Intrusion detection method, device, terminal equipment and medium

Document No.: 1673128 | Publication date: 2019-12-31

Reading note: This technology, "Intrusion detection method, device, terminal equipment and medium", was designed by an undisclosed inventor on 2019-06-27. Main content: The disclosure provides an intrusion detection method, an intrusion detection device, a terminal device and a medium. The method comprises: after an application program start instruction is detected, acquiring a running dynamic library set of the application program corresponding to the start instruction, wherein the running dynamic library set comprises at least one running dynamic library name, and the running dynamic library name is the name of a dynamic library under a preset path when the application program is started; comparing the running dynamic library set with an original dynamic library set, wherein the original dynamic library set comprises at least one original dynamic library name, and the original dynamic library name is stored in the application program in advance; and determining, according to the comparison result, whether the application program has been intruded upon. This detects whether the application program has been intruded upon and improves the security of the application program.

1. An intrusion detection method, comprising:

after an application program start instruction is detected, acquiring a running dynamic library set of the application program corresponding to the application program start instruction, wherein the running dynamic library set comprises at least one running dynamic library name, and the running dynamic library name is the name of a dynamic library under a preset path when the application program is started;

comparing the running dynamic library set with an original dynamic library set, wherein the original dynamic library set comprises at least one original dynamic library name, and the original dynamic library name is stored in the application program in advance;

and determining, according to the comparison result, whether the application program has been intruded upon.

2. The method of claim 1, wherein comparing the running dynamic library set with the original dynamic library set comprises:

traversing the running dynamic library names included in the running dynamic library set and the original dynamic library names included in the original dynamic library set, and determining whether a new dynamic library name exists in the running dynamic library set, wherein the new dynamic library name is not included in the original dynamic library set.

3. The method of claim 2, wherein determining, according to the comparison result, whether the application program has been intruded upon comprises:

if the new dynamic library name exists in the running dynamic library set, determining that the application program has been intruded upon.

4. The method of claim 3, further comprising:

if the application program has been intruded upon, closing the process corresponding to the new dynamic library name.

5. The method of claim 1, wherein the original set of dynamic libraries is determined during the application development phase.

6. The method of claim 1, further comprising:

if the application program has been intruded upon, reporting intrusion information to a server, wherein the intrusion information comprises the identification information of the application program.

7. The method of claim 1, further comprising:

when the application program has been intruded upon, executing at least one of the following operations:

displaying prompt information, wherein the prompt information is used to inform a user that the application program has been intruded upon; forcing the user to exit the application program; and responding to a prohibition instruction from a server, wherein the prohibition instruction is used to prohibit the user from logging in to the application program and/or to prohibit the user from accessing data of the application program.

8. An intrusion detection device, comprising:

an acquisition module, configured to acquire, after an application program start instruction is detected, a running dynamic library set of the application program corresponding to the application program start instruction, wherein the running dynamic library set comprises at least one running dynamic library name, and the running dynamic library name is the name of a dynamic library under a preset path when the application program is started;

a comparison module, configured to compare the running dynamic library set with an original dynamic library set, wherein the original dynamic library set comprises at least one original dynamic library name, and the original dynamic library name is stored in the application program in advance;

and a determining module, configured to determine, according to the comparison result, whether the application program has been intruded upon.

9. A terminal device, comprising:

one or more processing devices;

storage means for storing one or more programs;

when the one or more programs are executed by the one or more processing devices, the one or more processing devices are caused to implement the intrusion detection method according to any one of claims 1 to 7.

10. A computer-readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processing means, carries out the intrusion detection method according to any one of claims 1 to 7.

Technical Field

Embodiments of the present disclosure relate to the field of computer technology, and in particular to an intrusion detection method, an intrusion detection device, terminal equipment and a medium.

Background

With the development of technology, terminal devices are widely used. The operating systems of terminal devices include closed operating systems and open operating systems. Closed operating systems include the iOS system. Because of its closed nature and its signature mechanism, applications in a closed operating system have a very low risk of intrusion.

However, at present an attacker can obtain the private data of an application program by injecting a dynamic library into the application program in an operating system, and can then tamper with the application program's data, so that the application program is no longer secure. Dynamic library injection is a programming mechanism in which a section of code is injected into the target application program and executed there to realize a certain function, thereby completing the attack on the application program. Therefore, how to perform intrusion detection on an application program to improve its security is a technical problem that urgently needs to be solved.

Disclosure of Invention

The disclosure provides an intrusion detection method, an intrusion detection device, a terminal device and a medium, which improve the security of an application program.

In a first aspect, an embodiment of the present disclosure provides an intrusion detection method, including:

after an application program start instruction is detected, acquiring a running dynamic library set of the application program corresponding to the application program start instruction, wherein the running dynamic library set comprises at least one running dynamic library name, and the running dynamic library name is the name of a dynamic library under a preset path when the application program is started;

comparing the running dynamic library set with an original dynamic library set, wherein the original dynamic library set comprises at least one original dynamic library name, and the original dynamic library name is stored in the application program in advance;

and determining, according to the comparison result, whether the application program has been intruded upon.

In a second aspect, an embodiment of the present disclosure further provides an intrusion detection device, including:

an acquisition module, configured to acquire, after an application program start instruction is detected, a running dynamic library set of the application program corresponding to the application program start instruction, wherein the running dynamic library set comprises at least one running dynamic library name, and the running dynamic library name is the name of a dynamic library under a preset path when the application program is started;

a comparison module, configured to compare the running dynamic library set with an original dynamic library set, wherein the original dynamic library set comprises at least one original dynamic library name, and the original dynamic library name is stored in the application program in advance;

and a determining module, configured to determine, according to the comparison result, whether the application program has been intruded upon.

In a third aspect, an embodiment of the present disclosure further provides a terminal device, including:

one or more processing devices;

storage means for storing one or more programs;

when the one or more programs are executed by the one or more processing devices, the one or more processing devices are caused to implement any of the intrusion detection methods provided by the embodiments of the present disclosure.

In a fourth aspect, the embodiments of the present disclosure also provide a computer-readable medium, on which a computer program is stored, where the computer program, when executed by a processing device, implements any one of the intrusion detection methods provided by the embodiments of the present disclosure.

The present disclosure provides an intrusion detection method, apparatus, terminal device and medium. With this method, after an application program start instruction is detected, a running dynamic library set of the application program corresponding to the start instruction is acquired; the running dynamic library set is then compared with the original dynamic library set, and whether the application program has been intruded upon is determined according to the comparison result. That is, the running dynamic library set acquired when the application program is started is compared with the original dynamic library set stored in the application program in advance, so that intrusion into the application program is detected and the security of the application program is improved.
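The comparison described above, as an added example that is not code from the patent: it traverses a start-up image list, keeps only entries under the preset path, and reports names missing from the original set. The library names, the preset path and both sample lists are constructed; on iOS the running list would typically be read from dyld (`_dyld_image_count()` and `_dyld_get_image_name()`), which is an assumption about an implementation, not something the page states.

```c
#include <stdio.h>
#include <string.h>

/* Original dynamic library set, fixed at development time (constructed names). */
static const char *const ORIGINAL_LIBS[] = { "libAppCore.dylib", "libNetKit.dylib" };
#define N_ORIGINAL (sizeof ORIGINAL_LIBS / sizeof ORIGINAL_LIBS[0])

/* Preset path whose libraries are checked (hypothetical bundle directory). */
static const char PRESET_PATH[] = "/private/var/demo/App.app/Frameworks/";
/* Constructed start-up image lists: one clean, one with an extra library. */
static const char *const SAMPLE_CLEAN[] = {
    "/usr/lib/libSystem.B.dylib",
    "/private/var/demo/App.app/Frameworks/libAppCore.dylib",
    "/private/var/demo/App.app/Frameworks/libNetKit.dylib",
};
static const char *const SAMPLE_INJECTED[] = {
    "/private/var/demo/App.app/Frameworks/libAppCore.dylib",
    "/private/var/demo/App.app/Frameworks/libNetKit.dylib",
    "/private/var/demo/App.app/Frameworks/libExtra.dylib",
};

static int in_original_set(const char *name) {
    for (size_t i = 0; i < N_ORIGINAL; i++)
        if (strcmp(name, ORIGINAL_LIBS[i]) == 0) return 1;
    return 0;
}

/* Traverse the running set: an image under PRESET_PATH whose name (path relative
   to PRESET_PATH) is not in the original set is new. Returns the count found. */
size_t find_new_libs(const char *const *loaded, size_t n_loaded,
                     const char **out, size_t cap) {
    size_t plen = strlen(PRESET_PATH), found = 0;
    for (size_t i = 0; i < n_loaded; i++) {
        if (strncmp(loaded[i], PRESET_PATH, plen) != 0) continue; /* outside preset path */
        const char *name = loaded[i] + plen;
        if (*name == '\0' || in_original_set(name)) continue;
        if (found < cap) out[found] = name;   /* keep the name for reporting */
        found++;
    }
    return found;
}

int main(void) {
    const char *new_libs[4];
    size_t clean = find_new_libs(SAMPLE_CLEAN, 3, new_libs, 4);
    size_t bad = find_new_libs(SAMPLE_INJECTED, 3, new_libs, 4);
    printf("clean=%zu injected=%zu first=%s\n", clean, bad, bad ? new_libs[0] : "-");
    return 0;
}
```

A non-zero return corresponds to the "new dynamic library name exists" branch of claims 2 and 3; libraries loaded from outside the preset path are not examined by this check.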

Drawings

The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and features are not necessarily drawn to scale.

Fig. 1 is a schematic flow chart of an intrusion detection method according to an embodiment of the present disclosure;

Fig. 2 is a schematic flow chart of an intrusion detection method according to a second embodiment of the present disclosure;

Fig. 3 is a schematic structural diagram of an intrusion detection device according to a third embodiment of the present disclosure;

Fig. 4 is a schematic structural diagram of a terminal device in the fourth embodiment of the present disclosure.

Detailed Description

Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.

It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.

The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.

It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.

It should be noted that the modifiers "a", "an", and "the" in this disclosure are intended to be illustrative rather than limiting, and those skilled in the art will understand that they should be read as "one or more" unless the context clearly dictates otherwise.

The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
