security detection information, the second security detection information and the third security detection information;
and performing corresponding security processing on the preset operation according to the security level information.
9. The method according to claim 1 or 2, wherein performing corresponding security processing on the preset operation according to the security level information comprises:
if the security level information is higher than or equal to a first preset level, confirming that the preset operation is a secure operation, and returning to the step of acquiring the second security detection information and the third security detection information to re-determine the security level information;
if the security level information is lower than the first preset level and higher than a second preset level, returning warning information for the preset operation;
and if the security level information is lower than or equal to the second preset level, rejecting the preset operation.
10. The method according to claim 1 or 2, wherein acquiring the security detection configuration information comprises:
uploading the multiple kinds of device information to a server, and receiving the security detection configuration information returned by the server in response to the multiple kinds of device information.
11. A security detection device, comprising:
a first security detection information acquisition module, configured to scan a preset file directory to obtain first security detection information when it is detected that a preset operation is executed on a target application in a terminal;
a device information acquisition module, configured to detect and process device information of the terminal to obtain multiple kinds of device information, wherein the multiple kinds of device information represent device attribute information, hardware information and software information of the terminal;
a second security detection information acquisition module, configured to acquire security detection configuration information and perform security detection processing on the multiple kinds of device information according to the security detection configuration information to obtain second security detection information;
and a security processing module, configured to perform corresponding security processing on the preset operation according to the first security detection information and the second security detection information.
12. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to execute the executable instructions to implement the method of any one of claims 1 to 10.
13. A non-transitory computer readable storage medium having stored thereon computer program instructions, wherein the computer program instructions, when executed by a processor, implement the method of any one of claims 1 to 10.
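As an added example that is not part of the patent or the applicant's code, the following Python models the pipeline of claims 1 to 9 as a config-driven scoring function: the first (directory scan), second (simulator/VM evidence under a server-supplied threshold and mode) and third (running environment) detection results are folded into one security level, and the three-tier decision of claim 9 is applied. The config values, penalty weights, the `/hook_tool` and `org.assumed.hookfw` markers, and all sample inputs are assumptions.

```python
"""Added example, not the patent's own code: a config-driven model of the
detection and three-tier decision in claims 1-9. Every threshold, weight,
indicator string and sample input below is a constructed assumption."""
from dataclasses import dataclass

@dataclass(frozen=True)
class DetectionConfig:            # claim 3 threshold and mode, claim 9 levels
    simulator_threshold: int
    mode: str                     # assumed modes: "any" or "count"
    first_preset_level: int
    second_preset_level: int

def first_detection(dir_listing):
    """Claims 5-6: root state and preset (risky) software from a directory scan."""
    return {"root": any(p.endswith("/su") for p in dir_listing),
            "risky_software": any("/hook_tool" in p for p in dir_listing)}  # assumed marker

def second_detection(device, cfg):
    """Claims 3 and 7: simulator/VM evidence from hardware and software information."""
    hits = sum([not device["sensors"], device["bluetooth"] is None,
                bool(device["simulator_files"]), "qemu" in device["process_controller"]])
    return hits >= (1 if cfg.mode == "any" else cfg.simulator_threshold)

def third_detection(env):
    """Claim 4: repeated launches, preset framework frames on the stack, root via the DLL."""
    return {"repeated_start": env["launch_count"] > 1,
            "framework": any(f.startswith(env["preset_framework"]) for f in env["stack"]),
            "root": env["root_from_dll"]}

def security_level(first, second, third):
    """Claim 8: fold the three detection results into one level (constructed weights)."""
    penalty = (40 * (first["root"] or third["root"]) + 30 * second
               + 15 * first["risky_software"] + 15 * third["framework"]
               + 10 * third["repeated_start"])
    return 100 - penalty

def decide(level, cfg):
    """Claim 9: confirm and re-check, warn, or reject."""
    if level >= cfg.first_preset_level:
        return "allow_and_recheck"
    return "warn" if level > cfg.second_preset_level else "reject"

def evaluate(dir_listing, device, env, cfg):
    """Claims 1-2: run all three detections and apply the decision."""
    first, third = first_detection(dir_listing), third_detection(env)
    return decide(security_level(first, second_detection(device, cfg), third), cfg)
```

In a real deployment the `DetectionConfig` would be the configuration the server returns in claim 10, so the threshold and mode can be tightened without shipping a new client.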
CN202211005879.XA 2022-08-22 2022-08-22 Safety detection method and device Pending CN115455414A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211005879.XA CN115455414A (en) 2022-08-22 2022-08-22 Safety detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211005879.XA CN115455414A (en) 2022-08-22 2022-08-22 Safety detection method and device

Publications (1)

Publication Number Publication Date
CN115455414A true CN115455414A (en) 2022-12-09

Family

ID=84298894

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211005879.XA Pending CN115455414A (en) 2022-08-22 2022-08-22 Safety detection method and device

Country Status (1)

Country Link
CN (1) CN115455414A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117150453A (en) * 2023-11-01 2023-12-01 建信金融科技有限责任公司 Network application detection method, device, equipment, storage medium and program product
CN117150453B (en) * 2023-11-01 2024-02-02 建信金融科技有限责任公司 Network application detection method, device, equipment, storage medium and program product

Similar Documents

Publication Publication Date Title
EP3693874A1 (en) Continuous vulnerability management for modern applications
RU2514140C1 (en) System and method for improving quality of detecting malicious objects using rules and priorities
CN109117250B (en) Simulator identification method, simulator identification equipment and computer readable medium
US10534915B2 (en) System for virtual patching security vulnerabilities in software containers
CN106991324B (en) Malicious code tracking and identifying method based on memory protection type monitoring
CN111191226B (en) Method, device, equipment and storage medium for determining program by utilizing right-raising loopholes
EP2790122B1 (en) System and method for correcting antivirus records to minimize false malware detections
WO2019072008A1 (en) Security scanning method and apparatus for mini program, and electronic device
CN111131221B (en) Interface checking device, method and storage medium
US10397281B2 (en) Method, system and server for self-healing of electronic apparatus
CN106326735B (en) Method and apparatus for preventing injection
CN111460404A (en) Double-recording data processing method and device, computer equipment and storage medium
CN111683047A (en) Unauthorized vulnerability detection method and device, computer equipment and medium
CN112738094B (en) Expandable network security vulnerability monitoring method, system, terminal and storage medium
CN110837644A (en) System penetration testing method and device and terminal equipment
CN110941825B (en) Application monitoring method and device
CN111523097A (en) APP brush user identification method and device based on android system and storage medium
CN115455414A (en) Safety detection method and device
CN113779562A (en) Zero trust based computer virus protection method, device, equipment and medium
JP2006146600A (en) Operation monitoring server, terminal apparatus and operation monitoring system
CN113609478B (en) IOS platform application program tampering detection method and device
CN114386047A (en) Application vulnerability detection method and device, electronic equipment and storage medium
CN114238943A (en) Application program protection method, device, equipment and storage medium
CN109784037B (en) Security protection method and device for document file, storage medium and computer equipment
CN110891097A (en) Cross-device user identification method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination