CN117521087A - Equipment risk behavior detection method, system and storage medium - Google Patents
- Publication number: CN117521087A (application number CN202410009563.0A)
- Authority: CN (China)
- Prior art keywords: risk, detection, target terminal, sandbox, plug-in
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
- G06F9/44526—Plug-ins; Add-ons
Abstract
The method comprises the steps of obtaining a target terminal identifier to be detected; performing nondestructive detection on the sandbox of the target terminal device through a detection plug-in; detecting a risk log file of the target terminal device through the detection plug-in according to the generated sandbox detection information; if no risk log file is detected, accessing a permission directory of the target terminal device through the detection plug-in; and generating a risk behavior detection report according to the feedback result information of accessing the permission directory of the target terminal device. By combining multiple detection modes, namely detection of the sandbox of the target terminal device, detection of the risk log file and access to the permission directory of the target terminal device, the method and device accurately detect risk behavior of the electronic device, so that the running safety of the application program is improved.
Description
Technical Field
The application relates to the technical field of intelligent equipment security, in particular to an equipment risk behavior detection method, an equipment risk behavior detection system and a storage medium.
Background
A risk behavior is one in which higher authority over the electronic device is obtained through a system vulnerability of the electronic device or a third-party plug-in tool. Although such behavior obtains higher authority and allows third-party applications or plug-ins to be installed freely, it makes the system of the electronic device unstable, so that the electronic device frequently suffers from problems such as crashes and freezes.
In order to detect whether the electronic device has risk behaviors, a developer of the application program inserts a risk behavior detection plug-in into the application program. When the application program is installed on the electronic device, the detection plug-in can automatically detect the running environment of the electronic device, so that damage to the application program caused by risk behaviors is reduced.
However, some risk behaviors can evade the risk detection of the detection plug-in by means such as skipping risk file access and skipping risk-related character strings, so that the detection plug-in cannot detect the risk behaviors accurately; the application program can therefore be attacked by the risk behaviors, and its running is affected.
Disclosure of Invention
In order to solve the problem that the detection plug-in cannot accurately detect the risk behavior of the electronic device, in a first aspect, some embodiments of the present application provide a device risk behavior detection method, including:
acquiring a target terminal identifier to be detected, wherein the target terminal identifier is used for representing target terminal equipment provided with a target application, and the target application comprises a detection plug-in;
performing nondestructive testing on a sandbox of a target terminal device through the detection plug-in to generate sandbox detection information, wherein the sandbox is used for providing a safe network environment for the target terminal device;
detecting a risk log file of the target terminal device through the detection plug-in according to the sandbox detection information, wherein the risk log file is a log file generated when the target terminal device generates a risk behavior;
if the risk log file is not detected, accessing a permission directory of the target terminal device through the detection plug-in, wherein the permission directory is a directory file which cannot be accessed under a secure network environment;
and generating a risk behavior detection report according to feedback result information of the permission directory of the target terminal device.
In some embodiments, the sandbox detection information includes sandbox damage information and sandbox security information, and the step of detecting, by the detection plug-in, the risk log file of the target terminal according to the sandbox detection information includes:
detecting a system sub-process through the detection plug-in, wherein the system sub-process is a branch process constructed according to the system process of the target terminal;
outputting sandbox damage information if the system sub-process is detected, wherein the sandbox damage information is used for representing that the sandbox is damaged;
if the system sub-process is not detected, detecting a risk log file of the target terminal through the detection plug-in, and outputting sandbox security information, wherein the sandbox security information is used for representing that the sandbox is not damaged.
In some embodiments, detecting the system sub-process by the detection plug-in includes:
acquiring a subprocess return value through a detection plug-in;
and detecting the system subprocess according to the subprocess return value.
In some embodiments, the step of detecting the system sub-process from the sub-process return value comprises:
setting a sub-process threshold;
when the subprocess return value is greater than or equal to a subprocess threshold value, outputting a first detection result, wherein the first detection result is used for representing that the system subprocess is detected;
and when the subprocess return value is smaller than a subprocess threshold value, outputting a second detection result, wherein the second detection result is used for representing that the system subprocess is not detected.
In some embodiments, if the sandbox damage information is output, the step of generating a risk behavior detection report according to the feedback result information of accessing the permission directory of the target terminal device includes:
generating a first risk document according to the sandbox damage information;
if the risk log file is detected, generating a second risk document according to the risk log file;
the risk behavior detection report is generated according to risk data, wherein the risk data comprises the first risk document and the second risk document.
In some embodiments, the risk data further includes a third risk document, and before the step of detecting, by the detection plug-in, the risk log file of the target terminal device, the method further includes:
detecting a risk plugin of the target terminal device through the detection plugin;
and if the target terminal equipment comprises the risk plugin, generating a third risk document according to the risk plugin.
In some embodiments, the step of generating a risk behavior detection report according to the feedback result information of the permission directory of the target terminal device includes:
if the feedback result information is that the access is successful, a risk behavior detection report with risk behaviors is generated;
and if the feedback result information is access failure, generating a risk behavior detection report without risk behaviors.
In some embodiments, before the step of obtaining the target terminal identifier to be detected, the method further includes:
integrating the detection plug-in into a development tool of the target application;
setting detection parameters of the detection plug-in;
and when a terminal device is detected to have the target application installed, configuring the terminal device according to the detection parameters so as to obtain the target terminal identifier.
In a second aspect, some embodiments of the present application provide a device risk behavior detection system, including a server and a target terminal device, where the server establishes a communication connection with at least one target terminal device, the target terminal device is a terminal device on which a target application is installed, and the target application includes a detection plug-in, and the server is configured to:
acquiring a target terminal identifier to be detected, wherein the target terminal identifier is used for representing target terminal equipment provided with a target application, and the target application comprises a detection plug-in;
performing nondestructive testing on a sandbox of a target terminal device through the detection plug-in to generate sandbox detection information, wherein the sandbox is used for providing a safe network environment for the target terminal device;
detecting a risk log file of the target terminal device through the detection plug-in according to the sandbox detection information, wherein the risk log file is a log file generated when the target terminal device generates a risk behavior;
if the risk log file is not detected, accessing a permission directory of the target terminal equipment through the detection plug-in, wherein the permission directory is a directory file which cannot be accessed under a secure network environment;
and generating a risk behavior detection report according to feedback result information of the permission directory of the target terminal device.
In a third aspect, some embodiments of the present application provide a computer-readable storage medium, where the computer-readable storage medium includes computer instructions for instructing a computer to execute the device risk behavior detection method according to the first aspect.
According to the above technical content, the application provides a device risk behavior detection method, system and storage medium. The method comprises the steps of obtaining a target terminal identifier to be detected; performing nondestructive detection on the sandbox of the target terminal device through a detection plug-in; detecting a risk log file of the target terminal device through the detection plug-in according to the generated sandbox detection information; if no risk log file is detected, accessing the permission directory of the target terminal device through the detection plug-in; and generating a risk behavior detection report according to the feedback result information of accessing the permission directory of the target terminal device. By combining multiple detection modes, namely detection of the sandbox of the target terminal device, detection of the risk log file and access to the permission directory of the target terminal device, the method and device accurately detect risk behavior of the electronic device, so that the running safety of the application program is improved.
Drawings
In order to more clearly illustrate the technical solutions of the present application, the drawings that are needed in the embodiments will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a flowchart of a device risk behavior detection method provided in an embodiment of the present application;
FIG. 2 is a schematic flow chart of a system establishment subroutine in an embodiment of the present application;
FIG. 3 is a flowchart of outputting sandbox detection information according to a sub-process return value according to an embodiment of the present application;
FIG. 4 is a flowchart of generating a risk behavior detection report according to risk data according to an embodiment of the present application;
FIG. 5 is a flowchart of generating a third risk document by detecting a risk plug-in according to an embodiment of the present application;
FIG. 6 is a block diagram of a device risk behavior detection system according to an embodiment of the present application.
Detailed Description
For purposes of clarity and implementation of the present application, the following description will make clear and complete descriptions of exemplary implementations of the present application with reference to the accompanying drawings in which exemplary implementations of the present application are illustrated, it being apparent that the exemplary implementations described are only some, but not all, of the examples of the present application.
It should be noted that the brief description of the terms in the present application is only for convenience in understanding the embodiments described below, and is not intended to limit the embodiments of the present application. Unless otherwise indicated, these terms should be construed in their ordinary and customary meaning.
The terms "first," "second," "third" and the like in the description, in the claims and in the above-described figures are used for distinguishing between similar objects or entities and not necessarily for limiting a particular order or sequence, unless otherwise indicated. It is to be understood that the terms so used are interchangeable under appropriate circumstances.
The terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a product or apparatus that comprises a list of elements is not necessarily limited to all elements explicitly listed, but may include other elements not expressly listed or inherent to such product or apparatus.
An electronic device is a device that implements various functions through electronic technology, such as a smart phone, a computer, an industrial detector, and the like. The electronic device may also have a communication function to enable transmission and exchange of information or data, for example, a user may use a smart phone to send data or a transmission instruction to other electronic devices through the internet to enable communication.
In order to facilitate management of the operation behavior of the user, some functions of the electronic device may also be set with rights, which may be set and managed by the device owner or administrator. These rights may include access to the network, push information, access to cameras/microphones, obtain geographic locations, obtain call rights, access to files, etc.
However, some functions of the electronic device cannot be changed through user-defined settings, and some users choose to obtain larger usage rights over the electronic device through risk behaviors. For example, a vulnerability of the electronic device or a third-party plug-in tool can be used to make the electronic device grant higher authority; but obtaining higher authority by exploiting a vulnerability of the electronic device or a third-party plug-in tool also carries a great security risk, makes the system of the electronic device unstable, and causes the electronic device to frequently suffer from problems such as crashes and freezes.
It should be noted that, the embodiments described above are merely taken as exemplary descriptions of risk behaviors, and the risk behaviors detected in practical applications may include modification of device rights, active or passive malicious network attacks, access to illegal websites, and illegal behaviors such as electronic viruses.
During the process of installing or running an application program, the electronic device is in a risk environment and may be attacked maliciously by an outsider, damaging the application program. For this reason, the developer of the application inserts a detection plug-in into the application for detecting risk behavior or a risk environment. When the electronic device installs or runs the application program, the detection plug-in automatically detects the running environment of the electronic device, so that the risk of damage to the application program caused by risk behaviors is reduced.
However, some risk behaviors can evade the risk detection of the detection plug-in by means such as skipping risk file access and skipping risk-related character strings, so that the detection plug-in cannot detect the risk behaviors accurately; the application program can therefore be attacked by the risk behaviors, and its running is affected.
In order to solve the problem that the detection plug-in cannot accurately detect the risk behavior of the electronic device, some embodiments of the present application provide a device risk behavior detection method, as shown in fig. 1, including:
S100: Obtaining the target terminal identifier to be detected.
The target terminal identifier is used to indicate the target terminal device in which the target application is installed, and in this embodiment, the target terminal device may be determined by the target terminal identifier. When the terminal equipment installs the target application, a target terminal identifier can be generated at a status bar corresponding to the terminal equipment so as to indicate that the current terminal equipment has installed the target application, and the current terminal equipment is the target terminal equipment.
The target application comprises a detection plug-in, and the detection plug-in is used for executing risk detection in the running environment of the target terminal so as to generate a corresponding detection report according to the running environment.
In some embodiments, after the target terminal device installs the target application, a first risk detection is performed on the target terminal device by a detection plug-in of the target application. After the first risk detection is completed, since the target terminal device has a certain time interval between the installation of the target application and the operation of the target application, in order to avoid risk behaviors of the target terminal device in the time interval between the installation of the target application and the operation of the target application, when the target terminal device operates, the second risk detection can be performed on the target terminal device through the detection plug-in, so that the safety of the operation of the application program is improved.
Based on the above embodiment, in order to distinguish between the state of installing the target application in the target terminal device and the state of running the target application in the target terminal device, different target terminal identifiers may also be set, for example, when the target terminal device installs the target application, a first terminal identifier may be set, and when the target terminal device runs the target application, the first terminal identifier may be switched to a second terminal identifier to distinguish between the state of installing the target application and the state of running the target application, where the first terminal identifier is an identifier symbol or a graphic different from the second terminal identifier.
In some embodiments, during the process of developing the target application, the detection plugin may also be integrated in a development tool of the target application, and detection parameters of the detection plugin may be set, for example, setting a start parameter of the detection plugin, such as start after the target application is installed, or start after the target application is run.
When a terminal device is detected to have the target application installed, the detection plug-in configures the terminal device according to the preset detection parameters; after the configuration is complete, the terminal device is marked with a target terminal identifier and becomes the target terminal device to be detected.
S200: Performing nondestructive detection on the sandbox of the target terminal device through the detection plug-in so as to generate sandbox detection information.
The sandbox is used for providing a secure network environment for the target terminal device. The sandbox is a security mechanism in the field of computer security that provides a secure network environment for the target terminal device. When detecting the target terminal device through the detection plug-in, nondestructive detection is performed on the sandbox of the target terminal device to generate sandbox detection information, so that the integrity of the sandbox is determined.
The sandbox detection information may include sandbox damage information and sandbox security information. When the sandbox damage information is output, the sandbox of the target terminal device is damaged and the target terminal device has risk behaviors; when the sandbox security information is output, the sandbox of the target terminal device is intact, and subsequent detection can continue.
FIG. 2 is a schematic flow chart of the system establishment subroutine in the embodiment of the present application. Referring to FIG. 2, when the sandbox is intact, the sandbox of the device system of the target terminal device blocks creation of the system sub-process; therefore, in some embodiments, the sandbox detection information may be generated by detecting, through the detection plug-in, whether a system sub-process is present in the target terminal device. In this embodiment, the system sub-process is a branch process constructed by the fork() function from the system process of the target terminal, and it is detected by the detection plug-in.
As shown in FIG. 3, when the detection plug-in detects a system sub-process in the target terminal device, this indicates that the sandbox did not successfully block the fork() function from creating the system sub-process, i.e. the sandbox is damaged, and the detection plug-in outputs the sandbox damage information. If the detection plug-in does not detect a system sub-process, the sandbox is intact, and the detection plug-in outputs the sandbox security information.
In some embodiments, the system sub-process in the target terminal device may also be detected through the return value of fork(), with different return values of fork() representing different sandbox detection information; the detection plug-in may therefore also detect the system sub-process by acquiring the sub-process return value of the target terminal device and evaluating it.
When the sandbox is intact, fork() cannot create the system sub-process normally because the sandbox blocks it, and fork() on the target terminal returns a negative value as the sub-process return value, indicating that the system sub-process failed to be created or cannot be created. When the sandbox is damaged, it loses its blocking capability, fork() can create the system sub-process normally, and the sub-process return value of fork() is a positive value or 0, indicating that the system sub-process was created successfully.
In order to output the sandbox detection information accurately, a sub-process threshold may be set; the sub-process threshold is used to judge whether the system sub-process was created, and after the detection plug-in obtains the sub-process return value it compares that value against the threshold. For example, the sub-process threshold may be set to 0: when the sub-process return value acquired by the detection plug-in is greater than or equal to 0, the system sub-process has been created successfully, and the detection plug-in outputs a first detection result, which represents that the system sub-process is detected. When the sub-process return value acquired by the detection plug-in is smaller than 0, the detection plug-in outputs a second detection result, which represents that the system sub-process is not detected, i.e. the system sub-process failed to be created or cannot be created.
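The fork() probe of S200 and FIG. 3, written out as an added C example that is not part of the patent or of any product it describes. The enum names, the probe_sandbox and classify_fork_return functions and the SUBPROCESS_THRESHOLD macro are this example's own; the threshold value 0 and the sign convention (negative return value means the sandbox blocked creation, zero or positive means the sub-process was created) are the ones the text gives.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The two detection results of FIG. 3 (names chosen for this example). */
typedef enum {
    SUBPROCESS_DETECTED = 1,     /* first detection result: sandbox damaged */
    SUBPROCESS_NOT_DETECTED = 2  /* second detection result: sandbox intact */
} detection_result_t;

/* The sub-process threshold; 0 is the example value given in the text. */
#define SUBPROCESS_THRESHOLD 0

/* Classify a fork() return value against the threshold:
 *   rv >= threshold -> a sub-process was created (or this is the child),
 *                      so the sandbox did not block fork();
 *   rv <  threshold -> fork() failed, the sandbox blocked creation. */
detection_result_t classify_fork_return(long rv, long threshold)
{
    return rv >= threshold ? SUBPROCESS_DETECTED : SUBPROCESS_NOT_DETECTED;
}

/* Run the probe: call fork(), classify its return value, and reap the child
 * so the check stays nondestructive and leaves no stray process behind. */
detection_result_t probe_sandbox(void)
{
    pid_t rv = fork();
    if (rv == 0) {
        _exit(0);               /* child: it exists, which is all we needed */
    }
    if (rv > 0) {
        int status;
        waitpid(rv, &status, 0); /* parent: wait for the child to finish */
    }
    return classify_fork_return((long)rv, SUBPROCESS_THRESHOLD);
}

/* Map the detection result onto the sandbox detection information of S200. */
const char *sandbox_info_string(detection_result_t r)
{
    return r == SUBPROCESS_DETECTED ? "sandbox damage information"
                                    : "sandbox security information";
}

int main(void)
{
    printf("fork() probe -> %s\n", sandbox_info_string(probe_sandbox()));
    return 0;
}
```

On an ordinary desktop or server, fork() succeeds, so the probe reports sandbox damage information; that is the expected answer outside a sandboxed device and is a useful sanity check of the classification. One caveat worth keeping in mind: fork() also returns -1 when the process hits a resource limit, so a negative return value on its own is not proof that a sandbox is intact, which is one reason the method combines this probe with the log file and permission directory checks rather than relying on it alone.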
S300: Detecting the risk log file of the target terminal device through the detection plug-in according to the sandbox detection information.
When the detection plug-in outputs the sandbox damage information, this indicates that the target terminal device has risk behaviors, but the specific location or path of the risk behavior is not yet determined. For this reason, in this embodiment, the risk log file of the target terminal device is also detected by the detection plug-in.
The risk log file is a log file generated when the target terminal device generates a risk behavior, and the risk log files may include, for example: Framework/Cephei, /usr/lib/substitute.dylib, /usr/lib/substitute-insert.dylib, /usr/lib/substitute/substateLoader.dylib, etc.
Because the amount of data on the target terminal device is large, the detection plug-in may screen the files on the target terminal device hierarchically while detecting the risk log file: for example, screening conditions such as log files or patch files that are prone to risk behavior are set, those files are detected first, and the remaining files are detected in a default order or according to screening conditions of relatively low priority, which improves the detection efficiency of the risk log file.
S400: If the risk log file is not detected, accessing the permission directory of the target terminal device through the detection plug-in, wherein the permission directory is a directory file which cannot be accessed in a secure network environment.
When the detection plug-in detects a risk log file, it can generate a risk behavior detection report according to the detected risk log file, so as to determine that the target terminal device has risk behaviors. However, in this detection the detection plug-in only checks for risk log files of known types, and some risk log files cannot be detected accurately, because when risk behaviors are updated some of them can bypass the risk log file detection of the detection plug-in.
When the detection plug-in does not detect a risk log file, in order to reduce the chance that a risk log file has bypassed detection, the detection plug-in can additionally initiate an access request to the permission directory of the target terminal device. The permission directory is a directory file that cannot be accessed under a secure network environment; when the target terminal device has risk behaviors, its authority has been raised, so that the file information under the permission directory can be accessed and the files under it can be read and written. Therefore, by accessing the permission directory of the target terminal device, the detection plug-in can detect the risk log file accurately.
S500: Generating a risk behavior detection report according to the feedback result information of the permission directory of the target terminal device.
The detection plug-in sends the access request to the permission directory, and the permission directory generates corresponding feedback result information based on the current authority range of the target terminal device.
When the feedback result information is that the access succeeded, this indicates that a risk log file which bypassed the detection of the detection plug-in is stored on the target terminal device; the target terminal device has risk behaviors, and the detection plug-in generates a risk behavior detection report with risk behaviors. When the feedback result is that the access failed, no risk log file is present on the target terminal device, the target terminal device has no risk behaviors, and the detection plug-in generates a risk behavior detection report without risk behaviors.
In some embodiments, after the detection plug-in generates the risk behavior detection report, prompt information may also be generated based on the report to prompt the user that the target terminal device has risk behaviors. For example, when a user runs the target application on a user terminal device and the detection plug-in running on that device generates a risk behavior detection report with risk behaviors, the report is shown on the display screen of the user terminal device as a pop-up prompt that the user terminal device is at risk.
In the embodiment of the application, the detection plug-in unit combines a plurality of detection modes such as detection of the sandbox of the target terminal device, detection of the risk log file, access to the authority directory of the target terminal device and the like, so that the detection accuracy of the risk behavior is improved. In order to accurately locate the risk behavior in the target terminal device, a risk document can also be generated by a detection plug-in according to the detection result of each detection mode. In order to save the memory of the target terminal device, in this embodiment, as shown in fig. 4, the detection plug-in may generate the risk document only for the risk result, for example, when the detection plug-in performs nondestructive detection on the sandbox, the detection plug-in outputs the sandbox damage information, and the detection plug-in may generate the first risk document according to the sandbox damage information. And when the detection plug-in detects the risk log file, generating a second risk document according to the risk log file. The detection plug-in may thereby generate a risk behavior detection report from risk data, wherein the risk data comprises a first risk document and a second risk document. The user can determine the position of risk data generated by the risk behaviors through the risk behavior detection report, so that the risk data is cleared.
In some embodiments, the risk data may further include a third risk document, the third risk document being a risk document generated from a risk plug-in, indicating that the target terminal device is at risk behavior when the risk plug-in is present in the target terminal device. As shown in fig. 5, before the detection plug-in detects the risk log file of the target terminal device, the detection plug-in may also detect a risk plug-in of the target terminal device, where the risk plug-in may include a cyscript plug-in, a Flex plug-in, a Frida plug-in, a Cephei plug-in, an xCon plug-in, and the like. When the detection plug-in detects that the risk plug-in is installed in the target terminal device, a third risk archive can be generated according to the risk plug-in.
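The decision logic of steps S200 to S500 and the first, second and third risk documents, written out as an added stand-alone C example (not code from the patent). The probe functions, the struct layout, the value 0 for the sub-process threshold and the placeholder directory path are assumptions of this example; the report is only computed from the probe results, nothing on the device is modified.

```c
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* Claim 4 sets a sub-process threshold: a return value at or above it means a
 * system sub-process was created. fork() returns -1 when the sandbox refuses
 * process creation and a pid >= 0 otherwise, so 0 is the threshold assumed here. */
#define SUBPROCESS_THRESHOLD 0

/* Raw results the detection plug-in gathers on the target terminal device. */
typedef struct {
    int  subprocess_rv;      /* S200: return value of the sub-process probe */
    bool risk_log_found;     /* S300: a risk log file was detected */
    bool risk_plugin_found;  /* a risk plug-in (Cycript, Flex, Frida, ...) was found */
    bool authority_dir_ok;   /* S400 feedback: authority directory access succeeded */
} probe_results;

/* The risk behavior detection report (S500) and the risk documents behind it. */
typedef struct {
    bool        has_risk;
    bool        sandbox_damaged;        /* sandbox damage information was output */
    bool        authority_dir_breached; /* directory reachable although no log file */
    int         doc_count;
    const char *documents[3];           /* risk documents, risk results only (fig. 4) */
} risk_report;

/* Non-destructive sub-process probe: fork a child that exits at once and return
 * fork()'s value. Inside an intact app sandbox fork() is refused and returns -1. */
int probe_subprocess(void) {
    pid_t pid = fork();
    if (pid == 0) _exit(0);              /* child: do nothing and leave */
    if (pid > 0) waitpid(pid, NULL, 0);  /* parent: reap the child */
    return (int)pid;
}

/* Non-destructive authority-directory probe: ask whether the directory is
 * readable and writable for this process without modifying anything in it. */
bool probe_authority_dir(const char *path) {
    return access(path, R_OK | W_OK) == 0;
}

/* S200-S500 decision logic following claims 2, 5, 6 and 7. */
risk_report evaluate(const probe_results *p) {
    risk_report r = { .has_risk = false, .doc_count = 0 };

    r.sandbox_damaged = p->subprocess_rv >= SUBPROCESS_THRESHOLD;
    if (r.sandbox_damaged)
        r.documents[r.doc_count++] = "first risk document: sandbox damage information";
    if (p->risk_log_found)
        r.documents[r.doc_count++] = "second risk document: risk log file";
    if (p->risk_plugin_found)
        r.documents[r.doc_count++] = "third risk document: risk plug-in installed";

    /* S400: the authority directory is consulted only when no risk log file was
     * found; a successful access means a risk behavior bypassed the log-file check. */
    r.authority_dir_breached = !p->risk_log_found && p->authority_dir_ok;

    r.has_risk = r.doc_count > 0 || r.authority_dir_breached;
    return r;
}

int main(void) {
    /* Constructed run: live sub-process probe plus a placeholder directory path. */
    probe_results p = {
        .subprocess_rv     = probe_subprocess(),
        .risk_log_found    = false,
        .risk_plugin_found = false,
        .authority_dir_ok  = probe_authority_dir("/PLACEHOLDER/authority-directory"),
    };
    risk_report r = evaluate(&p);
    printf("risk behavior detected: %s\n", r.has_risk ? "yes" : "no");
    for (int i = 0; i < r.doc_count; i++) printf("  %s\n", r.documents[i]);
    return 0;
}
```

On a desktop Linux or macOS host fork() succeeds, so the live run reports sandbox damage; the probe is meaningful only inside the app sandbox the patent describes.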
Fig. 6 is a block diagram of a device risk behavior detection system according to an embodiment of the present application. To facilitate execution of the method described above, and referring to fig. 6, some embodiments of the present application further provide a device risk behavior detection system comprising a server and a target terminal device. The server may provide a detection environment in which risk detection is performed on multiple target terminal devices at the same time, and before the server performs detection on a target terminal device, a communication connection must be established with it. In this embodiment, the server is configured to perform:
S100: acquiring the target terminal identifier to be detected.
The target terminal identifier is used to indicate a target terminal device provided with a target application, and the target application includes a detection plug-in;
S200: performing non-destructive detection on the sandbox of the target terminal device through the detection plug-in to generate sandbox detection information.
The sandbox is used to provide a secure network environment for the target terminal device;
S300: detecting a risk log file of the target terminal device through the detection plug-in according to the sandbox detection information.
The risk log file is a log file generated when the target terminal device produces a risk behavior;
S400: if the risk log file is not detected, accessing the authority directory of the target terminal device through the detection plug-in.
The authority directory is a directory file that cannot be accessed in a secure network environment;
S500: generating a risk behavior detection report according to the feedback result information from accessing the authority directory of the target terminal device.
The server can be used by the developer of the target application to perform risk detection on all target terminal devices on which the target application is installed, to acquire the risk behavior detection report of each target terminal device, and, according to the application's requirements, to send risk prompt information to the target terminal devices with risk behaviors so as to inform the user that the device has risk behaviors.
At the same time, to protect the application program from malicious attack or damage, after a target terminal device is found to have risk behaviors the target application can be stopped from continuing to run, so that the target application program is protected.
Some embodiments of the present application also provide a computer-readable storage medium, where the computer-readable storage medium includes computer instructions for instructing a computer to perform the method described above.
In summary, the application provides a device risk behavior detection method, system and storage medium. The method comprises acquiring a target terminal identifier to be detected, performing non-destructive detection on the sandbox of the target terminal device through a detection plug-in, detecting a risk log file of the target terminal device through the detection plug-in according to the generated sandbox detection information, accessing the authority directory of the target terminal device through the detection plug-in if the risk log file is not detected, and generating a risk behavior detection report according to the feedback result information from accessing the authority directory of the target terminal device. The method and device detect the risk behavior of the electronic device accurately by combining several detection modes, such as detection of the sandbox of the target terminal device, detection of the risk log file and access to the authority directory of the target terminal device, thereby improving the running security of the application program.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present application, not to limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications and substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.
The foregoing description, for purposes of explanation, has been presented in conjunction with specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the embodiments to the precise forms disclosed above. Many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the present disclosure and to enable others skilled in the art to best utilize the embodiments.
Claims (10)
1. A method for detecting risk behaviors of a device, comprising:
acquiring a target terminal identifier to be detected, wherein the target terminal identifier is used for representing target terminal equipment provided with a target application, and the target application comprises a detection plug-in;
performing nondestructive testing on a sandbox of a target terminal device through the detection plug-in to generate sandbox detection information, wherein the sandbox is used for providing a safe network environment for the target terminal device;
detecting a risk log file of the target terminal device through the detection plug-in according to the sandbox detection information, wherein the risk log file is a log file generated when the target terminal device produces a risk behavior;
if the risk log file is not detected, accessing an authority directory of the target terminal device through the detection plug-in, wherein the authority directory is a directory file which cannot be accessed in a secure network environment;
and generating a risk behavior detection report according to feedback result information from accessing the authority directory of the target terminal device.
2. The device risk behavior detection method according to claim 1, wherein the sandbox detection information includes sandbox damage information and sandbox security information, and the step of detecting, by the detection plug-in, the risk log file of the target terminal according to the sandbox detection information includes:
detecting a system sub-process through the detection plug-in, wherein the system sub-process is a branch process constructed according to the system process of the target terminal;
outputting sandbox damage information if the system sub-process is detected, wherein the sandbox damage information is used to represent that the sandbox is damaged;
if the system sub-process is not detected, detecting a risk log file of the target terminal through the detection plug-in and outputting sandbox security information, wherein the sandbox security information is used to represent that the sandbox is not damaged.
3. The device risk behavior detection method according to claim 2, wherein the step of detecting a system sub-process by the detection plug-in includes:
acquiring a sub-process return value through the detection plug-in;
and detecting the system sub-process according to the sub-process return value.
4. The device risk behavior detection method according to claim 3, wherein the step of detecting the system sub-process according to the sub-process return value comprises:
setting a sub-process threshold;
when the sub-process return value is greater than or equal to the sub-process threshold, outputting a first detection result, wherein the first detection result is used to represent that the system sub-process is detected;
and when the sub-process return value is smaller than the sub-process threshold, outputting a second detection result, wherein the second detection result is used to represent that the system sub-process is not detected.
5. The device risk behavior detection method according to claim 2, wherein, if the sandbox damage information is output, the step of generating a risk behavior detection report according to feedback result information from accessing the authority directory of the target terminal device includes:
generating a first risk document according to the sandbox damage information;
if the risk log file is detected, generating a second risk document according to the risk log file;
the risk behavior detection report is generated according to risk data, wherein the risk data comprises the first risk document and the second risk document.
6. The device risk behavior detection method according to claim 5, wherein the risk data further includes a third risk document, and the method further includes, before the step of detecting the risk log file of the target terminal device through the detection plug-in:
detecting a risk plug-in of the target terminal device through the detection plug-in;
and if the target terminal device contains the risk plug-in, generating the third risk document according to the risk plug-in.
7. The device risk behavior detection method according to claim 1, wherein the step of generating a risk behavior detection report according to feedback result information from accessing the authority directory of the target terminal device includes:
if the feedback result information is that the access succeeded, generating a risk behavior detection report with risk behaviors;
and if the feedback result information is that the access failed, generating a risk behavior detection report without risk behaviors.
8. The device risk behavior detection method according to claim 1, further comprising, before the step of acquiring the target terminal identifier to be detected:
integrating the detection plug-in into a development tool of the target application;
setting detection parameters of the detection plug-in;
and when a terminal device is detected to have the target application installed, configuring the terminal device according to the detection parameters so as to obtain the target terminal identifier.
9. A device risk behavior detection system, comprising a server and a target terminal device, the server establishing a communication connection with at least one of the target terminal devices, the target terminal device being a terminal device in which a target application is installed, the target application comprising a detection plug-in, the server being configured to:
acquiring a target terminal identifier to be detected, wherein the target terminal identifier is used for representing target terminal equipment provided with a target application, and the target application comprises a detection plug-in;
performing nondestructive testing on a sandbox of a target terminal device through the detection plug-in to generate sandbox detection information, wherein the sandbox is used for providing a safe network environment for the target terminal device;
detecting a risk log file of the target terminal device through the detection plug-in according to the sandbox detection information, wherein the risk log file is a log file generated when the target terminal device produces a risk behavior;
if the risk log file is not detected, accessing an authority directory of the target terminal device through the detection plug-in, wherein the authority directory is a directory file which cannot be accessed in a secure network environment;
and generating a risk behavior detection report according to feedback result information from accessing the authority directory of the target terminal device.
10. A computer-readable storage medium, comprising computer instructions for instructing a computer to perform the device risk behavior detection method of any one of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410009563.0A CN117521087B (en) | 2024-01-04 | 2024-01-04 | Equipment risk behavior detection method, system and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117521087A true CN117521087A (en) | 2024-02-06 |
CN117521087B CN117521087B (en) | 2024-03-15 |
Family
ID=89744247
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410009563.0A Active CN117521087B (en) | 2024-01-04 | 2024-01-04 | Equipment risk behavior detection method, system and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117521087B (en) |
Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110145926A1 (en) * | 2009-12-15 | 2011-06-16 | Mcafee, Inc. | Systems and methods for behavioral sandboxing |
CN102592086A (en) * | 2011-12-28 | 2012-07-18 | 奇智软件(北京)有限公司 | Method and device for browsing webpages in sandbox |
US20130145463A1 (en) * | 2011-12-02 | 2013-06-06 | Invincea, Inc. | Methods and apparatus for control and detection of malicious content using a sandbox environment |
CN104915594A (en) * | 2015-06-30 | 2015-09-16 | 北京奇虎科技有限公司 | Application running method and device |
CN106293667A (en) * | 2015-05-27 | 2017-01-04 | 阿里巴巴集团控股有限公司 | Application modification detection method and device |
CN108334775A (en) * | 2018-01-23 | 2018-07-27 | 阿里巴巴集团控股有限公司 | Jailbreak plug-in detection method and device |
CN109101815A (en) * | 2018-07-27 | 2018-12-28 | 平安科技(深圳)有限公司 | Malware detection method and related device |
CN109597675A (en) * | 2018-10-25 | 2019-04-09 | 中国科学院信息工程研究所 | Virtual machine malware behavior detection method and system |
US20190294779A1 (en) * | 2018-03-23 | 2019-09-26 | International Business Machines Corporation | Secure system state extraction software extensibility via plugin sandboxing |
CN112685737A (en) * | 2020-12-24 | 2021-04-20 | 恒安嘉新(北京)科技股份公司 | APP detection method, device, equipment and storage medium |
CN112988607A (en) * | 2021-05-11 | 2021-06-18 | 腾讯科技(深圳)有限公司 | Application program component detection method and device and storage medium |
CN113641996A (en) * | 2021-05-26 | 2021-11-12 | 荣耀终端有限公司 | Detection method, graphical interface and related device |
CN114491518A (en) * | 2022-01-27 | 2022-05-13 | 中国农业银行股份有限公司 | Unauthorized access detection method, device, system and medium |
CN114861180A (en) * | 2022-05-25 | 2022-08-05 | 广东粤密技术服务有限公司 | Application program security detection method and device |
Non-Patent Citations (1)
Title |
---|
冷小G: "Jailbreak detection / jailbreak detection bypass - xCon", pages 2 - 4, Retrieved from the Internet <URL:https://blog.csdn.net/liangliang103377/article/details/39525377> * |
Also Published As
Publication number | Publication date |
---|---|
CN117521087B (en) | 2024-03-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||