CN116415259A - Security check method and device - Google Patents

Publication number: CN116415259A
Authority: CN (China)
Prior art keywords: environment, security, target application, abnormal, abnormal operation
Legal status: Pending
Application number: CN202310491926.4A
Other languages: Chinese (zh)
Inventors: 高亭宇, 张园超, 高嵩
Current Assignee: Zhejiang eCommerce Bank Co Ltd
Original Assignee: Zhejiang eCommerce Bank Co Ltd
Application filed by Zhejiang eCommerce Bank Co Ltd
Priority to CN202310491926.4A

Abstract

The embodiments of this specification provide a security check method and device. The security check method comprises: receiving a verification task for a target application; deploying the target application in a security check environment based on the verification task, wherein the security check environment is generated by performing feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment; and running the target application and determining the security check level of the target application based on the running result. When a verification task for the target application is received, the target application is deployed in a security check environment generated by feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment, and is checked there to obtain its security check level. The security check level determined in this way is more accurate, and it can then be processed, which further ensures the security of the target application.

Description

Security check method and device
Technical Field
The embodiment of the specification relates to the technical field of communication security, in particular to a security inspection method.
Background
With the rapid development of network technology, the number of internet users is growing exponentially and sales of smart devices have increased greatly. To meet user demands, the applications on smart devices are increasingly complex in design and increasingly large in development scale, and application quality is increasingly important.
On the iOS platform, the level of application development skill is uneven, so the security level of applications is uneven as well, while the attack techniques on the market that target applications on the iOS platform are increasingly mature. A security check method that can check the security of an application is therefore needed to ensure application security.
Disclosure of Invention
In view of this, the embodiments of this specification provide a security check method. One or more embodiments of this specification also relate to a security check device, a computing device, a computer-readable storage medium and a computer program, which address the technical shortcomings of the prior art.
According to a first aspect of embodiments of the present specification, there is provided a security verification method comprising:
receiving a verification task for a target application;
deploying a target application in a security check environment based on the check task, wherein the security check environment is generated by performing feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment;
and running the target application, and determining the security check level of the target application based on the running result.
According to a second aspect of embodiments of the present specification, there is provided a security check device comprising:
a receiving module configured to receive a verification task for a target application;
the deployment module is configured to deploy the target application in a security check environment based on the check task, wherein the security check environment is generated by performing feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment;
and the determining module is configured to run the target application and determine the security inspection level of the target application based on the running result.
According to a third aspect of embodiments of the present specification, there is provided a computing device comprising:
a memory and a processor;
the memory is configured to store computer-executable instructions that, when executed by the processor, perform the steps of the security verification method described above.
According to a fourth aspect of embodiments of the present specification, there is provided a computer readable storage medium storing computer executable instructions which, when executed by a processor, implement the steps of the security verification method described above.
According to a fifth aspect of embodiments of the present specification, there is provided a computer program, wherein the computer program, when executed in a computer, causes the computer to perform the steps of the above-described security verification method.
One embodiment of this specification receives a verification task for a target application; deploys the target application in a security check environment based on the verification task, wherein the security check environment is generated by performing feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment; and runs the target application and determines the security check level of the target application based on the running result. When a verification task for the target application is received, the target application is deployed in a security check environment generated by feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment, and is checked there to obtain its security check level. The security check level determined in this way is more accurate, and it can then be processed, which further ensures the security of the target application.
Drawings
FIG. 1 is a schematic diagram of an interaction flow under a security verification system architecture according to one embodiment of the present disclosure;
FIG. 2 is a block diagram of a security verification system provided in one embodiment of the present disclosure;
FIG. 3 is a flow chart of a security verification method provided by one embodiment of the present disclosure;
FIG. 4a is a process flow diagram of a security verification method provided in one embodiment of the present disclosure;
FIG. 4b is a schematic process flow diagram of a security verification method according to one embodiment of the present disclosure;
FIG. 5 is a schematic diagram of a security check device according to one embodiment of the present disclosure;
FIG. 6 is a block diagram of a computing device provided in one embodiment of the present description.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of this specification. However, this specification can be implemented in many ways other than those described herein, and those skilled in the art can make similar generalizations without departing from its spirit; this specification is therefore not limited by the specific implementations disclosed below.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that, although the terms first, second, etc. may be used in one or more embodiments of this specification to describe various information, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first may also be referred to as a second, and similarly, a second may also be referred to as a first, without departing from the scope of one or more embodiments of this specification. The word "if" as used herein may be interpreted as "when ..." or "upon ..." or "in response to determining", depending on the context.
Furthermore, it should be noted that, user information (including, but not limited to, user equipment information, user personal information, etc.) and data (including, but not limited to, data for analysis, stored data, presented data, etc.) according to one or more embodiments of the present disclosure are information and data authorized by a user or sufficiently authorized by each party, and the collection, use, and processing of relevant data is required to comply with relevant laws and regulations and standards of relevant countries and regions, and is provided with corresponding operation entries for the user to select authorization or denial.
First, terms related to one or more embodiments of the present specification will be explained.
iOS application: a mobile application developed for the mobile operating system iOS.
Hook framework: hooking is a technique used to obtain or alter certain data while a program is executing, or to alter the program's flow of execution.
Many iOS applications currently do not check the security of the environment in which they run, which leaves them at risk of being compromised. For example, an attacker may first run the application on the iOS operating system in a "jailbroken" environment and then analyze and study the application with various "hacking tools". Taking these as attack features, an application can decide whether to provide its normal functional services by checking the running environment, running state and network environment it is in, and so avoid the risk of being compromised.
The security level of iOS applications is uneven, and the attack techniques on the market that target applications on the iOS platform are increasingly mature, so a security check method that can check the security of an application is needed to ensure application security.
It should be noted that, the user information (including, but not limited to, user equipment information, user personal information, etc.) and the data (including, but not limited to, data for analysis, stored data, presented data, etc.) according to the embodiments of the present disclosure are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region, and provide corresponding operation entries for the user to select authorization or rejection.
In the present specification, a security inspection method is provided, and the present specification relates to a security inspection apparatus, a computing device, and a computer-readable storage medium, which are described in detail in the following embodiments one by one.
Referring to fig. 1, fig. 1 shows a schematic diagram of an interaction flow under a security check system architecture according to an embodiment of the present disclosure, and as shown in fig. 1, the system includes a server 0101 and a client 0102.
Server 0101: for receiving a verification task for a target application; deploying the target application in a security check environment based on the verification task, wherein the security check environment is generated by performing feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment; and running the target application and determining the security check level of the target application based on the running result;
Client 0102: for receiving the security check level sent by the server 0101.
Applying the solution of the embodiments of this specification, a verification task for a target application is received; the target application is deployed in a security check environment based on the verification task, wherein the security check environment is generated by performing feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment; and the target application is run and its security check level is determined based on the running result. When a verification task for the target application is received, the target application is deployed in a security check environment generated by feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment, and is checked there to obtain its security check level. The security check level determined in this way is more accurate, and it can then be processed, which further ensures the security of the target application.
Referring to fig. 2, fig. 2 illustrates a frame diagram of a security verification system provided in one embodiment of the present description, which may include a server 100 and a plurality of clients 200. Communication connection can be established between the plurality of clients 200 through the server 100, and in a security check scenario, the server 100 is used to provide security check services between the plurality of clients 200, and the plurality of clients 200 can respectively serve as a transmitting end or a receiving end, so that communication is realized through the server 100.
The user may interact with the server 100 through the client 200 to receive data transmitted from other clients 200, to transmit data to other clients 200, etc. In the security check scenario, it may be that the user issues a security check request to the server 100 through the client 200, and the server 100 generates a security check result according to the security check request and pushes the security check result to other clients 200 that establish communication.
Wherein, the client 200 and the server 100 establish a connection through a network. The network provides a medium for a communication link between client 200 and server 100. The network may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others. The data transmitted by the client 200 may need to be encoded, transcoded, compressed, etc. before being distributed to the server 100.
The client 200 may be a browser, an application program (APP), a web application such as a HyperText Markup Language 5 (H5) application, a light application (also called an applet, a lightweight application program), a cloud application, or the like. The client 200 may be developed on the basis of a software development kit (SDK) for the corresponding service provided by the server, for example a real-time communication (RTC) SDK. The client 200 may be deployed in an electronic device and may need to run depending on the device or on some APP in the device. The electronic device may, for example, have a display screen and support information browsing, and may be a personal mobile terminal such as a mobile phone, tablet computer or personal computer. Various other types of applications are also commonly deployed in electronic devices, such as human-machine conversation applications, model training applications, text processing applications, web browser applications, shopping applications, search applications, instant messaging tools, mailbox clients, social platform software, and the like.
The server 100 may include a server that provides various services, such as a server that provides communication services for multiple clients, a server for background training that supports a model used on a client, a server that processes data sent by a client, and so on. It should be noted that the server 100 may be implemented as a distributed server cluster formed by a plurality of servers, or as a single server. The server may also be a server of a distributed system or a server that incorporates a blockchain. The server may also be a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery networks (CDN), and big data and artificial intelligence platforms, or an intelligent cloud computing server or intelligent cloud host with artificial intelligence technology.
It should be noted that, the security checking method provided in the embodiment of the present disclosure is generally performed by the server 100, but in other embodiments of the present disclosure, the client 200 may have a similar function to the server, so as to perform the security checking method provided in the embodiment of the present disclosure. In other embodiments, the security verification method provided in the embodiments of the present disclosure may be performed by the client 200 and the server 100 together.
Referring to fig. 3, fig. 3 shows a flowchart of a security check method according to an embodiment of the present disclosure, which specifically includes the following steps.
Step 302: a verification task for a target application is received.
The embodiments of the present disclosure are applied to a client or a server corresponding to an application, a platform, a device, or the like having a security check function, and the following description will take the server as an example.
When there is a need to security-check a target application, the server receives a verification task for the target application and checks the target application based on that task. The verification task may be input and initiated by a user through the front end, or may be generated by the server according to the user's operation.
Specifically, the target application refers to an application program that needs to be checked, such as an iOS application, an Android application, and the like. The verification task refers to a task that requires a check to be performed, and it may include the target application to be checked, an installation package of the target application, a version number of the target application, and the like.
In one possible implementation manner of the present disclosure, a user may input and initiate a verification task for a target application through a front end, and specifically, the user may click an operation button of a specific page to initiate the verification task for the target application to a server through a client.
In another possible implementation manner of the present specification, a verification task for a target application may be generated when a user has an input of a security verification event about the target application at a front end.
By receiving the verification task for the target application, the target application can subsequently be checked based on that task to obtain its security check level.
Step 304: the target application is deployed in a security check environment based on the check task, wherein the security check environment is generated based on feature abstraction of at least two of an abnormal operating environment, an abnormal operating state, and an abnormal network environment.
Specifically, the security check environment is constructed in advance based on the items to be checked: it is generated by feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment. For example, feature abstraction is performed on the abnormal operation environment and the abnormal operation state, and the security check environment is generated from the feature abstraction result; as another example, feature abstraction is performed on the abnormal operation environment, the abnormal operation state and the abnormal network environment, and the security check environment is generated from the feature abstraction result.
The abnormal operation environment refers to an operation environment that differs from a normal operation environment. For example, when application A is installed on a mobile phone, the abnormal operation environment is an abnormal operation environment of the mobile phone, which can affect application A. The abnormal operation environment may be a jailbroken environment.
The jailbroken environment refers to an operation environment created by technical means for obtaining high privileges on iOS, the operating system of the portable device; a user can obtain high privileges on iOS by using such techniques and software.
The abnormal operation state refers to an operation state that differs from the normal operation state, that is, a state that is abnormal for the application. For example, when application A is installed on a mobile phone, the abnormal operation state is an abnormal operation state of that application on the phone. The abnormal operation state may be a Hook framework, for example the Frida framework, the Cydia Substrate framework, the fishhook framework or the Method Swizzle framework.
The Frida framework is a portable Hook framework that supports all platforms. Scripts written in JavaScript (JS) and Python code interact with the Frida server (frida_server), and Hook operations are carried out on an application program through this interaction.
The Cydia Substrate framework is a Hook-based code modification framework that can be used on the Android and iOS platforms. It can modify the default code of the system, which allows third-party developers to provide runtime patches for system functions.
The fishhook framework is a lightweight hook framework that allows dynamic rebinding of symbols in Mach-O binaries running on iOS simulators and devices, where Mach-O (Mach Object File Format) describes the format of executable files.
The Method Swizzle framework relies mainly on the runtime mechanism of Objective-C (ObjC), the object-oriented programming language that extends C: a method implementation is replaced dynamically through an ObjC runtime function such as class_replaceMethod, so the technique can be applied on the iOS operating system.
The abnormal network environment is a network environment that differs from the normal network environment, that is, one that is abnormal for the application, for example when an abnormality occurs on the link through which application A accesses the network. The abnormal network environment may be a network proxy, HyperText Transfer Protocol (HTTP) forced authentication, and the like.
The network proxy refers to obtaining a proxy IP from a proxy server and accessing the internet through that proxy IP.
HTTP forced authentication refers to the SSL pinning mechanism. SSL pinning has two modes: certificate pinning and public key pinning. Certificate pinning: the client code embeds a certificate and accepts only the certificate for the specified domain name, rather than any certificate that chains to a root certificate built into the operating system or browser. Authorizing in this way ensures the uniqueness and security of the communication between the application and the server, so the communication between the client and the server (such as an API Gateway) can be kept secure. Public key pinning: the public key in the certificate is extracted and built into the client, and the connection is verified by comparing this public key value with the one presented by the server. When a certificate is renewed, the public key can be kept unchanged (that is, the key pair is unchanged), which avoids the certificate validity-period problem, so this mode is generally recommended. SSL Kill Switch: a popular plug-in on iOS that bypasses the SSL pinning mechanism in the HTTP authentication process.
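The difference between the two pinning modes across a certificate renewal can be shown with a short added example (not part of the patent text). It assumes the common practice of pinning the SHA-256 hash of the DER-encoded SubjectPublicKeyInfo; the helper names are hypothetical, and the certificates are constructed DER structures with placeholder key bytes and a dummy signature, so the block runs offline.

```python
import base64
import hashlib

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (single-byte tag, definite length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n_len = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    else:
        length = first
    return tag, pos, pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, start, _ = read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, start)     # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                           # optional [0] version
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, spki_end = read_tlv(cert_der, pos)
    return cert_der[pos:spki_end]

def certificate_pin(cert_der: bytes) -> str:
    """Certificate pinning: hash of the whole certificate."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()

def public_key_pin(cert_der: bytes) -> str:
    """Public key pinning: hash of the SubjectPublicKeyInfo only."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def check_pins(pinned_cert: bytes, presented_cert: bytes) -> dict:
    """Compare a presented certificate with the pins built into the client."""
    return {
        "certificate_pin": certificate_pin(presented_cert) == certificate_pin(pinned_cert),
        "public_key_pin": public_key_pin(presented_cert) == public_key_pin(pinned_cert),
    }

# --- Constructed sample data (not real keys or real certificates) ---
def make_spki(seed: bytes) -> bytes:
    # AlgorithmIdentifier: id-ecPublicKey with the prime256v1 curve
    alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))
              + der(0x06, bytes.fromhex("2a8648ce3d030107")))
    point = (b"\x04" + hashlib.sha256(seed + b"x").digest()
             + hashlib.sha256(seed + b"y").digest())  # placeholder bytes
    return der(0x30, alg + der(0x03, b"\x00" + point))

def make_cert(spki: bytes, serial: int, not_after: bytes) -> bytes:
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
    name = der(0x30, b"")                     # empty Name keeps the sample short
    validity = der(0x30, der(0x17, b"230101000000Z") + der(0x17, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 8))

SPKI_SERVER = make_spki(b"server key")
SPKI_PROXY = make_spki(b"proxy key")
PINNED_CERT = make_cert(SPKI_SERVER, 1, b"240101000000Z")   # built into the client
RENEWED_CERT = make_cert(SPKI_SERVER, 2, b"250101000000Z")  # same key pair, new dates
PROXY_CERT = make_cert(SPKI_PROXY, 3, b"250101000000Z")     # intercepting proxy

if __name__ == "__main__":
    for label, cert in (("renewed", RENEWED_CERT), ("proxy", PROXY_CERT)):
        print(label, check_pins(PINNED_CERT, cert))
```

A renewed certificate with the same key pair still satisfies the public key pin but not the certificate pin, while a certificate issued for a different key fails both.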
Based on the verification task, the target application may be deployed in the security check environment by installing it on a platform, device or system that is in the security check environment, so that the target application is in the security check environment when it runs; the platform, device or system may be real or virtual.
The security check environment is generated by feature abstraction based on at least two of the abnormal operation environment, the abnormal operation state and the abnormal network environment. The at least two items may be any two, or all three, of the three items; feature abstraction is performed on them, and the security check environment is generated from the feature abstraction result.
Optionally, the security check environment can be generated from the feature abstraction of at least two of the abnormal operation environment, the abnormal operation state and the abnormal network environment in various ways; the choice depends on the actual situation, and this specification does not limit it here.
In one possible implementation manner of the present disclosure, at least two items may be selected first, and then feature abstraction is performed on the selected items to obtain a feature abstraction result, and a security check environment is generated based on the feature abstraction result.
In another possible implementation manner of the present disclosure, feature abstraction may be performed on each item to obtain a feature abstraction result corresponding to each item, and the feature abstraction results of at least two of the items are then selected to generate the security check environment.
In yet another possible implementation manner of the present disclosure, an overall verification environment may be generated based on the feature abstract results corresponding to the three items, and after at least two items are selected, unselected items in the overall verification environment may be closed/masked to obtain a security verification environment corresponding to the selected items for verifying the target application.
Feature abstraction based on the abnormal operation environment may be implemented by abstracting the features in which the abnormal operation environment differs from the normal operation environment, so as to obtain a feature abstraction result, for example, the plug-in type of a plug-in.
The implementation manner of feature abstraction based on the abnormal operation state may be to abstract features of the abnormal operation state different from those of the normal operation state, so as to obtain feature abstraction results, such as dynamic link library keywords.
The implementation manner of feature abstraction based on the abnormal network environment may be to abstract different features of the abnormal network environment relative to the normal network environment, so as to obtain a feature abstraction result, for example, an interception manner of intercepting the streaming data.
Optionally, the security check environment may be generated by adjusting an initial check environment with the feature abstraction results of at least two of the abnormal operation environment, the abnormal operation state and the abnormal network environment. That is, the security check environment is generated by the following steps:
acquiring an initial inspection environment, an abnormal operation state and an abnormal network environment;
Performing feature abstraction on the abnormal operation environment, the abnormal operation state and the abnormal network environment to generate an abnormal operation environment abstract feature corresponding to the abnormal operation environment, an abnormal operation state abstract feature corresponding to the abnormal operation state and an abnormal network environment abstract feature corresponding to the abnormal network environment;
and adjusting the initial inspection environment based on at least two of the abnormal operation environment abstract feature, the abnormal operation state abstract feature and the abnormal network environment abstract feature to generate a safety inspection environment.
When the target application is tested, testing it directly against each item separately may cause conflicts between the items or overload the electronic device, which makes the security check level of the target application inaccurate. The security check environment is therefore generated from at least two of the items, and the target application is tested in that security check environment.
Specifically, the initial inspection environment refers to an initial environment for inspecting the item to be inspected, and the initial inspection environment does not include features corresponding to each item, for example, features corresponding to an abnormal operation environment, an abnormal operation state and an abnormal network environment. The abnormal operation environment abstract feature refers to a feature corresponding to different environment states of the abnormal operation environment compared with the normal operation environment. The abnormal operation state feature refers to a feature corresponding to a different operation state of the abnormal operation state compared to the normal operation state. The abnormal network environment abstract feature refers to a feature corresponding to a different network environment of the abnormal network environment compared with the normal network environment.
The implementation manner of obtaining the initial inspection environment, the abnormal operation state and the abnormal network environment can be that the initial inspection environment, the abnormal operation state and the abnormal network environment are manually preset in a database of a server, and the server is directly obtained from the database.
Feature abstraction on the abnormal operation environment, the abnormal operation state and the abnormal network environment may be implemented as follows: identify the features corresponding to the environment states in which the abnormal operation environment differs from the normal operation environment, and abstract those features to obtain the abnormal operation environment abstract feature corresponding to the abnormal operation environment; identify the features corresponding to the operation states in which the abnormal operation state differs from the normal operation state, and abstract those features to obtain the abnormal operation state abstract feature corresponding to the abnormal operation state; and identify the features corresponding to the network environments in which the abnormal network environment differs from the normal network environment, and abstract those features to obtain the abnormal network environment abstract feature corresponding to the abnormal network environment.
The initial check environment may be adjusted based on at least two of the abnormal operation environment abstract feature, the abnormal operation state abstract feature and the abnormal network environment abstract feature by generating an integrated abstract feature from at least two of those abstract features and fusing the integrated abstract feature with the initial check environment to generate the security check environment.
By applying the scheme of this embodiment of the specification, the initial check environment is obtained, feature abstraction is performed on the abnormal operation environment, the abnormal operation state and the abnormal network environment, and the initial check environment is adjusted with the results to generate the security check environment. The generated security check environment therefore contains the abstract features of at least two of the abnormal operation environment, the abnormal operation state and the abnormal network environment, that is, it is a security check environment adjusted with the features of multiple anomalies, which makes the check result for the target application more accurate.
Optionally, a simulated check environment is generated from at least two of the abstract features obtained by feature abstraction of the abnormal operation environment, the abnormal operation state and the abnormal network environment, and the simulated check environment is added to the initial check environment to generate the security check environment. That is, the step of adjusting the initial check environment based on at least two of the abnormal operation environment abstract feature, the abnormal operation state abstract feature and the abnormal network environment abstract feature to generate the security check environment includes the following steps:
Generating a simulation test environment based on at least two of the abnormal operation environment abstract feature, the abnormal operation state abstract feature and the abnormal network environment abstract feature;
the simulated verification environment is added to the initial verification environment to generate a security verification environment.
Specifically, the simulated inspection environment refers to an inspection environment obtained by performing environmental simulation using characteristics required for the inspection environment.
The simulated check environment may be generated from at least two of the abnormal operation environment abstract feature, the abnormal operation state abstract feature and the abnormal network environment abstract feature by selecting any two of those abstract features and generating the simulated check environment from the selected two.
The simulated check environment may be added to the initial check environment by overlaying the simulated check environment onto the initial check environment according to the environment information of the initial check environment, so as to generate the security check environment. The environment information may be the installation platform, system, device and the like of the initial check environment, or the installation mode of the initial check environment.
By applying the scheme of this embodiment of the specification, a simulated check environment is generated based on at least two of the abnormal operation environment abstract feature, the abnormal operation state abstract feature and the abnormal network environment abstract feature, and the simulated check environment is added to the initial check environment to generate the security check environment. Adding a simulated check environment generated from the abstract features to the initial check environment ensures the check accuracy of the security check environment while improving the efficiency of generating it.
Optionally, the step performs feature abstraction on the abnormal operation environment to generate an abstract feature of the abnormal operation environment corresponding to the abnormal operation environment, and includes the following steps:
identifying the plug-in type of the plug-in in the abnormal operation environment;
based on the plug-in type, obtaining the abstract characteristics of the abnormal operation environment corresponding to the abnormal operation environment.
Specifically, a plug-in is a component that extends the functions of software without modifying the program body. The plug-in type refers to the type corresponding to the plug-in.
The plug-in type of the plug-in in the abnormal operation environment may be identified by identifying the plug-in in the carrier corresponding to the abnormal operation environment, comparing the plug-in with a preset plug-in type library, and determining the plug-in type corresponding to the plug-in. For example, the plug-in type of a plug-in in a jailbreak environment is a software repository, such as a graphical interface front end or an application store.
The abnormal operation environment abstract feature corresponding to the abnormal operation environment may be obtained from the plug-in type by extracting the feature corresponding to the plug-in, based on the plug-in and its plug-in type, and taking that feature as the abnormal operation environment abstract feature; for example, the abnormal operation environment abstract feature may be Cydia.
By applying the scheme of this embodiment of the specification, the plug-in type of the plug-in in the abnormal operation environment is identified, and the abnormal operation environment abstract feature corresponding to the abnormal operation environment is obtained based on the plug-in type. The features of the abnormal operation environment are abstracted through the relationship between the abnormal operation environment and the plug-in type, yielding the abnormal operation environment abstract feature that is later used to generate the security check environment for checking.
Optionally, the step performs feature abstraction on the abnormal operation state to generate an abnormal operation state abstract feature corresponding to the abnormal operation state, and includes the following steps:
identifying a dynamic link library keyword in an abnormal operation state;
and obtaining the abstract characteristics of the abnormal operation state corresponding to the abnormal operation state based on the dynamic link library keywords.
Specifically, dynamic link library keywords refer to keywords associated with a dynamic link library. A dynamic link library (DLL) is a separate file containing many functions that applications and other DLLs can call to accomplish specific tasks. A DLL is typically not executed directly and typically does not receive messages; it is only started when another module calls a function it contains.
The implementation manner of identifying the keywords of the dynamic link library in the abnormal operation state may be to search the dynamic link library in the abnormal operation state and obtain the keywords in the dynamic link library.
The abnormal operation state abstract feature corresponding to the abnormal operation state may be obtained from the dynamic link library keywords by comparing the keywords with a preset keyword repository, determining the framework information of the target framework that contains the keywords, and extracting features from that framework information. The preset keyword repository records the correspondence between dynamic link library keywords and frameworks; for example, the target framework may be the Frida framework, the Cydia Substrate framework, the fishhook framework or the Method Swizzle framework.
By applying the scheme of the embodiment of the specification, the keywords of the dynamic link library in the abnormal operation state are identified; based on the dynamic link library keywords, obtaining the abstract features of the abnormal operation state corresponding to the abnormal operation state, and abstracting the features corresponding to the abnormal operation state through the relation between the abnormal operation state and the dynamic link library keywords to obtain the abstract features of the abnormal operation state for subsequent generation of a safety inspection environment for inspection.
Optionally, the step performs feature abstraction on the abnormal network environment to generate an abstract feature of the abnormal network environment corresponding to the abnormal network environment, and includes the following steps:
identifying an interception mode for intercepting the traffic data in the abnormal network environment;
based on the interception mode, obtaining the abstract characteristics of the abnormal network environment corresponding to the abnormal network environment.
Specifically, traffic data refers to data generated when accessing the Internet; for example, the traffic data may be data for accessing the Internet over mobile data traffic, or data for accessing the Internet over a wireless network. The interception mode refers to the way in which traffic data from a client to the Internet is intercepted.
The interception mode for intercepting traffic data in the abnormal network environment may be identified by simulating an access request to the Internet, inspecting the access link, determining an abnormal interception point in the access link, and determining the interception mode from that abnormal interception point.
The abnormal network environment abstract feature corresponding to the abnormal network environment may be obtained from the interception mode by determining the interception information corresponding to the interception mode and performing feature extraction on that interception information; for example, the abnormal network environment abstract feature may be a network proxy, the SSL pinning mechanism and the like.
By applying the scheme of the embodiment of the specification, the interception mode for intercepting the flow data in the abnormal network environment is identified; based on the interception mode, obtaining an abstract feature of the abnormal network environment corresponding to the abnormal network environment, abstracting the feature corresponding to the abnormal network environment through the relation between the abnormal network environment and the interception mode, and obtaining the abstract feature of the abnormal network environment for subsequent generation of a security inspection environment for inspection.
Step 306: Run the target application, and determine the security check level of the target application based on the running result.
In one or more embodiments of the present description, a verification task for a target application is received, and the target application is deployed in a security verification environment based on the verification task, wherein the security verification environment is generated by performing feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state, and an abnormal network environment; the target application is run in a security verification environment to determine a security verification level of the target application.
Specifically, the running result refers to the result of running the application; for example, the running result may be failure or success. The running result differs with the running mode: running may mean running the application or running an application function, so the running result may be, for example, failure to run the application or failure to run the application function. The security level characterizes the security performance of the checked application. For example, the security levels include a first security level and a second security level, where the first security level is higher than the second security level, that is, the security performance of an application at the first security level is higher than that of an application at the second security level.
The implementation manner of running the target application and determining the security check level of the target application based on the running result may be that the target application is run, the running result corresponding to the target application is determined, the security check level of the target application is determined based on the running result, for example, the game application is opened, the game application is successfully opened, and the security check level of the target application is determined based on the running result that the game application is successfully opened.
Optionally, after the operation result is that the operation is successful, an application function in the target application can be operated, and the security inspection level of the target application is determined based on the operation result corresponding to the application function.
When the target application runs, it checks for abnormal conditions and decides from the detection result whether to run, and the running result is determined by that decision. For example, when the target application runs in a jailbreak environment and its check detects the Cydia application, the target application decides not to run, so the running result is failure. As another example, the application determines whether a dynamic link library has been injected into it by reading the value of the environment variable DYLD_INSERT_LIBRARIES: if the value is not empty, the target application is at risk of dynamic link library injection; if analysis of the returned value finds the name keyword of a framework such as MobileSubstrate or Frida, the target application is determined to be hooked; and if the target application detects that it is hooked, it decides not to run.
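The environment-variable check described above, as an added C example (not code from the patent): it splits the colon-separated `DYLD_INSERT_LIBRARIES` value, matches each entry against a keyword store and returns one of the three outcomes the paragraph names. The keyword table, the type and function names, and the sample values in `main` are assumptions constructed for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The three outcomes named in the paragraph above. */
typedef enum {
    INJ_CLEAN  = 0,  /* variable unset or empty */
    INJ_RISK   = 1,  /* non-empty value, no known framework keyword */
    INJ_HOOKED = 2   /* an entry names a known hooking framework */
} inj_verdict;

/* Constructed keyword store: lowercase keyword -> framework (assumption). */
struct keyword_entry { const char *keyword; const char *framework; };
static const struct keyword_entry KEYWORD_STORE[] = {
    { "mobilesubstrate", "Cydia Substrate" },
    { "frida",           "Frida" },
};

struct inj_report {
    inj_verdict verdict;
    const char *framework;  /* NULL unless verdict == INJ_HOOKED */
    char library[256];      /* list entry that matched, "" otherwise */
};

/* Case-insensitive search for a lowercase needle in hay[0..len). */
static int contains_ci(const char *hay, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > len)
        return 0;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n &&
               tolower((unsigned char)hay[i + j]) == (unsigned char)needle[j])
            j++;
        if (j == n)
            return 1;
    }
    return 0;
}

/* Classify a DYLD_INSERT_LIBRARIES value (a colon-separated library list). */
struct inj_report classify_insert_libraries(const char *value)
{
    struct inj_report r = { INJ_CLEAN, NULL, "" };
    if (value == NULL || *value == '\0')
        return r;
    r.verdict = INJ_RISK;  /* something was requested for injection */
    const char *p = value;
    while (*p) {
        size_t len = strcspn(p, ":");  /* length of the current entry */
        for (size_t k = 0;
             k < sizeof KEYWORD_STORE / sizeof KEYWORD_STORE[0]; k++) {
            if (contains_ci(p, len, KEYWORD_STORE[k].keyword)) {
                size_t c = len < sizeof r.library - 1
                         ? len : sizeof r.library - 1;
                memcpy(r.library, p, c);
                r.library[c] = '\0';
                r.verdict = INJ_HOOKED;
                r.framework = KEYWORD_STORE[k].framework;
                return r;
            }
        }
        p += len;
        if (*p == ':')
            p++;
    }
    return r;
}

/* Returns 1 if the app should keep running, 0 if it should refuse to run. */
int should_run(void)
{
    const char *v = getenv("DYLD_INSERT_LIBRARIES");
    return classify_insert_libraries(v).verdict != INJ_HOOKED;
}

int main(void)
{
    /* Constructed sample values, not taken from a real device. */
    const char *samples[] = {
        "",
        "/opt/example/libprofiler.dylib",
        "/opt/example/libprofiler.dylib:"
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/tmp/FridaGadget.dylib",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct inj_report r = classify_insert_libraries(samples[i]);
        printf("verdict=%d framework=%s library=%s\n", (int)r.verdict,
               r.framework ? r.framework : "-", r.library);
    }
    return 0;
}
```

An empty value does not prove that nothing was injected, which is why the patent treats this check as one item among several.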
Optionally, the step 306 runs the target application, and determines the security check level of the target application based on the running result, including the following steps:
operating a target application to obtain an application operation result corresponding to the target application;
under the condition that the application running result is failure, determining the security check level of the target application as a first security check level;
and under the condition that the application running result is successful, determining the security check level of the target application as a second security check level, wherein the second security check level is lower than the first security check level.
The target application may be run, and the application running result obtained, by running the target application in the security check environment and determining the application running result from the application running state of the target application.
Where the application running result is failure, the security check level of the target application is determined to be the first security check level: the target application fails to run, which shows that it recognized the anomaly in the security check environment, so the target application is determined to have strong security and to remain secure in an abnormal environment.
Where the application running result is success, the security check level of the target application is determined to be the second security check level: the target application runs successfully, which shows that it did not recognize the anomaly in the security check environment, so its security is determined to be lower than that of a target application at the first security check level.
Optionally, under the condition that the application running result is successful, the application function corresponding to the target application can be run, the corresponding application running result is obtained, and the security inspection level corresponding to the target application is determined based on the application running result.
By applying the scheme of this embodiment of the specification, the target application is run to obtain the application running result corresponding to the target application; where the application running result is failure, the security check level of the target application is determined to be the first security check level; where the application running result is success, the security check level of the target application is determined to be the second security check level, which is lower than the first security check level. The application running result is determined by running the target application in the security check environment, and the security check level of the target application is then determined from that result, so the security check level is derived from the security check environment, the target application and the running operation, which ensures the accuracy of the security check level.
Optionally, in the case that the security check level of the target application in the step is the second security check level, the method further includes the following steps:
operating the application function in the target application to obtain a function operation result corresponding to the target application;
under the condition that the function operation result is failure, determining the security check level of the target application as a third security check level;
and under the condition that the function operation result is successful, determining the security check level of the target application as a fourth security check level, wherein the fourth security check level is lower than the third security check level.
Specifically, the application function refers to a function included in an application, for example, the target application is a payment type application, and the application function may be a payment function.
The implementation manner of running the application function in the target application to obtain the function running result corresponding to the target application may be running the application function in the security check environment, determining the function running result based on the application function running state of the target application, for example, the target application is a payment type application, clicking the payment function in the payment type application, determining the running state of the payment function in the payment type application, that is, whether the payment button can be clicked or not, and determining the function running result.
Where the function running result is failure, the security check level of the target application is determined to be the third security check level: the target application detected the current abnormal environment and therefore closed the application function, so the function running result is failure, that is, the target application recognized the current abnormal environment. The third security check level may indicate that the target application has at least one security protection mechanism and medium security performance, that is, lower security than an application at the first security check level.
Where the function running result is success, the security check level of the target application is determined to be the fourth security check level: the target application did not detect that it is currently in an abnormal environment, so the function running result is success, that is, the target application did not recognize the current abnormal environment. The fourth security check level may indicate that the security of the target application is low and that it is at risk of being compromised.
By applying the scheme of this embodiment of the specification, the application function in the target application is run to obtain the function running result corresponding to the target application; where the function running result is failure, the security check level of the target application is determined to be the third security check level; where the function running result is success, the security check level of the target application is determined to be the fourth security check level, which is lower than the third security check level. The function running result is determined by running the target application in the security check environment, and the security check level of the target application is then determined from that result, so the security check level is derived from the security check environment, the target application and the running operation, which ensures the accuracy of the security check level.
Optionally, the security check environment is the environment of a security check platform; deploying the target application in the security check environment based on the verification task in step 304 includes the following step:
based on the verification task, the target application is installed on the security verification platform.
Specifically, the security verification platform refers to a platform deploying a security verification environment, for example, an application is run in the security verification platform, and the application is determined to run in the security verification environment.
When a verification task for the target application is received, the target application needs to be checked, so the target application is installed on the security check platform in order to run it there and determine its security check level.
According to the scheme of the embodiment of the specification, the target application is installed on the security inspection platform based on the inspection task, so that the target application can be operated in the security inspection platform later, the security inspection grade corresponding to the target application is determined, a carrier is provided for determining the security inspection grade, and the implementation of determining the security inspection grade is ensured.
Optionally, the running target application in step 306 includes the following steps:
and running the target application on the security inspection platform.
The target application installed on the security check platform is run on that platform to obtain the corresponding running result, and the security check level of the target application is obtained from that running result.
By applying the scheme of the embodiment of the specification, the target application is operated on the security inspection platform for subsequent determination of the security inspection level of the target application based on the operation result of the operation on the security inspection platform, a carrier for installing the target application is provided for determining the security inspection level, and the implementation of determining the security inspection level is ensured.
The security check method provided in this specification is further described below with reference to FIG. 4a, taking its application to the checking of a target application as an example. FIG. 4a shows a flowchart of the processing procedure of a security check method according to an embodiment of this specification, which specifically includes the following steps.
Step 402: receive a verification task for a target application.
Step 404: based on the verification task, deploy the target application in a security check environment.
Step 406: run the target application to obtain an application running result corresponding to the target application.
Step 408: if the application running result is failure, determine that the security check level of the target application is a first security check level.
Step 410: if the application running result is success, determine that the security check level of the target application is a second security check level, where the second security check level is lower than the first security check level.
Step 412: if the security check level of the target application is the second security check level, run an application function in the target application to obtain a function running result corresponding to the target application.
Step 414: if the function running result is failure, determine that the security check level of the target application is a third security check level.
Step 416: if the function running result is success, determine that the security check level of the target application is a fourth security check level, where the fourth security check level is lower than the third security check level.
It should be noted that steps 402 to 416 are implemented in the same way as the security check method provided in FIG. 3, and the details are not repeated here.
Referring to FIG. 4b, which is a schematic process flow diagram of a security check method according to an embodiment of this specification:
An iOS application is installed and run on a security check platform. The security check items in the security check environment of the security check platform include an abnormal operation environment, an abnormal operation state, and an abnormal network environment, where:
Abnormal operation environment: the iOS application is run on an iOS system in a jailbroken environment.
Abnormal operation state: 1. the iOS application is hooked using the Cydia Substrate framework; 2. the iOS application is hooked using the Frida framework; 3. the application is hooked using the fishhook framework; 4. the application is hooked using the Method Swizzle framework.
Abnormal network environment: 1. the network proxy address in the iOS system is set to a controllable data packet analysis tool; 2. the SSL Kill Switch plug-in, which bypasses forced HTTP authentication, is enabled in the iOS system.
It is judged whether the iOS application runs successfully. If not, the application running result is determined to be failure and the security check level of the iOS application is determined to be the first security check level, that is, the iOS application is determined to have higher security. If so, the application running result is determined to be success and the security check level of the iOS application is determined to be the second security check level.
When the security check level of the iOS application is determined to be the second security check level, an application function in the iOS application is run and it is judged whether the function can be used normally. If not, the function running result is determined to be failure and the security check level of the iOS application is determined to be the third security check level, that is, the iOS application is determined to have at least one security protection mechanism and its security is medium. If so, the function running result is determined to be success and the security check level of the iOS application is determined to be the fourth security check level, that is, the security of the iOS application is determined to be low and it is at risk of being compromised.
By applying the solution of this embodiment of the specification, a verification task for a target application is received; based on the verification task, the target application is deployed in a security check environment, where the security check environment is generated by feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment; and the target application is run, and its security check level is determined based on the running result. Because the target application, on receipt of the verification task, is deployed and checked in a security check environment generated by feature abstraction from at least two of these three kinds of abnormal condition, the security check level that is determined is more accurate; subsequent processing can be based on that level, which further ensures the security of the target application.
Corresponding to the above method embodiments, the present disclosure further provides an embodiment of a security inspection device, and fig. 5 shows a schematic structural diagram of a security inspection device provided in one embodiment of the present disclosure. As shown in fig. 5, the apparatus includes:
A receiving module 502 configured to receive a verification task for a target application;
a deployment module 504 configured to deploy a target application in a security check environment based on the check task, wherein the security check environment is generated based on feature abstraction of at least two of an abnormal operating environment, an abnormal operating state, and an abnormal network environment;
the determining module 506 is configured to run the target application, and determine a security check level of the target application based on a result of the running.
Optionally, the security check environment is generated by the following modules: an acquisition module configured to acquire an initial inspection environment, an abnormal operation state, and an abnormal network environment; a feature generation module configured to perform feature abstraction on the abnormal operation environment, the abnormal operation state and the abnormal network environment, and to generate an abnormal operation environment abstract feature corresponding to the abnormal operation environment, an abnormal operation state abstract feature corresponding to the abnormal operation state and an abnormal network environment abstract feature corresponding to the abnormal network environment; and an environment generation module configured to adjust the initial inspection environment based on at least two of the abnormal operation environment abstract feature, the abnormal operation state abstract feature and the abnormal network environment abstract feature, and to generate the security inspection environment.
Optionally, the environment generating module is further configured to generate a simulated inspection environment based on at least two of the abnormal operation environment abstract feature, the abnormal operation state abstract feature and the abnormal network environment abstract feature; the simulated verification environment is added to the initial verification environment to generate a security verification environment.
Optionally, the feature generating module is further configured to identify the plug-in type of the plug-in in the abnormal operation environment, and to obtain, based on the plug-in type, the abnormal operation environment abstract feature corresponding to the abnormal operation environment.
Optionally, the feature generating module is further configured to identify a dynamic link library keyword in the abnormal operation state; and obtaining the abstract characteristics of the abnormal operation state corresponding to the abnormal operation state based on the dynamic link library keywords.
Optionally, the feature generating module is further configured to identify an interception mode for intercepting the traffic data in the abnormal network environment; based on the interception mode, obtaining the abstract characteristics of the abnormal network environment corresponding to the abnormal network environment.
Optionally, the determining module is further configured to run the target application to obtain an application running result corresponding to the target application; under the condition that the application running result is failure, determining the security check level of the target application as a first security check level; and under the condition that the application running result is successful, determining the security check level of the target application as a second security check level, wherein the second security check level is lower than the first security check level.
Optionally, the security inspection device further comprises an obtaining module configured to run an application function in the target application, and obtain a function running result corresponding to the target application; the third security inspection level determining module is configured to determine that the security inspection level of the target application is the third security inspection level when the function operation result is failure; and the fourth security inspection level determining module is configured to determine that the security inspection level of the target application is a fourth security inspection level under the condition that the function operation result is successful, wherein the fourth security inspection level is lower than the third security inspection level.
Optionally, the security inspection environment is an environment of a security inspection platform; the deployment module is further configured to install the target application on the security inspection platform based on the inspection task.
Optionally, the determining module is further configured to run the target application at the security verification platform.
By applying the solution of this embodiment of the specification, a verification task for a target application is received; based on the verification task, the target application is deployed in a security check environment, where the security check environment is generated by feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment; and the target application is run, and its security check level is determined based on the running result. Because the target application, on receipt of the verification task, is deployed and checked in a security check environment generated by feature abstraction from at least two of these three kinds of abnormal condition, the security check level that is determined is more accurate; subsequent processing can be based on that level, which further ensures the security of the target application.
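The flow described above (feature abstraction from plug-in type, dynamic link library keyword and interception mode; composing the check environment from at least two categories; the four-level grading of steps 402 to 416) is shown here as an added Python example, which is not code from the patent. The keyword tables, the feature names, the sample observations and the `launch`/`exercise` callables that stand in for a real run on the check platform are assumptions made for this example.

```python
from enum import Enum, IntEnum


class Category(Enum):
    ENVIRONMENT = "abnormal operation environment"
    STATE = "abnormal operation state"
    NETWORK = "abnormal network environment"


class Level(IntEnum):
    FIRST = 1    # application did not run: higher security
    SECOND = 2   # application ran; application function not exercised yet
    THIRD = 3    # application ran, function failed: medium security
    FOURTH = 4   # application and function both ran: low security


# Assumption: keyword tables constructed for this example. The patent names
# the tools but does not list concrete keywords or feature names.
RULES = {
    "plugin": (Category.ENVIRONMENT, {"jailbreak": "jailbroken-system"}),
    "dylib": (Category.STATE, {"substrate": "substrate-hook",
                               "frida": "frida-hook",
                               "fishhook": "fishhook-rebind"}),
    "intercept": (Category.NETWORK, {"proxy": "proxied-traffic",
                                     "ssl kill switch": "tls-check-bypass"}),
}


def abstract_features(observations):
    """Map raw (kind, description) observations to (Category, feature) pairs."""
    features = []
    for kind, text in observations:
        if kind not in RULES:
            raise ValueError(f"unknown observation kind: {kind!r}")
        category, keywords = RULES[kind]
        lowered = text.lower()
        for keyword, feature in keywords.items():
            pair = (category, feature)
            if keyword in lowered and pair not in features:
                features.append(pair)
    return features


def build_check_environment(initial_env, features):
    """Add the simulated conditions to a copy of the initial check environment."""
    present = {category for category, _ in features}
    if len(present) < 2:
        raise ValueError("features from at least two categories are required")
    env = dict(initial_env)
    env["simulated"] = {
        c.value: sorted(f for cat, f in features if cat is c)
        for c in Category if c in present
    }
    return env


def check_level(env, launch, exercise=None):
    """Grade one application; launch/exercise report whether the run succeeded."""
    if not launch(env):
        return Level.FIRST           # step 408
    if exercise is None:
        return Level.SECOND          # step 410, function check not requested
    # Steps 412-416: the level is SECOND here, so run the application function.
    return Level.FOURTH if exercise(env) else Level.THIRD


# Constructed sample observations (not taken from the patent).
OBSERVATIONS = [
    ("plugin", "jailbreak plug-in present on the test device"),
    ("dylib", "FridaGadget.dylib"),
    ("dylib", "MobileSubstrate.dylib"),
    ("intercept", "system proxy set to a packet analysis tool"),
]


def demo():
    """Grade three constructed applications with different protections."""
    env = build_check_environment({"platform": "test-device"},
                                  abstract_features(OBSERVATIONS))
    hooks, network = Category.STATE.value, Category.NETWORK.value
    return {
        # Refuses to start when a hooking library is loaded.
        "refuses-to-start": check_level(
            env, lambda e: hooks not in e["simulated"], lambda e: True),
        # Starts, but disables its function when traffic is intercepted.
        "blocks-function": check_level(
            env, lambda e: True, lambda e: network not in e["simulated"]),
        # No protection mechanism at all.
        "unprotected": check_level(env, lambda e: True, lambda e: True),
    }


if __name__ == "__main__":
    for app, level in demo().items():
        print(app, level.name)
```
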
The embodiments in this specification are described in a progressive manner; identical or similar parts of the embodiments may be referred to across embodiments, and each embodiment focuses on its differences from the others. In particular, because the security check device embodiment is substantially similar to the security check method embodiment, its description is relatively brief; for relevant details, refer to the corresponding parts of the description of the method embodiment.
FIG. 6 illustrates a block diagram of a computing device provided by one embodiment of the present description. The components of computing device 600 include, but are not limited to, memory 610 and processor 620. The processor 620 is coupled to the memory 610 via a bus 630 and a database 650 is used to hold data.
Computing device 600 also includes an access device 640, which enables computing device 600 to communicate via one or more networks 660. Examples of such networks include a public switched telephone network (PSTN), a local area network (LAN), a wide area network (WAN), a personal area network (PAN), or a combination of communication networks such as the Internet. The access device 640 may include one or more of any type of network interface, wired or wireless, such as a network interface card (NIC; network interface controller), an IEEE 802.11 wireless local area network (WLAN) wireless interface, a Worldwide Interoperability for Microwave Access (WiMAX) interface, an Ethernet interface, a universal serial bus (USB) interface, a cellular network interface, a Bluetooth interface, or a near field communication (NFC) interface.
In one embodiment of the present description, the above-described components of computing device 600, as well as other components not shown in FIG. 6, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device shown in FIG. 6 is for exemplary purposes only and is not intended to limit the scope of the present description. Those skilled in the art may add or replace other components as desired.
Computing device 600 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), a mobile phone (e.g., smart phone), a wearable computing device (e.g., smart watch, smart glasses, etc.), or another type of mobile device, or a stationary computing device such as a desktop computer or personal computer (PC). Computing device 600 may also be a mobile or stationary server.
Wherein the processor 620 is configured to execute computer-executable instructions that, when executed by the processor, perform the steps of the security verification method described above.
The embodiments in this specification are described in a progressive manner; identical or similar parts of the embodiments may be referred to across embodiments, and each embodiment focuses on its differences from the others. In particular, because the computing device embodiment is substantially similar to the security check method embodiment, its description is relatively brief; for relevant details, refer to the corresponding parts of the description of the method embodiment.
An embodiment of the present disclosure also provides a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of the security verification method described above.
The embodiments in this specification are described in a progressive manner; identical or similar parts of the embodiments may be referred to across embodiments, and each embodiment focuses on its differences from the others. In particular, because the computer readable storage medium embodiment is substantially similar to the security check method embodiment, its description is relatively brief; for relevant details, refer to the corresponding parts of the description of the method embodiment.
An embodiment of the present disclosure also provides a computer program, wherein the computer program, when executed in a computer, causes the computer to perform the steps of the above-described security check method.
The embodiments in this specification are described in a progressive manner; identical or similar parts of the embodiments may be referred to across embodiments, and each embodiment focuses on its differences from the others. In particular, because the computer program embodiment is substantially similar to the security check method embodiment, its description is relatively brief; for relevant details, refer to the corresponding parts of the description of the method embodiment.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The computer instructions include computer program code, which may be in source code form, object code form, an executable file, some intermediate form, and so on. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content of the computer readable medium may be increased or decreased as appropriate according to the requirements of legislation and patent practice in a jurisdiction; for example, in certain jurisdictions, according to legislation and patent practice, the computer readable medium does not include electrical carrier signals and telecommunications signals.
It should be noted that the foregoing describes specific embodiments of the present invention. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous. Further, those skilled in the art will appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily all required for the embodiments described in the specification.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts that are not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are merely used to help clarify the present specification. Alternative embodiments are not intended to be exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the teaching of the embodiments. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the invention. This specification is to be limited only by the claims and the full scope and equivalents thereof.

Claims (22)

1. A security inspection method comprising:
receiving a verification task for a target application;
deploying the target application in a security verification environment based on the verification task, wherein the security verification environment is generated by performing feature abstraction based on at least two of an abnormal operation environment, an abnormal operation state and an abnormal network environment;
and running the target application, and determining the security check level of the target application based on the running result.
2. The method of claim 1, the generating of the security check environment comprising:
acquiring an initial inspection environment, an abnormal operation state and an abnormal network environment;
performing feature abstraction on the abnormal operation environment, the abnormal operation state and the abnormal network environment to generate an abnormal operation environment abstract feature corresponding to the abnormal operation environment, an abnormal operation state abstract feature corresponding to the abnormal operation state and an abnormal network environment abstract feature corresponding to the abnormal network environment;
and adjusting the initial inspection environment based on at least two of the abnormal operation environment abstract features, the abnormal operation state abstract features and the abnormal network environment abstract features to generate a safety inspection environment.
3. The method of claim 2, adjusting the initial verification environment based on at least two of the abnormal operating environment abstraction feature, the abnormal operating state abstraction feature, and the abnormal network environment abstraction feature, generating a security verification environment, comprising:
generating a simulation test environment based on at least two of the abnormal operation environment abstract feature, the abnormal operation state abstract feature and the abnormal network environment abstract feature;
the simulated verification environment is added to the initial verification environment to generate a security verification environment.
4. The method of claim 2, performing feature abstraction on the abnormal operation environment, generating an abnormal operation environment abstract feature corresponding to the abnormal operation environment, including:
identifying the plug-in type of the plug-in in the abnormal operation environment;
and obtaining the abstract characteristics of the abnormal operation environment corresponding to the abnormal operation environment based on the plug-in type.
5. The method of claim 2, performing feature abstraction on the abnormal operation state, generating an abnormal operation state abstract feature corresponding to the abnormal operation state, including:
identifying a dynamic link library keyword in the abnormal operation state;
and obtaining the abstract characteristics of the abnormal operation state corresponding to the abnormal operation state based on the dynamic link library keywords.
6. The method of claim 2, performing feature abstraction on the abnormal network environment, generating an abnormal network environment abstract feature corresponding to the abnormal network environment, comprising:
identifying an interception mode for intercepting the flow data in the abnormal network environment;
based on the interception mode, obtaining an abnormal network environment abstract feature corresponding to the abnormal network environment.
7. The method of claim 1, running the target application, and determining a security check level of the target application based on a result of the running, comprising:
operating the target application to obtain an application operation result corresponding to the target application;
under the condition that the application running result is failure, determining the security inspection level of the target application as a first security inspection level;
and under the condition that the application running result is successful, determining the security check level of the target application as a second security check level, wherein the second security check level is lower than the first security check level.
8. The method of claim 7, further comprising, in the event that the security level of the target application is a second security level:
operating the application function in the target application to obtain a function operation result corresponding to the target application;
under the condition that the function operation result is failure, determining the security inspection level of the target application as a third security inspection level;
and under the condition that the function operation result is successful, determining the security check level of the target application as a fourth security check level, wherein the fourth security check level is lower than the third security check level.
9. The method of claim 1, the security inspection environment being an environment of a security inspection platform;
deploying the target application in a security verification environment based on the verification task, comprising:
and installing the target application on the security inspection platform based on the inspection task.
10. The method of claim 9, running the target application, comprising:
and running the target application on the security inspection platform.
11. A security inspection device comprising:
a receiving module configured to receive a verification task for a target application;
a deployment module configured to deploy the target application in a security verification environment based on the verification task, wherein the security verification environment is generated based on feature abstraction of at least two of an abnormal operating environment, an abnormal operating state, and an abnormal network environment;
and a determining module configured to run the target application and determine the security inspection level of the target application based on a running result.
12. The apparatus of claim 11, the security check environment is generated as follows:
an acquisition module configured to acquire an initial inspection environment, an abnormal operation state, and an abnormal network environment;
the feature generation module is configured to perform feature abstraction on the abnormal operation environment, the abnormal operation state and the abnormal network environment, and generate an abnormal operation environment abstract feature corresponding to the abnormal operation environment, an abnormal operation state abstract feature corresponding to the abnormal operation state and an abnormal network environment abstract feature corresponding to the abnormal network environment;
the environment generation module is configured to adjust the initial inspection environment based on at least two of the abnormal operation environment abstract feature, the abnormal operation state abstract feature and the abnormal network environment abstract feature, and generate a security inspection environment.
13. The apparatus of claim 12, the environment generation module further configured to:
generating a simulation test environment based on at least two of the abnormal operation environment abstract feature, the abnormal operation state abstract feature and the abnormal network environment abstract feature;
the simulated verification environment is added to the initial verification environment to generate a security verification environment.
14. The apparatus of claim 12, the feature generation module further configured to:
identifying the plug-in type of the plug-in in the abnormal operation environment;
and obtaining the abstract characteristics of the abnormal operation environment corresponding to the abnormal operation environment based on the plug-in type.
15. The apparatus of claim 12, the feature generation module further configured to:
identifying a dynamic link library keyword in the abnormal operation state;
and obtaining the abstract characteristics of the abnormal operation state corresponding to the abnormal operation state based on the dynamic link library keywords.
16. The apparatus of claim 12, the feature generation module further configured to:
identifying an interception mode for intercepting the flow data in the abnormal network environment;
based on the interception mode, obtaining an abnormal network environment abstract feature corresponding to the abnormal network environment.
17. The apparatus of claim 11, the determination module further configured to:
operating the target application to obtain an application operation result corresponding to the target application;
under the condition that the application running result is failure, determining the security inspection level of the target application as a first security inspection level;
and under the condition that the application running result is successful, determining the security check level of the target application as a second security check level, wherein the second security check level is lower than the first security check level.
18. The apparatus of claim 17, further comprising:
the obtaining module is configured to run the application functions in the target application and obtain a function running result corresponding to the target application;
the third security inspection level determining module is configured to determine that the security inspection level of the target application is a third security inspection level when the function operation result is failure;
and the fourth security inspection level determining module is configured to determine that the security inspection level of the target application is a fourth security inspection level under the condition that the function operation result is successful, wherein the fourth security inspection level is lower than the third security inspection level.
19. The apparatus of claim 11, the security inspection environment being an environment of a security inspection platform;
the deployment module being further configured to:
and installing the target application on the security inspection platform based on the inspection task.
20. The apparatus of claim 19, the determination module further configured to:
and running the target application on the security inspection platform.
21. A computing device, comprising:
a memory and a processor;
the memory is configured to store computer executable instructions, the processor being configured to execute the computer executable instructions, which when executed by the processor, implement the steps of the method of any one of claims 1 to 10.
22. A computer readable storage medium storing computer executable instructions which when executed by a processor implement the steps of the method of any one of claims 1 to 10.
CN202310491926.4A 2023-05-04 2023-05-04 Security check method and device Pending CN116415259A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310491926.4A CN116415259A (en) 2023-05-04 2023-05-04 Security check method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310491926.4A CN116415259A (en) 2023-05-04 2023-05-04 Security check method and device

Publications (1)

Publication Number Publication Date
CN116415259A true CN116415259A (en) 2023-07-11

Family

ID=87059548

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310491926.4A Pending CN116415259A (en) 2023-05-04 2023-05-04 Security check method and device

Country Status (1)

Country Link
CN (1) CN116415259A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination