CN116582326A - Security verification method and device for application software, electronic equipment and storage medium - Google Patents

Abstract

The disclosure provides a security verification method and device for application software, electronic equipment and a storage medium, and can be applied to the technical field of information security. The method comprises the following steps: according to the timestamp of the current moment, a dynamic verification matrix of the current moment is obtained, the dynamic verification matrix characterizes dynamic logic protection relations among N sentinel nodes, and the sentinel nodes are used for carrying out safety verification on target application software, wherein N is more than or equal to 2; and verifying N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of the target application software.

Description

Security verification method and device for application software, electronic equipment and storage medium

Technical Field

The disclosure relates to the technical field of information security, and in particular relates to a security verification method and device for application software, electronic equipment and a storage medium.

Background

With the continuous development of internet technology, the variety and number of mobile terminal application software are gradually increasing. For the security protection scenario of the application software, the related technology generally verifies the application software based on a signature protection mechanism provided by the mobile terminal operating system, such as verifying the signature of the application software. After the application software runs the signature verification logic, the signature is found to be inconsistent, which means that the security of the application software is destroyed.

However, since the signature verification logic of the application software in the related technology is static and fixed, an attacker can locate the verification anchor point in the signature verification logic by accumulating the attack times, and then realize the attack operation by a method of bypassing the verification anchor point. Therefore, the related art has a technical problem of low safety and reliability of application software.

Disclosure of Invention

In view of the above, the present disclosure provides a method, an apparatus, an electronic device, and a storage medium for security verification of application software.

According to a first aspect of the present disclosure, there is provided a security verification method of application software, including:

acquiring a dynamic verification matrix at the current moment according to the timestamp of the current moment, wherein the dynamic verification matrix characterizes dynamic logic protection relations among N sentinel nodes, and the sentinel nodes are used for carrying out safety verification on target application software, wherein N is more than or equal to 2;

and verifying the N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of the target application software.

According to an embodiment of the present disclosure, the verifying the N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of the target application software includes:

Determining the verification sequence of the N sentinel nodes according to the logic protection relation represented by the dynamic verification matrix;

sequentially verifying the N sentinel nodes according to the verification sequence to obtain at least one node verification result, wherein the node verification result represents the verification result of the sentinel nodes; and

and determining the target verification result according to the at least one node verification result.

According to an embodiment of the present disclosure, the verifying, according to the verification sequence, the N sentinel nodes sequentially obtain at least one node verification result, including:

verifying the N sentinel nodes until the verification result of the ith node corresponding to the ith sentinel node is detected to be abnormal, stopping detecting and obtaining the verification result of the i nodes, wherein i is more than or equal to 1 and less than or equal to N;

and verifying the N sentinel nodes until each node verification result is detected to be normal, and obtaining N node verification results.

According to an embodiment of the present disclosure, the determining the target verification result according to the at least one node verification result includes:

determining the target verification result as abnormal under the condition that the abnormality exists in the at least one node verification result, and generating a verification report aiming at the target verification result according to the at least one node verification result;

And under the condition that the at least one node verification result is determined to be normal, determining the target verification result to be normal, and generating a verification report aiming at the target verification result according to the at least one node verification result.

According to an embodiment of the present disclosure, the method further comprises:

and executing a protection operation based on the verification report under the condition that the target verification result is determined to be abnormal.

According to an embodiment of the present disclosure, before obtaining the dynamic verification matrix at the current time according to the timestamp at the current time, the method further includes:

determining the N sentinel nodes according to the target application software;

the N guard nodes are utilized to form a dynamic guard linkage network related to time, and a relation exists between each guard node and at least one guard node in the guard linkage network; and

and generating the dynamic verification matrix according to the dynamic sentinel linkage network.

According to an embodiment of the present disclosure, the determining the N sentinel nodes according to the target application software includes:

dividing the target application software by taking the function as a unit to obtain M protection objects, wherein M is more than or equal to 2;

Determining L first nodes according to the M protection objects and the target application software, wherein the first nodes are used for protecting the protection objects, and L is more than or equal to M is more than or equal to 2; and

and determining (N-L) second nodes according to the L first nodes, wherein the second nodes are used for protecting the first nodes, and the N sentinel nodes comprise the L first nodes and the (N-L) second nodes.

According to an embodiment of the present disclosure, the determining, according to the M protection objects and the target application software, L first nodes includes:

determining the total number of the first nodes according to the security level and the performance data of the target application software; and

and determining one or more first nodes corresponding to each protection object according to the protection intensity weight of the protection object and the total number of the first nodes so as to obtain the L first nodes for protecting the M protection objects.

A second aspect of the present disclosure provides a security verification apparatus for application software, including:

the acquisition module is used for acquiring a dynamic verification matrix at the current moment according to the timestamp at the current moment, wherein the dynamic verification matrix characterizes dynamic logic protection relations among N sentinel nodes, and the sentinel nodes are used for carrying out safety verification on target application software, wherein N is more than or equal to 2;

And the verification module is used for verifying the N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of the target application software.

A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the security verification method of the application software.

A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the security verification method of application software described above.

A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the security verification method of application software described above.

According to the embodiment of the disclosure, a dynamic verification matrix at the current moment is obtained according to the timestamp at the current moment, and the dynamic verification matrix characterizes the dynamic logic protection relationship among N sentinel nodes; and verifying the N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of target application software, so that safety verification based on time-dimension variability is realized, and the reliability of the safety verification method is improved. Because the dynamic verification matrix in the embodiment of the disclosure is time-varying, correspondingly, the logic protection relationship in the dynamic verification matrix is also dynamic, so that the number of the sentinel nodes at each moment and the logic protection relationship among a plurality of sentinel nodes are different. Therefore, the dynamic verification matrix related to the time stamp is utilized for verification, so that an attacker cannot attack the application software through accumulated attack times, and the safety of the application software and the reliability of a safety verification method are improved.

Drawings

The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:

FIG. 1 schematically illustrates an application scenario diagram of a security verification method of application software according to an embodiment of the present disclosure;

FIG. 2 schematically illustrates a flow chart of a security verification method of application software according to an embodiment of the disclosure;

FIG. 3 schematically illustrates a flow chart of a method of determining a target verification result in accordance with an embodiment of the disclosure;

FIG. 4 schematically illustrates a security verification scenario in accordance with a specific embodiment of the present disclosure;

fig. 5A schematically illustrates a security verification scenario at time a according to an embodiment of the present disclosure;

fig. 5B schematically illustrates a security verification scenario at time B according to an embodiment of the present disclosure;

FIG. 6 schematically illustrates a flow chart of a method of generating a dynamic verification matrix in accordance with an embodiment of the disclosure;

FIG. 7 schematically illustrates a generation schematic of a dynamic verification matrix according to an embodiment of the disclosure;

FIG. 8 schematically illustrates a block diagram of a security verification apparatus for application software according to an embodiment of the present disclosure; and

fig. 9 schematically illustrates a block diagram of an electronic device adapted for a security verification method of application software according to an embodiment of the disclosure.

Detailed Description

Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.

All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.

Where expressions like at least one of "A, B and C, etc. are used, the expressions should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g.," a system having at least one of A, B and C "shall include, but not be limited to, a system having a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).

In the technical scheme of the disclosure, the related data (such as including but not limited to personal information of a user) are collected, stored, used, processed, transmitted, provided, disclosed, applied and the like, all conform to the regulations of related laws and regulations, necessary security measures are adopted, and the public welcome is not violated.

In the related art, for application software of an android operating system, a signature verification logic is generally generated in advance based on mobile terminal operation information, and then a verification anchor point is set at a preset position of the application software based on the signature verification logic. And when the signature is verified, verifying the signature verification result of each verification anchor point by traversing the whole application software. If the signatures are found to be inconsistent, the application software is indicated to have security risks.

However, the signature verification logic of the security verification scheme is fixed, and the signature verification logic features are obvious. An attacker can position verification anchor points in the application software one by accumulating the attack times. After positioning the verification anchor point in the application software, an attacker bypasses the verification anchor point through technologies such as dynamic injection or Hook (Hook) and the like to realize the attack behavior. On the basis of the security verification scheme, even if the number of verification anchor points is increased, an attacker can realize the attack behavior by accumulating the attack times. Therefore, there is a technical problem in the related art that security verification reliability is low.

The embodiment of the disclosure provides a security verification method of application software, comprising the following steps: according to the timestamp of the current moment, a dynamic verification matrix of the current moment is obtained, the dynamic verification matrix characterizes dynamic logic protection relations among N sentinel nodes, and the sentinel nodes are used for carrying out safety verification on target application software, wherein N is more than or equal to 2; and verifying N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of the target application software.

Fig. 1 schematically illustrates an application scenario diagram of a security verification method of application software according to an embodiment of the present disclosure.

As shown in fig. 1, an application scenario 100 according to this embodiment may include a terminal 101 and a server 102. The terminal 101 includes various terminal devices such as a first terminal device 101-1, a second terminal device 101-2, and a third terminal device 101-3.

Communication between the first terminal device 101-1, the second terminal device 101-2, the third terminal device 101-3, and the server 102 may be achieved through a network. The network may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.

The first terminal device 101-1, the second terminal device 101-2, the third terminal device 101-3 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.

Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the first terminal device 101-1, the second terminal device 101-2, and the third terminal device 101-3. The user may interact with the server 102 through a network using at least one of the first terminal device 101-1, the second terminal device 101-2, the third terminal device 101-3 to receive or send messages, etc.

The server 102 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by the user using the first terminal device 101-1, the second terminal device 101-2, and the third terminal device 101-3. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.

For another example, the server 102 may generate a dynamic verification matrix that varies with time, and send the dynamic verification matrix to at least one of the first terminal device 101-1, the second terminal device 101-2, and the third terminal device 101-3 to implement security verification of the application software in the terminal device.

It should be noted that, the security verification method of the application software provided by the embodiments of the present disclosure may be generally executed by the terminal 101. Accordingly, the security verification device for application software provided in the embodiments of the present disclosure may be generally disposed in the terminal 101.

For example, the terminal 101 obtains a dynamic verification matrix of the current time from the server 102 according to the timestamp of the current time; and verifying N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of the target application software.

The security verification method of the application software provided by the embodiment of the present disclosure may also be executed by the server 102. Accordingly, the security verification device for application software provided in the embodiments of the present disclosure may be generally disposed in the server 102.

For example, the server 102 obtains a timestamp of the current time, and obtains a dynamic verification matrix of the current time according to the timestamp of the current time; and verifying the N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of the target application software, and returning the target verification result to the terminal 101.

The security verification method of application software provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 102 and is capable of communicating with the terminal 101 and/or the server 102. Accordingly, the security verification device of the application software provided by the embodiments of the present disclosure may also be provided in a server or a server cluster different from the server 102 and capable of communicating with the terminal 101 and/or the server 102.

For example, after the third party server obtains the timestamp of the current time, the dynamic verification matrix of the current time is obtained from the server 102 according to the timestamp of the current time. And the third party server verifies the N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of the target application software, and returns the target verification result to the terminal 101.

It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.

The security verification method of the application software of the disclosed embodiment will be described in detail below with reference to fig. 2 to 7 based on the scenario described in fig. 1.

Fig. 2 schematically illustrates a flowchart of a security verification method of application software according to an embodiment of the present disclosure.

As shown in fig. 2, the method 200 includes operations S210-S220.

In operation S210, a dynamic verification matrix at the current moment is obtained according to the timestamp at the current moment, where the dynamic verification matrix characterizes a dynamic logic protection relationship among N sentinel nodes, and the sentinel nodes are used for performing security verification on the target application software, where N is greater than or equal to 2.

According to embodiments of the present disclosure, when an Application (APP) is run, specific business or security verification actions that occur at each moment in time of the Application may be recorded based on the time stamp.

A sentry Node (Sentinel Node) refers to a piece of code in computer software that is responsible for performing a particular security protection or defense function. The sentinel nodes can be arranged in the target application software, but do not affect the normal business behavior of the target application software.

According to the embodiment of the disclosure, in the case of security verification, a time stamp of the current time is obtained from the target application software. And acquiring the dynamic verification matrix of the current moment from the server according to the timestamp of the current moment. Because the dynamic verification matrix is changed along with the time dimension, the logic protection relation of N sentinel nodes at the current moment can be determined according to the dynamic verification matrix at the current moment.

In operation S220, N sentinel nodes are verified according to the dynamic verification matrix, and a target verification result of the target application software is obtained.

According to the embodiment of the disclosure, since the dynamic verification matrix includes the dynamic logic protection relations among the N sentinel nodes, after the dynamic verification matrix is acquired, not only the number of the sentinel nodes realizing the security verification at the current moment, but also the logic protection relations among the sentinel nodes at the current moment can be acquired.

According to embodiments of the present disclosure, the dynamic verification matrix at multiple times may include multiple numbers of sentinel nodes, logical guard relationships between the multiple numbers of sentinel nodes. Wherein the dynamic verification matrix at different moments may comprise different sentinel nodes.

For example, 5 sentinel nodes, such as an a sentinel node, a b sentinel node, a C sentinel node, a d sentinel node, and an e sentinel node, and a logical protection relationship between the 5 sentinel nodes are included in the dynamic verification matrix at time C. The dynamic verification matrix at the moment D comprises 3 sentinel nodes, such as an a sentinel node, a b sentinel node and a c sentinel node, and a logic protection relation among the 3 sentinel nodes. I.e. different numbers of sentinel authentication nodes are included in the dynamic authentication matrix at different moments.

The dynamic verification matrix at the moment E comprises 3 sentinel nodes, such as a c sentinel node, a d sentinel node and an E sentinel node, and a logic protection relation among the 3 sentinel nodes. The dynamic verification matrix at the moment F comprises 3 sentinel nodes, such as an a sentinel node, a b sentinel node and a c sentinel node, and a logic protection relation among the 3 sentinel nodes. I.e. different sentinel authentication nodes are included in the dynamic authentication matrix at different moments.

The dynamic protection matrixes at the moment B and the moment F comprise a sentinel node, a sentinel node B and a sentinel node c. The logical protection relationship between the 3 sentinel nodes represented by the dynamic protection matrix at the moment B can be a- & gtb- & gtc- & gta, and the logical protection relationship between the 3 sentinel nodes represented by the dynamic protection at the moment F can be B- & gta- & gtc- & gtb. I.e. different logical protection relations are included in the dynamic verification matrix at different moments.

According to the embodiment of the disclosure, after the dynamic verification matrix at the current moment is obtained, verifying N sentinel nodes according to the logic protection relation among N sentinel nodes characterized in the dynamic verification matrix, and obtaining a target verification result of target application software.

According to the embodiment of the disclosure, verification of the sentinel nodes can verify the checksum calculated by the N sentinel nodes to obtain a target verification result; one or more target functions can be called through N sentinel nodes to obtain a function calculation result, and verification is carried out according to the function calculation result to obtain a target verification result; one or more digital signatures can be obtained through N sentinel nodes for verification, so that a target verification result is obtained.

The above-described authentication method is only an exemplary embodiment, but is not limited thereto, and may also include an authentication method known in the art as long as a security authentication method of application software can be implemented through a dynamic authentication matrix.

According to the embodiment of the disclosure, a dynamic verification matrix at the current moment is obtained according to the timestamp at the current moment, and the dynamic verification matrix characterizes the dynamic logic protection relationship among N sentinel nodes; and verifying the N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of target application software, so that safety verification based on time-dimension variability is realized, and the reliability of the safety verification method is improved. Because the dynamic verification matrix in the embodiment of the disclosure is time-varying, correspondingly, the logic protection relationship in the dynamic verification matrix is also dynamic, so that the number of the sentinel nodes at each moment and the logic protection relationship among a plurality of sentinel nodes are different. Therefore, the dynamic verification matrix related to the time stamp is utilized for verification, so that an attacker cannot attack the application software through accumulated attack times, and the safety of the application software and the reliability of a safety verification method are improved.

Fig. 3 schematically illustrates a flowchart of a method of determining a target verification result according to an embodiment of the disclosure.

As shown in fig. 3, the method 300 for determining the target verification result of this embodiment includes operations S321 to S323, which may be a specific embodiment of operation S220.

In operation S321, a verification sequence of the N sentinel nodes is determined according to the logical protection relationship characterized by the dynamic verification matrix.

In operation S322, N sentinel nodes are sequentially verified according to the verification sequence, to obtain at least one node verification result, where the node verification result represents a verification result of the sentinel nodes.

In operation S323, a target authentication result is determined according to the at least one node authentication result.

According to embodiments of the present disclosure, the sentinel node is used for security verification of the target application software. The target application software comprises a plurality of program blocks with business functions, each program block comprises a plurality of lines of program codes, and each sentinel node can protect part of the program codes. The N sentinel nodes with the logic protection relationship can jointly protect the safety of the target application software.

According to embodiments of the present disclosure, the logical guard relationship between the N sentinel nodes may characterize a precedence verification order between the N sentinel nodes. After the dynamic verification matrix is acquired, the verification sequence of the N sentinel nodes is determined by analyzing the dynamic verification matrix.

According to an embodiment of the present disclosure, after determining the verification order of the N sentinel nodes, the N sentinel nodes are verified sequentially in the verification order.

According to the embodiment of the disclosure, since an attacker can conduct the attack behavior by a method of bypassing the sentinel nodes; the sentry node can be attacked without alarming when being attacked, so that the attack behavior is realized.

The sentinel node includes a first node and a second node. The first node is used for protecting the target application software, and the second node is used for protecting the first node. The safety of the target application software is protected through the first node, and then the first node is protected through the second node, so that the safety protection of the whole target application software is realized.

According to embodiments of the present disclosure, after the sentinel node is verified, the sentinel node may output a node verification result, wherein the node verification result characterizes a verification result of the current sentinel node to determine whether a plurality of lines of program code protected by the current sentinel node are modified or whether the current sentinel node is secure.

According to embodiments of the present disclosure, since the verification order for the N sentinel nodes depends on a dynamic verification matrix, which in turn is time-varying, the verification order for the N sentinel nodes is time-dimensionally variable. Because the verification sequence is time-dimension variable, an attacker cannot bypass the sentry node to realize attack, and therefore, the sentry node protecting the multiple lines of codes can send out an alarm as long as the multiple lines of codes protected by the sentry node are modified.

According to the embodiment of the disclosure, according to the verification sequence, the security of a part of codes can be determined every time a sentinel node is verified to obtain a node verification result representing normal. And determining that the target application software is under attack at the current moment and positioning an attack point position as long as the node verification result represents abnormality. Therefore, in the process of verifying the N sentinel nodes, at least one node verification result can be obtained, and the target verification result of the target application software is determined according to the at least one node verification result.

In the related art, when the application software is subjected to security verification, the signature verification logic needs to perform traversal calculation on all asset information or execution codes of the whole application software. However, the size of the application software is usually above 100M at present, so that the technical problems of long execution time, poor performance and low execution efficiency of the signature verification logic exist in the related technology.

According to the embodiment of the disclosure, the verification sequence of N sentinel nodes is determined according to the logic protection relation represented by the dynamic verification matrix; sequentially verifying the N sentinel nodes according to the verification sequence to obtain at least one node verification result; and determining a target verification result according to the at least one node verification result. According to the embodiment of the disclosure, the verification sequence of the sentinel nodes is time-dimension variable, and under the condition that the verification result of a certain node is abnormal, the target verification result can be determined to be abnormal, so that the safety verification of the application software is realized.

Therefore, in the embodiment of the disclosure, the target verification result can be determined only by calculating at least one node verification result, so that compared with the traditional method for verifying the whole software, the embodiment of the disclosure reduces the calculation amount of security verification, reduces the performance consumption of the security verification on the software operation, and improves the execution efficiency of the security verification.

According to an embodiment of the present disclosure, sequentially verifying N sentinel nodes according to a verification sequence, to obtain at least one node verification result, including: verifying the N sentinel nodes until the verification result of the ith node corresponding to the ith sentinel node is detected to be abnormal, stopping detecting and obtaining the verification result of the i nodes, wherein i is more than or equal to 1 and less than or equal to N; and verifying the N sentinel nodes until each node verification result is detected to be normal, and obtaining N node verification results.

According to the embodiment of the disclosure, in the process of verifying N sentinel nodes based on the verification sequence, whether the current node verification result is abnormal needs to be determined every time one node verification result is obtained. And when the current node verification result is determined to be normal, storing the current node verification result and verifying the next sentinel node. Under the condition that the current node verification result is abnormal, stopping detecting, and detecting the rest sentry nodes, and determining that the target verification result is abnormal according to the current node verification result and the previous node verification result.

For example, the a-guard node, the b-guard node, the c-guard node, the d-guard node, and the e-guard node are sequentially verified in the verification order. The node verification results of the a guard node, the b guard node and the c guard node are normal.

After the d sentinel node is verified and the node verification result of the d sentinel node is obtained, the node verification result corresponding to the d sentinel node is detected to be abnormal, the e sentinel node is not verified any more, and 4 node verification results are obtained. And determining that the target verification result of the target application program is abnormal according to the 4 node verification results.

According to the embodiment of the disclosure, the N sentinel nodes are sequentially verified, at least one node verification result is obtained, detection is stopped under the condition that the node verification result is detected to be abnormal in representation, and consumption of performance is reduced.

According to an embodiment of the present disclosure, determining a target verification result from at least one node verification result includes: and under the condition that the abnormality exists in the at least one node verification result, determining the target verification result as the abnormality, and generating a verification report aiming at the target verification result according to the at least one node verification result.

And under the condition that the at least one node verification result is determined to be normal, determining the target verification result to be normal, and generating a verification report aiming at the target verification result according to the at least one node verification result.

According to the embodiment of the disclosure, in the process of verifying the N sentinel nodes according to the verification sequence, if the node verification result of a certain sentinel node represents abnormality, the execution code in the target application software may be attacked, and the sentinel node itself may also be attacked. The above cases all represent that the target application software has a security risk, so that the target verification result is determined to be abnormal under the condition that the abnormality exists in at least one node verification result; and under the condition that at least one node verification result is determined to be normal, determining the target verification result to be normal.

According to an embodiment of the present disclosure, the verification report for the target verification result includes the number of node verification results, a specific result of the node verification results, such as abnormal or normal. And under the condition that the target verification result is abnormal, the verification report also comprises attack points.

After the target verification result is determined according to the at least one node verification result, the embodiment of the disclosure also generates the verification report comprising the number of the node verification results and the specific result, thereby being beneficial to the operation and maintenance personnel to execute the protection operation according to the verification report.

According to an embodiment of the present disclosure, in a case where it is determined that the target verification result is abnormal, a guard operation is performed based on the verification report.

According to embodiments of the present disclosure, a sentinel node may include a pre-trigger, a verifier, and a responder. The front trigger is used for starting the sentinel node, the verifier is used for executing verification operation, and the responder is used for processing the output of the verifier.

According to the embodiment of the disclosure, after the dynamic verification matrix at the current moment is acquired, a call list is determined according to the dynamic verification matrix, wherein the call list comprises the identification of N sentinel nodes to be verified. And sending a trigger instruction to the front triggers of the N sentinel nodes according to the arousal list so as to start the N sentinel nodes.

According to the embodiment of the disclosure, J guard nodes can be arranged in the target application program, N guard nodes to be verified are determined from the J guard nodes according to the dynamic verification matrix, and J is larger than or equal to N.

According to the embodiment of the disclosure, after N sentinel nodes are started through the front trigger, verification operation is executed through the verifier, and a node verification result is obtained.

According to an embodiment of the present disclosure, after the verifier outputs the node verification result, whether the node verification result is abnormal may be detected by the responder. In the case that the node verification result is detected to be abnormal, the responder can directly execute predefined response logic to execute protection operation, such as interrupting service execution, alarming and the like.

According to the embodiment of the disclosure, the verification report includes a specific verification result of the node verification result, and when it is determined that the target verification result is abnormal, the sentinel node corresponding to the ith node verification result can be determined according to the verification report, and a protection instruction and a protection scheme are sent to the responder of the sentinel node corresponding to the ith node verification result, so that the responder can execute protection operation.

Fig. 4 schematically illustrates a security verification scenario according to a specific embodiment of the present disclosure.

As shown in fig. 4, the security verification scenario 400 includes a terminal device 401 and a sentinel network generator 402. The terminal device 401 includes an application running main process 4011, and the application running main process 4011 includes a main thread 4011-1 and a daemon thread 4011-2. In the main thread, K represents the core part of the target application, T represents the pre-trigger, V represents the verifier, and R represents the responder. Daemon threads 4011-2 are controlled by monitoring center component MCC for scheduling sentinel nodes while being responsible for interacting with sentinel network generator 402 in the back end of the business or in the server.

As shown in fig. 4, the main thread 4011-1 includes a verifier V1 of a first sentinel node, a verifier V2 of a second sentinel node, a verifier V3 of a third sentinel node, a verifier V4 of a fourth sentinel node, a pre-trigger T1 of the first sentinel node, a responder R1 of the first sentinel node, and a first core portion K1 of a target application. The first sentinel node is used to protect the first core portion K1.

The trigger T1 in the front of the first sentinel node sends a trigger result to the monitoring center in the daemon thread 4011-2, and the monitoring center may send a verification request to the verifier V1 of the first sentinel node, the verifier V2 of the second sentinel node, the verifier V3 of the third sentinel node, or the verifier V4 of the fourth sentinel node according to the dynamic verification matrix, so that the verifiers perform the verification operation and return the node verification result.

The monitoring center in daemon thread 4011-2 may also send a node verification result to the responder R1 of the first sentinel node so that the responder R1 of the first sentinel node detects the node verification result and performs a guard operation. The monitoring center in daemon thread 4011-2 may also send a guard instruction and guard scheme to the responder R1 of the first sentinel node so that the responder R1 of the first sentinel node performs a guard operation.

The dynamic logical guard relationship characterized by the dynamic verification matrix will be described by fig. 5A and 5B based on the scenario described in fig. 2.

Fig. 5A schematically illustrates a security verification scenario at time a according to an embodiment of the present disclosure.

As shown in fig. 5A, security verification scenario 500A includes a time a dynamic logical guard relationship and a runtime security verification scenario. The dynamic logic guard relationship at time a includes guard relationships between 4 guard nodes, the 4 guard nodes being used to guard the first core portion K1 of the target application. The verification sequence determined according to the dynamic logic protection relation at the time A is V1-V2-V3-V4.

During operation, according to the verification sequence, the first guard node, the second guard node, the third guard node and the fourth guard node are verified in sequence.

Fig. 5B schematically illustrates a security verification scenario at time B according to an embodiment of the present disclosure.

As shown in fig. 5B, security verification scenario 500B includes a B-time dynamic logical guard relationship and a runtime security verification scenario. The dynamic logic guard relationship at time B includes guard relationships between 3 guard nodes, the 3 guard nodes being used to guard the first core portion K1 of the target application. The verification sequence determined according to the dynamic logic protection relation at the moment B is V1-V2-V1-V4.

During operation, according to the verification sequence, the first guard node, the second guard node, the first guard node and the fourth guard node are verified in sequence.

Compared with the isolation of safety protection nodes in the traditional method, the embodiment of the disclosure realizes the linkage between the guard nodes through the guard net technology, and enhances the protection strength. Meanwhile, aiming at the protection of the guard nodes and the guard net, the three-stage structure of a front trigger, a checker and a responder is designed, and the attack and bypassing difficulty of protection logic are effectively improved through time-dimension variability, so that the anti-safety verification method of the embodiment of the disclosure has higher reliability.

The embodiment of the disclosure provides a method which is simple to implement and low in implementation cost, can effectively prevent malicious programs from acquiring user passwords, and can also overcome the defects in the existing password authentication technology.

Fig. 6 schematically illustrates a flowchart of a method of generating a dynamic verification matrix according to an embodiment of the disclosure.

As shown in fig. 6, the method includes operations S610 to S630. Operations S610 to S630 may be provided before operation S210.

In operation S610, N sentinel nodes are determined according to the target application software.

In operation S620, a dynamic guard linkage network related to time is formed by using N guard nodes, and a relationship exists between each guard node and at least one guard node in the guard linkage network.

In operation S630, a dynamic verification matrix is generated from the dynamic sentinel linkage network.

According to embodiments of the present disclosure, various types of application software may perform various functions, such as financial application software, asset management application software, in-bank office software, and the like. There are a variety of security strengths for a variety of applications.

According to the embodiment of the disclosure, the number of the sentinel nodes corresponding to the target application software is determined through the type of the target application software, so that the protection intensity matched with the target application software is flexibly determined.

According to an embodiment of the present disclosure, after N guard nodes for a guard target application are determined, a dynamic guard linkage network related to time is composed with the N guard nodes based on a generation rule. The guard linkage net is a graph net-shaped logic structure formed by mutually connecting a plurality of guard nodes, and the plurality of guard nodes have the capability of mutual communication and linkage. The dynamic guard linkage network refers to the change of a logic structure between a plurality of guard nodes in the linkage network along with time.

According to an embodiment of the present disclosure, generating a rule includes: a logic protection relationship exists between the entrance guard node and at least two guard nodes; there is a relationship between each sentinel node and at least one sentinel node.

According to an embodiment of the present disclosure, a dynamic sentinel linkage network is generated according to a time-based random algorithm in case the generation rule is satisfied. The time interval of the change of the dynamic sentinel linkage network can be 1s, 1min, 1h or 1d, and can also be other time intervals.

Because the logic protection relation among the plurality of guard nodes in the dynamic guard linkage network randomly changes on the basis of meeting the generation rule, an attacker cannot determine the logic protection relation by accumulating the attack times, and the reliability of the security verification method of the embodiment of the disclosure is further improved.

According to embodiments of the present disclosure, there is a direction in which a graph mesh logic structure in a dynamic sentinel linkage network exists. After the dynamic guard linkage network is generated, the dynamic guard linkage network is analyzed by using a graph-based algorithm, and a dynamic verification matrix is generated.

According to embodiments of the present disclosure, graph-based algorithms may include user-defined graph analysis methods, and may also include other graph analysis algorithms. The conversion between graph and matrix may be accomplished by other graph analysis algorithms, as merely exemplary embodiments, and is not limited in this regard.

The embodiment of the disclosure determines the number of the sentinel nodes matched with the application software, generates a dynamic sentinel linkage network based on the determined sentinel nodes, further generates a dynamic verification matrix, does not need to write a logic protection relationship manually by a developer, can realize the determination of the logic protection relationship without manual participation, improves the verification efficiency and improves the protection flexibility. In addition, as the number of the sentry nodes is related to the application software, the number of the sentry nodes, the dynamic sentry linkage network and the dynamic verification matrix can be flexibly determined according to different application software, and the flexibility of the logic protection relationship is improved.

According to an embodiment of the present disclosure, determining N sentinel nodes according to target application software includes: dividing target application software by taking a function as a unit to obtain M protection objects, wherein M is more than or equal to 2; determining L first nodes according to M protection objects and target application software, wherein the first nodes are used for protecting the protection objects, and L is more than or equal to M is more than or equal to 2; and determining (N-L) second nodes according to the L first nodes, wherein the second nodes are used for protecting the first nodes, and the N sentinel nodes comprise the L first nodes and the (N-L) second nodes.

According to embodiments of the present disclosure, execution code in application software may be classified into core logic code and edge logic code according to business importance. The protection requirements of the core logic code and the edge logic code are different for the same application software.

According to an embodiment of the present disclosure, the function is part of a computer software code asset, representing a minimum set of code segments that can independently implement a business logic. And cutting the target application software by taking the function as a unit to obtain M protection objects, wherein each protection object represents the function. Wherein each protection object corresponds to at least one first node.

According to an embodiment of the present disclosure, after determining L first nodes for protecting a protection object, determining (N-L) second nodes for protecting the L first nodes.

According to an embodiment of the present disclosure, according to the L first nodes and the guard rule of the guard node, the (N-L) second nodes for protecting the L first nodes are determined. The guard node protection rule can be determined according to actual conditions.

For example, the number of second nodes corresponding to the L first nodes is determined based on a preset ratio. Or based on the number comparison table, determining the number of the second nodes according to the number of the first nodes.

According to the embodiment of the disclosure, the function-level granularity slicing is performed on the protection object, so that the verification calculation amount is reduced. And the first node and the second node can protect the node itself while protecting the target program, thereby improving the reliability of the security verification scheme.

Fig. 7 schematically illustrates a generation schematic of a dynamic verification matrix according to an embodiment of the disclosure.

As shown in fig. 7, the generation schematic 700 of the dynamic verification matrix includes a dynamic sentinel linkage network 701 and a dynamic verification matrix 702 at the current time. The target application software includes two protected objects G1 and G2, and 4 sentinel nodes Ab1, ab2, ab3, ab4, and Ab5.

According to an embodiment of the present disclosure, after 5 sentinel nodes are determined, a dynamic sentinel linkage network 701 is generated using the 5 sentinel nodes. The sentinel node includes a first node for protecting the protected object and a second node for protecting the first node.

In the dynamic sentinel linkage network 701, the first nodes for protecting the protection object G1 are Ab1 and Ab2, and the first nodes for protecting the protection object G2 are Ab2 and Ab3. The second nodes used to protect the first node Ab1 are Ab1 and Ab5. The second node for protecting the first node Ab2 is Ab4. The second nodes used to protect the first node Ab3 are Ab1 and Ab4. The second nodes used to protect the first node Ab4 are Ab2 and Ab5. The second nodes used to protect the first node Ab5 are Ab1 and Ab3.

The dynamic guard linkage network 701 comprises 5 guard nodes and a directed logic protection relationship among the 5 guard nodes. The dynamic verification matrix 702 is obtained by performing graph analysis on the dynamic sentinel linkage network 701. The dynamic verification matrix 702 includes directional features of logical guard relationships between sentinel nodes.

According to an embodiment of the present disclosure, determining L first nodes according to M protection objects and target application software includes: determining the total number of the first nodes according to the security level and the performance data of the target application software; and determining one or more first nodes corresponding to each protection object according to the protection intensity weight of the protection object and the total number of the first nodes, so as to obtain L first nodes for protecting M protection objects.

According to the embodiment of the disclosure, the security level of the target application software can be determined according to the service type, service purpose and target user type of the target application software. The higher the security level, the greater the number of first nodes, the lower the security level, and the fewer the number of first nodes.

The performance data may include a size of the target application software, the higher the performance data, the greater the number of first nodes, and the lower the performance data, the fewer the number of first nodes.

According to the embodiment of the disclosure, the security level and the performance data can be determined according to an application software open table, and the table at least comprises the identification of the application software, the service type, the service purpose, the target user type, the size, the security level and the performance data.

According to embodiments of the present disclosure, the protection intensity weight of the protection object may be determined according to the service type to which the protection object relates. Specifically, the protection intensity weight of the protection object may be determined according to a weight configuration table. As shown in table 1, the protection intensity weights of the protection objects are exemplarily shown.

TABLE 1

According to an embodiment of the present disclosure, the payment class is identified as K1, and the protection intensity weight w is 15; the identification of the clearing class is K2, and the protection intensity weight w is 15; the identity verification type is marked as K3, and the protection intensity weight w is 15; the identification of financial class is K4, and the protection intensity weight w is 10; the identifier of the bulletin class is K5, and the protection intensity weight w is 5.

According to an embodiment of the present disclosure, determining a first node corresponding to each protection object according to a protection intensity weight of the protection object and a total number of first nodes includes: determining the proportion of the protection intensity weight of the mth protection object in the total protection intensity weight of the M protection objects, and determining one or more first nodes corresponding to the mth protection object according to the proportion and the number of the first nodes, wherein M is more than or equal to 1 and less than or equal to M. Thus, L first nodes protecting M protection objects are obtained.

According to an embodiment of the present disclosure, one or more first nodes corresponding to each protection object are determined, satisfying: k (M) first number of nodes=c×w (M)/(w1+w2+w3+ & gt w (M).+ w (M)), C represents the total number of first nodes, and w (M) represents the protection intensity weight of the mth protection object.

In accordance with embodiments of the present disclosure, in generating the dynamic sentinel linkage network, the generation rule also satisfies a first node number limit on the protected object and a second node number limit on the first node.

In the related technology, generally based on the angle of application software, unified and coarse-granularity signature verification is carried out on the whole application software, and the core logic code and the edge logic code cannot be distinguished and protected, so that the practical application space is limited.

Embodiments of the present disclosure determine a total number of first nodes by based on security level and performance data of a target application software; according to the protection intensity weight of the protection objects and the total number of the first nodes, one or more first nodes corresponding to each protection object are determined, and flexible protection of different intensity codes is achieved. The technical scheme of the application program is used for carrying out differential protection on the core logic code and the edge logic code, so that the practicability of the security verification method of the application program is expanded.

Fig. 8 schematically shows a block diagram of a security verification apparatus of application software according to an embodiment of the present disclosure.

As shown in fig. 8, the security verification apparatus 800 of the application software of this embodiment includes an acquisition module 810 and a verification module 820.

The obtaining module 810 is configured to obtain a dynamic verification matrix at the current time according to the timestamp at the current time, where the dynamic verification matrix characterizes a dynamic logic protection relationship between N sentinel nodes, and the sentinel nodes are used for performing security verification on the target application software, where N is greater than or equal to 2. In an embodiment, the obtaining module 810 may be configured to perform the operation S210 described above, which is not described herein.

And the verification module 820 is used for verifying the N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of the target application software. In an embodiment, the verification module 820 may be used to perform the operation S220 described above, which is not described herein.

According to an embodiment of the present disclosure, the authentication module 820 includes a first authentication unit, a second authentication unit, and a third authentication unit.

The first verification unit is used for determining verification sequences of N sentinel nodes according to the logic protection relation represented by the dynamic verification matrix. In an embodiment, the first verification unit may be used to perform the operation S321 described above, which is not described herein.

The second verification unit is used for sequentially verifying the N sentinel nodes according to the verification sequence to obtain at least one node verification result, and the node verification result represents the verification result of the sentinel nodes. In an embodiment, the second verification unit may be used to perform the operation S322 described above, which is not described herein.

The third verification unit is used for determining a target verification result according to the verification result of at least one node. In an embodiment, the third verification unit may be configured to perform the operation S323 described above, which is not described herein.

According to an embodiment of the present disclosure, the second verification unit includes a first verification sub-unit and a second verification sub-unit.

The first verification subunit is used for verifying the N sentinel nodes until the ith node verification result corresponding to the ith sentinel node is detected to be abnormal, stopping detection and obtaining the i node verification result, wherein i is more than or equal to 1 and less than or equal to N.

The second verification subunit is used for verifying the N sentinel nodes until each node verification result is detected to be normal, and N node verification results are obtained.

According to an embodiment of the present disclosure, the third verification unit includes a third verification sub-unit and a fourth verification sub-unit.

The third verification subunit is configured to determine, when it is determined that there is an abnormality in the at least one node verification result, the target verification result as abnormal, and generate a verification report for the target verification result according to the at least one node verification result.

And the fourth verification subunit is used for determining the target verification result as normal under the condition that the at least one node verification result is determined to be normal, and generating a verification report aiming at the target verification result according to the at least one node verification result.

According to an embodiment of the present disclosure, the verification module 820 includes a guard unit for performing a guard operation based on the verification report in case that it is determined that the target verification result is abnormal.

According to an embodiment of the present disclosure, the security verification apparatus 800 of application software further includes a determination module, a first generation module, and a second generation module.

The determining module is used for determining N sentinel nodes according to the target application software. In an embodiment, the determining module may be configured to perform the operation S610 described above, which is not described herein.

The first generation module is used for forming a dynamic guard linkage network related to time by utilizing N guard nodes, and a relation exists between each guard node and at least one guard node in the guard linkage network. In an embodiment, the first generating module may be configured to perform the operation S620 described above, which is not described herein.

The second generation module is used for generating a dynamic verification matrix according to the dynamic sentinel linkage network. In an embodiment, the second generating module may be configured to perform the operation S630 described above, which is not described herein.

According to an embodiment of the present disclosure, the determination module includes a first determination unit, a second determination unit, and a third determination unit.

The first determining unit is used for dividing the target application software by taking the function as a unit to obtain M protection objects, wherein M is more than or equal to 2.

The second determining unit is used for determining L first nodes according to M protection objects and target application software, wherein the first nodes are used for protecting the protection objects, and L is more than or equal to M is more than or equal to 2.

The third determining unit is used for determining (N-L) second nodes according to the L first nodes, the second nodes are used for protecting the first nodes, and the N sentinel nodes comprise the L first nodes and the (N-L) second nodes.

According to an embodiment of the present disclosure, the first determination unit includes a first determination subunit and a second determination subunit.

The first determining subunit is used for determining the total number of the first nodes according to the security level and the performance data of the target application software

The second determining subunit is configured to determine, according to the protection intensity weight of the protection objects and the total number of first nodes, one or more first nodes corresponding to each protection object, so as to obtain L first nodes for protecting M protection objects.

Any of the acquisition module 810 and the verification module 820 may be combined in one module to be implemented, or any of the modules may be split into multiple modules, according to embodiments of the present disclosure. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of acquisition module 810 and verification module 820 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), programmable Logic Array (PLA), system-on-chip, system-on-a-substrate, system-on-package, application Specific Integrated Circuit (ASIC), or in hardware or firmware, in any other reasonable manner of integrating or packaging circuitry, or in any one of or a suitable combination of three of software, hardware, and firmware. Alternatively, at least one of the acquisition module 810 and the verification module 820 may be at least partially implemented as computer program modules which, when executed, perform the corresponding functions.

Fig. 9 schematically illustrates a block diagram of an electronic device adapted for a security verification method of application software according to an embodiment of the disclosure.

As shown in fig. 9, an electronic device 900 according to an embodiment of the present disclosure includes a processor 901 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. The processor 901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 901 may also include on-board memory for caching purposes. Processor 901 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.

In the RAM 903, various programs and data necessary for the operation of the electronic device 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the program may be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.

According to an embodiment of the disclosure, the electronic device 900 may also include an input/output (I/O) interface 905, the input/output (I/O) interface 905 also being connected to the bus 904. The electronic device 900 may also include one or more of the following components connected to the I/O interface 905: an input section 906 including a keyboard, a mouse, and the like; an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 908 including a hard disk or the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 910 so that a computer program read out therefrom is installed into the storage section 908 as needed.

The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.

According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 902 and/or RAM 903 and/or one or more memories other than ROM 902 and RAM 903 described above.

Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to implement the security verification method for application software provided by embodiments of the present disclosure.

The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.

In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, via communication portion 909, and/or installed from removable medium 911. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.

In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.

According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, such as Java, c++, python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.

While the foregoing is directed to embodiments of the present disclosure, other and further details of the invention may be had by the present application, it is to be understood that the foregoing description is merely exemplary of the present disclosure and that no limitations are intended to the scope of the disclosure, except insofar as modifications, equivalents, improvements or modifications may be made without departing from the spirit and principles of the present disclosure.

Claims (12)

1. A security verification method for application software, comprising:

according to the timestamp of the current moment, a dynamic verification matrix of the current moment is obtained, the dynamic verification matrix represents dynamic logic protection relations among N sentinel nodes, and the sentinel nodes are used for carrying out safety verification on target application software, wherein N is more than or equal to 2;

And verifying the N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of the target application software.

2. The method of claim 1, wherein the verifying the N sentinel nodes according to the dynamic verification matrix results in a target verification result for the target application software, comprising:

determining the verification sequence of the N sentinel nodes according to the logic protection relation represented by the dynamic verification matrix;

sequentially verifying the N sentinel nodes according to the verification sequence to obtain at least one node verification result, wherein the node verification result represents the verification result of the sentinel nodes; and

and determining the target verification result according to the at least one node verification result.

3. The method of claim 2, wherein sequentially verifying the N sentinel nodes in the verification order, to obtain at least one node verification result, comprises:

verifying the N sentinel nodes until the verification result of the ith node corresponding to the ith sentinel node is detected to be abnormal, stopping detecting and obtaining the verification result of the i nodes, wherein i is more than or equal to 1 and less than or equal to N;

and verifying the N sentinel nodes until each node verification result is detected to be normal, and obtaining N node verification results.

4. The method of claim 2, wherein the determining the target validation result from the at least one node validation result comprises:

determining the target verification result as abnormal under the condition that the abnormality exists in the at least one node verification result, and generating a verification report aiming at the target verification result according to the at least one node verification result;

and under the condition that the at least one node verification result is determined to be normal, determining the target verification result to be normal, and generating a verification report aiming at the target verification result according to the at least one node verification result.

5. The method of claim 4, further comprising:

and under the condition that the target verification result is determined to be abnormal, executing a protection operation based on the verification report.

6. The method of claim 1, wherein prior to obtaining the dynamic verification matrix for the current time based on the timestamp of the current time, further comprising:

determining the N sentinel nodes according to the target application software;

forming a dynamic guard link network related to time by utilizing the N guard nodes, wherein a relation exists between each guard node and at least one guard node in the guard link network; and

And generating the dynamic verification matrix according to the dynamic sentinel linkage network.

7. The method of claim 6, wherein the determining the N sentinel nodes from the target application software comprises:

dividing the target application software by taking a function as a unit to obtain M protection objects, wherein M is more than or equal to 2;

determining L first nodes according to the M protection objects and the target application software, wherein the first nodes are used for protecting the protection objects, and L is more than or equal to M is more than or equal to 2; and

and determining (N-L) second nodes according to the L first nodes, wherein the second nodes are used for protecting the first nodes, and the N sentinel nodes comprise the L first nodes and the (N-L) second nodes.

8. The method of claim 7, wherein the determining L first nodes from the M protected objects and the target application software comprises:

determining the total number of the first nodes according to the security level and the performance data of the target application software; and

and determining one or more first nodes corresponding to each protection object according to the protection intensity weight of the protection object and the total number of the first nodes so as to obtain L first nodes for protecting the M protection objects.

9. A security verification apparatus for application software, comprising:

the acquisition module is used for acquiring a dynamic verification matrix at the current moment according to the timestamp at the current moment, wherein the dynamic verification matrix represents dynamic logic protection relations among N sentinel nodes, and the sentinel nodes are used for carrying out safety verification on target application software, wherein N is more than or equal to 2;

and the verification module is used for verifying the N sentinel nodes according to the dynamic verification matrix to obtain a target verification result of the target application software.

10. An electronic device, comprising:

one or more processors;

storage means for storing one or more programs,

wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-8.

11. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-8.

12. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 8.