Security monitoring traceability management and control method and system for enterprise-level mobile application

Document number: 1802728    Publication date: 2021-11-05

Reading note: this technology, "Security monitoring traceability management and control method and system for enterprise-level mobile application" (针对企业级移动应用的安全监测溯源管控方法及系统), was designed and created by 李永发, 陈亚婷, 刘扬, 吴雨希, 陈中伟 and 常棕垲 on 2021-07-30. Abstract: The invention discloses a security monitoring, traceability and control method for enterprise-level mobile applications, comprising the steps of constructing an SDK probe for security monitoring, traceability and control; integrating the SDK probe into the enterprise-level mobile application to be monitored, obtaining a mobile application with security monitoring, traceability and control; running the mobile application in secure operation mode and enabling real-time security monitoring, traceability and control; reporting the security monitoring, traceability and control data in real time and performing security monitoring, traceability and control; and processing and displaying the security monitoring, traceability and control data. The invention provides enterprise-level mobile applications with a complete scheme for runtime security monitoring, traceability and control, giving full monitoring coverage of the application and its terminal; the security monitoring SDK is embedded once and then monitors across all functions and multiple applications, which suits current application scenarios and offers high reliability and good practicability.

1. A security monitoring, traceability and control method for enterprise-level mobile applications, comprising the following steps:

S1, constructing an SDK probe for security monitoring, traceability and control;

S2, integrating the SDK probe constructed in step S1 into the enterprise-level mobile application to be monitored, obtaining a mobile application with security monitoring, traceability and control;

S3, running the mobile application obtained in step S2 in secure operation mode and enabling real-time security monitoring, traceability and control;

S4, reporting the security monitoring, traceability and control data of step S3 in real time, and performing security monitoring, traceability and control on the mobile application;

S5, processing and displaying the security monitoring, traceability and control data obtained in step S4.

2. The security monitoring, traceability and control method for enterprise-level mobile applications according to claim 1, wherein constructing the SDK probe in step S1 specifically comprises the following steps:

A. for the Android system, constructing an Android SDK probe for security monitoring, traceability and control, which exposes for external calls a monitoring interface service, a traceability information interface service and a control policy issuing interface service;

B. for the iOS system, constructing an iOS SDK probe for security monitoring, traceability and control, which exposes for external calls a monitoring interface service, a traceability information interface service and a control policy issuing interface service;

C. for micro-applications, constructing a sandbox platform with security functions.

3. The method according to claim 2, wherein integrating the SDK probe constructed in step S1 into the enterprise-level mobile application to be monitored in step S2, obtaining a mobile application with security monitoring, traceability and control, specifically comprises the following steps:

a. integrating the constructed Android SDK probe with the Android application source code, and calling the monitoring interface service, traceability information interface service and control policy issuing interface service provided by the Android SDK probe;

b. integrating the constructed iOS SDK probe with the iOS application source code, and calling the monitoring interface service, traceability information interface service and control policy issuing interface service provided by the iOS SDK probe;

c. for micro-applications, integrating the constructed Android SDK probe and the constructed iOS SDK probe into the constructed sandbox platform.

4. The method according to claim 3, wherein the security monitoring, traceability and control of the mobile application in step S4 specifically comprises the following steps:

(1) the SDK probe calls the core program of the mobile application to monitor the security of the runtime environment;

(2) the SDK probe calls the interface program of the mobile application to monitor the behaviour of the mobile application;

(3) when the mobile application is subjected to a suspicious attack or suspicious action, traceability and control are carried out.

5. The security monitoring, traceability and control method for enterprise-level mobile applications according to claim 4, wherein the security monitoring of the runtime environment specifically comprises jailbreak/root monitoring of the mobile device, emulator monitoring, geographic location spoofing monitoring and attack-framework monitoring.

6. The security monitoring, traceability and control method for enterprise-level mobile applications according to claim 5, wherein the behaviour monitoring of the mobile application specifically comprises attack-behaviour monitoring and sensitive-behaviour monitoring; the attack-behaviour monitoring covers comprehensive framework attacks, injection attacks, hosts-file tampering attacks, USB debugging attacks, decompilation attacks, remote code execution attacks, unauthorized access and sensitive information leakage; the sensitive-behaviour monitoring covers unauthorized use of peripheral devices, unauthorized use of private data, unauthorized use of enterprise confidential data and unauthorized application launch.

7. The security monitoring, traceability and control method for enterprise-level mobile applications according to claim 6, wherein the traceability and control specifically comprise terminal traceability and terminal control; terminal traceability: when the mobile application is attacked, the SDK probe records the terminal's local and internet IP addresses, the application package name and the service user name, and at the same time, in cooperation with the security access gateway, identifies the message protocol and rewrites the XFF (X-Forwarded-For) field of the HTTP message to the terminal's local and internet IP addresses, finally forming a tracing log; terminal control: when the mobile application is attacked, the SDK probe, linked with the security access gateway, forces the terminal offline, force-quits the application, adjusts or revokes access rights, adds the terminal to a blacklist, and forms a control log.

8. The security monitoring, traceability and control method for enterprise-level mobile applications according to claim 7, wherein the terminal traceability specifically comprises: the security monitoring SDK provides an application and terminal basic traceability information interface, covering the terminal local IPv4/IPv6 address, the terminal internet IPv4/IPv6 address, the application package name and the service user name; before establishing the secure channel, the security access SDK calls the monitoring SDK interface to obtain this basic traceability information, stores it in the terminal scan information and reports the terminal scan information to the gateway; the gateway intercepts service application messages, identifies the application-layer message type, and rewrites the XFF content of the message to "terminal local IPv4/IPv6 address, terminal internet IPv4/IPv6 address"; the gateway records the online and offline state of the terminal and the message tracing information configured as required, the normalised log having the format: log type identifier | millisecond timestamp | terminal unique identifier | APPID | terminal local IPv4/IPv6 address | terminal internet IPv4/IPv6 address | application package name | service user name | message protocol type |.

9. The security monitoring, traceability and control method for enterprise-level mobile applications according to claim 8, wherein processing and displaying the security monitoring, traceability and control data obtained in step S4 in step S5 specifically comprises the following steps:

1) receiving the monitoring data by category and storing it in a database;

2) receiving the tracing logs and control logs by category and storing them in the database;

3) analysing the data stored in steps 1) and 2) and displaying the analysis result on the server front end;

4) when the security monitoring, traceability and control handling is complete, lifting the control restriction on the mobile application.

10. A system for implementing the security monitoring, traceability and control method for enterprise-level mobile applications according to any one of claims 1 to 9, characterised by comprising a client module, a data acquisition module, a server module and a display module, connected in that order; the client module integrates the constructed SDK probes and reports the various information data; the data acquisition module receives the information data uploaded by the client module and forwards it to the server module; the server module processes the received data to form a comprehensive analysis result, and also issues security monitoring, traceability and control policies so as to perform security monitoring, traceability and control on the client; and the display module displays the system's data.

Technical Field

The invention belongs to the field of information security and specifically relates to a security monitoring, traceability and control method and system for enterprise-level mobile applications.

Background

With the wide deployment of 5G, the traditional Internet era is giving way to an intelligent, mobile era of ubiquitous connectivity. With the spread of smart terminals and the rapid growth in the variety and number of mobile applications, more and more industries are moving to the mobile market, and mobile applications are continually researched and designed to meet growing mobile business needs. Enterprise mobile office is the most prominent of these needs, covering online office, electronic signature, communication, notices, target management and target assessment.

Although mobile applications greatly assist the transformation and development of enterprises, their potential risks and security hazards can cause great loss, such as loss of confidential enterprise data and leakage of core business data. This poses a serious security risk to the survival and development of the enterprise.

However, existing security monitoring, traceability and control for enterprise-level mobile applications is often not highly reliable, has poor practicability, and is no longer suited to current application scenarios.

Disclosure of Invention

The first objective of the present invention is to provide a security monitoring, traceability and control method for enterprise-level mobile applications that suits current application scenarios and offers high reliability and good practicability.

The second objective of the present invention is to provide a system for implementing this security monitoring, traceability and control method for enterprise-level mobile applications.

The security monitoring, traceability and control method for enterprise-level mobile applications provided by the invention comprises the following steps:

S1, constructing an SDK probe for security monitoring, traceability and control;

S2, integrating the SDK probe constructed in step S1 into the enterprise-level mobile application to be monitored, obtaining a mobile application with security monitoring, traceability and control;

S3, running the mobile application obtained in step S2 in secure operation mode and enabling real-time security monitoring, traceability and control;

S4, reporting the security monitoring, traceability and control data of step S3 in real time, and performing security monitoring, traceability and control on the mobile application;

S5, processing and displaying the security monitoring, traceability and control data obtained in step S4.

Constructing the SDK probe for security monitoring, traceability and control in step S1 specifically comprises the following steps:

A. for the Android system, constructing an Android SDK probe for security monitoring, traceability and control, which exposes for external calls a monitoring interface service, a traceability information interface service and a control policy issuing interface service;

B. for the iOS system, constructing an iOS SDK probe for security monitoring, traceability and control, which exposes for external calls a monitoring interface service, a traceability information interface service and a control policy issuing interface service;

C. for micro-applications, constructing a sandbox platform with security functions.

Integrating the SDK probe constructed in step S1 into the enterprise-level mobile application to be monitored in step S2, obtaining a mobile application with security monitoring, traceability and control, specifically comprises the following steps:

a. integrating the constructed Android SDK probe with the Android application source code, and calling the monitoring interface service, traceability information interface service and control policy issuing interface service provided by the Android SDK probe;

b. integrating the constructed iOS SDK probe with the iOS application source code, and calling the monitoring interface service, traceability information interface service and control policy issuing interface service provided by the iOS SDK probe;

c. for micro-applications, integrating the constructed Android SDK probe and the constructed iOS SDK probe into the constructed sandbox platform.

The security monitoring, traceability and control of the mobile application in step S4 comprises the following steps:

(1) the SDK probe calls the core program of the mobile application to monitor the security of the runtime environment;

(2) the SDK probe calls the interface program of the mobile application to monitor the behaviour of the mobile application;

(3) when the mobile application is subjected to a suspicious attack or suspicious action, traceability and control are carried out.

The security monitoring of the runtime environment specifically comprises jailbreak/root monitoring of the mobile device, emulator monitoring, geographic location spoofing monitoring and attack-framework monitoring.

The behaviour monitoring of the mobile application specifically comprises attack-behaviour monitoring and sensitive-behaviour monitoring; the attack-behaviour monitoring covers comprehensive framework attacks, injection attacks, hosts-file tampering attacks, USB debugging attacks, decompilation attacks, remote code execution attacks, unauthorized access and sensitive information leakage; the sensitive-behaviour monitoring covers unauthorized use of peripheral devices, unauthorized use of private data, unauthorized use of enterprise confidential data and unauthorized application launch.

The traceability and control specifically comprise terminal traceability and terminal control. Terminal traceability: when the mobile application is attacked, the SDK probe records the terminal's local and internet IP addresses, the application package name and the service user name, and at the same time, in cooperation with the security access gateway, identifies the message protocol and rewrites the XFF (X-Forwarded-For) field of the HTTP message to the terminal's local and internet IP addresses, finally forming a tracing log. Terminal control: when the mobile application is attacked, the SDK probe, linked with the security access gateway, forces the terminal offline, force-quits the application, adjusts or revokes access rights, adds the terminal to a blacklist, and forms a control log.

The terminal traceability specifically comprises: the security monitoring SDK provides an application and terminal basic traceability information interface, covering the terminal local IPv4/IPv6 address, the terminal internet IPv4/IPv6 address, the application package name and the service user name; before establishing the secure channel, the security access SDK calls the monitoring SDK interface to obtain this basic traceability information, stores it in the terminal scan information and reports the terminal scan information to the gateway; the gateway intercepts service application messages, identifies the application-layer message type, and rewrites the XFF content of the message to "terminal local IPv4/IPv6 address, terminal internet IPv4/IPv6 address"; the gateway records the online and offline state of the terminal and the message tracing information configured as required. The normalised log has the format: log type identifier | millisecond timestamp | terminal unique identifier | APPID | terminal local IPv4/IPv6 address | terminal internet IPv4/IPv6 address | application package name | service user name | message protocol type |.

Processing and displaying the security monitoring, traceability and control data obtained in step S4, as described in step S5, specifically comprises the following steps:

1) receiving the monitoring data by category and storing it in a database;

2) receiving the tracing logs and control logs by category and storing them in the database;

3) analysing the data stored in steps 1) and 2) and displaying the analysis result on the server front end;

4) when the security monitoring, traceability and control handling is complete, lifting the control restriction on the mobile application.

The invention also discloses a system for implementing the security monitoring, traceability and control method for enterprise-level mobile applications, comprising a client module, a data acquisition module, a server module and a display module, connected in that order; the client module integrates the constructed SDK probes and reports the various information data; the data acquisition module receives the information data uploaded by the client module and forwards it to the server module; the server module processes the received data to form a comprehensive analysis result, and also issues security monitoring, traceability and control policies so as to perform security monitoring, traceability and control on the client; and the display module displays the system's data.

The security monitoring, traceability and control method and system for enterprise-level mobile applications provided by the invention give enterprise-level mobile applications a complete scheme for runtime security monitoring, traceability and control, greatly improve the capability of enterprise mobile applications to manage security risk, introduce a global approach to analysis, monitoring and control, and achieve full monitoring coverage of the application and its terminal; the security monitoring SDK is embedded once and then monitors across all functions and multiple applications, which suits current application scenarios and offers high reliability and good practicability.

Drawings

FIG. 1 is a schematic flow chart of the method of the present invention.

FIG. 2 is a functional block diagram of the system of the present invention.

Detailed Description

FIG. 1 is a schematic flow chart of the method of the present invention. The security monitoring, traceability and control method for enterprise-level mobile applications provided by the invention comprises the following steps:

S1, constructing an SDK probe for security monitoring, traceability and control, specifically comprising the following steps:

A. for the Android system, constructing an Android SDK probe for security monitoring, traceability and control, which exposes for external calls a monitoring interface service, a traceability information interface service and a control policy issuing interface service;

B. for the iOS system, constructing an iOS SDK probe for security monitoring, traceability and control, which exposes for external calls a monitoring interface service, a traceability information interface service and a control policy issuing interface service;

C. for micro-applications, constructing a sandbox platform with security functions;

S2, integrating the SDK probe constructed in step S1 into the enterprise-level mobile application to be monitored, obtaining a mobile application with security monitoring, traceability and control, specifically comprising the following steps:

a. integrating the constructed Android SDK probe with the Android application source code, and calling the monitoring interface service, traceability information interface service and control policy issuing interface service provided by the Android SDK probe;

b. integrating the constructed iOS SDK probe with the iOS application source code, and calling the monitoring interface service, traceability information interface service and control policy issuing interface service provided by the iOS SDK probe;

c. for micro-applications, integrating the constructed Android SDK probe and the constructed iOS SDK probe into the constructed sandbox platform;

S3, running the mobile application obtained in step S2 in secure operation mode and enabling real-time security monitoring, traceability and control;

S4, reporting the security monitoring, traceability and control data of step S3 in real time, and performing security monitoring, traceability and control on the mobile application, which specifically comprises the following steps:

(1) the SDK probe calls the core program of the mobile application to monitor the security of the runtime environment; this specifically comprises jailbreak/root monitoring of the mobile device (whether a root event has occurred is judged by checking the executable permission of the su system file), emulator monitoring (whether the mobile application is currently running in an emulator is judged by reading system characteristic values), geographic location spoofing monitoring and attack-framework monitoring;

(2) the SDK probe calls the interface program of the mobile application to monitor its behaviour; this specifically comprises attack-behaviour monitoring and sensitive-behaviour monitoring: the attack-behaviour monitoring covers comprehensive framework attacks, injection attacks, hosts-file tampering attacks, USB debugging attacks, decompilation attacks, remote code execution attacks, unauthorized access and sensitive information leakage; the sensitive-behaviour monitoring covers unauthorized use of peripheral devices, unauthorized use of private data, unauthorized use of enterprise confidential data and unauthorized application launch;

(3) when the mobile application is subjected to a suspicious attack or suspicious action, traceability and control are carried out; these specifically comprise terminal traceability and terminal control: for terminal traceability, when the mobile application is attacked, the SDK probe records the terminal's local and internet IP addresses, the application package name and the service user name, and at the same time, in cooperation with the security access gateway, identifies the message protocol and rewrites the XFF (X-Forwarded-For) field of the HTTP message to the terminal's local and internet IP addresses, finally forming a tracing log; for terminal control, when the mobile application is attacked, the SDK probe, linked with the security access gateway, forces the terminal offline, force-quits the application, adjusts or revokes access rights, adds the terminal to a blacklist, and forms a control log;
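The two runtime environment checks named in item (1) above, the executable-su root check and the system-property emulator check, are small enough to show end to end. The following is an added example written for this page; it is not code from the patent or from its SDK probe. The list of su paths, the property markers and the risk levels are assumptions drawn from common Android builds, and the property values are passed in as a dict so the logic runs anywhere (on a device they would come from getprop).

```python
import os
import stat

# Assumed candidate locations of the su binary on rooted Android devices;
# the page only says "the executable permission of the su system file".
SU_PATHS = (
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su",
)

# Assumed system-property markers for the Android emulator (QEMU flag,
# goldfish/ranchu virtual hardware, SDK product names). Matching is
# case-insensitive substring matching except for ro.kernel.qemu.
EMULATOR_MARKERS = {
    "ro.kernel.qemu": ("1",),
    "ro.hardware": ("goldfish", "ranchu"),
    "ro.product.model": ("sdk", "emulator"),
}


def find_executable_su(paths=SU_PATHS):
    """Root check: return the first path that exists as a regular file with
    any execute bit set, or None. A missing or non-executable su is not
    treated as a root event."""
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue  # not present or not readable: treat as absent
        exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
        if stat.S_ISREG(st.st_mode) and st.st_mode & exec_bits:
            return path
    return None


def emulator_indicators(props, markers=EMULATOR_MARKERS):
    """Emulator check: return the names of the system properties whose values
    carry an emulator marker. `props` maps property name -> string value."""
    hits = []
    for name, needles in markers.items():
        value = props.get(name, "")
        if name == "ro.kernel.qemu":
            if value.strip() == "1":
                hits.append(name)
        elif any(n in value.lower() for n in needles):
            hits.append(name)
    return hits


def environment_alarms(props, su_paths=SU_PATHS):
    """Run both checks and shape the result like the page's security alarm
    information (attack category plus risk level). Risk levels are assumed."""
    alarms = []
    su = find_executable_su(su_paths)
    if su is not None:
        alarms.append({"category": "rooted_device", "risk": "high", "detail": su})
    hits = emulator_indicators(props)
    if hits:
        alarms.append({"category": "emulator", "risk": "medium",
                       "detail": ",".join(hits)})
    return alarms
```

Both checks are cheap and both are easy to defeat by a hooking framework that hides su or rewrites property values, which is why the page pairs them with attack-framework monitoring rather than relying on either alone.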

In a specific implementation, the security monitoring SDK provides an application and terminal basic traceability information interface, covering the terminal local IPv4/IPv6 address, the terminal internet IPv4/IPv6 address, the application package name and the service user name; before establishing the secure channel, the security access SDK calls the monitoring SDK interface to obtain this basic traceability information, stores it in the terminal scan information and reports the terminal scan information to the gateway; the gateway intercepts service application messages, identifies the application-layer message type, and rewrites the XFF content of the message to "terminal local IPv4/IPv6 address, terminal internet IPv4/IPv6 address"; the gateway records the online and offline state of the terminal and the message tracing information configured as required. The normalised log has the format: log type identifier | millisecond timestamp | terminal unique identifier | APPID | terminal local IPv4/IPv6 address | terminal internet IPv4/IPv6 address | application package name | service user name | message protocol type |;

the terminal traceability data specifically comprise:

(1) terminal data collected by the SDK probe:

1) terminal information collected by security monitoring SDK scanning, comprising the terminal unique identifier (a hash of the terminal information), the application package name, the application version number, the system version number, the terminal name, the security monitoring SDK version number, the service user name, the password and the terminal internet IPv4/IPv6 address;

2) terminal information collected by the security access SDK, comprising the digital certificate APPID (the application ID, derived from the digital certificate) and the terminal unique identifier (a hash of the terminal information);

(2) gateway traceability and control data:

1) gateway traceability information, comprising the millisecond timestamp, terminal unique identifier, APPID, terminal internet IPv4/IPv6 address, terminal local IPv4/IPv6 address, application package name, service user name and message protocol type;

2) information required for terminal online/offline statistics: a terminal online record comprises the terminal online identifier, millisecond timestamp, terminal unique identifier, APPID, terminal internet IPv4/IPv6 address, terminal local IPv4/IPv6 address and application package name; a terminal offline record comprises the terminal offline identifier, millisecond timestamp, terminal unique identifier, APPID, terminal internet IPv4/IPv6 address, terminal local IPv4/IPv6 address and application package name;
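To make the traceability path concrete, the following added example (written for this page, not code from the patent, its gateway or its SDK) shows the two operations the preceding paragraphs describe: the gateway overwriting the X-Forwarded-For header with the SDK-reported terminal addresses, and the normalised tracing log line being serialised and parsed in the stated field order. Assumptions: the two addresses are joined with a comma in XFF, the header set is represented as a plain dict, and the sample header values and record fields are constructed. The security point is that the gateway must replace the client's XFF rather than append to it, because the client controls that header and could otherwise plant a fake source address in the tracing log.

```python
import ipaddress
import time

# Field order of the normalised tracing log given on the page.
TRACE_FIELDS = ("log_type", "time_ms", "terminal_id", "appid", "local_ip",
                "internet_ip", "package_name", "service_user", "protocol")


def _check_ip(value):
    """Accept only a literal IPv4/IPv6 address (normalised form), so a value
    smuggled in from a client header cannot reach the log."""
    return str(ipaddress.ip_address(value))


def gateway_rewrite_xff(headers, local_ip, internet_ip):
    """Gateway step: set X-Forwarded-For to the terminal's local and internet
    addresses reported by the monitoring SDK (comma-joined, an assumption).
    Any client-supplied XFF, whatever its capitalisation, is dropped."""
    local_ip, internet_ip = _check_ip(local_ip), _check_ip(internet_ip)
    out = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
    out["X-Forwarded-For"] = "%s, %s" % (local_ip, internet_ip)
    return out


def build_trace_line(log_type, terminal_id, appid, local_ip, internet_ip,
                     package_name, service_user, protocol, time_ms=None):
    """Serialise one normalised tracing record in the page's field order,
    terminated by a trailing '|'. A field containing the delimiter or a
    newline is rejected so it cannot forge an extra column or record."""
    if time_ms is None:
        time_ms = int(time.time() * 1000)
    values = [log_type, str(int(time_ms)), terminal_id, appid,
              _check_ip(local_ip), _check_ip(internet_ip),
              package_name, service_user, protocol]
    for v in values:
        if "|" in v or "\n" in v:
            raise ValueError("field contains delimiter: %r" % v)
    return "|".join(values) + "|"


def parse_trace_line(line):
    """Parse a line produced by build_trace_line back into a dict."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(TRACE_FIELDS) + 1 or parts[-1] != "":
        raise ValueError("malformed tracing record: %r" % line)
    record = dict(zip(TRACE_FIELDS, parts[:-1]))
    record["time_ms"] = int(record["time_ms"])
    _check_ip(record["local_ip"])
    _check_ip(record["internet_ip"])
    return record


# Constructed sample: a request whose XFF value was chosen by the client.
SAMPLE_HEADERS = {
    "Host": "oa.example.internal",
    "x-forwarded-for": "203.0.113.99",   # forged by the client
    "User-Agent": "EnterpriseOA/1.0",
}


def demo():
    """Rewrite the sample headers and emit a tracing record for them."""
    headers = gateway_rewrite_xff(SAMPLE_HEADERS, "192.168.10.23", "198.51.100.7")
    line = build_trace_line("TRACE", "a1b2c3", "APP-0001", "192.168.10.23",
                            "198.51.100.7", "com.example.oa", "zhangsan", "HTTP",
                            time_ms=1627632000000)
    return headers, line
```

Downstream services should likewise take the source address only from the gateway-set header and only on connections that arrive from the gateway; an XFF value on any other path is untrusted input.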

S5, processing and displaying the security monitoring, traceability and control data obtained in step S4, which specifically comprises the following steps:

1) receiving the monitoring data by category and storing it in a database;

2) receiving the tracing logs and control logs by category and storing them in the database;

3) analysing the data stored in steps 1) and 2) and displaying the analysis result on the server front end;

4) when the security monitoring, traceability and control handling is complete, lifting the control restriction on the mobile application.

FIG. 2 shows a functional block diagram of the system of the present invention. The system for implementing the security monitoring, traceability and control method for enterprise-level mobile applications comprises a client module, a data acquisition module, a server module and a display module, connected in that order; the client module integrates the constructed SDK probes and reports the various information data; the data acquisition module receives the information data uploaded by the client module and forwards it to the server module; the server module processes the received data to form a comprehensive analysis result, and also issues security monitoring, traceability and control policies so as to perform security monitoring, traceability and control on the client; and the display module displays the system's data.

In a specific implementation, the system database uses open-source MySQL to store the system's data, including security policy data, device information data, application runtime and monitoring data, and intelligence data. Redis, a non-relational store, sits between the database and the WebService as a cache, improving the efficiency of reading and storing data. The WebService is the central part of the architecture: it provides the interaction interface for the security monitoring SDK and the system integration module, collects and forwards data, and, after deduplication, cleaning, substitution, statistics and similar processing, outputs the collected data to the Web visualisation service.

The SDK probe automatically collects and reports two broad classes of data: security data and runtime data. Security data mainly comprises the alarm information reported when a security condition is triggered, together with the stored security policy information; runtime data comprises basic application and device information and the daily running state and environment information. The collected data is persisted in the database; at the same time, according to the trigger conditions for changes in the security environment, policies from the database's security policy information are issued to the SDK probe for execution, so as to protect the secure operation of the mobile application.

The basic device data collected by the data acquisition module comprises the operating system type, version number, geographic location and similar fields; the application runtime data comprises the application package name, version number, hardening status, application runtime environment information and so on; the security alarm information comprises the category of the attack behaviour, its risk level (high, medium or low), the time of the attack, the attacking IP, the type of sensitive behaviour (screenshot, screen recording, copy and paste) and so on.

The server module's security policy comprises blacklist configuration, attack feature matching, security event configuration and blocking policy configuration; the comprehensive analysis comprises information correlation, security event correlation, service operation behaviour correlation and device profiling; the intelligence base covers underground-market devices, applications, SIM cards, IP addresses and Wi-Fi networks.
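The terminal control actions listed under step S4 (force offline, force quit, adjust or revoke access, blacklist, control log), the release of the restriction in step S5, and the server-side policy elements just listed (blacklist configuration, attack feature matching, blocking policy configuration) fit together as one decision loop. The following added example, written for this page and not code from the patent or its server module, shows one way to write that loop over the alarm fields the page names (category, risk level, time, attacking IP). The rule table, the risk levels, the escalation threshold and the control log layout are assumptions, and the alarms are constructed samples.

```python
from dataclasses import dataclass, field


@dataclass
class Alarm:
    """Security alarm reported by the SDK probe (page fields; values assumed)."""
    terminal_id: str
    appid: str
    category: str      # attack category, e.g. "injection", "decompile"
    risk: str          # "high", "medium" or "low"
    time_ms: int
    attacker_ip: str = ""


@dataclass
class Policy:
    """Server-side policy: blacklist plus blocking rules that map a matched
    attack feature (category) to control actions."""
    blacklist: set = field(default_factory=set)
    block_rules: dict = field(default_factory=dict)
    escalate_after: int = 3   # assumed: this many high/medium alarms -> blacklist


def decide(alarm, policy, history):
    """Return the control actions for one alarm; `history` holds earlier
    alarms already processed for the same terminal."""
    if alarm.terminal_id in policy.blacklist:
        return ["force_offline", "force_quit"]   # blacklisted: no further checks
    actions = list(policy.block_rules.get(alarm.category, []))
    if alarm.risk == "high" and "force_offline" not in actions:
        actions.append("force_offline")
    serious = [a for a in history if a.risk in ("high", "medium")]
    if alarm.risk in ("high", "medium") and len(serious) + 1 >= policy.escalate_after:
        if "blacklist" not in actions:
            actions.append("blacklist")
    return actions


def control_log_line(alarm, actions):
    """Control log in the same pipe-delimited style as the tracing log (assumed)."""
    return "CTRL|%d|%s|%s|%s|%s|%s|%s|" % (
        alarm.time_ms, alarm.terminal_id, alarm.appid, alarm.category,
        alarm.risk, alarm.attacker_ip, ",".join(actions))


def process(alarms, policy):
    """Run alarms through the policy in time order. Returns (actions, log)
    per alarm and updates policy.blacklist as a side effect."""
    history = {}
    results = []
    for alarm in sorted(alarms, key=lambda a: a.time_ms):
        seen = history.setdefault(alarm.terminal_id, [])
        actions = decide(alarm, policy, seen)
        if "blacklist" in actions:
            policy.blacklist.add(alarm.terminal_id)
        seen.append(alarm)
        results.append((actions, control_log_line(alarm, actions)))
    return results


def release(policy, terminal_id):
    """Step S5 4): lift the control restriction once handling is complete."""
    policy.blacklist.discard(terminal_id)


# Constructed sample policy and alarm stream.
SAMPLE_POLICY = Policy(block_rules={
    "injection": ["force_quit"],
    "decompile": ["restrict_access"],
    "hosts_forgery": ["restrict_access", "force_quit"],
    "screenshot": ["restrict_access"],
})
SAMPLE_ALARMS = [
    Alarm("T1", "APP-0001", "screenshot", "low", 1000),
    Alarm("T2", "APP-0001", "injection", "high", 2000, "198.51.100.7"),
    Alarm("T3", "APP-0002", "decompile", "medium", 3000),
    Alarm("T3", "APP-0002", "decompile", "medium", 4000),
    Alarm("T3", "APP-0002", "hosts_forgery", "medium", 5000),
    Alarm("T3", "APP-0002", "screenshot", "low", 6000),
]
```

In the sample stream T3 accumulates three medium-risk alarms and is blacklisted on the third; its later low-risk alarm is then answered with force-offline and force-quit regardless of category, until release() lifts the restriction.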
