CN115618333A - Attack defense method and device, electronic equipment and storage medium - Google Patents

Publication number
CN115618333A
Authority
CN
China
Prior art keywords
key
function
generation function
key generation
preset
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211272803.3A
Other languages
Chinese (zh)
Inventor
吕经祥
童志明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd
Application filed by Antiy Technology Group Co Ltd
Priority to CN202211272803.3A
Publication of CN115618333A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00: Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/007: Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107: File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Bioethics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides an attack defense method, an attack defense device, electronic equipment and a storage medium, which are applied to the electronic equipment, wherein the method comprises the following steps: acquiring each key generation function in the electronic equipment, where the key generation function can be called by a program in the electronic equipment to generate a key; and adding a preset code in each key generation function, where the preset code is triggered to execute when the key generation function containing it is called, so as to record the key generated by the key generation function. According to the attack defense method, when the key generation function is called, the preset code in the key generation function is executed, and when the preset code is executed, the key generated by the key generation function is recorded. Therefore, even if files in the electronic equipment are encrypted by ransomware, the encrypted files can be decrypted with the recorded key without paying the ransom, so that defense against ransomware is realized and the loss caused by ransomware is avoided.

Description

Attack defense method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of data security, and in particular, to an attack defense method and apparatus, an electronic device, and a storage medium.
Background
Ransomware is a common type of trojan horse. It makes user data assets or computing resources unusable through harassment, intimidation, or even holding user files hostage, and uses this as leverage to extort money from the user. Such user data assets include documents, mail, databases, source code, pictures, compressed files, and the like.
For example, ransomware generates a key by calling a key generation function in a DLL (dynamic link library) in the system and calls a key usage function to encrypt the user's files; the user cannot open the corresponding files normally because the user does not have the key for decryption. Only after the user pays according to the ransomware's instructions can the corresponding key be obtained to decrypt the files.
Disclosure of Invention
In view of the above, the present application provides an attack defense method, apparatus, electronic device and storage medium, which at least partially solve the problems in the prior art.
In an aspect of the present application, an attack defense method is provided, which is applied to an electronic device, and includes:
acquiring each key generation function in the electronic equipment; the key generation function is capable of being invoked by a program within the electronic device for key generation;
adding a preset code in each key generation function; the preset code can be triggered to execute when the key generation function where the preset code is located is called, so as to record the key generated by the key generation function.
In an exemplary embodiment of the present application, the adding of the preset code in each key generation function includes:
and adding the preset codes before the return instruction of each key generation function.
In an exemplary embodiment of the present application, the preset code is configured to perform the steps of:
acquiring a generated key corresponding to the return instruction; the generated key is a key generated when the key generation function is called;
and storing the generated key in a preset storage space.
In an exemplary embodiment of the present application, the method further comprises:
determining each key usage function within the electronic device; the key usage function is capable of being called by a program within the electronic device to encrypt a file within the electronic device using a key;
after any key generation function sends a generated key to the preset storage space, if the number of times any key usage function is called within a preset time length exceeds a preset threshold, outputting prompt information and/or preventing the key usage function from continuing to be called.
In an exemplary embodiment of the present application, the method further comprises:
if the preset storage space receives a generated key returned by the key generation function, establishing a record document corresponding to the generated key;
establishing an association relation between the record document and the generated key; the record document is used for recording a generation key having an association relation with the record document and a file name of a file encrypted by using the generation key.
In an exemplary embodiment of the present application, the method further comprises:
determining each key usage function within the electronic device; the key usage function is capable of being called by a program within the electronic device to encrypt a file within the electronic device using a key;
monitoring the call instruction received by each key usage function; the call instruction comprises a target key and a target file name, and instructs the key usage function that receives it to encrypt the file corresponding to the target file name using the target key; the target key is any generated key in the preset storage space;
and storing the target file name into a recording document corresponding to the target key in the preset storage space.
In an exemplary embodiment of the present application, the method further comprises:
and if the number of updates to any record document in the preset storage space within the preset time length exceeds a set threshold, outputting prompt information and/or preventing the key usage function from continuing to be called.
In another aspect of the present application, an attack defense apparatus applied to an electronic device is provided, including:
an obtaining module, configured to obtain each key generation function in the electronic device; the key generation function is capable of being invoked by a program within the electronic device for key generation;
the processing module is used for adding preset codes in each key generation function; the preset code can be triggered to execute when the key generation function where the preset code is located is called, so as to record the key generated by the key generation function.
In another aspect of the present application, there is provided an electronic device comprising a processor and a memory;
the processor is configured to perform the steps of any of the above methods by calling a program or instructions stored in the memory.
In another aspect of the application, there is provided a non-transitory computer readable storage medium storing a program or instructions for causing a computer to perform the steps of any of the methods described above.
According to the attack defense method, the preset code is added to the key generation function for generating the key in the electronic equipment. When the key generation function is called, the preset code in the key generation function is executed, and when the preset code is executed, the key generated by the key generation function is recorded. Therefore, even if files in the electronic equipment are encrypted by ransomware, the encrypted files can be decrypted with the recorded key without paying the ransom, so that defense against ransomware is realized and the loss caused by ransomware is avoided.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of an attack defense method provided in this embodiment;
Fig. 2 is a structural block diagram of an attack defense apparatus provided in this embodiment.
Detailed Description
The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
It should be noted that, in the case of no conflict, the features in the following embodiments and examples may be combined with each other; moreover, based on the embodiments in the present disclosure, all other embodiments obtained by a person of ordinary skill in the art without making creative efforts shall fall within the protection scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
Referring to fig. 1, in an aspect of the present application, an attack defense method is provided, which is applied to an electronic device. The electronic equipment can be common electronic equipment such as a mobile phone, a computer, a notebook computer, a server or a tablet computer.
The method comprises the following steps:
s100, acquiring each key generation function in the electronic equipment. The key generation function can be invoked by a program within the electronic device for key generation. In particular, the key generation function is used to generate a new key in response to a call by a program and return this key to the program that called it.
The key generation function may be a function or piece of code for key generation within a DLL of the operating system. Key generation functions can be identified through a preset function name list, which records the function name of each key generation function in the DLLs that ship with the operating system, such as the CryptGenRandom function. In this way, the key generation functions can be located within the DLLs through the function name list. In this embodiment, there may be a plurality of key generation functions. In that case, step S200 is performed for each key generation function.
S200, adding a preset code in each key generation function; the preset code can be triggered to execute when the key generation function where the preset code is located is called, so as to record the key generated by the key generation function.
After the preset code is added into the key generation function, it is triggered and executed together with the original code in the key generation function whenever the key generation function is called. When the preset code starts executing depends on its position within the key generation function.
The attack defense method provided by this embodiment adds a preset code in a key generation function for key generation in the electronic device. When the key generation function is called, the preset code in the key generation function is executed, and when the preset code is executed, the key generated by the key generation function is recorded. Therefore, even if files in the electronic equipment are encrypted by ransomware, the encrypted files can be decrypted with the recorded key without paying the ransom, so that defense against ransomware is realized and the loss caused by ransomware is avoided.
Meanwhile, consider the alternative technical scheme in which the key generation function is monitored directly and, when a call to it is detected, the related key is obtained through other functions or programs. Compared with that scheme, this embodiment does not need a thread or process that monitors the key generation function in real time, which avoids long-term occupation of resources in the electronic equipment in its normal state. In addition, if the key generation function is monitored, the monitoring is easily discovered by ransomware. In this embodiment, because the code inside the key generation function is modified, and ransomware generally only looks up and calls the key generation function by function name, it is difficult for the ransomware to discover that the code in the key generation function has been modified. Therefore, the attack defense method provided by this embodiment is superior to the technical scheme of monitoring the key generation function in terms of concealment.
In an exemplary embodiment of the present application, the adding of the preset code in each key generation function includes:
and adding the preset code before the return instruction of each key generation function.
The preset code is used for executing the following steps:
and acquiring a generated key corresponding to the return instruction. The generated key is a key generated when the key generation function is called.
And storing the generated key in a preset storage space.
Specifically, within the key generation function, the return instruction is the last instruction executed, and it returns the generated key to the program that called the key generation function. Because the preset code is placed before the return instruction, it can acquire the generated key after the key has been generated but before the calling program receives it, and store the generated key in the preset storage space, thereby recording the generated key.
In an exemplary embodiment of the present application, the method further comprises:
determining each key usage function within the electronic device. The key usage function is capable of being called by a program within the electronic device to encrypt files within the electronic device using a key.
After any key generation function sends a generated key to the preset storage space, if the number of times any key usage function is called within a preset time length exceeds a preset threshold, prompt information is output and/or the key usage function is prevented from continuing to be called. The preset time length is 1 minute to 10 minutes; in this embodiment, the preset time length is 2 minutes, and the threshold is set to 50 times. The prompt information informs the user that ransomware is currently present and is encrypting files.
The key usage function may be a function or piece of code for key use in a DLL of the operating system. It can be identified through a preset function name list, which records the function name of each key usage function in the operating system's DLLs, such as a crypt function.
If, after the preset storage space receives the generated key sent by the key generation function, the number of times any key usage function is called within the preset time length exceeds the preset threshold, it can be determined with high probability that the generated key has been used many times within a short time. Normally, a user would not encrypt a large number of files separately within a short time, so this situation generally indicates that files are being encrypted by ransomware. Prompt information is output at this point so that the user learns of the situation in time. Meanwhile, preventing the key usage function from continuing to be called stops the ransomware from encrypting more files and reduces the amount of subsequent decryption work.
In an exemplary embodiment of the present application, the method further comprises:
if the preset storage space receives a generated key returned by the key generation function, establishing a record document corresponding to the generated key;
establishing an association relation between the record document and the generated key; the record document is used for recording the generated key associated with it and the file name of each file encrypted using that generated key. The association relation may be established through an association document that records the correspondence between each key and its record document, or by directly renaming the record document to the file name of the corresponding key (the record document and the key can coexist because their file name suffixes differ).
That is, each time the preset storage space receives a generated key, a corresponding record document is established for that key, so that a user can determine which files were encrypted by each key in the storage space by consulting the record documents.
In an exemplary embodiment of the present application, the method further comprises:
monitoring the call instruction received by each key usage function. The call instruction comprises a target key and a target file name, and instructs the key usage function that receives it to encrypt the file corresponding to the target file name using the target key. The target key is any generated key in the preset storage space.
And storing the target file name into a recording document corresponding to the target key in the preset storage space.
In this embodiment, since the keys are all stored in the preset storage space and the record document is established when the keys are generated, after the call instruction received by the key using function is obtained, the record document corresponding to the key in the preset storage space can be determined according to the target key, and the target file name is stored in the corresponding record document, so as to update the record document. So that the recording document can record the file name of each file encrypted by the generation key.
In an exemplary embodiment of the present application, the method further comprises:
and if the number of updates to any record document in the preset storage space within the preset time length exceeds a set threshold, outputting prompt information and/or preventing the key usage function from continuing to be called.
If the number of updates to any record document in the preset storage space within the preset time length exceeds the set threshold, it is determined that the same key has been used many times in a short time. Normally, a user would not encrypt a large number of files with the same key within a short time, so this situation generally indicates that files are being encrypted by ransomware. Prompt information is output at this point so that the user learns of the situation in time. Meanwhile, preventing the key usage function from continuing to be called stops the ransomware from encrypting more files and reduces the amount of subsequent decryption work.
In an exemplary embodiment of the present application, the method further comprises:
a second preset code is added to each key usage function.
The second preset code is used for recording the key used by the key using function when being executed.
Some ransomware carries its own keys rather than using the key generation function of the system. In that case the corresponding key cannot be obtained through the key generation function to which the preset code was added. To avoid this problem, this embodiment adds the second preset code to the key usage function, so that the corresponding key can be obtained even if the ransomware carries its own key, which improves the effectiveness of the defense against ransomware.
In an exemplary embodiment of the application, the adding of the second preset code to each key usage function includes:
and adding a second preset code at a function inlet of the key usage function.
The second preset code is used for executing the following steps:
and acquiring the encryption key received by the key usage function. I.e. to obtain the encryption key entered by the program calling the key usage function.
And storing the encryption key in a preset storage space.
The function entry may be the API that must be triggered in order to call the key usage function, or the location immediately after the call instruction is received. In this way, the encryption key passed in by the program can be obtained and stored in the preset storage space, thereby recording the encryption key.
Correspondingly, after a preset storage space receives an encryption key sent by a key use function, whether a record document corresponding to the encryption key exists in the preset storage space is determined.
And if so, adding the file name corresponding to the encryption key into the record document, and deleting the encryption key.
If it does not exist, establishing a record document corresponding to the encryption key, adding the file name corresponding to the encryption key into the record document, and storing the encryption key.
In this embodiment, after the preset storage space receives the encryption key sent by the key use function, it is determined whether the preset storage space already has a record document corresponding to the key to be stored, that is, it is determined whether the same key has been received before, and only if not, the corresponding record document is generated and the key is stored. Therefore, repeated storage of the key and repeated establishment of the record document are avoided, and the storage space is saved.
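The record-document bookkeeping and the update-count threshold described above can be modelled as follows. This is an added example, not code from the patent: `PresetStorage`, `RecordDocument`, `replay` and the event tuples are hypothetical names, the events are constructed, and only the 2-minute window and the threshold of 50 come from the embodiment.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 120.0  # preset time length used in the embodiment (2 minutes)
THRESHOLD = 50          # preset threshold used in the embodiment (50 times)


@dataclass
class RecordDocument:
    """Record document: the associated key and the files encrypted with it."""
    key: bytes
    file_names: list = field(default_factory=list)
    update_times: deque = field(default_factory=deque)  # updates inside the window


class PresetStorage:
    """Hypothetical model of the preset storage space fed by both preset codes."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.records = {}     # key -> RecordDocument (one per distinct key)
        self.blocked = False  # True once key usage calls must be refused

    def on_key_generated(self, key):
        # Reported by the preset code placed before the return instruction.
        # setdefault() keeps a single stored key and record document per key.
        return self.records.setdefault(key, RecordDocument(key))

    def on_key_used(self, key, file_name, now):
        # Reported by the second preset code at the key usage function entry.
        if self.blocked:
            return "block"
        # A key never seen before (carried by the caller itself) gets a new
        # record document; a known key is not stored a second time.
        record = self.on_key_generated(key)
        record.file_names.append(file_name)
        record.update_times.append(now)
        # Slide the window: forget updates older than the preset time length.
        while now - record.update_times[0] > self.window:
            record.update_times.popleft()
        if len(record.update_times) > self.threshold:
            self.blocked = True
            return "alert"  # output prompt information, then block later calls
        return "ok"


def replay(events, storage):
    """Feed (kind, key, file_name, timestamp) events; return key-usage verdicts."""
    verdicts = []
    for kind, key, file_name, ts in events:
        if kind == "gen":
            storage.on_key_generated(key)
        else:
            verdicts.append(storage.on_key_used(key, file_name, ts))
    return verdicts


# Constructed events: one self-carried key used on 60 files within 30 seconds.
BULK_KEY = b"\x02" * 32
BULK_EVENTS = [("use", BULK_KEY, f"doc_{i}.docx", 1000.0 + 0.5 * i)
               for i in range(60)]

# Constructed events: one generated key used on 60 files, one every 10 seconds.
SLOW_KEY = b"\x01" * 16
SLOW_EVENTS = [("gen", SLOW_KEY, None, 0.0)] + [
    ("use", SLOW_KEY, f"backup_{i}.zip", 10.0 * (i + 1)) for i in range(60)]

if __name__ == "__main__":
    print(replay(BULK_EVENTS, PresetStorage())[48:53])
    print(set(replay(SLOW_EVENTS, PresetStorage())))
```

Because the window slides, the slow sequence never holds more than 13 updates at once and stays below the threshold, while the burst raises the alert on its 51st call.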
In an exemplary embodiment of the present application, the record document is also used to record a file storage path of each target file.
The attack defense method provided by the embodiment further comprises the following steps:
after any record document is updated, determining, according to the file storage path received in the current update, all files in the storage space corresponding to that file storage path that have the same file type as the target file as first files.
If the file name of every first file is added to the current record document within the set time, outputting prompt information and/or preventing the key usage function from continuing to be called.
Normally, a user would not encrypt all files under the same storage path with the same key within a short time, so this situation mostly indicates that files are being encrypted by ransomware. Prompt information is output at this point so that the user learns of the situation. Meanwhile, preventing the key usage function from continuing to be called stops the ransomware from encrypting more files and reduces the amount of subsequent decryption work.
Further, the determining of all files in the storage space corresponding to the file storage path that have the same file type as the target file as first files includes:
Determining a superior storage path corresponding to the file storage path as a target path;
and taking all files with the same file type as the target file in the storage space corresponding to the target path as first files.
The superior storage path is the storage path of the storage space one level above the storage space corresponding to the file storage path. For example, if the file storage path is "C:\Windows\Boot\Misc\PCAT", the target path is "C:\Windows\Boot\Misc".
In some cases, when a folder contains only a few files, the user may encrypt every file in it as part of normal use. To avoid a false prompt or a mistaken block in that situation, this embodiment, when determining the first files, takes the superior storage path corresponding to the file storage path as the target path and determines all files in the storage space corresponding to the target path that have the same file type as the target file as first files, which increases the number of first files. Ransomware, by contrast, typically encrypts the files across the whole disk one by one. Therefore, this embodiment recognizes ransomware behavior more accurately, reduces the rate at which normal user behavior is misidentified, and improves overall accuracy.
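The effect of widening the first-file set to the superior storage path can be checked with a small model. This is an added example, not code from the patent: the function names, the file inventory, the timestamps and the 120-second "set time" are constructed, and it assumes that the storage space of the target path includes its subfolders.

```python
from pathlib import PureWindowsPath

SET_TIME = 120.0  # assumed value; the description only says "set time"

# Constructed inventory of files on the protected machine.
INVENTORY = [
    r"C:\Users\alice\Docs\Tax\2023.pdf",
    r"C:\Users\alice\Docs\Tax\2024.pdf",
    r"C:\Users\alice\Docs\Work\plan.pdf",
    r"C:\Users\alice\Docs\Work\notes.txt",
    r"C:\Users\alice\Docs\Work\budget.pdf",
    r"C:\Users\alice\Docs\readme.pdf",
]


def first_files(inventory, target_file, use_parent=True):
    """Files of the target file's type under the target path.

    The file storage path is the folder holding the target file. With
    use_parent=True the target path is its superior storage path.
    """
    target = PureWindowsPath(target_file)
    storage_path = target.parent
    root = storage_path.parent if use_parent else storage_path
    ext = target.suffix.lower()
    return {p for p in map(PureWindowsPath, inventory)
            if p.suffix.lower() == ext and root in p.parents}


def sweep_detected(record_updates, inventory, now,
                   set_time=SET_TIME, use_parent=True):
    """True if every first file was added to the record within set_time.

    record_updates is one record document's history as (path, timestamp)
    pairs, oldest first; the newest entry is the current update.
    """
    if not record_updates:
        return False
    current_target = record_updates[-1][0]
    recent = {PureWindowsPath(p) for p, ts in record_updates
              if now - ts <= set_time}
    wanted = first_files(inventory, current_target, use_parent)
    return bool(wanted) and wanted <= recent


# Constructed history: a user encrypts the two PDFs of one small folder.
SMALL_FOLDER = [(INVENTORY[0], 10.0), (INVENTORY[1], 20.0)]

# Constructed history: every inventoried file is encrypted within 25 seconds.
FULL_SWEEP = [(path, 5.0 * i) for i, path in enumerate(INVENTORY)]

if __name__ == "__main__":
    print(sweep_detected(SMALL_FOLDER, INVENTORY, 60.0, use_parent=False))
    print(sweep_detected(SMALL_FOLDER, INVENTORY, 60.0))
    print(sweep_detected(FULL_SWEEP, INVENTORY, 60.0))
```

With the folder itself as the target path, the two-file case is flagged; with the superior storage path it is not, while the full sweep is still detected.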
Referring to fig. 2, in another aspect of the present application, an attack defense apparatus is provided, which is applied to an electronic device, and includes:
an obtaining module, configured to obtain each key generation function in the electronic device; the key generation function is capable of being invoked by a program within the electronic device for key generation;
the processing module is used for adding preset codes in each key generation function; the preset code can be triggered to execute when the key generation function where the preset code is located is called, so as to record the key generated by the key generation function.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present application may be embodied as a system, method or program product. Accordingly, various aspects of the present application may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module" or "system."
An electronic device according to this embodiment of the present application is described below. The electronic device is only an example, and should not impose any limitation on the function and scope of use of the embodiments of the present application.
The electronic device is in the form of a general purpose computing device. Components of the electronic device may include, but are not limited to: the at least one processor, the at least one memory, and a bus connecting the various system components (including the memory and the processor).
The memory stores program code executable by the processor to cause the processor to perform steps according to various exemplary embodiments of the present application described in the "exemplary methods" section above.
The memory may include readable media in the form of volatile memory, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The memory may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which or some combination thereof may comprise an implementation of a network environment.
The bus may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface. Also, the electronic device may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via a network adapter. The network adapter communicates with other modules of the electronic device over the bus. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, various aspects of the present application may also be implemented in the form of a program product comprising program code for causing a terminal device to perform the steps according to various exemplary embodiments of the present application described in the "exemplary methods" section above of this specification, when the program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the present application, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functions of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An attack defense method applied to an electronic device, the method comprising:
acquiring each key generation function in the electronic device; the key generation function is capable of being invoked by a program within the electronic device for key generation;
adding preset code in each key generation function; the preset code is triggered to execute when the key generation function containing it is called, so as to record the key generated by that key generation function.
2. The attack defense method according to claim 1, wherein the adding of the preset code within each key generation function comprises:
adding the preset code before the return instruction of each key generation function.
3. The attack defense method according to claim 2, characterized in that the preset code is used for executing the following steps:
acquiring a generated key corresponding to the return instruction; the generated key is generated when the key generation function is called;
and storing the generated key in a preset storage space.
4. The attack defense method according to claim 1, further comprising:
determining each key usage function within the electronic device; the key usage function is capable of being called by a program within the electronic device to encrypt a file within the electronic device using a key;
after any key generation function sends a generated key to the preset storage space, if the number of times any key usage function is called within a preset time length exceeds a preset threshold, outputting prompt information and/or preventing the key usage function from continuing to be called.
5. The attack defense method according to claim 3, further comprising:
if the preset storage space receives a generated key returned by the key generation function, establishing a record document corresponding to the generated key;
establishing an association relation between the record document and the generated key; the record document is used for recording the generated key associated with it and the file names of the files encrypted using that generated key.
6. The attack defense method according to claim 5, characterized in that the method further comprises:
determining each key usage function within the electronic device; the key usage function is capable of being called by a program within the electronic device to encrypt a file within the electronic device using a key;
monitoring the calling instruction received by each key usage function; the calling instruction comprises a target key and a target file name, and instructs the key usage function that receives it to encrypt the file corresponding to the target file name using the target key; the target key is any generated key in the preset storage space;
and storing the target file name into the record document corresponding to the target key in the preset storage space.
7. The attack defense method according to claim 6, characterized in that the method further comprises:
if the number of updates to any record document in the preset storage space within a preset time length exceeds a set threshold, outputting prompt information and/or preventing the key usage function from continuing to be called.
8. An attack defense apparatus applied to an electronic device, comprising:
an obtaining module, configured to obtain each key generation function in the electronic device; the key generation function is capable of being invoked by a program within the electronic device for key generation;
a processing module, configured to add preset code in each key generation function; the preset code is triggered to execute when the key generation function containing it is called, so as to record the key generated by that key generation function.
9. An electronic device comprising a processor and a memory;
the processor is adapted to perform the steps of the method of any one of claims 1 to 7 by calling a program or instructions stored in the memory.
10. A non-transitory computer readable storage medium storing a program or instructions for causing a computer to perform the steps of the method of any one of claims 1 to 7.
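The record-and-throttle logic of claims 1 to 7, as an added Python example that is not code from the patent. Assumptions: the name `KeyEscrowMonitor`, the threshold of 20 updates per 10 seconds, an in-memory dict as the preset storage space, function wrappers standing in for code inserted before the return instruction, and a random-bytes key generator and XOR routine standing in for the real key generation and key usage functions.

```python
import secrets
import time
from collections import defaultdict, deque

class KeyEscrowMonitor:
    """Preset storage space plus per-key record documents (claims 3 and 5-7)."""

    def __init__(self, max_updates=20, window_seconds=10.0, clock=time.monotonic):
        self.max_updates = max_updates     # "set threshold" (assumed value)
        self.window = window_seconds       # "preset time length" (assumed value)
        self.clock = clock
        self.records = {}                  # generated key -> file names encrypted with it
        self.updates = defaultdict(deque)  # generated key -> times of record updates
        self.blocked = set()
        self.alerts = []                   # (key, updates in window) per alert

    def instrument_generator(self, keygen):
        """Claims 1-3: preset code runs just before the generation function returns."""
        def wrapper(*args, **kwargs):
            key = keygen(*args, **kwargs)
            self.records.setdefault(key, [])   # claim 5: open the record document
            return key
        return wrapper

    def instrument_user(self, encrypt):
        """Claims 6-7: record (key, file name) per call; block a key updated too often."""
        def wrapper(key, file_name, data):
            if key in self.blocked:
                raise PermissionError("key usage function blocked for this key")
            if key in self.records:            # only escrowed keys are tracked
                now = self.clock()
                stamps = self.updates[key]
                stamps.append(now)
                while now - stamps[0] > self.window:
                    stamps.popleft()           # drop updates outside the window
                self.records[key].append(file_name)
                if len(stamps) > self.max_updates:
                    self.blocked.add(key)
                    self.alerts.append((key, len(stamps)))
                    raise PermissionError("record document updated too often")
            return encrypt(key, file_name, data)
        return wrapper

def demo(step):
    """Constructed run: encrypt 30 files with one key, one call every `step` seconds."""
    ticks = iter(i * step for i in range(1000))
    mon = KeyEscrowMonitor(clock=lambda: next(ticks))
    gen_key = mon.instrument_generator(lambda: secrets.token_bytes(16))  # stand-in keygen
    toy_xor = lambda key, name, data: bytes(b ^ key[0] for b in data)    # stand-in cipher
    encrypt = mon.instrument_user(toy_xor)
    key, done = gen_key(), 0
    for i in range(30):
        try:
            encrypt(key, f"doc{i}.txt", b"constructed sample data")
            done += 1
        except PermissionError:
            break
    return mon, key, done
```

`demo(0.03)` models bulk encryption and is cut off at the 21st call, while `demo(1.0)` models slow, user-paced encryption and completes; in both runs the recorded key and the file names remain in `mon.records`.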
CN202211272803.3A 2022-10-18 2022-10-18 Attack defense method and device, electronic equipment and storage medium Pending CN115618333A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211272803.3A CN115618333A (en) 2022-10-18 2022-10-18 Attack defense method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115618333A true CN115618333A (en) 2023-01-17

Family

ID=84863220

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211272803.3A Pending CN115618333A (en) 2022-10-18 2022-10-18 Attack defense method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115618333A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination