CN117951682A - Application process detection processing method, system, device and computer equipment - Google Patents

Info

Publication number: CN117951682A
Authority: CN (China)
Prior art keywords: target application, interface, feature, application, calling
Legal status: Pending
Application number: CN202211271612.5A
Other languages: Chinese (zh)
Inventor: 吴岳廷
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application relates to an application process detection processing method, system, device, computer device, storage medium and computer program product. The method comprises the following steps: when a process of the target application meets the detection trigger condition, detecting, for that process, call operations on a sensitive interface during running, and obtaining an interface call feature of the sensitive interface; acquiring a reference feature associated with the target application, the reference feature being obtained by aggregating secure call data generated by secure calls to the sensitive interface by processes of the target application; comparing the interface call feature with the reference feature to obtain a feature comparison result; and, when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call, blocking the call operation on the sensitive interface for the process of the target application. By adopting the method, the accuracy of application process detection can be improved and the running security of the application can be ensured.

Description

Application process detection processing method, system, device and computer equipment
Technical Field
The present application relates to the field of computer technology, and in particular, to an application process detection processing method, system, apparatus, computer device, storage medium, and computer program product.
Background
With the development of computer technology, computer applications of many kinds have become widely used in daily life, work and entertainment. When an application runs on a computer device, its functions are usually implemented by executing one or more processes. A malicious process can steal files, private data, account information and the like, compromising the security of the running application.
Currently, process security is typically checked against a preset process blacklist: processes on the blacklist are handled, for example by terminating their execution, so as to keep the application running securely. However, if malicious code is injected into an otherwise legitimate process, a blacklist cannot detect it effectively, and the running security of the application is affected.
Disclosure of Invention
In view of the foregoing, it is desirable to provide an application process detection processing method, system, apparatus, computer device, computer-readable storage medium and computer program product that can improve the accuracy of application process detection and ensure the running security of an application.
In a first aspect, the present application provides an application process detection processing method. The method comprises the following steps:
when a process of the target application meets the detection trigger condition, detecting, for that process, call operations on a sensitive interface during running, and obtaining an interface call feature of the sensitive interface;
acquiring a reference feature associated with the target application, the reference feature being obtained by aggregating secure call data generated by secure calls to the sensitive interface by processes of the target application;
comparing the interface call feature with the reference feature to obtain a feature comparison result;
and, when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call, blocking the call operation on the sensitive interface for the process of the target application.
In a second aspect, the present application further provides an application process detection processing system, comprising:
a terminal, configured to detect, when a process of the target application meets the detection trigger condition, call operations on a sensitive interface during running for that process, and to obtain an interface call feature of the sensitive interface;
a server, configured to acquire a reference feature associated with the target application, the reference feature being obtained by aggregating secure call data generated by secure calls to the sensitive interface by processes of the target application, and to compare the interface call feature with the reference feature to obtain a feature comparison result;
the terminal being further configured to block the call operation on the sensitive interface for the process of the target application when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call.
In a third aspect, the application further provides an application process detection processing device, comprising:
an interface call feature obtaining module, configured to detect, when a process of the target application meets the detection trigger condition, call operations on a sensitive interface during running for that process, and to obtain an interface call feature of the sensitive interface;
a reference feature acquisition module, configured to acquire a reference feature associated with the target application, the reference feature being obtained by aggregating secure call data generated by secure calls to the sensitive interface by processes of the target application;
a feature comparison module, configured to compare the interface call feature with the reference feature to obtain a feature comparison result;
and a blocking processing module, configured to block the call operation on the sensitive interface for the process of the target application when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call.
In a fourth aspect, the present application also provides a computer device comprising a memory storing a computer program and a processor which, when executing the computer program, performs the steps of:
when a process of the target application meets the detection trigger condition, detecting, for that process, call operations on a sensitive interface during running, and obtaining an interface call feature of the sensitive interface;
acquiring a reference feature associated with the target application, the reference feature being obtained by aggregating secure call data generated by secure calls to the sensitive interface by processes of the target application;
comparing the interface call feature with the reference feature to obtain a feature comparison result;
and, when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call, blocking the call operation on the sensitive interface for the process of the target application.
In a fifth aspect, the present application also provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of:
when a process of the target application meets the detection trigger condition, detecting, for that process, call operations on a sensitive interface during running, and obtaining an interface call feature of the sensitive interface;
acquiring a reference feature associated with the target application, the reference feature being obtained by aggregating secure call data generated by secure calls to the sensitive interface by processes of the target application;
comparing the interface call feature with the reference feature to obtain a feature comparison result;
and, when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call, blocking the call operation on the sensitive interface for the process of the target application.
In a sixth aspect, the application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of:
when a process of the target application meets the detection trigger condition, detecting, for that process, call operations on a sensitive interface during running, and obtaining an interface call feature of the sensitive interface;
acquiring a reference feature associated with the target application, the reference feature being obtained by aggregating secure call data generated by secure calls to the sensitive interface by processes of the target application;
comparing the interface call feature with the reference feature to obtain a feature comparison result;
and, when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call, blocking the call operation on the sensitive interface for the process of the target application.
According to the application process detection processing method, system, device, computer device, storage medium and computer program product above, when a process of the target application meets the detection trigger condition, call operations on the sensitive interface are detected for that process during running and the interface call feature of the sensitive interface is obtained; the interface call feature is compared with the reference feature associated with the target application, which is obtained by aggregating secure call data generated by secure calls to the sensitive interface by processes of the target application; and when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call, the call operation on the sensitive interface is blocked for the process of the target application. Comparing the interface call feature observed while the target application runs with the reference feature of secure calls detects the actual call behaviour of the target application's process on the sensitive interface, so the accuracy of application process detection is improved and the running security of the application is ensured.
Drawings
FIG. 1 is an application environment diagram of an application process detection processing method in one embodiment;
FIG. 2 is a flow diagram of an application process detection processing method in one embodiment;
FIG. 3 is a flow diagram of detecting a call trigger in one embodiment;
FIG. 4 is a schematic diagram of an interface for applying access policy configuration in one embodiment;
FIG. 5 is an interface diagram of resource allocation in one embodiment;
FIG. 6 is a schematic diagram of an apparatus for performing a process detection processing method according to an embodiment;
FIG. 7 is a schematic block diagram of network resource access in one embodiment;
FIG. 8 is a flowchart of another embodiment of a method for detecting and processing an application process;
FIG. 9 is a schematic diagram of API combinations forming application benchmark features in one embodiment;
FIG. 10 is a schematic diagram of variation trend of an application version feature in one embodiment;
FIG. 11 is a block diagram of an application process detection processing system in one embodiment;
FIG. 12 is a block diagram of an application process detection processing device in one embodiment;
FIG. 13 is an internal structural view of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The application process detection processing method provided by the embodiments of the application can be applied to the application environment shown in FIG. 1, in which the terminal 102 communicates with the server 104 via a network. A data storage system may store the data that the server 104 needs to process; it may be integrated into the server 104 or located in the cloud or on other servers. The terminal 102 runs a target application, for example a social application. When the terminal 102 detects that a process of the target application meets the detection trigger condition, it detects, for that process, call operations on a sensitive interface during running and obtains an interface call feature of the sensitive interface. The terminal 102 may send the interface call feature to the server 104, which compares it with a reference feature associated with the target application; the reference feature aggregates secure call data generated by secure calls to the sensitive interface by processes of the target application. When the feature comparison result indicates that the call operation does not belong to the operation type of a secure call, the server 104 may send a processing instruction to the terminal 102, so that the terminal 102 blocks the call operation on the sensitive interface for the process of the target application.
Alternatively, the method may be implemented by the terminal 102 or the server 104 alone. For example, after the terminal 102 obtains the interface call feature, it can compare the feature directly with the reference feature associated with the target application and block the call operation on the sensitive interface for the process of the target application when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call.
The terminal 102 may be, but not limited to, various desktop computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
In one embodiment, as shown in FIG. 2, an application process detection processing method is provided. The method is executed by a computer device, specifically a terminal or a server, or by the terminal and the server together; the following description takes the case where the method is applied to the terminal in FIG. 1 as an example. The method includes the following steps:
Step 202: when a process of the target application meets the detection trigger condition, detect, for that process, call operations on a sensitive interface during running, and obtain an interface call feature of the sensitive interface.
An application is a program running on the computer device, and may be of various types such as social, news, video, music and tool applications. The target application is the application at which the application process detection processing method is aimed. The detection trigger condition decides whether security detection is performed on the target application and can be set according to actual needs; for example, the condition may be considered satisfied when the target application is started or when it accesses a target resource, so that security detection processing is then performed on the target application. A process is an instance of a running program, and an application implements its functions by running one or more processes. While running, an application needs to call various interfaces for data communication and processing; for example, it calls an API (Application Program Interface) to access a set of routines through which data or services are obtained from other systems. A sensitive interface is an interface closely tied to the security of application operation; a malicious operation triggered against a sensitive interface is therefore more easily perceived.
Sensitive interfaces can be selected from the available interfaces according to actual needs, for example according to the configuration of the platform the application runs on. A call operation is the act of calling an interface to perform some processing during the running of a process. For example, if application A needs data held by application B, a process of application A can obtain that data by calling an interface provided by application B. The interface call feature is the operational characteristic of the call operations that a process of the application performs on the sensitive interface; for example, it can be derived from the call frequency of the call operations. It is extracted from the call operations of the application process on the sensitive interface, and its specific form can be set according to actual needs, so that different sensitive interfaces may use interface call features of different forms. For interface a, the call operations may be characterised by their call frequency, so the call operations are counted to obtain the interface call feature for interface a. For interface b, the call operations may be characterised by the order in which other interfaces are called, so the direct call order between interface b and the other interfaces is determined from the call operations to obtain the interface call feature for interface b.
Specifically, the terminal runs the target application, which runs at least one process on the terminal. When the terminal detects that a process of the target application meets the detection trigger condition, for example when the process triggers access to the target resource, the terminal detects the call operations of that process on the sensitive interface during running: it can watch the process's calls to the sensitive interface, record the call operation data, and generate the interface call feature of the sensitive interface from that data.
Step 204: obtain a reference feature associated with the target application, the reference feature being obtained by aggregating secure call data generated by secure calls to the sensitive interface by processes of the target application.
The reference feature is obtained by aggregating secure call data generated by secure calls to the sensitive interface by processes of the target application; that is, it reflects how a process of the target application behaves when it calls the sensitive interface securely. The secure call data are generated when a process of the target application makes secure calls to the sensitive interface, and aggregating them yields the reference feature associated with the target application. Reference features are associated with applications: different applications may have different reference features. They may also be associated with an application's running environment, so the reference feature of the same application may differ across environments, and different versions of the application may likewise have different reference features.
Specifically, the terminal acquires the reference feature associated with the target application, for example by querying for it with the application identifier of the target application. The reference feature can be obtained in advance by aggregating secure call data generated by the target application and associating the result with the target application, so that the reference feature can later be looked up through that association.
Step 206: compare the interface call feature with the reference feature to obtain a feature comparison result.
Feature comparison means comparing the interface call feature with the reference feature so as to determine the deviation between them; the feature comparison result reflects the difference between the two.
Specifically, the terminal compares the interface call feature with the reference feature; in one implementation, it matches the two by computing the feature similarity between them, and the result is the feature comparison result.
Step 208: when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call, block the call operation on the sensitive interface for the process of the target application.
A feature comparison result indicating that the call operation does not belong to the operation type of a secure call means that the interface call feature differs substantially from the reference feature: the call operations of the currently running process on the sensitive interface deviate from secure call operations and carry a potential security risk. Blocking processing means blocking the process's call operation on the sensitive interface, for example by stopping the process directly or by blocking its calls to the sensitive interface; the specific form of blocking can be set flexibly according to actual needs.
Specifically, when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call, the terminal blocks the call operation on the sensitive interface for the process of the target application, either by stopping the process directly or by blocking its calls to the sensitive interface, so that malicious behaviour of the target application is prevented and the running security of the application is ensured.
In this application process detection processing method, when a process of the target application meets the detection trigger condition, call operations on the sensitive interface are detected for that process during running and the interface call feature of the sensitive interface is obtained; the interface call feature is compared with the reference feature associated with the target application, which is obtained by aggregating secure call data generated by secure calls to the sensitive interface by processes of the target application; and when the feature comparison result indicates that the call operation does not belong to the operation type of a secure call, the call operation on the sensitive interface is blocked for the process of the target application. Comparing the interface call feature observed while the target application runs with the reference feature of secure calls detects the actual call behaviour of the target application's process on the sensitive interface, so the accuracy of application process detection is improved and the running security of the application is ensured.
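Steps 202 to 208 as a runnable illustration, added here and not part of the patent or of any Tencent code: the two feature forms the description names (call frequency per sensitive interface and the direct call order between them) are extracted from a call trace, a reference feature is built by aggregating several known-safe runs, and the comparison result decides whether the call operation is blocked. The interface names and traces are constructed samples; cosine similarity and the 0.8 threshold are assumptions, since the description leaves the exact comparison open.

```python
from collections import Counter
from math import sqrt

# Constructed sample set of sensitive interfaces; the description says these
# are chosen per platform, so a real deployment would configure them (assumption).
SENSITIVE_INTERFACES = {"ReadFile", "CryptEncrypt", "InternetOpenUrl", "RegSetValue"}


def _normalise(counter):
    """Turn raw counts into proportions so traces of different length compare."""
    total = sum(counter.values())
    return {k: v / total for k, v in counter.items()} if total else {}


def extract_call_features(call_trace):
    """Build the two feature forms from a trace of interface names:
    'freq'  - proportion of sensitive calls going to each sensitive interface,
    'seq'   - proportion of each direct call-order pair (X immediately followed by Y).
    Calls to non-sensitive interfaces are ignored, as they are not monitored."""
    freq, seq = Counter(), Counter()
    prev = None
    for name in call_trace:
        if name not in SENSITIVE_INTERFACES:
            continue
        freq[name] += 1
        if prev is not None:
            seq[(prev, name)] += 1
        prev = name
    return {"freq": _normalise(freq), "seq": _normalise(seq)}


def aggregate_reference(safe_traces):
    """Reference feature: aggregate the secure call data of several known-safe
    runs of the same application by averaging their feature vectors, so each
    component is the mean proportion seen across the safe runs."""
    feats = [extract_call_features(t) for t in safe_traces]
    reference = {}
    for kind in ("freq", "seq"):
        acc = Counter()
        for f in feats:
            acc.update(f[kind])          # Counter.update adds the weights
        reference[kind] = {k: v / len(feats) for k, v in acc.items()}
    return reference


def cosine(a, b):
    """Feature similarity between two sparse vectors (dict of key -> weight)."""
    dot = sum(w * b.get(k, 0.0) for k, w in a.items())
    na = sqrt(sum(w * w for w in a.values()))
    nb = sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def compare_features(call_feature, reference):
    """Feature comparison result: mean similarity over both feature forms,
    so an unusual call order is penalised even if frequencies look normal."""
    return (cosine(call_feature["freq"], reference["freq"])
            + cosine(call_feature["seq"], reference["seq"])) / 2


def classify_call_operation(call_trace, reference, threshold=0.8):
    """Return ('safe' | 'block', similarity). A run that made no sensitive
    call has no call operation to block, so it is reported safe."""
    feat = extract_call_features(call_trace)
    if not feat["freq"]:
        return "safe", 1.0
    sim = compare_features(feat, reference)
    return ("safe" if sim >= threshold else "block"), sim


# Constructed secure call data of a hypothetical messaging app: read a file,
# encrypt it, upload it; GetTickCount is not sensitive and is ignored.
SAFE_RUNS = [
    ["ReadFile", "CryptEncrypt", "InternetOpenUrl", "GetTickCount"] * 4,
    ["ReadFile", "CryptEncrypt", "InternetOpenUrl"] * 3 + ["ReadFile"],
]
REFERENCE = aggregate_reference(SAFE_RUNS)

# Constructed traces: one normal run, one resembling injected code that writes
# registry values and calls out in an order the safe runs never produced.
NORMAL_RUN = ["ReadFile", "CryptEncrypt", "InternetOpenUrl"] * 5
SUSPECT_RUN = ["RegSetValue", "InternetOpenUrl"] * 6 + ["ReadFile"]

if __name__ == "__main__":
    for label, trace in (("normal", NORMAL_RUN), ("suspect", SUSPECT_RUN)):
        decision, sim = classify_call_operation(trace, REFERENCE)
        print(f"{label}: similarity={sim:.3f} -> {decision}")
```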
In one embodiment, as shown in fig. 3, the process of detecting the call operation trigger of the process of the target application, that is, when the process of the target application meets the detection trigger condition, the process of the target application detects the call operation of the sensitive interface in the running process, so as to obtain the interface call feature of the sensitive interface, which includes:
Step 302, when a process of the target application is started, historical access data is queried.
The historical access data comprises access records of various applications running in the terminal to the resources. Specifically, when the terminal detects that the process of the target application is started, the terminal indicates that the target application executes a corresponding task through the starting process, and the terminal can query historical access data. In a specific application, a history access library may be provided, in which history access data of various applications in the terminal are stored.
And 304, when the history access data contains access records of the process of the target application to the target resource, injecting an interface call detector into the process of the target application.
The target resource may be a network resource or a local resource, and may specifically include various types of resources such as text, image, audio and video. In a specific application, the target resource may be a resource in a zero trust network, i.e. each access to the target resource requires an access verification. The interface call detector is used for detecting the interface call operation of the process of the target application. The interface call detector may include a section of executable code, and by injecting the interface call detector into the process of the target application, in the running process of the target application, the call operation of the process of the target application may be detected, so as to implement detection of the process of the target application.
Specifically, the terminal may query in the historical access data, to determine whether an access record of a process of the target application for the target resource exists, that is, whether the target application accesses the target resource. If the history access data contains an access record of the process of the target application for the target resource, which indicates that the process of the target application accesses the target resource, the process of the target application may access the target resource again after being started, and the process of the target application needs to be detected in time. The terminal may inject an interface call detector into the process of the target application to detect the process of the target application through the interface call detector.
In a specific application, the historical access data may further include statistics information of each application for resource access, and based on the statistics information, it may be determined whether a process of the target application triggers access to the target resource after the process of the target application is started, so as to determine whether the process of the target application needs to be detected. For example, based on the historical access record of the application a to the target resource Y, the working time of the access time period of the application a to the target resource Y on the working day is counted, and when the process of the target application is started, the terminal can determine whether the process of the target application needs to be detected according to the current time. If the current time is a non-working day, the process start of the target application can be judged, the access to the target resource can not be triggered, and the terminal can not call the detector through the injection interface to detect.
Step 306, detecting, through the interface call detector, the calling operations of the process of the target application on the sensitive interface during running, to obtain the interface call feature of the sensitive interface.
The interface call detector can be implemented as a section of executable code, such as DLL code, and can detect the call behaviour of the process of the target application during running to obtain the interface call feature of that process on the sensitive interface.
Specifically, after the terminal injects the interface call detector into the process of the target application, the interface call detector executes the detection operation: while the target application runs, the detector detects the process's call operations on the sensitive interface, collects call operation data, and forms the interface call feature of the sensitive interface from the call operation data.
In this embodiment, when a process of the target application is started and an access record of that process for the target resource exists, the process may trigger access to the target resource; the terminal injects the interface call detector into the process of the target application to detect its call behaviour, so that the process can be detected in time and detection efficiency is ensured.
In one embodiment, the application process detection processing method further includes: when the historical access data does not contain an access record of the process of the target application for the target resource, and the process of the target application triggers access to the target resource, injecting an interface call detector into the process of the target application; and when the interface call detector is successfully injected into the process of the target application, adding the generated access record of the process of the target application for the target resource to the historical access data.
Specifically, the terminal may query the historical access data to determine whether an access record of the process of the target application for the target resource exists, that is, whether the target application has accessed the target resource. If the historical access data does not contain such an access record, indicating that the process of the target application has not accessed the target resource before, the process may not access the target resource after being started, and the terminal may keep monitoring the process of the target application. When the process of the target application is detected to trigger access to the target resource, indicating that the process may call an interface related to the target resource, the terminal injects an interface call detector into the process so as to detect the process in time through the interface call detector. The terminal can check the injection result of the interface call detector; when the interface call detector has been successfully injected into the process of the target application, so that it can detect operation behaviour normally, the terminal generates the access record of the process of the target application for the target resource, specifically from the access time, the access scope, the information of the application and the like. The terminal then adds this access record to the historical access data, so that the interface call detector can be injected in time to detect the call behaviour of the process whenever the process of the target application is started later.
In this embodiment, when a process of a target application triggers access to a target resource, the terminal injects an interface call detector to detect the call behaviour of the process, and after the interface call detector is successfully injected into the process, adds the access record of the process for the target resource to the historical access data, so as to ensure that the process can be detected in time when it triggers access to the target resource, which helps improve security detection efficiency and ensures the running safety of the application.
In one embodiment, the application process detection processing method further includes: when the process of the target application triggers access to the target resource, detecting the process of the target application with a detector; and when the detection result of the detector indicates that the interface call detector has not been injected into the process of the target application, injecting the interface call detector into the process of the target application again.
The detector detects whether the interface call detector has been injected into the process of the target application; for example, the terminal can examine the running data of the process of the target application to determine whether activity data of the interface call detector exists in the process. If the running data of the process does not include activity data of the interface call detector, indicating that the interface call detector is not active in the process of the target application, the terminal can inject the interface call detector.
Specifically, the terminal may monitor the access of the process of the target application, and when it detects that the process triggers access to the target resource, that is, when the process needs to access the target resource, the terminal may detect the process of the target application, specifically whether an interface call detector exists in it. If the detection result of the detector indicates that the interface call detector has not been injected into the process of the target application, that is, injection of the interface call detector was missed or did not succeed, the terminal performs the injection of the interface call detector again for the process of the target application.
In this embodiment, when the process of the target application triggers access to the target resource, the terminal detects the process of the target application, and if the interface call detector has not been injected into the process, injects it again. This ensures that when the process of the target application accesses the target resource, its call behaviour can be detected through the interface call detector, which improves the accuracy of application process detection and ensures the running safety of the application.
In one embodiment, detecting the calling operations of the process of the target application on the sensitive interface during running to obtain the interface call feature of the sensitive interface includes: acquiring a sensitive interface list configured for the running environment of the target application; determining an interface called by the process of the target application during running; and when the called interface belongs to the sensitive interfaces in the sensitive interface list, detecting the calling operation of the process of the target application on that sensitive interface to obtain the interface call feature of the sensitive interface.
The running environment refers to the environment in which the target application runs, and may specifically include the system platform on which the target application runs. The sensitive interface list records each sensitive interface that needs to be detected. Different sensitive interface lists can be configured for different running environments, that is, call behaviour detection can be carried out on different sensitive interfaces in different running environments.
Specifically, the terminal may acquire the sensitive interface list by first determining the running environment of the target application, for example the system platform on which it runs, and then determining the corresponding sensitive interface list from that running environment. The sensitive interface list can be configured in advance for each running environment according to actual needs, and different running environments may be configured with sensitive interface lists comprising different sensitive interfaces. The terminal determines an interface called by the process of the target application during running and matches the called interface against the sensitive interface list to determine whether the process of the target application calls a sensitive interface in the list. When the called interface belongs to the sensitive interfaces in the sensitive interface list, that is, the process of the target application calls a sensitive interface in the list, the terminal detects the calling operation of the process on that sensitive interface; for example, the terminal can detect the call behaviour of the interface through the interface call detector injected into the process, so as to obtain the interface call feature of the sensitive interface.
In this embodiment, the terminal determines the sensitive interface list according to the running environment of the target application, and when the process of the target application calls a sensitive interface in the sensitive interface list, the terminal detects the calling operation of the process on that sensitive interface, so that sensitive interface call behaviour detection can be performed in a targeted way for different running environments, which improves the accuracy of application process detection and ensures the running safety of the application.
In one embodiment, detecting the calling operation of the process of the target application on the sensitive interface to obtain the interface call feature of the sensitive interface includes: detecting the calling operation of the process of the target application on the sensitive interface to obtain interface call detection data; acquiring a call feature screening condition; and screening the interface call detection data using the call feature screening condition to obtain the interface call feature of the sensitive interface.
The interface call detection data is the data generated by the calling operation of the process of the target application on the sensitive interface, and may specifically include various types of data such as the operation parameters, call time and call result of the calling operation. The interface call detection data expresses the calling operations of the process of the target application on the sensitive interface. The call feature screening condition is used to screen the interface call detection data to obtain data that accurately expresses the interface call feature. The call feature screening condition can be related to the type of sensitive interface, that is, different call feature screening conditions can be set for different sensitive interfaces.
Specifically, the terminal detects the calling operation of the process of the target application on the sensitive interface, for example through the interface call detector injected into the process, and obtains interface call detection data. The terminal acquires the call feature screening condition; since the call feature screening condition is related to the sensitive interface, the terminal can acquire the screening condition corresponding to the sensitive interface that the process of the target application called. The terminal then screens the interface call detection data using the call feature screening condition to obtain the interface call feature of the sensitive interface.
In this embodiment, the terminal screens the detected interface call detection data through a preset call feature screening condition to obtain the interface call feature of the sensitive interface, ensuring that the interface call feature accurately expresses the characteristics of the process's call behaviour on the sensitive interface, and performs application process detection based on that interface call feature, which helps improve the accuracy of application process detection and ensures the running safety of the application.
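The sensitive interface list lookup per running environment and the screening of interface call detection data described in the embodiments above, as an added illustration in Python that is not part of the patent; the environments, interface names, screening conditions and sample call trace are constructed placeholders:

```python
"""Added example, not from the patent: a minimal interface call detector that
keeps a sensitive interface list per running environment, records interface
call detection data only for calls to listed interfaces, and derives the
interface call feature by applying a per-interface call feature screening
condition.  Environments, interface names, screening conditions and sample
calls are constructed placeholders."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Sensitive interface list configured per running environment (constructed).
SENSITIVE_INTERFACES: Dict[str, frozenset] = {
    "windows": frozenset({"CreateRemoteThread", "WriteProcessMemory", "InternetOpenUrl"}),
    "linux": frozenset({"ptrace", "execve", "connect"}),
}


@dataclass
class CallRecord:
    """One observed interface call: the interface call detection data."""
    interface: str
    params: Dict[str, object]   # operation parameters of the call
    call_time: float            # call time (seconds since process start)
    result: str                 # call result, "ok" or an error code


# Call feature screening conditions, one per sensitive interface (constructed).
# Each keeps only the fields that express the call feature for that interface.
ScreenFn = Callable[[CallRecord], Dict[str, object]]
SCREENING_CONDITIONS: Dict[str, ScreenFn] = {
    "connect": lambda r: {"host": r.params.get("host"), "port": r.params.get("port")},
    "execve": lambda r: {"path": r.params.get("path")},
    "ptrace": lambda r: {"target_pid": r.params.get("pid"), "result": r.result},
    "WriteProcessMemory": lambda r: {"target_pid": r.params.get("pid"),
                                     "size": r.params.get("size")},
}
DEFAULT_SCREEN: ScreenFn = lambda r: {"result": r.result}


class InterfaceCallDetector:
    def __init__(self, environment: str):
        if environment not in SENSITIVE_INTERFACES:
            raise ValueError(f"no sensitive interface list for {environment}")
        self.sensitive = SENSITIVE_INTERFACES[environment]
        self.detection_data: List[CallRecord] = []

    def on_call(self, record: CallRecord) -> bool:
        """Record the call only if it targets a listed sensitive interface."""
        if record.interface not in self.sensitive:
            return False
        self.detection_data.append(record)
        return True

    def interface_call_features(self) -> List[Dict[str, object]]:
        """Screen each record with the condition set for its interface."""
        features = []
        for r in self.detection_data:
            screen = SCREENING_CONDITIONS.get(r.interface, DEFAULT_SCREEN)
            feature = {"interface": r.interface, "call_time": r.call_time}
            feature.update(screen(r))
            features.append(feature)
        return features


def detect(environment: str, calls: List[CallRecord]) -> List[Dict[str, object]]:
    """Run the detector over a call trace and return the interface call features."""
    detector = InterfaceCallDetector(environment)
    for call in calls:
        detector.on_call(call)
    return detector.interface_call_features()


# Constructed call trace of a process; only three calls hit the linux list.
SAMPLE_CALLS = [
    CallRecord("read", {"fd": 3}, 1.0, "ok"),
    CallRecord("connect", {"host": "10.0.0.5", "port": 443}, 1.5, "ok"),
    CallRecord("execve", {"path": "/usr/bin/updater"}, 2.0, "ok"),
    CallRecord("ptrace", {"pid": 4242, "req": "ATTACH"}, 2.5, "EPERM"),
]

if __name__ == "__main__":
    for feature in detect("linux", SAMPLE_CALLS):
        print(feature)
```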
In one embodiment, performing feature comparison on the interface call feature and the reference feature to obtain a feature comparison result includes: determining a feature comparison item, the feature comparison item comprising at least one of called interface type, interface call statistics, interface call sequence or interface call parameters; comparing the interface call feature with the reference feature on each feature comparison item to obtain feature deviation data; and obtaining the feature comparison result based on the feature deviation data and a feature deviation judging condition.
The feature comparison item is the feature item of the interface call feature that needs to be compared. The called interface type refers to the type of interface called by the process; the interface call statistics refer to statistical information obtained by counting the call behaviour of the process; the interface call sequence refers to the order in which the process calls each interface; and the interface call parameters refer to the parameters passed when the process calls the interface. The feature deviation data is the comparison result obtained by comparing the interface call feature with the reference feature on each feature comparison item, and reflects the difference between the interface call feature and the reference feature on that item. The feature deviation judging condition is used to judge the deviation of the interface call feature from the reference feature. For example, if the feature deviation data shows that the difference between the interface call feature and the reference feature is large, it can be determined under the feature deviation judging condition that the calling operation of the process differs greatly from a secure call; the calling operation is then considered not to belong to a secure call, a potential security risk exists, and the process needs to be handled to ensure the safe running of the application.
Specifically, the terminal determines a feature comparison item comprising at least one of called interface type, interface call statistics, interface call sequence or interface call parameters. The feature comparison items may be related to the application type, i.e. different feature comparison items may be set for different types of applications. The feature comparison items may also be related to the sensitive interface, i.e. different feature comparison items may be set for different sensitive interfaces called by the process. In a specific application, the terminal may determine the feature comparison item according to the application type of the target application, or according to the sensitive interface called by the target application. The terminal then compares the interface call feature with the reference feature on each feature comparison item. In a specific implementation, the terminal determines, according to the feature comparison item, the interface call sub-feature to be compared from the interface call feature and the reference sub-feature from the reference feature, and performs feature matching on the interface call sub-feature and the reference sub-feature, such as a similarity calculation, to obtain the feature deviation data.
The terminal acquires the feature deviation judging condition, which can be set for the feature comparison item, for the target application or for the sensitive interface. The feature deviation data is judged under the feature deviation judging condition to determine whether the calling operation of the process belongs to the operation type of a secure call, thereby obtaining the feature comparison result. In a specific application, the feature deviation data may include a feature similarity for each feature comparison item, and the feature deviation judging condition may be a similarity threshold; the judgement of the process's calling operation is then made from the magnitude relation between the feature similarity and the similarity threshold, giving the feature comparison result.
In this embodiment, feature comparison is performed on the interface call feature and the reference feature using a feature comparison item comprising at least one of called interface type, interface call statistics, interface call sequence or interface call parameters, and the operation type is determined from the resulting feature deviation data under the feature deviation judging condition, so that feature comparison can be performed flexibly across multiple dimensions, which helps improve the accuracy of application process detection and ensures the running safety of the application.
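The feature comparison described above, as an added example in Python that is not part of the patent: each of the four feature comparison items gets a similarity measure, the feature deviation judging condition is a per-item similarity threshold, and the measures, thresholds and sample features are assumptions chosen for illustration.

```python
"""Added example, not from the patent: feature comparison of an interface call
feature against a reference feature on the four feature comparison items the
text names.  Each item gets a similarity in [0, 1] (the feature deviation
data); the feature deviation judging condition is a per-item similarity
threshold.  Similarity measures, thresholds and sample features are
assumptions chosen for illustration."""
from typing import Dict, List, Sequence, Set


def jaccard(a: Set, b: Set) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def stats_similarity(obs: Dict[str, int], ref: Dict[str, int]) -> float:
    """1 minus the mean relative deviation of per-interface call counts."""
    keys = set(obs) | set(ref)
    if not keys:
        return 1.0
    total = sum(abs(obs.get(k, 0) - ref.get(k, 0)) / max(obs.get(k, 0), ref.get(k, 0), 1)
                for k in keys)
    return 1.0 - total / len(keys)


def sequence_similarity(obs: Sequence[str], ref: Sequence[str]) -> float:
    """Jaccard similarity of adjacent call pairs, which captures call order."""
    def bigrams(s: Sequence[str]) -> Set:
        return {(s[i], s[i + 1]) for i in range(len(s) - 1)}
    return jaccard(bigrams(obs), bigrams(ref))


def params_similarity(obs: Dict[str, Set[str]], ref: Dict[str, Set[str]]) -> float:
    """Mean Jaccard of the parameter value sets seen per interface."""
    keys = set(obs) | set(ref)
    if not keys:
        return 1.0
    return sum(jaccard(obs.get(k, set()), ref.get(k, set())) for k in keys) / len(keys)


# Feature comparison items and the similarity measure used for each.
COMPARATORS = {
    "interface_type": lambda o, r: jaccard(set(o), set(r)),
    "call_stats": stats_similarity,
    "call_sequence": sequence_similarity,
    "call_params": params_similarity,
}
ITEMS: List[str] = list(COMPARATORS)


def compare_features(call_feature: dict, reference: dict, items: List[str],
                     thresholds: Dict[str, float]) -> dict:
    """Return feature deviation data per item and the feature comparison result."""
    deviation = {it: COMPARATORS[it](call_feature[it], reference[it]) for it in items}
    failed = [it for it in items if deviation[it] < thresholds[it]]
    return {"deviation": deviation, "failed_items": failed, "secure_call": not failed}


# Constructed reference feature for a hypothetical network client application.
REFERENCE = {
    "interface_type": ["connect", "send", "recv"],
    "call_stats": {"connect": 2, "send": 40, "recv": 40},
    "call_sequence": ["connect", "send", "recv", "send", "recv"],
    "call_params": {"connect": {"443"}, "send": {"tls"}},
}
# Feature deviation judging condition: minimum similarity per item (constructed).
THRESHOLDS = {"interface_type": 0.6, "call_stats": 0.5, "call_sequence": 0.5, "call_params": 0.5}

# Constructed observed features: one close to the reference, one far from it.
OBSERVED_OK = {
    "interface_type": ["connect", "send", "recv"],
    "call_stats": {"connect": 2, "send": 38, "recv": 41},
    "call_sequence": ["connect", "send", "recv", "send", "recv"],
    "call_params": {"connect": {"443"}, "send": {"tls"}},
}
OBSERVED_DEVIANT = {
    "interface_type": ["connect", "send", "ptrace", "execve"],
    "call_stats": {"connect": 2, "send": 5, "ptrace": 30, "execve": 3},
    "call_sequence": ["connect", "ptrace", "execve", "send"],
    "call_params": {"connect": {"4444"}, "send": {"plain"}},
}

if __name__ == "__main__":
    for name, obs in (("ok", OBSERVED_OK), ("deviant", OBSERVED_DEVIANT)):
        print(name, compare_features(obs, REFERENCE, ITEMS, THRESHOLDS))
```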
In one embodiment, when the feature comparison result indicates that the calling operation does not belong to the operation type of a secure call, blocking the calling operation of the process of the target application on the sensitive interface includes: when the feature comparison result indicates that the calling operation does not belong to the operation type of a secure call, determining a blocking mode for the process of the target application; and blocking, according to the blocking mode, the calling operation of the process of the target application on the sensitive interface; the blocking mode comprises at least one of stopping the running of the process of the target application, blocking the process of the target application from accessing the target resource, or isolating the network.
Here, stopping the running of the process of the target application means directly ending the process; blocking the process of the target application from accessing the target resource means preventing the process from accessing that resource; isolating the network means disconnecting the network channels. Different blocking modes can be adopted for different types of applications, different types of sensitive interfaces, different target resources and different running environments; that is, the blocking mode is related to at least one of the application type, the sensitive interface type, the target resource or the running environment.
Specifically, when the feature comparison result indicates that the calling operation does not belong to the operation type of a secure call, meaning that allowing the process to continue the interface call would carry a potential security risk and the process might produce malicious behaviour, the terminal determines a blocking mode for the process of the target application. In a specific implementation, the terminal may determine the blocking mode from at least one of the application type, the sensitive interface type, the target resource or the running environment. The terminal then blocks the calling operation of the process of the target application on the sensitive interface according to the determined blocking mode. For example, the terminal may stop the running of the process of the target application, block the process from accessing the target resource, or isolate the network, so as to block the target application.
In this embodiment, the terminal performs blocking processing on the calling operation of the sensitive interface for the process of the target application according to the determined blocking mode, so that abnormal calling behavior of the process can be blocked in time, and thus running safety of the application is ensured.
In one embodiment, obtaining the reference feature associated with the target application includes: acquiring process feature information of the process of the target application; determining an application identifier of the target application based on the process feature information; and querying, according to the application identifier, the reference feature associated with the target application.
The process feature information is process information related to the process of the target application, through which the target application and its process can be accurately determined. The process feature information may include various information such as, but not limited to, the absolute path of the process executable, hash information of the executable, and copyright information. The application identifier identifies the target application; depending on the granularity required, it may identify only the type of the application, or it may also identify different versions of the application, i.e. different versions of the same type of application may correspond to different application identifiers.
Specifically, the terminal may acquire the process feature information of the process of the target application, which the terminal can collect while the process is running. The terminal determines the application identifier of the target application based on the process feature information. The process feature information may include information in multiple dimensions, from which the target application, and hence its application identifier, can be accurately determined. The terminal then queries the reference feature associated with the target application based on the application identifier. The correspondence between the reference feature and the application identifier can be obtained by establishing a mapping between them after the reference feature has been aggregated for the application, so that the reference feature associated with the target application can be obtained by querying with the application identifier of the target application.
In this embodiment, the terminal determines the application identifier of the target application according to the process feature information of the process of the target application, and obtains the reference feature associated with the target application by querying the application identifier, so that the target application can be accurately determined by using the process feature information, thereby obtaining the reference feature associated with the target application, so as to perform feature comparison based on the reference feature, and be beneficial to improving the processing efficiency of application detection.
In one embodiment, the application process detection processing method further includes: when at least one of the process of the target application being started or the process of the target application triggering access to the target resource is satisfied, collecting process feature information of the process of the target application; and storing the process feature information in a cache.
When the feature information collection condition is satisfied, the terminal can collect the process feature information of the process of the target application and store it in the cache, so that the application identifier of the target application can be determined from the process feature information. The feature information collection condition may be set according to actual needs, and may for example include at least one of the process of the target application being started or the process of the target application triggering access to the target resource.
Specifically, when the process of the target application is started, the terminal may collect process feature information of the process of the target application. When the process of the target application triggers the access to the target resource, the terminal can also collect the process characteristic information of the process of the target application. And the terminal stores the acquired process characteristic information into a cache.
Further, obtaining the process feature information of the target application includes: acquiring the process feature information of the target application from the cache.
Specifically, when the reference feature of the target application needs to be determined, the terminal acquires the process feature information of the target application from the cache and determines the application identifier of the target application based on it, so as to obtain the reference feature associated with the target application by querying with the application identifier. In addition, when the process of the target application is detected to have ended, that is, the process has finished running, the terminal can release the cache and clear the process feature information from it.
In this embodiment, the process feature information is stored in the cache, so that the process feature information acquisition efficiency can be improved, and the reference feature acquisition efficiency can be improved, thereby improving the application detection processing efficiency.
In one embodiment, the application process detection processing method further includes: acquiring the security call data generated while the process of the target application makes secure calls to the sensitive interface; dividing the security call data according to interface category to obtain category security call data associated with each interface category; and combining the category security call data according to an interface call feature aggregation condition to obtain the reference feature associated with the target application.
The security call data is the data generated when the process of the target application makes a secure call to the sensitive interface. The interface category refers to the category of the sensitive interface called by the process of the target application, and the category security call data corresponds to an interface category. The interface call feature aggregation condition is a preset processing condition for combining the category security call data to achieve feature aggregation; for example, it may specify the categories to combine, the number of combinations, the order of combination, and the like.
Specifically, the terminal obtains the security call data generated while the process of the target application makes secure calls to the sensitive interface; for example, the terminal can collect the data through the injected interface call detector. The terminal determines the interface category of each called sensitive interface and divides the security call data by interface category to obtain the category security call data associated with each interface category. The terminal acquires the interface call feature aggregation condition and combines the category security call data along the aggregation dimension it specifies to form the reference feature associated with the target application.
In this embodiment, the terminal combines the class security call data respectively associated with each interface class according to the interface call feature aggregation condition to obtain the reference feature associated with the target application, so that the characteristics of the process of the target application in the security call process can be accurately reflected through the reference feature.
In one embodiment, combining the category security call data according to the interface call feature aggregation condition to obtain the reference feature associated with the target application includes: determining process feature information of the process of the target application; combining the category security call data according to the interface call feature aggregation condition to obtain at least one interface call combination feature; and associating the at least one interface call combination feature with the process feature information to obtain the reference feature associated with the target application.
The process feature information is process information related to the process of the target application, through which the target application and its process can be accurately determined; it may include various information such as, but not limited to, the absolute path of the process executable, hash information of the executable, and copyright information. The interface call combination feature is a feature formed by combining the category security call data according to the interface call feature aggregation condition, and expresses the characteristics of the process of the target application during secure calls.
Specifically, the terminal determines the process feature information of the process of the target application, for example by reading the process feature information collected earlier from the cache. The terminal combines the category security call data according to the interface call feature aggregation condition to obtain at least one interface call combination feature. In a specific implementation, a certain number of category security call data of different categories can be combined to form an interface call combination feature. For example, if the number of categories to combine is 3 to 5 and the category security call data must be of different categories, the terminal can select 3, 4 or 5 category security call data of different categories and combine them to obtain the interface call combination feature, which strengthens the expressive power of the interface call combination feature. The terminal then associates the interface call combination feature with the process feature information to establish the association between the target application and the reference feature.
In this embodiment, the terminal combines the class security call data according to the interface call feature aggregation condition, and associates the obtained at least one interface call combination feature with the process feature information of the process of the target application to obtain the reference feature associated with the target application, so that the association relationship between the target application and the reference feature can be established by using the process feature information.
In one embodiment, associating the at least one interface call combination feature with the process characteristic information to obtain the reference feature associated with the target application includes: determining a version identifier of the target application from the process characteristic information; associating the interface call combination features belonging to the same version identifier with the process characteristic information to obtain a version reference feature for each version identifier; and screening the version reference features of the version identifiers to obtain the reference feature associated with the target application.
The version identifier identifies the application version of the target application; when processes of different application versions call interfaces, their calling behaviour can differ. The version reference feature is obtained from the interface call combination features of one version and reflects the calling behaviour of that version of the application.
Specifically, the terminal determines the version identifier of the target application from the process characteristic information, and associates the interface call combination features of the same version identifier with the process characteristic information to obtain the version reference feature of each version identifier. The interface call combination features include features of different application versions; by dividing them according to the version identifier of the target application, the interface call combination features of the same application version are associated with the process characteristic information, forming the version reference feature of each version identifier. The terminal can then screen the version reference features to obtain the reference feature associated with the target application. In a specific application, the terminal may determine the distribution of the version reference features and determine the reference feature based on that distribution. For example, the terminal may take the version reference feature with the highest occurrence frequency as the reference feature of the target application. As another example, the terminal may directly use every version reference feature as a reference feature of the target application.
In this embodiment, the terminal associates the interface call combination features belonging to the same version identifier with the process characteristic information to obtain the version reference feature of each version identifier, and screens these version reference features to obtain the reference feature associated with the target application, so that the reference features are specific to the application version. This improves their degree of aggregation and therefore their expressive power, enabling accurate application security detection based on them.
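The two embodiments above (combining category security call data into interface call combination features, then grouping them by version identifier and voting) can be followed in code. The block below is an added example and not the patent's own implementation; the process feature records, the category call data, the 3-to-5-category aggregation condition and all function names are assumptions constructed for illustration, and the hash strings are placeholders rather than real digests.

```python
"""Added example: reference features from category security call data.

Not code from the patent; illustrates the aggregation and version voting
described above with constructed sample data and assumed names.
"""
from collections import Counter
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed process characteristic information for three processes of
# one target application (two of version 1.0, one of version 2.0).
PROCESS_FEATURES = [
    {"pid": 101, "path": r"C:\Program Files\ExampleApp\app.exe",
     "hash": "HASH_V1_PLACEHOLDER", "copyright": "Example Corp", "version": "1.0"},
    {"pid": 102, "path": r"C:\Program Files\ExampleApp\app.exe",
     "hash": "HASH_V1_PLACEHOLDER", "copyright": "Example Corp", "version": "1.0"},
    {"pid": 103, "path": r"C:\Program Files\ExampleApp\app.exe",
     "hash": "HASH_V2_PLACEHOLDER", "copyright": "Example Corp", "version": "2.0"},
]

# Constructed category security call data per pid: sub-category letter ->
# identifiers of the sensitive interfaces of that category the process called.
CATEGORY_CALL_DATA: Dict[int, Dict[str, Set[str]]] = {
    101: {"a": {"api_a1"}, "b": {"api_b2"}, "c": {"api_c1"}, "e": {"api_e1"}},
    102: {"a": {"api_a1"}, "b": {"api_b2"}, "c": {"api_c1"}},
    103: {"a": {"api_a3"}, "b": {"api_b2"}, "c": {"api_c1"}, "f": {"api_f5"}},
}

# Assumed aggregation condition: one combination feature joins the calls of
# between MIN_CATS and MAX_CATS distinct categories (3 to 5 in the text).
MIN_CATS, MAX_CATS = 3, 5


def combine_categories(call_data: Dict[str, Set[str]]) -> List[FrozenSet[str]]:
    """Form every interface call combination feature allowed by the condition.

    A feature is the set of interface ids drawn from k distinct categories;
    order is not kept, so the feature expresses a set relation.
    """
    cats = sorted(call_data)
    feats: List[FrozenSet[str]] = []
    for k in range(MIN_CATS, min(MAX_CATS, len(cats)) + 1):
        for chosen in combinations(cats, k):
            ids: Set[str] = set()
            for c in chosen:
                ids |= call_data[c]
            feats.append(frozenset(ids))
    return feats


def _most_frequent(counter: Counter) -> Tuple[FrozenSet[str], int]:
    """Highest count wins; ties are broken deterministically by sorted ids."""
    return max(counter.items(), key=lambda kv: (kv[1], tuple(sorted(kv[0]))))


def build_reference_features(processes, call_data, mode: str = "vote") -> List[dict]:
    """Associate combination features with process info per version, then screen.

    mode="vote": keep only the version reference feature with the highest
    occurrence frequency across versions (the first screening example).
    mode="all":  keep the reference feature of every version (the second).
    """
    per_version: Dict[str, Counter] = {}
    identity: Dict[str, tuple] = {}
    for p in processes:
        feats = combine_categories(call_data[p["pid"]])
        per_version.setdefault(p["version"], Counter()).update(feats)
        identity[p["version"]] = (p["path"], p["hash"], p["copyright"])
    version_refs = []
    for version, cnt in per_version.items():
        if not cnt:
            continue                       # too few categories to combine
        feat, n = _most_frequent(cnt)
        version_refs.append({"identity": identity[version], "version": version,
                             "feature": feat, "count": n})
    if mode == "all" or not version_refs:
        return version_refs
    return [max(version_refs, key=lambda r: r["count"])]


def deviates_from_reference(call_data: Dict[str, Set[str]], reference: dict) -> bool:
    """True when none of a process's combination features equals the reference."""
    return reference["feature"] not in combine_categories(call_data)


if __name__ == "__main__":
    ref = build_reference_features(PROCESS_FEATURES, CATEGORY_CALL_DATA)[0]
    print(ref["version"], sorted(ref["feature"]), ref["count"])
    print("pid 103 deviates:", deviates_from_reference(CATEGORY_CALL_DATA[103], ref))
```

The `deviates_from_reference` check is the detection step the later scenario text refers to when it speaks of treating processes that deviate from the reference; with the constructed data it flags the version 2.0 process against the voted version 1.0 reference, which is exactly the cross-version difference the version grouping is meant to absorb when `mode="all"` is used instead.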
In one embodiment, the application process detection processing method further includes: when the process of the target application triggers access to a target resource, acquiring access request parameters associated with the target application according to an access verification condition; generating an access ticket based on the access request parameters; and requesting access verification with the access ticket, and accessing the target resource when the access verification passes and the calling operation of the sensitive interface has not triggered blocking processing.
The access verification condition is the constraint on the data that must be verified when the process of the target application accesses the target resource. Different target resources may correspond to different access verification conditions. The access request parameters are the parameters that need to be verified when the target application accesses the target resource. The access ticket is the credential with which the target application accesses the target resource; performing access verification with the ticket ensures the legitimacy of the access.
Specifically, when the process of the target application triggers access to the target resource, meaning that the process needs to access that resource, the terminal determines the access verification condition, specifically the condition corresponding to the target resource. The terminal obtains the access request parameters associated with the target application according to the access verification condition; these may include, but are not limited to, a source IP or domain name, a source port, a destination IP or domain name, a destination port, the process PID (Process Identity) of the application, and so on. The terminal generates an access ticket from the access request parameters and requests access verification with it. When the access verification passes and the calling operation of the sensitive interface has not triggered blocking processing, the terminal allows the process of the target application to access the target resource, so that the process can obtain the target resource and process it accordingly.
In this embodiment, access verification is performed with the access ticket generated from the access request parameters, and the target resource is accessed only when the verification passes, which ensures the legitimacy and security of access to the target resource.
In one embodiment, the application process detection processing method further includes: displaying an access policy configuration area for the target application, and obtaining access policy configuration information of the target application through it; displaying a resource access configuration area for the target resource, and obtaining resource access configuration information of the target resource through it; and generating the access verification condition according to the access policy configuration information and the resource access configuration information.
The access policy configuration area is used to configure the access policy of an application, and the access policy configuration information is the access policy configured for the target application. The resource access configuration area is used to configure resource access, and the resource access configuration information is the access requirement for the target resource. Specifically, when configuring the access verification condition, the terminal may display an access policy configuration area for the target application, which may contain various access policy configuration items, and obtain the access policy configuration information of the target application through it. The terminal may also display a resource access configuration area for the target resource, in which various resource access configuration items can be shown, and obtain the resource access configuration information of the target resource through it. The terminal then generates the access verification condition from the obtained access policy configuration information and resource access configuration information, so that access to the target resource triggered by the application is governed by the access verification condition and the security of the access is ensured.
In this embodiment, the access verification condition is generated from the configured access policy configuration information and resource access configuration information, so that access to the target resource triggered by the application is governed by the access verification condition and the security of the access is ensured.
The present application also provides an application scenario to which the application process detection processing method is applied. Specifically, the method is applied in this scenario as follows:
In the scenario of deciding whether to allow an application to access an enterprise resource, the prior art typically combines an application process blacklist with post-hoc asynchronous hash inspection. When an access subject accesses an enterprise resource through an application process, a network access ticket must be requested from the server or from the client security component. When the ticket is requested, the access proxy or the traffic hijacking component collects traffic characteristics, device information and the hash value of the application process executable and sends them to the client security component or to the server interface that issues network access tickets. After filtering against the locally cached application process blacklist, a response refusing network access is returned for application processes on the blacklist; otherwise the ticket is returned normally. This scheme mainly relies on the fact that high-risk processes are far fewer than normal application processes: most malicious processes that have appeared can be filtered out through long-term blacklist maintenance, most applications not on the blacklist are harmless unknown applications, and temporarily allowing such an application process does little harm to system security. It also keeps the latency of ticket request and response as low as possible for the sake of user experience. After an unknown application is allowed through, the terminal collects more detailed characteristic information about the application process, including copyright and process digital signature information, and sends it to the server, which forwards it to a threat intelligence cloud inspection service to check whether the application is risky.
The prior art therefore uses a detection scheme of pre-filtering against a blacklist cached locally on the server or device side, combined with post-hoc asynchronous handling of application feature inspection. This scheme has two main shortcomings. First, a terminal is exposed to many malicious code or module injection techniques: process injection can be performed through QueueUserAPC, cross-process memory writes, cross-process memory attribute modification, remote thread injection, window callback modification and other means, so that the malicious payload operates inside a legitimate process, which the traditional combination of hash blacklist filtering and asynchronous submission for inspection has difficulty detecting. QueueUserAPC refers to adding an APC (Asynchronous Procedure Call) object to the APC queue of a given thread. Second, whether by blacklist filtering or by asynchronous inspection, the method is after-the-fact detection: it cannot identify malicious behaviour deviating from normal behaviour while a suspected abnormal process, or a normal process whose legitimacy is unknown, is accessing enterprise resources. The terminal access proxy is deployed as the terminal agent on the controlled device that initiates secure access; it is responsible for initiating the trusted identity authentication request of the access subject, verifies the trusted identity, can establish an encrypted access connection with the access gateway, and is also the policy enforcement point for access control.
On this basis, compared with the prior-art scheme of filtering against a blacklist cached locally on the server or device side and handling application feature inspection asynchronously after the fact, the application process detection processing method provided in this embodiment associates an application process with the API features it executes within a certain time window during enterprise resource access, resolves the API call differences between application processes of different versions through a voting algorithm, and aggregates the interface call behaviour of application processes of the same version to form the reference feature. In the terminal zero-trust network architecture, the API behaviour of application processes is detected in real time, application processes deviating from the reference are automatically handled, and their behaviour characteristics are analysed and incorporated into the subsequent detection flow. The method can improve the detection accuracy for trusted applications in a zero-trust network architecture, promptly detect and handle malicious behaviour deviating from normal operation that appears while a suspected abnormal process, or a normal process whose legitimacy is unknown, accesses enterprise resources, improve the capability for active countermeasures against APT (Advanced Persistent Threat), reduce the risk of devices in the enterprise being infected through 0Day vulnerabilities, and improve risk awareness and the security of enterprise office work. A trusted application is an application carrier that has obtained the trust of the management end and through which the terminal can access the internal business system; the application carrier includes the application name, application MD5, signature information and so on.
Specifically, the application process detection processing method provided in this embodiment can be applied to a zero-trust security management system to ensure an efficient and stable remote collaborative office experience and to promote the adoption of zero-trust technology in the digital industry. In a specific application, fig. 4 shows the configuration page for the internet application access policy on the web console, in which a user can set the internet application access policy, including configuration items such as the policy name, the forbidden application list, the forbidden resource list and the terminal matching condition. Fig. 5 shows the configuration interface for internet application resources, in which the user may set configuration items of an internet application resource, including the resource name, resource category, domain name, port, resource group, protocol type and so on. By configuring the internet application access policy and the internet application resources, the safe operation of internet applications can be ensured.
The application process detection processing method provided in this embodiment can be implemented through the security service client. As shown in fig. 6, the security client acts as the zero-trust network security service provider: it provides a unified entry point through which an access subject requests access to an object's resource over the network via the zero-trust proxy and the access gateway, and provides authentication for that entry point. Only network requests that pass authentication are forwarded by the zero-trust proxy to the access gateway, which proxies access to the actual business system. The access subject is the person, device or application that initiates access to intranet business resources; it is a digital entity formed by one or a combination of the factors person, device and application. The access object is the party being accessed, namely the business resources of the enterprise intranet, including applications, systems (development and test environments, operation and maintenance environments, production environments, etc.), data, interfaces, functions and so on.
Further, as shown in fig. 7, the core modules of the zero-trust network access system on the PC (Personal Computer) side are the security client, the security server, the access proxy and the intelligent gateway. The security client is the security client agent installed on staff working devices; it is responsible for verifying the trusted identity of the user on the device, whether the device is trusted and whether the application is trusted, and may also submit unknown processes to the server for process review. The access proxy hijacks the device traffic through a TUN/TAP virtual network card and is responsible for forwarding a request to the intelligent gateway after the security client has authenticated it; if the request does not pass authentication, the connection is either made directly or interrupted. The intelligent gateway is deployed at the entrance to enterprise applications and data resources and is responsible for verifying, authorising and forwarding each session request that accesses enterprise resources. The security server schedules the business traffic through a policy control engine and authorises at the granularity of person, device, software and application. Its identity verification module verifies the user's identity, its device trust module verifies the device hardware information and device security state, and its application detection module detects whether an application process is safe, for example whether it has a vulnerability or carries a virus or Trojan. The server periodically submits files to the threat intelligence cloud inspection service or the cloud antivirus server for inspection, and after a malicious process is identified the client is instructed to perform an asynchronous blocking operation.
When an application on the terminal accesses a resource, the access subject initiates an access request for the access object through the application, the security client hijacks the network request through the access proxy, and the access proxy initiates an authentication request to the security client, that is, it requests a credential (a ticket) for the current network request. The request parameters include the source IP or domain name, source port, destination IP or domain name, destination port, the process PID of the application, and so on. Using the process PID sent by the access proxy, the security client obtains process characteristics such as the MD5, process path, last modification time, copyright information and signature information of the process, and together with the source IP or domain name, source port, destination IP or domain name and destination port forwarded by the access proxy, applies to the security server for a ticket; specifically, it sends these to the security server in exchange for a ticket. If the application succeeds, the security client returns the ticket, the maximum number of times the ticket may be used and the ticket's validity period to the access proxy as the response. The access proxy first initiates an HTTPS request to the intelligent gateway whose Authorization header field carries the network request credential (the ticket) passed on by the security client; the credential is authorisation information issued by the security server for a single network request and identifies the authorisation status of that request.
After receiving the access proxy's request, the intelligent gateway parses the ticket in the header field and checks it with the security server. If the check succeeds, the intelligent gateway establishes the connection with the access proxy, the access proxy then sends the original network request to the intelligent gateway, and the intelligent gateway forwards it to the corresponding business server, thereby proxying the application's actual network access. If the gateway's ticket check fails, the connection between the access proxy and the access gateway is interrupted. For traffic of an application accessing a specific site outside the zero-trust policy, the network access request can be sent directly to the target business server through the access proxy to achieve direct access. In the zero-trust network access architecture, when an application initiates a network access request to a site and the full-traffic proxy hijacks the traffic, network access to the target site is initiated through the full-traffic proxy, which then sends the target site's network response to the application; this access mode is called direct access.
The proxy client hijacks the device traffic through the TUN/TAP virtual network card. If the zero-trust access control policy determines that the access type is proxy access, the proxy client requests a network access ticket from the security client, the security client in turn applies for the ticket from the security server, the security client responds to the access proxy once the ticket has been obtained, and the access proxy sends the actual network access traffic to the intelligent gateway through the physical network card, where the intelligent gateway proxies the actual business access. In the zero-trust network access architecture, when an application initiates a network access request to a site and the full-traffic proxy hijacks the traffic, the full-traffic proxy forwards the traffic to the intelligent gateway, the intelligent gateway accesses the target business site on its behalf, after the access the intelligent gateway sends the target site's network response to the full-traffic proxy, and the full-traffic proxy forwards that response to the application; this access mode is called proxy access. If the zero-trust access control policy determines that the access type is direct access, the access proxy hijacks the original network access traffic and then carries out the network access and response directly with the destination business site through the physical network card, achieving direct access. The zero-trust access control policy consists of the process information (trusted applications) a user may use and the business sites the user may reach (reachable areas); when the permission is granted, the user can access any reachable area through any trusted application. The policy is defined per login user, so different zero-trust policies can be formulated for different login users.
The reachable area is the list of internal enterprise sites that end users can access through the zero-trust network.
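The access ticket embodiment earlier on this page and the ticket application, gateway check and proxy-versus-direct decision just described fit together into one exchange. The block below is an added example rather than the patent's or the product's code: the `SecurityServer`, `SecurityClient`, `Gateway` and `proxy_request` names, the HMAC-based ticket construction, the reachable-area policy, the process feature cache and all sample values (placeholder hashes, a placeholder server key, a 3-use limit and 60-second validity) are assumptions made for illustration.

```python
"""Added example: ticket request and verification between the zero-trust
components described above. Not the patent's code; all names, the ticket
format and the sample data are assumed for illustration.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional

SERVER_KEY = b"PLACEHOLDER_SERVER_KEY"  # assumed; held only by the security server
TICKET_MAX_USES = 3                     # assumed limits; the text names both fields
TICKET_TTL_SECONDS = 60.0

# Constructed zero-trust access control policy: trusted application hashes
# and the reachable area (internal sites the user may reach via the gateway).
POLICY = {
    "trusted_app_hashes": {"HASH_TRUSTED_APP_PLACEHOLDER"},
    "reachable": {("intranet.example", 443), ("wiki.example", 443)},
}

# Constructed stand-in for the driver-layer process feature cache, keyed by
# PID. "blocked" records whether a sensitive-interface call already
# triggered blocking processing for that process.
PROCESS_CACHE = {
    4242: {"md5": "HASH_TRUSTED_APP_PLACEHOLDER", "path": r"C:\Apps\trusted.exe", "blocked": False},
    4343: {"md5": "HASH_UNKNOWN_APP_PLACEHOLDER", "path": r"C:\Apps\unknown.exe", "blocked": False},
    4444: {"md5": "HASH_TRUSTED_APP_PLACEHOLDER", "path": r"C:\Apps\trusted.exe", "blocked": True},
}


@dataclass
class TicketRecord:
    params: dict            # the single network request the ticket was issued for
    remaining_uses: int
    expires_at: float


class SecurityServer:
    """Issues one ticket per network request and checks tickets for the gateway."""

    def __init__(self, policy: dict):
        self.policy = policy
        self.issued: Dict[str, TicketRecord] = {}

    def apply_ticket(self, params: dict, features: dict, now: float) -> Optional[dict]:
        if features["md5"] not in self.policy["trusted_app_hashes"]:
            return None                                  # untrusted application
        body = json.dumps({"params": params, "md5": features["md5"], "iat": now},
                          sort_keys=True).encode()
        ticket = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
        self.issued[ticket] = TicketRecord(dict(params), TICKET_MAX_USES, now + TICKET_TTL_SECONDS)
        return {"ticket": ticket, "max_uses": TICKET_MAX_USES, "valid_until": now + TICKET_TTL_SECONDS}

    def check_ticket(self, ticket: str, params: dict, now: float) -> bool:
        rec = self.issued.get(ticket)
        if rec is None or now > rec.expires_at or rec.remaining_uses <= 0:
            return False
        if rec.params != params:                         # bound to one request only
            return False
        rec.remaining_uses -= 1
        return True


class SecurityClient:
    """Looks up process features by PID and applies for the ticket."""

    def __init__(self, server: SecurityServer, cache: dict):
        self.server, self.cache = server, cache

    def request_ticket(self, params: dict, now: float) -> Optional[dict]:
        feats = self.cache.get(params["pid"])
        if feats is None or feats["blocked"]:            # blocking already triggered
            return None
        return self.server.apply_ticket(params, feats, now)


class Gateway:
    """Parses the Authorization header and checks the ticket with the server."""

    def __init__(self, server: SecurityServer):
        self.server = server

    def handle(self, headers: dict, params: dict, now: float) -> str:
        ticket = headers.get("Authorization", "")
        return "forwarded" if self.server.check_ticket(ticket, params, now) else "interrupted"


def access_type(policy: dict, params: dict) -> str:
    """Sites in the reachable area go through the gateway; others are direct."""
    return "proxy" if (params["dst"], params["dst_port"]) in policy["reachable"] else "direct"


def proxy_request(params: dict, client: SecurityClient, gateway: Gateway,
                  policy: dict, now: float) -> str:
    """What the access proxy does with one hijacked request."""
    if access_type(policy, params) == "direct":
        return "direct"
    resp = client.request_ticket(params, now)
    if resp is None:
        return "denied"
    return gateway.handle({"Authorization": resp["ticket"]}, params, now)
```

The server binds each ticket to the exact request parameters it was issued for and counts uses against the maximum, so a ticket replayed for a different destination, after expiry or beyond its use count is rejected at the gateway; that is what makes "authorisation for a single network request" enforceable rather than just a label.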
Further, an advanced persistent threat (APT, Advanced Persistent Threat) is characterised by a tightly organised, highly covert, highly targeted and long-lasting attacker, who conventionally uses customised malware, 0Day vulnerabilities or related evasion techniques to break through traditional file-feature-based defence and detection equipment such as IPC (Inter-Process Communication), firewalls and AV (Anti-Virus), and attacks unknown vulnerabilities in the system and known vulnerabilities that cannot be patched in time. After a device is successfully compromised, the attacker performs process injection through QueueUserAPC (Asynchronous Procedure Call), cross-process memory writes, cross-process memory attribute modification, remote thread injection, window callback modification and other means, injects malicious code or modules into legitimate applications, acts maliciously inside legitimate processes, steals data under a legitimate identity, and accesses enterprise resources illegitimately.
The prior art, with its prior blacklist filtering and post-hoc asynchronous tracing, cannot solve the problem of malicious code or modules being injected into normal application processes, and cannot identify malicious behaviour deviating from normal behaviour that appears while a suspected abnormal process whose legitimacy is unknown, or a normal process, accesses enterprise resources. The present method associates the application process with the API features it executes within a certain time window during enterprise resource access, resolves the API call differences between application processes of different versions through a voting algorithm, and aggregates the interface call behaviour of application processes of the same version to form the reference feature. In the terminal zero-trust network architecture, the API behaviour of application processes is detected in real time, application processes deviating from the reference are automatically handled, and their behaviour characteristics are analysed and incorporated into the subsequent detection flow. This reduces the risk of devices in the enterprise being infected through 0Day vulnerabilities, improves risk awareness, and improves the security of the zero-trust network architecture and of enterprise office work.
Specifically, in the application process detection processing method provided in this embodiment, the security client component writes the security module responsible for detecting the specified API list into a specified local directory of the terminal during installation. Attackers commonly inject themselves into legitimate or trusted application processes on the device through various injection methods in order to hide their malicious behaviour. The terminal environment contains a great many modules; taking the Windows platform as an example, there are hundreds of system modules, each exporting more than a thousand API interfaces and COM (Cluster Communication port, i.e. serial communication port, serial port for short) interfaces, spread over dozens of sub-categories such as network, system service, permission and document classes. Detecting all of these API classes for an application process would produce an enormous log and is not necessary at all. This embodiment mainly records whether the application process triggers sensitive API operations or behaves in a way that deviates from the reference API calls, so only the APIs for sensitive operations that an attacker might exploit are detected. Furthermore, detecting a sensitive API operation of an application process does not by itself mean a malicious act; it may be a normal interface call triggered by the application process's own logic.
The sensitive API list is configured by an administrator at the management end and issued to the terminal as policy; the security client's full module receives, parses and updates the detection list. It includes, for the Mac platform, process information acquisition classes (e.g. libc::proc_pidinfo, proc_listpids), keyboard recording classes (NSEvent addGlobalMonitorForEvents, CGEventTapCreate, etc.), clipboard acquisition (NSPasteboard.general), full-screen screenshot acquisition (CGWindowListCreateImage), querying the number of system processor cores (processorCount), network connection information acquisition (proc_pidfdinfo), file operation classes (NSMetadataQuery on Mac, DeleteFile on Windows) and process path acquisition (libc::proc_pidpath, etc.); and for the Windows platform, system information acquisition classes (GetSystemInfo, GetUserName, GetComputerName, etc.) and token operation classes (OpenProcessToken, DuplicateTokenEx, etc.). Different system platforms can be given different detection API lists. The detection API lists are configured, updated and issued by the enterprise administrator; after the terminal security module receives them it is responsible for parsing and enforcing them, and the records of API triggers by a specific application process collected on the terminal are reported to the server.
The security client performs continuous sensitive API detection on application processes that access enterprise resources through the zero-trust network architecture. The characteristic information of such application processes on the terminal, including application version information, copyright information, the digital signature chain, the process executable hash and the absolute path of the process executable, is recorded by the security client and stored in the terminal's persistence library. The driver layer of the security client registers process start and process exit callbacks through PsSetCreateProcessNotifyRoutine and thereby detects the creation and exit of every process on the device. When a process starts, its characteristic information, including the absolute path of the process executable, hash information of the executable, copyright information and so on, is obtained and stored in a cache; the cache entry is cleared when the process exits, so that queries for process characteristic information are fast. Also when the process starts, the terminal's persistence library is queried for an enterprise resource access history record matching the process characteristics. If one exists, the security client performs the injection of the security module (a dll executable) into the application process; the security module then acts as the interface call detector that detects sensitive interface calls while the target application runs. If none exists, the injection is instead performed when the application process initiates access to an enterprise resource.
Data persistence means converting the data structure or object model in memory into a relational model, XML (Extensible Markup Language), JSON (JavaScript Object Notation), a binary stream or a similar storage model, and converting such a storage model back into the in-memory data model. The persistence library is the storage medium, located in a local disk file or data file of the device, that holds the relational model, XML, JSON, binary stream or other content converted from the in-memory data structure or object model; it can be implemented with an encrypted file, an embedded database and so on.
When a process initiates a request for an enterprise resource, a ticket application must be sent through the access proxy to the ticket module of the security client, which in turn sends a ticket application request to the server. When the ticket module of the security client receives the ticket application from the access proxy, it first obtains the process's characteristic information from the process ID of the application process sent by the access proxy, and in particular can query the process feature cache maintained by the driver layer to speed up the lookup; it then queries whether the process is stored in the persistence library. If it is, the client checks whether the security module has been injected into the process and, if not, performs the injection; if there is no record of the process in the persistence library, the security module is injected into the process and the process information is inserted into the persistence library. Through these operations, the security module is injected automatically when an application process that has accessed enterprise resources through the zero-trust network starts, the injection is checked when a network access ticket is applied for, and if the injection did not succeed it is performed again; for application processes that have not accessed enterprise resources through the zero-trust network, the injection is performed when they first access an enterprise resource through the zero-trust network.
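The start, exit and ticket-time decisions of the two paragraphs above form a small state machine over the feature cache and the persistence library. The block below is an added example, not the security client's code: the `SecurityClientSim` class, its method names and the sample processes are assumptions, the persistence library is modelled as an in-memory set keyed by executable path and hash, and `inject()` only records the decision rather than touching any process.

```python
"""Added example: when the security module injection decision is taken.

Not the patent's code. Models the process start/exit callbacks, the
driver-layer feature cache, the persistence library and the ticket-time
re-check with assumed names; inject() only records a decision.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcessFeatures:
    """Characteristic information captured at process start (fields from the text)."""
    path: str
    exe_hash: str
    copyright: str

    @property
    def key(self) -> Tuple[str, str]:
        return (self.path, self.exe_hash)


class SecurityClientSim:
    def __init__(self, persistence: Set[Tuple[str, str]]):
        # Persistence library: (path, hash) of processes with enterprise
        # resource access history through the zero-trust network.
        self.persistence: Set[Tuple[str, str]] = set(persistence)
        self.cache: Dict[int, ProcessFeatures] = {}   # driver-layer cache by PID
        self.injected: Set[int] = set()               # PIDs carrying the module
        self.log: List[str] = []                      # decisions taken, for review

    # --- driver-layer callbacks (stand-in for PsSetCreateProcessNotifyRoutine)
    def on_process_start(self, pid: int, feats: ProcessFeatures) -> None:
        self.cache[pid] = feats
        if feats.key in self.persistence:             # known resource accessor
            self.inject(pid)

    def on_process_exit(self, pid: int) -> None:
        self.cache.pop(pid, None)                     # clear the cache entry
        self.injected.discard(pid)

    # --- ticket module path
    def on_ticket_request(self, pid: int) -> Optional[ProcessFeatures]:
        """Return the features handed to the ticket application, or None if
        the PID is unknown to the cache. Ensures the module is present."""
        feats = self.cache.get(pid)
        if feats is None:
            return None
        if feats.key in self.persistence:
            if not self.is_injected(pid):             # injection failed or was lost
                self.inject(pid)
        else:                                         # first zero-trust access
            self.inject(pid)
            self.persistence.add(feats.key)
        return feats

    def inject(self, pid: int) -> bool:
        """Record an injection decision; returns False if already injected."""
        if pid in self.injected:
            return False
        self.injected.add(pid)
        self.log.append(f"inject:{pid}")
        return True

    def is_injected(self, pid: int) -> bool:
        return pid in self.injected


if __name__ == "__main__":
    known = ProcessFeatures(r"C:\Apps\a.exe", "HASH_A_PLACEHOLDER", "Example Corp")
    sim = SecurityClientSim({known.key})
    sim.on_process_start(1, known)
    sim.on_ticket_request(1)
    print(sim.log)   # one injection at start, none repeated at ticket time
```

Keeping the persistence key as (path, hash) rather than the PID is what makes the start-time injection work across restarts: the PID changes every launch, the executable identity does not.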
Further, as shown in fig. 8, for an application process that accesses enterprise resources, the security module is injected and performs sensitive API detection according to the sensitive API rules, covering categories such as system information acquisition, keyboard recording and Token operations. The APIs detected by the security module injected into the application process are not reported to the server in full; instead, API trigger records are first extracted according to the API extraction rules issued by the server and then reported to the server through the data reporting service for further processing. The API extraction rules include a time window (recording API calls from the start to the exit of the application process, or during a period before and after the access to the enterprise resource), the combination relationship of API calls (the precedence relationship between calls), the frequency (sent to the server for subsequent statistics), API trigger record deduplication rules and the like. Through this operation, continuous sensitive API detection is applied to application processes that access enterprise resources, and the API operations, the corresponding process version and other characteristic information are reported to the server.
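As an added example (not part of the patent), the terminal-side extraction rule described above applied to a trace of trigger records: records are restricted to a time window around the enterprise-resource access, filtered to the sensitive sub-categories, deduplicated, and reduced to the call sequence, the per-API frequency and the combination that the report carries. The record layout, the rule fields, the category letters and the sample trace are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiRecord:
    ts: float        # seconds since process start
    category: str    # sub-category letter as in fig. 9 (assumed: 'a' Token ops, 'b' system info, 'c' keyboard)
    api: str         # API number within the category, e.g. 'a1'
    args: tuple = ()


@dataclass(frozen=True)
class ExtractionRule:
    window_before: float        # seconds before the enterprise-resource access to keep
    window_after: float         # seconds after it to keep
    dedup_within: float         # identical (api, args) pairs closer than this count once
    categories: frozenset       # sensitive sub-categories to report


def extract_trigger_records(records, access_ts, rule):
    """Apply the extraction rule and build the report payload: the ordered call
    sequence, the per-API frequency and the combination (APIs in order of first appearance)."""
    lo, hi = access_ts - rule.window_before, access_ts + rule.window_after
    kept, last_seen = [], {}
    for r in sorted(records, key=lambda r: r.ts):
        if not (lo <= r.ts <= hi) or r.category not in rule.categories:
            continue
        key = (r.api, r.args)
        if key in last_seen and r.ts - last_seen[key] < rule.dedup_within:
            continue                               # deduplication rule
        last_seen[key] = r.ts
        kept.append(r)
    sequence = [r.api for r in kept]
    return {
        "sequence": sequence,                       # precedence relationship of the calls
        "frequency": dict(Counter(sequence)),       # for server-side statistics
        "combination": tuple(dict.fromkeys(sequence)),
    }


# Constructed sample trace: one process, enterprise resource accessed at t=10s.
SAMPLE_RECORDS = [
    ApiRecord(1.0, "a", "a1", ("token",)),     # before the window: dropped
    ApiRecord(6.0, "a", "a1", ("token",)),
    ApiRecord(6.4, "a", "a1", ("token",)),     # duplicate within 1s: dropped
    ApiRecord(8.0, "c", "c4"),
    ApiRecord(9.0, "z", "z9"),                 # not a sensitive category: dropped
    ApiRecord(11.0, "a", "a1", ("token",)),    # same call 5s later: kept and counted
    ApiRecord(12.0, "e", "e3", ("kbd",)),
    ApiRecord(20.0, "b", "b2"),                # after the window: dropped
]
SAMPLE_RULE = ExtractionRule(5.0, 5.0, 1.0, frozenset("abcdef"))


def sample_report():
    return extract_trigger_records(SAMPLE_RECORDS, 10.0, SAMPLE_RULE)
```

The deduplication key includes the call arguments, so a Token call repeated with a different handle is still reported; dropping it on API name alone would hide exactly the repetition that the frequency rule on the server is meant to count.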
After receiving the API detection operations reported by the terminals, the server counts the rules triggered by sensitive APIs per application type and aggregates APIs of the same type into a plurality of API combinations associated with the specific application. That is, after receiving the API trigger records reported by the terminals, the server forms an association between a specific application type and a plurality of API combinations according to the reporting structure of the terminals. As shown in fig. 9, a, b, c ... f denote the sub-categories to which APIs belong, such as the Token operation class, the system information acquisition class and the keyboard operation class; the numerals in fig. 9 are the API numbers within a sub-category, and different numbers denote different APIs of the same category. For example, api_a1 and api_a3 are different interfaces of the same category, while api_e1 and api_f5 are different interfaces of different categories. An API combination is composed of APIs of different categories and is generated by the terminal extraction rules. It may contain the order in which the APIs are called, or only a set relationship between calls that frequently occur together: when several APIs frequently appear together but their order is not fixed, the set relationship is used to represent the common feature of the interface calls.
Because the versions of the same type of application process evolve iteratively, the API rules of that application change over time. A voting algorithm is executed on the data reported by the terminal application software, and the interface calling behaviors of application processes of the same version are aggregated to form the reference feature. The server associates a specific application type with a plurality of API combinations and at the same time uses the version number as an important identifier and key attribute of the application; if an application process has no explicit version number, the hash of its executable file is used in place of the version number. The API call features of different versions of an application differ, and in some cases a change of version number changes the triggered API call features completely, so the association between the APIs and the application must be adjusted as the application version iterates. Generally, as shown in fig. 10, as the application version iterates, the low version is upgraded to the high version, so the share of the low version declines while the share of the high version gradually rises; some API combinations associated with the application gradually disappear, new API combinations are added, or specific interfaces are added to or removed from an API combination. Using the Boyer-Moore majority vote algorithm and similar algorithms, the server calculates the API feature information triggered by the majority of instances of a given application in the enterprise.
If the application's features are distributed over several versions and no single version has an overwhelming advantage, the server uses the API feature corresponding to each version number as one of several reference features of that application type, and whether a deviation exists is judged against the reference feature found by querying with the application's version; if a specific version of the application occupies the mainstream position in the enterprise, the API feature corresponding to that version is taken as the reference feature.
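The following added example, which is not the patent's or the applicant's code, carries the server-side aggregation of the preceding three paragraphs (and of the reference feature generation module described later) through on constructed reports: the version number, or the executable hash when the version is absent, keys the grouping; the Boyer-Moore majority vote selects the combination reported by the majority of instances of each version; and a single reference is chosen only when one version's share passes a dominance threshold, otherwise one reference per version is kept. The report layout, the threshold value and the fallback when no strict majority exists are assumptions.

```python
import hashlib
from collections import Counter, defaultdict


def version_key(version, exe_bytes=None):
    """The version number is the key attribute; fall back to the executable hash if absent."""
    if version:
        return version
    if exe_bytes is None:
        raise ValueError("need either a version string or the executable bytes")
    return "sha256:" + hashlib.sha256(exe_bytes).hexdigest()[:16]


def boyer_moore_majority(items):
    """Boyer-Moore majority vote (O(n) time, O(1) extra space). Returns the element
    occurring more than len(items)/2 times, or None when there is no strict majority.
    The second pass is required: the vote alone only yields a candidate."""
    candidate, count = None, 0
    for x in items:
        if count == 0:
            candidate, count = x, 1
        elif x == candidate:
            count += 1
        else:
            count -= 1
    if candidate is not None and 2 * sum(1 for x in items if x == candidate) > len(items):
        return candidate
    return None


def build_reference(reports, app_type, dominance=0.6):
    """Aggregate per-version combinations into the reference feature(s) for app_type.
    `dominance` (assumed threshold) is the share of reports one version needs to be
    treated as the mainstream version with a single reference."""
    per_version = defaultdict(list)
    for rep in reports:
        if rep["app"] != app_type:
            continue
        key = version_key(rep.get("version"), rep.get("exe_bytes"))
        per_version[key].append(frozenset(rep["combination"]))
    if not per_version:
        return None
    version_feature = {}
    for ver, combos in per_version.items():
        majority = boyer_moore_majority(combos)
        if majority is None:                        # assumed fallback: most common combination
            majority = Counter(combos).most_common(1)[0][0]
        version_feature[ver] = majority
    total = sum(len(c) for c in per_version.values())
    top_ver = max(per_version, key=lambda v: len(per_version[v]))
    if len(per_version[top_ver]) / total >= dominance:
        return {"mode": "single", "version": top_ver, "reference": version_feature[top_ver]}
    return {"mode": "per_version", "references": version_feature}


# Constructed reports for one application type "im" (an instant messaging client).
SAMPLE_REPORTS = (
    [{"app": "im", "version": "2.1", "combination": ["a1", "c4", "e3"]}] * 4
    + [{"app": "im", "version": "2.1", "combination": ["a1", "c4", "e3", "b2"]}]
    + [{"app": "im", "version": "2.0", "combination": ["a1", "c4"]}] * 2
    + [{"app": "im", "version": None, "exe_bytes": b"old-build", "combination": ["a1"]}]
    + [{"app": "office", "version": "7", "combination": ["f5"]}]
)
```

The verification pass in `boyer_moore_majority` matters in this setting: a version whose instances report many slightly different combinations (a rolling hotfix, for example) has no strict majority, and silently trusting the vote's candidate would baseline on whatever combination happened to survive the cancellation.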
In the terminal zero-trust network architecture, the API behavior of application processes can be detected in real time, and application processes that deviate from the reference are handled automatically. After the terminal security module is injected into the target process, it detects the sensitive API behavior of the application process in real time. The server issues the known reference features to the terminal, and the terminal queries the reference feature according to the version number of the application; if an API trigger record deviating from the reference feature appears, that is, the process exhibits interface calling behavior deviating from the sensitive API feature, the execution of the process is stopped automatically or the channel through which the application accesses enterprise resources is blocked according to the handling rules, for example by refusing to issue the network access ticket or by having the access agent block the access directly. Alternatively, the terminal may be responsible only for detecting and reporting the API trigger records, while the server detects whether a scenario deviating from the reference feature occurs and, if so, issues a command to the terminal to block the process or isolate the terminal from the network.
Further, the rules for judging whether the APIs of an application process deviate from the reference feature are formulated by the server and may be executed either by the server or by the client. The judgment rules for the reference feature can take various forms, mainly: the minimum range that must be covered, API records that must not occur, the frequency of related API triggers, and the order of specific API calls together with their parameters.
The minimum range that must be covered is a range formed by a combination of APIs that the application process must call; for example, the combination of a1, c4 and e3 must occur while the application process accesses enterprise resources. If the API trigger records of a certain application process contain only some of these items rather than all of them, a reference deviation is considered to exist. The tolerated deviation can be configured as a parameter of the rule: if the actual deviation value exceeds the parameter, a reference deviation is deemed to have occurred; otherwise the deviation is within the allowed range and is not handled.
API records that must not occur are derived from the type of the application (instant messaging software, security management software, office software and the like), its application scope (the scenarios and applications in which it is used) and data analysis of the long-term detection results for the APIs of a given version of the application, and they restrict operations that the application must not touch. Such API records are typically configured sensitive operations, for example privilege elevation, acquisition of system information, or reading the memory of a third-party process. If an application touches an API it is not expected to call, it is reasonable to consider that the application deviates from the reference and carries a certain security risk.
The frequency of related API triggers means that, on the basis of counting the API call records of the application process over a relatively long period, the calling frequency of some representative interfaces is extracted as the reference. If during certain observation periods the application calls an API more often than expected, for example through repeated calls or probing of network ports, a reference deviation is determined.
The order of specific API calls and their parameters indicate the relative order of the API calls and whether the parameter values of certain API calls are as expected. This rule is strict and is suited to scenarios in which the execution logic of the application and its call parameters are fully known, which clearly distinguishes it from the other rules (which treat the execution logic of a third-party application as a black box). The rule is applied to software developed in-house by the enterprise: a number of standard checkpoints can be pre-embedded in the program's execution, and when the application runs normally without interference from a third party, the data detected by the detection module is expected to match the pre-embedded call order and call parameters of the interfaces. If the call parameters or the relative order of specific APIs deviate from the expected values, the application is considered to be at risk of tampering by a third-party module or injection of malicious code.
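As an added example (not the patent's or the applicant's code), a checker that implements the four deviation rules just described over one process's trigger records and derives the handling decision from the result: the minimum coverage set with a tolerated number of missing items, the forbidden API list, per-API frequency limits for the observation window, and the expected call order with parameter values for in-house software. The rule layout, the API numbers, the meaning assigned to b7 and f2 and the sample traces are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Call:
    api: str              # API number within its category, e.g. "a1"
    args: tuple = ()      # call parameters captured by the detector


@dataclass
class ReferenceRule:
    must_cover: frozenset = frozenset()           # minimum range: APIs that must all appear
    max_missing: int = 0                          # tolerated number of missing must-cover APIs
    forbidden: frozenset = frozenset()            # API records that must not occur
    max_freq: dict = field(default_factory=dict)  # api -> maximum calls in the observation window
    expected_order: tuple = ()                    # ((api, expected_args or None), ...) for in-house software


def check_deviation(calls, rule):
    """Return the list of reference deviations found in one process's trigger records."""
    devs = []
    seen = [c.api for c in calls]
    missing = rule.must_cover - set(seen)
    if len(missing) > rule.max_missing:
        devs.append(("min_cover", tuple(sorted(missing))))
    hit = sorted({c.api for c in calls if c.api in rule.forbidden})
    if hit:
        devs.append(("forbidden", tuple(hit)))
    counts = Counter(seen)
    for api, limit in rule.max_freq.items():
        if counts[api] > limit:
            devs.append(("frequency", api, counts[api], limit))
    if rule.expected_order:
        tracked = {api for api, _ in rule.expected_order}
        i = 0
        for c in (c for c in calls if c.api in tracked):
            if i >= len(rule.expected_order):
                break
            api, args = rule.expected_order[i]
            if c.api != api:
                continue            # out-of-order call; surfaces as a never-matched expected item below
            if args is not None and c.args != args:
                devs.append(("parameter", api, c.args))
            i += 1
        if i < len(rule.expected_order):
            devs.append(("order", rule.expected_order[i][0]))
    return devs


def decide(calls, rule):
    """Handling decision: block the process or its access on any deviation, else allow."""
    devs = check_deviation(calls, rule)
    return ("block" if devs else "allow"), devs


SAMPLE_RULE = ReferenceRule(
    must_cover=frozenset({"a1", "c4", "e3"}),
    forbidden=frozenset({"b7"}),          # assumed: b7 = reading another process's memory
    max_freq={"f2": 3},                   # assumed: f2 = a network port probe
    expected_order=(("a1", ("token",)), ("c4", None), ("e3", None)),
)
NORMAL_TRACE = [Call("a1", ("token",)), Call("c4"), Call("f2"), Call("f2"), Call("e3")]
SUSPICIOUS_TRACE = [Call("a1", ("token",)), Call("b7")] + [Call("f2")] * 5 + [Call("e3")]
```

The order rule is evaluated as a subsequence match over the tracked APIs only, so unrelated calls interleaved with the expected checkpoints do not trigger it; an expected checkpoint that is reached with the wrong parameter is reported separately as a parameter deviation rather than being treated as absent.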
In a specific application, if the server executes the logic that judges whether the APIs of a certain application process deviate from the reference feature, the client is responsible only for reporting the trigger records of the specific application process to the server and receiving the instruction issued by the server to block the process or isolate the network, and it does not interfere with the process while the process accesses the network; if the client executes that logic, the client itself performs the operations of prohibiting execution or blocking access for a process that deviates from the reference, based on the rules issued by the server.
According to the application process detection processing method provided by this embodiment, the application process is associated with the API features executed within a certain time window during enterprise resource access, the interface calling behaviors of application processes of the same version are aggregated, and the reference feature is formed. The API behavior of the application process is detected in real time at the terminal, application processes that deviate from the reference are handled automatically, and their behavior features are analyzed and incorporated into the subsequent detection flow. The method and system can greatly improve the detection accuracy for trusted applications in a zero-trust network architecture, promptly detect and handle malicious behavior that deviates from normal operation during a process's access to enterprise resources (including a normal process whose legitimacy is unknown and that is suspected to be abnormal), improve the proactive countermeasure capability against APT (advanced persistent threat) attacks, reduce the risk of devices in the enterprise being infected through 0-day exploits, improve risk awareness and the security of enterprise office work, and enhance the availability and security of the zero-trust network access control system.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to this order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with at least some of the other steps or sub-steps.
Based on the same inventive concept, the embodiment of the application also provides an application process detection processing system for realizing the above related application process detection processing method. The implementation of the solution provided by the system is similar to the implementation described in the above method, so the specific limitation in the embodiments of the application process detection processing system or application process detection processing systems provided below may be referred to the limitation of the application process detection processing method hereinabove, and will not be described herein.
In one embodiment, as shown in FIG. 11, an application process detection processing system 1100 is provided, comprising: a terminal 1102 and a server 1104, wherein:
the terminal 1102 is configured to detect a call operation of the sensitive interface in a running process according to a process of the target application when the process of the target application meets a detection trigger condition, so as to obtain an interface call feature of the sensitive interface;
A server 1104 for acquiring reference features associated with the target application; the reference feature is obtained by aggregating security call data generated by security call of the sensitive interface according to the process of the target application; comparing the interface calling features with the reference features to obtain feature comparison results;
The terminal 1102 is further configured to block, when the feature comparison result indicates that the calling operation does not belong to an operation type of secure call, the calling operation of the sensitive interface with respect to a process of the target application.
Based on the same inventive concept, the embodiment of the application also provides an application process detection processing device for realizing the above related application process detection processing method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiments of the application process detection processing device or devices provided below may refer to the limitation of the application process detection processing method hereinabove, and will not be repeated herein.
In one embodiment, as shown in fig. 12, there is provided an application process detection processing apparatus 1200, including: an interface call feature acquisition module 1202, a reference feature acquisition module 1204, a feature comparison module 1206, and a blocking processing module 1208, wherein:
the interface calling feature obtaining module 1202 is configured to detect a calling operation of the sensitive interface in a running process according to a process of the target application when the process of the target application meets a detection trigger condition, and obtain an interface calling feature of the sensitive interface;
a reference feature acquiring module 1204, configured to acquire a reference feature associated with the target application; the reference feature is obtained by aggregating security call data generated by security call of the sensitive interface according to the process of the target application;
a feature comparison module 1206, configured to perform feature comparison on the interface calling feature and the reference feature to obtain a feature comparison result;
And the blocking processing module 1208 is configured to block the calling operation of the sensitive interface for the process of the target application when the feature comparison result indicates that the calling operation does not belong to the operation type of the secure call.
In one embodiment, the interface call feature obtaining module 1202 is further configured to query historical access data when a process of the target application is started; when the historical access data contains an access record of the process of the target application for the target resource, inject an interface call detector into the process of the target application; and detect, through the interface call detector, the calling operation of the sensitive interface during the running of the process of the target application, to obtain the interface calling feature of the sensitive interface.
In one embodiment, the interface call feature obtaining module 1202 is further configured to inject the interface call detector into the process of the target application when the access record of the process of the target application for the target resource does not exist in the history access data and the process of the target application triggers access to the target resource; and when the interface call detector is successfully injected into the process of the target application, updating the access record of the generated process of the target application to the target resource into the historical access data.
In one embodiment, the interface call feature obtaining module 1202 is further configured to, when the process of the target application triggers access to the target resource, perform detector detection on the process of the target application; and when the detection result indicates that the interface call detector is not injected in the process of the target application, inject the interface call detector into the process of the target application again.
In one embodiment, the interface call feature obtaining module 1202 is further configured to obtain a list of sensitive interfaces configured for the running environment of the target application; determining an interface called by a process of the target application in the running process; when the called interface belongs to the sensitive interface in the sensitive interface list, detecting the calling operation of the sensitive interface aiming at the process of the target application, and obtaining the interface calling characteristic of the sensitive interface.
In one embodiment, the interface call feature obtaining module 1202 is further configured to detect a call operation of the sensitive interface with respect to a process of the target application, to obtain interface call detection data; acquiring calling feature screening conditions; and screening the interface call detection data by calling the feature screening condition to obtain the interface call feature of the sensitive interface.
In one embodiment, the feature comparison module 1206 is further configured to determine a feature comparison term; the feature comparison item comprises at least one of calling interface type, interface calling statistic data, interface calling sequence or interface calling parameters; respectively comparing the characteristics of the interface calling characteristics with the characteristics of the reference characteristics to obtain characteristic deviation data; and obtaining a characteristic comparison result based on the characteristic deviation data and the characteristic deviation judging condition.
In one embodiment, the blocking processing module 1208 is further configured to determine a blocking manner of the process for the target application when the feature comparison result indicates that the calling operation does not belong to an operation type of the secure call; according to the blocking mode, blocking processing is carried out on calling operation of the sensitive interface aiming at the process of the target application; the blocking mode comprises at least one of stopping the running of the process of the target application, blocking the access of the process of the target application to the target resource or isolating the network.
In one embodiment, the reference feature obtaining module 1204 is further configured to obtain process feature information of a process of the target application; determining an application identifier of the target application based on the process characteristic information; and according to the application identification, inquiring to obtain the reference characteristic associated with the target application.
In one embodiment, the reference feature obtaining module 1204 is further configured to, when at least one of starting a process of the target application or triggering access to the target resource by the process of the target application is satisfied, collect process feature information of the process of the target application; storing the process characteristic information into a cache; and acquiring the process characteristic information of the target application from the cache.
In one embodiment, the system further comprises a reference feature generation module, which is used for acquiring generated security call data in the process of the target application for performing security call on the sensitive interface; dividing the security call data according to interface categories to obtain category security call data respectively associated with each interface category; and combining the class security call data according to the interface call feature aggregation condition to obtain the reference feature associated with the target application.
In one embodiment, the reference feature generating module is further configured to determine process feature information of a process of the target application; combining the category security call data according to the interface call feature aggregation condition to obtain at least one interface call combination feature; and associating at least one interface calling combination feature with the process feature information to obtain a reference feature associated with the target application.
In one embodiment, the reference feature generating module is further configured to determine a version identifier of the target application according to the process feature information; associating the interface calling combination features belonging to the same version identifier with the process feature information to obtain version reference features of each version identifier; and screening according to the version reference features of each version identifier to obtain the reference features associated with the target application.
In one embodiment, the system further comprises an access verification module, configured to, when the process of the target application triggers access to the target resource, acquire access request parameters associated with the target application according to the access verification condition; generate an access ticket based on the access request parameters; and request access verification through the access ticket, and access the target resource when the access verification passes and the calling operation of the sensitive interface has not triggered blocking processing.
In one embodiment, the system further comprises a verification condition generation module, configured to display an access policy configuration area for the target application and obtain access policy configuration information of the target application through the access policy configuration area; display a resource access configuration area for the target resource and obtain resource access configuration information of the target resource through the resource access configuration area; and generate the access verification condition according to the access policy configuration information and the resource access configuration information.
The above-described respective modules in the application process detection processing device may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server or a terminal, and whose internal structure may be as shown in fig. 13. The computer device includes a processor, a memory, an input/output (I/O) interface and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs and a database. The internal memory provides an environment for the operation of the operating system and the computer programs in the non-volatile storage medium. The database of the computer device is used to store reference feature data. The input/output interface of the computer device is used to exchange information between the processor and external devices. The communication interface of the computer device is used to communicate with an external terminal through a network connection. The computer program, when executed by the processor, implements an application process detection processing method.
It will be appreciated by those skilled in the art that the structure shown in FIG. 13 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.
Those skilled in the art will appreciate that implementing all or part of the methods described above may be accomplished by a computer program stored on a non-transitory computer-readable storage medium, which, when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetoresistive Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory and the like. Volatile memory may include Random Access Memory (RAM) or external cache memory and the like. By way of illustration and not limitation, RAM may take various forms such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, all of which are within the scope of the application. Accordingly, the scope of the application should be determined by the appended claims.

Claims (20)

1. An application process detection processing method, characterized in that the method comprises:
When a process of a target application meets a detection trigger condition, detecting a calling operation of a sensitive interface in the running process aiming at the process of the target application, and obtaining an interface calling characteristic of the sensitive interface;
acquiring a reference feature associated with the target application; the reference feature is obtained by aggregating security call data generated by security call of the sensitive interface according to the process of the target application;
comparing the interface calling feature with the reference feature to obtain a feature comparison result;
And when the characteristic comparison result indicates that the calling operation does not belong to the operation type of safe calling, blocking the calling operation of the sensitive interface aiming at the process of the target application.
2. The method according to claim 1, wherein, when the process of the target application meets the detection trigger condition, detecting the calling operation on the sensitive interface performed by the process of the target application during running, to obtain the interface calling feature of the sensitive interface, comprises:
when the process of the target application is started, querying historical access data;
when the historical access data contains an access record of the process of the target application for a target resource, injecting an interface call detector into the process of the target application; and
detecting, by the interface call detector, the calling operation on the sensitive interface performed by the process of the target application during running, to obtain the interface calling feature of the sensitive interface.
3. The method according to claim 2, wherein the method further comprises:
when the historical access data does not contain an access record of the process of the target application for the target resource and the process of the target application triggers access to the target resource, injecting the interface call detector into the process of the target application; and
when the interface call detector is successfully injected into the process of the target application, updating the historical access data with the access record generated for the access of the process of the target application to the target resource.
4. The method according to claim 2, wherein the method further comprises:
when the process of the target application triggers access to the target resource, detecting the process of the target application by a detector; and
when the detection result of the detector indicates that the interface call detector is not injected into the process of the target application, injecting the interface call detector into the process of the target application again.
5. The method according to claim 1, wherein detecting the calling operation on the sensitive interface performed by the process of the target application during running, to obtain the interface calling feature of the sensitive interface, comprises:
acquiring a sensitive interface list configured for the running environment of the target application;
determining an interface called by the process of the target application during running; and
when the called interface belongs to a sensitive interface in the sensitive interface list, detecting the calling operation on the sensitive interface by the process of the target application to obtain the interface calling feature of the sensitive interface.
6. The method according to claim 5, wherein detecting the calling operation on the sensitive interface by the process of the target application to obtain the interface calling feature of the sensitive interface comprises:
detecting the calling operation on the sensitive interface by the process of the target application to obtain interface call detection data;
acquiring a calling feature screening condition; and
screening the interface call detection data by the calling feature screening condition to obtain the interface calling feature of the sensitive interface.
7. The method according to claim 1, wherein comparing the interface calling feature with the reference feature to obtain the feature comparison result comprises:
determining feature comparison items, the feature comparison items comprising at least one of a calling interface type, interface call statistics, an interface call sequence, or interface call parameters;
comparing the interface calling feature with the reference feature on each of the feature comparison items to obtain feature deviation data; and
obtaining the feature comparison result based on the feature deviation data and a feature deviation judging condition.
8. The method according to claim 1, wherein, when the feature comparison result indicates that the calling operation does not belong to the operation type of a secure call, blocking the calling operation on the sensitive interface by the process of the target application comprises:
when the feature comparison result indicates that the calling operation does not belong to the operation type of a secure call, determining a blocking mode for the process of the target application; and
blocking, according to the blocking mode, the calling operation on the sensitive interface by the process of the target application;
wherein the blocking mode comprises at least one of stopping the running of the process of the target application, blocking access of the process of the target application to the target resource, or network isolation.
9. The method according to claim 1, wherein acquiring the reference feature associated with the target application comprises:
acquiring process feature information of the process of the target application;
determining an application identifier of the target application based on the process feature information; and
querying, according to the application identifier, to obtain the reference feature associated with the target application.
10. The method according to claim 9, wherein the method further comprises:
when at least one of the process of the target application being started or the process of the target application triggering access to the target resource is met, collecting process feature information of the process of the target application; and
storing the process feature information in a cache;
and wherein acquiring the process feature information of the process of the target application comprises:
acquiring the process feature information of the process of the target application from the cache.
11. The method according to claim 1, wherein the method further comprises:
acquiring the secure call data generated during secure calls of the sensitive interface by the process of the target application;
dividing the secure call data by interface category to obtain category secure call data associated with each interface category; and
combining the category secure call data according to an interface calling feature aggregation condition to obtain the reference feature associated with the target application.
12. The method according to claim 11, wherein combining the category secure call data according to the interface calling feature aggregation condition to obtain the reference feature associated with the target application comprises:
determining process feature information of the process of the target application;
combining the category secure call data according to the interface calling feature aggregation condition to obtain at least one interface calling combination feature; and
associating the at least one interface calling combination feature with the process feature information to obtain the reference feature associated with the target application.
13. The method according to claim 12, wherein associating the at least one interface calling combination feature with the process feature information to obtain the reference feature associated with the target application comprises:
determining a version identifier of the target application according to the process feature information;
associating the interface calling combination features belonging to the same version identifier with the process feature information to obtain a version reference feature for each version identifier; and
screening the version reference features of the version identifiers to obtain the reference feature associated with the target application.
14. The method according to any one of claims 1 to 13, further comprising:
when the process of the target application triggers access to the target resource, acquiring access request parameters associated with the target application according to an access verification condition;
generating an access ticket based on the access request parameters; and
performing access verification by requesting with the access ticket, and accessing the target resource when the access verification is passed and the calling operation on the sensitive interface has not triggered blocking processing.
15. The method according to claim 14, wherein the method further comprises:
displaying an access policy configuration area for the target application, and obtaining access policy configuration information of the target application through the access policy configuration area;
displaying a resource access configuration area for the target resource, and obtaining resource access configuration information of the target resource through the resource access configuration area; and
generating the access verification condition according to the access policy configuration information and the resource access configuration information.
16. An application process detection processing system, the system comprising:
a terminal, configured to, when a process of a target application meets a detection trigger condition, detect a calling operation on a sensitive interface performed by the process of the target application during running, to obtain an interface calling feature of the sensitive interface; and
a server, configured to acquire a reference feature associated with the target application, the reference feature being obtained by aggregating secure call data generated by secure calls of the sensitive interface by the process of the target application, and to compare the interface calling feature with the reference feature to obtain a feature comparison result;
wherein the terminal is further configured to block the calling operation on the sensitive interface by the process of the target application when the feature comparison result indicates that the calling operation does not belong to the operation type of a secure call.
17. An application process detection processing apparatus, the apparatus comprising:
an interface calling feature obtaining module, configured to, when a process of a target application meets a detection trigger condition, detect a calling operation on a sensitive interface performed by the process of the target application during running, to obtain an interface calling feature of the sensitive interface;
a reference feature acquisition module, configured to acquire a reference feature associated with the target application, the reference feature being obtained by aggregating secure call data generated by secure calls of the sensitive interface by the process of the target application;
a feature comparison module, configured to compare the interface calling feature with the reference feature to obtain a feature comparison result; and
a blocking processing module, configured to block the calling operation on the sensitive interface by the process of the target application when the feature comparison result indicates that the calling operation does not belong to the operation type of a secure call.
18. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 15.
19. A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 15.
20. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 15.
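As an added illustration of claims 7, 8 and 11 (example code written for this page, not the patent's own implementation), the following Python aggregates constructed secure call records by interface category into a reference feature, compares an observed interface calling feature with it item by item (interface type, call statistics, parameters, call sequence), and maps the deviation data to a blocking mode. The interface names, parameters, the count factor, the tolerated deviation count and the choice of blocking mode are all assumptions.

```python
from collections import Counter
# Constructed sample of secure call data (not from the patent), grouped by
# interface category as in claim 11: each record is (interface name, parameter).
SECURE_CALLS = {
    "file": [("CreateFile", "C:/app/data.db"), ("ReadFile", "C:/app/data.db")] * 5,
    "network": [("connect", "api.example.com:443")] * 5,
}
EMPTY = {"interfaces": set(), "max_calls": 0, "params": {}, "sequence": set()}

def build_reference_feature(secure_calls):
    """Aggregate per-category secure call data into a reference feature (claims 11-12)."""
    ref = {}
    for category, records in secure_calls.items():
        names = [n for n, _ in records]
        counts = Counter(names)
        ref[category] = {
            "interfaces": set(counts),                      # calling interface types
            "max_calls": max(counts.values()),              # interface call statistics
            "params": {n: {p for m, p in records if m == n} for n in counts},
            "sequence": set(zip(names, names[1:])),         # adjacent call pairs
        }
    return ref

def compare_features(call_feature, reference, count_factor=2):
    """Compare the observed call feature with the reference item by item (claim 7); return deviation data."""
    deviations = []
    for category, records in call_feature.items():
        base = reference.get(category, EMPTY)
        names = [n for n, _ in records]
        for name, n in Counter(names).items():
            if name not in base["interfaces"]:
                deviations.append(("interface_type", category, name))
                continue  # unknown interface: the remaining items cannot be compared
            if n > count_factor * base["max_calls"]:   # assumed statistics threshold
                deviations.append(("call_statistics", category, name))
            for p in {p for m, p in records if m == name} - base["params"][name]:
                deviations.append(("parameter", category, p))
        for pair in set(zip(names, names[1:])) - base["sequence"]:
            deviations.append(("sequence", category, pair))
    return deviations

def decide_blocking(deviations, tolerated=0):
    """Deviation judging condition (claim 7) and blocking mode (claim 8); None means a secure call."""
    if len(deviations) <= tolerated:
        return None
    if any(d[1] == "network" for d in deviations):
        return "isolate_network"
    if any(d[0] == "interface_type" for d in deviations):
        return "stop_process"
    return "block_resource_access"
```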
CN202211271612.5A 2022-10-18 2022-10-18 Application process detection processing method, system, device and computer equipment Pending CN117951682A (en)

Publications (1)

Publication Number Publication Date
CN117951682A true CN117951682A (en) 2024-04-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination