Process injection attack detection method and device, electronic equipment and storage medium

Document number: 190870 Publication date: 2021-11-02 Language: Chinese

Reading notes: This technology, Process injection attack detection method and device, electronic equipment and storage medium, was designed and created by 黄超华 (Huang Chaohua) on 2021-07-30. Main content: The invention discloses a process injection attack detection method, a device, electronic equipment and a storage medium. The first maps information generated when an application program runs and the configuration information of the terminal are acquired, and from these a first characteristic value of the latest version of the application program is calculated. The first characteristic value is compared with a predefined normal characteristic value: if the two are inconsistent, the abnormal part information is extracted for abnormal analysis and an attack detection result is output; if they are consistent, the path information in the first maps information is verified to obtain the attack detection result. Process injection attacks are thus detected without collecting a large number of attack cases for learning; only a normal boundary needs to be set, so the detection can be used compatibly across different scenarios. Because the normal characteristic value combines information about the application program itself, the terminal and the runtime, the value is closer to real attack cases, which greatly improves detection accuracy.

1. A process injection attack detection method is characterized by comprising the following steps:

acquiring configuration information of a terminal and first maps information generated during operation of an application program running on the terminal;

extracting path information in the first maps information, and calculating a first characteristic value of the latest version of the application program based on the path information and the configuration information;

comparing and analyzing the first characteristic value with a predefined normal characteristic value to obtain a comparison and analysis result;

if the comparison analysis result is inconsistent, extracting abnormal part information in the application program for abnormal analysis, and outputting an attack detection result;

and if the comparison and analysis result is consistent, carrying out consistency verification on the path information, and outputting an attack detection result based on the verification result.

2. The method according to claim 1, wherein the obtaining configuration information of a terminal and first maps information generated during operation of an application program executed by the terminal comprises:

when detecting that an application program is running on a terminal, acquiring baseband information of the terminal, and extracting system version information and the device model of the terminal from the baseband information;

and calling a security monitoring tool on the terminal to execute a preset collection strategy, acquiring all process information of the application program and the latest version number of the application program from the running background of the terminal by executing the collection strategy, and generating first maps information based on all the process information.

3. The method according to claim 2, wherein the calculating the first characteristic value based on the path information and the configuration information comprises:

concatenating the path information, the latest version number, the system version information and the device model according to a preset definition rule of the normal characteristic value, to obtain the characteristic value of the application program at run time, wherein the definition rule is an arbitrary combination comprising at least the following information: system version information, device model, latest version number and maps information.

4. The method according to claim 3, wherein the extracting of the abnormal part information in the application program for the abnormal analysis and the outputting of the attack detection result comprise:

determining whether the first characteristic value is greater than a normal characteristic value;

if yes, extracting the loaded files that are present in the first maps information but absent from the maps information of the previous version;

if not, extracting the loaded files that are present in the maps information of the previous version but absent from the first maps information;

and carrying out attack analysis on the extra loaded files or the missing loaded files to obtain an attack detection result.

5. The method according to claim 4, wherein the performing attack analysis on the extra loaded files or the missing loaded files to obtain the attack detection result comprises:

judging whether the extra loaded files or the missing loaded files are code files;

if so, extracting the code file of the abnormal part from the code file of the current version and the code file of the previous version, returning the code file of the abnormal part to a server background corresponding to the terminal for testing and analysis of its source, and generating a first attack detection result based on the test result and the source;

and if not, returning the loaded file to a server background corresponding to the terminal to analyze its source, and generating a second attack detection result based on the source.

6. The method according to claim 5, wherein the step of returning the code file of the abnormal portion to a server background corresponding to the terminal for testing and analyzing a source thereof, and the step of generating a first attack detection result based on a test result and the source comprises:

extracting the corresponding path file according to the loaded file, and returning the path file to the corresponding server background through an added system interface;

and analyzing the logical relationship and the source by using a reverse analysis method, and generating a first attack detection result based on the logical relationship and the source obtained by analysis.

7. The method according to claim 1, wherein the verifying the consistency of the path information and outputting the attack detection result based on the verification result comprises:

calculating a hash value of the path information by using a hash algorithm;

comparing the hash value with a hash value or a preset value of path information of the application program of the previous version;

and if the comparison result is inconsistent, analyzing the logical relationship and the source in the comparison result by using a reverse analysis method, and generating a third attack detection result based on the logical relationship and the source obtained by analysis.

8. A process injection attack detection apparatus, characterized in that the process injection attack detection apparatus comprises:

the acquisition module is used for acquiring configuration information of a terminal and first maps information generated during operation of an application program running on the terminal;

the calculation module is used for extracting path information in the first maps information and calculating a first characteristic value of the latest version of the application program based on the path information and the configuration information;

the comparison module is used for comparing and analyzing the first characteristic value with a predefined normal characteristic value to obtain a comparison and analysis result;

the detection module is used for extracting abnormal part information in the application program for abnormal analysis and outputting an attack detection result when the comparison analysis result is inconsistent; and when the comparison and analysis results are consistent, carrying out consistency verification on the path information, and outputting an attack detection result based on the verification result.

9. An electronic device, comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor;

the processor, when executing the computer program, implements the steps in the process injection attack detection method of any one of claims 1 to 7.

10. A computer-readable storage medium, comprising: a computer program stored in the computer readable storage medium;

the computer program, when executed by a processor, implements the steps in a process injection attack detection method according to any one of claims 1 to 7.

Technical Field

The present invention relates to the field of terminal detection technologies, and in particular, to a method and an apparatus for detecting a process injection attack, an electronic device, and a storage medium.

Background

With the advent of the mobile internet, the research, development and popularization of mobile terminal technology have advanced rapidly, typified by mobile application programs (apps) on mobile terminals, especially application programs on the Android system and the Windows system. To meet the usage requirements of users, third-party applications implementing various functions are continuously developed by third parties, and these applications are basically distributed openly. Because of this open distribution, the executable code or underlying code of a third-party application is easily tampered with and injected with malicious attack programs, or attacked by viruses, so that the client is affected and even the private information of the user is leaked.

Based on this, the existing solution to the above problem is to deploy a detection tool on the client in which a number of possible attack behaviors are preset, and then to monitor whether the same attack behaviors occur during execution of the application program: if so, an injection attack is determined to exist in the application program; otherwise, none is. In such an implementation, however, a relatively large amount of data must be collected to characterize the attack behaviors, and a new attack behavior cannot be detected, which results in low detection accuracy and poor fit to new scenarios.

Disclosure of Invention

The invention mainly aims to provide a process injection attack detection method, a process injection attack detection device, electronic equipment and a storage medium, and aims to solve the technical problem that the existing attack detection cannot adapt to the attack detection of a new scene, so that the detection accuracy is not high.

The first aspect of the present invention provides a process injection attack detection method, which includes:

acquiring configuration information of a terminal and first maps information generated during operation of an application program running on the terminal;

extracting path information in the first maps information, and calculating a first characteristic value of the latest version of the application program based on the path information and the configuration information;

comparing and analyzing the first characteristic value with a predefined normal characteristic value to obtain a comparison and analysis result;

if the comparison analysis result is inconsistent, extracting abnormal part information in the application program for abnormal analysis, and outputting an attack detection result;

and if the comparison and analysis result is consistent, carrying out consistency verification on the path information, and outputting an attack detection result based on the verification result.

Optionally, in a first implementation manner of the first aspect of the present invention, the obtaining configuration information of the terminal and the first maps information generated when an application program running on the terminal runs includes:

when detecting that an application program is running on a terminal, acquiring baseband information of the terminal, and extracting system version information and the device model of the terminal from the baseband information;

and calling a security monitoring tool on the terminal to execute a preset collection strategy, acquiring all process information of the application program and the latest version number of the application program from the running background of the terminal by executing the collection strategy, and generating first maps information based on all the process information.

Optionally, in a second implementation manner of the first aspect of the present invention, the calculating a first feature value of a latest version of the application program based on the path information and the configuration information includes:

concatenating the path information, the latest version number, the system version information and the device model according to a preset definition rule of the normal characteristic value, to obtain the first characteristic value of the application program at run time, wherein the definition rule is an arbitrary combination comprising at least the following information: system version information, device model, latest version number and maps information.

Optionally, in a third implementation manner of the first aspect of the present invention, the extracting information of an abnormal part in the application program for performing an abnormal analysis, and outputting an attack detection result includes:

determining whether the first characteristic value is greater than a normal characteristic value;

if yes, extracting the loaded files that are present in the first maps information but absent from the maps information of the previous version;

if not, extracting the loaded files that are present in the maps information of the previous version but absent from the first maps information;

and carrying out attack analysis on the extra loaded files or the missing loaded files to obtain an attack detection result.

Optionally, in a fourth implementation manner of the first aspect of the present invention, the performing attack analysis on the extra loaded files or the missing loaded files, and obtaining an attack detection result includes:

judging whether the extra loaded files or the missing loaded files are code files;

if so, extracting the code file of the abnormal part from the code file of the current version and the code file of the previous version, returning the code file of the abnormal part to a server background corresponding to the terminal for testing and analysis of its source, and generating a first attack detection result based on the test result and the source;

and if not, returning the loaded file to a server background corresponding to the terminal to analyze its source, and generating a second attack detection result based on the source.

Optionally, in a fifth implementation manner of the first aspect of the present invention, the returning the code file of the abnormal portion to a server background corresponding to the terminal for testing and analyzing a source of the abnormal portion, and generating a first attack detection result based on a test result and the source includes:

extracting the corresponding path file according to the loaded file, and returning the path file to the corresponding server background through an added system interface;

and analyzing the logical relationship and the source by using a reverse analysis method, and generating a first attack detection result based on the logical relationship and the source obtained by analysis.

Optionally, in a sixth implementation manner of the first aspect of the present invention, the verifying the consistency of the path information, and outputting an attack detection result based on a verification result includes:

calculating a hash value of the path information by using a hash algorithm;

comparing the hash value with a hash value or a preset value of path information of the application program of the previous version;

and if the comparison result is inconsistent, analyzing the logical relationship and the source in the comparison result by using a reverse analysis method, and generating a third attack detection result based on the logical relationship and the source obtained by analysis.

A second aspect of the present invention provides a process injection attack detection apparatus, including:

the acquisition module is used for acquiring configuration information of a terminal and first maps information generated during operation of an application program running on the terminal;

the calculation module is used for extracting path information in the first maps information and calculating a first characteristic value of the latest version of the application program based on the path information and the configuration information;

the comparison module is used for comparing and analyzing the first characteristic value with a predefined normal characteristic value to obtain a comparison and analysis result;

the detection module is used for extracting abnormal part information in the application program for abnormal analysis and outputting an attack detection result when the comparison analysis result is inconsistent; and when the comparison and analysis results are consistent, carrying out consistency verification on the path information, and outputting an attack detection result based on the verification result.

Optionally, in a first implementation manner of the second aspect of the present invention, the acquisition module includes:

a first acquisition unit, used for acquiring baseband information of the terminal when detecting that an application program is running on the terminal, and extracting system version information and the device model of the terminal from the baseband information;

and the second acquisition unit is used for calling a security monitoring tool on the terminal to execute a preset collection strategy, acquiring all process information of the application program and the latest version number of the application program from the running background of the terminal by executing the collection strategy, and generating first maps information based on all the process information.

Optionally, in a second implementation manner of the second aspect of the present invention, the calculation module is specifically configured to:

concatenate the path information, the latest version number, the system version information and the device model according to a preset definition rule of the normal characteristic value, to obtain the first characteristic value of the application program at run time, wherein the definition rule is an arbitrary combination comprising at least the following information: system version information, device model, latest version number and maps information.

Optionally, in a third implementation manner of the second aspect of the present invention, the detection module includes:

a determination unit configured to determine whether the first feature value is greater than a normal feature value;

a first extraction unit, used for extracting the loaded files that are present in the first maps information but absent from the maps information of the previous version, when the first characteristic value is determined to be greater than the normal characteristic value;

a second extraction unit, used for extracting the loaded files that are present in the maps information of the previous version but absent from the first maps information, when the first characteristic value is determined not to be greater than the normal characteristic value;

and a detection unit, used for carrying out attack analysis on the extra loaded files or the missing loaded files to obtain an attack detection result.

Optionally, in a fourth implementation manner of the second aspect of the present invention, the detection unit is specifically configured to:

judge whether the extra loaded files or the missing loaded files are code files;

if so, extract the code file of the abnormal part from the code file of the current version and the code file of the previous version, return the code file of the abnormal part to a server background corresponding to the terminal for testing and analysis of its source, and generate a first attack detection result based on the test result and the source;

and if not, return the loaded file to a server background corresponding to the terminal to analyze its source, and generate a second attack detection result based on the source.

Optionally, in a fifth implementation manner of the second aspect of the present invention, the detecting unit is specifically configured to:

extract the corresponding path file according to the loaded file, and return the path file to the corresponding server background through an added system interface;

and analyzing the logical relationship and the source by using a reverse analysis method, and generating a first attack detection result based on the logical relationship and the source obtained by analysis.

Optionally, in a sixth implementation manner of the second aspect of the present invention, the detection module further includes:

a hash calculation unit for calculating a hash value of the path information using a hash algorithm;

the second comparison unit is used for comparing the hash value with the hash value or the preset value of the path information of the application program of the previous version;

and an output unit, used for analyzing, by a reverse analysis method, the logical relationship and the source of the difference between the hash value and the hash value of the path information of the previous version of the application program when the hash value is inconsistent with that hash value or with the preset value, and generating a third attack detection result based on the logical relationship and the source obtained by the analysis.

A third aspect of the present invention provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the process injection attack detection method provided by the first aspect when executing the computer program.

A fourth aspect of the present invention provides a computer-readable storage medium, which stores a computer program that, when executed by a processor, implements the steps in the process injection attack detection method provided by the first aspect.

According to the technical scheme, the first characteristic value of the latest version of the application program is calculated by obtaining the first maps information generated when the application program runs and the configuration information of the terminal, the comparison is carried out based on the first characteristic value and the predefined normal characteristic value, if the first characteristic value and the predefined normal characteristic value are inconsistent, abnormal part information is extracted for abnormal analysis, an attack detection result is output, and if the first characteristic value and the predefined normal characteristic value are consistent, path information in the first maps information is verified to obtain the attack detection result.

Furthermore, the normal characteristic value is defined by combining the information of the application program itself, the terminal information and the runtime information, so that the value is closer to real attack cases and the detection accuracy is greatly improved. Whether the application program has suffered an injection attack can thus be detected, which lays a foundation for taking defensive measures in time to prevent the application program from being attacked by an injection tool, improves the user's experience of the application program and reduces the possibility of leakage of the user's information.

Drawings

FIG. 1 is a schematic diagram of a first embodiment of a process injection attack detection method according to the present invention;

FIG. 2 is a diagram of a second embodiment of a process injection attack detection method according to the present invention;

FIG. 3 is a diagram of a third embodiment of a method for detecting a process injection attack according to the present invention;

FIG. 4 is a diagram of an embodiment of a process injection attack detection apparatus according to the present invention;

FIG. 5 is a schematic diagram of another embodiment of a process injection attack detection apparatus according to the present invention;

FIG. 6 is a schematic diagram of an embodiment of an electronic device according to the present invention.

Detailed Description

The embodiments of the invention provide a process injection attack detection method, a device, electronic equipment and a storage medium. The method predefines a normal operating value, namely a normal characteristic value, based on the operating conditions of an application program; it then acquires the maps information of the corresponding application program on the terminal in real time, calculates a real-time characteristic value from the maps information and the configuration information of the terminal, and compares the real-time characteristic value with the normal characteristic value. If the comparison is inconsistent, the inconsistent loaded files in the maps information are extracted for attack detection. By comparing against a normal value, the method avoids having to collect attack cases or attack signatures.

The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," or "having," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.

For convenience of understanding, the specific process of the embodiment of the present invention is described below. After detecting that a process is at risk of an injection attack, the system is prompted to perform processing such as interception in time, so as to avoid loss of user information. Referring to FIG. 1, a first embodiment of a process injection attack detection method according to an embodiment of the present invention includes:

101. Acquiring configuration information of a terminal and first maps information generated during operation of an application program running on the terminal;

in this embodiment, the terminal refers to a terminal on which a third-party application may be installed, such as a computer, a tablet or a mobile phone; the user downloads the application package through an application store or a web page, then installs and runs it.

In this step, the configuration information of the terminal refers to the software-system-related and hardware-related information of the terminal, such as the system version information and the unique identifier of the terminal. This information can be obtained from the system settings of the terminal, and the implementation steps are as follows:

when detecting that an application program is running on a terminal, acquiring baseband information of the terminal, and extracting system version information and the device model of the terminal from the baseband information;

and calling a security monitoring tool on the terminal to execute a preset collection strategy, acquiring all process information of the application program and the latest version number of the application program from the running background of the terminal by executing the collection strategy, and generating first maps information based on all the process information.

In practical application, the attack detection program is injected into the startup process of the application; from the background it invokes the operating interface of the terminal's software system. Specifically, it calls the settings function, which opens the system information interface; the text in that interface is recognized by OCR (optical character recognition), and the system field and the device field are extracted to obtain the system version number and the device model. For example, a mobile phone starts the settings function, invokes the 'About phone' function to display the system and device information of the phone, extracts the information in the interface by invoking the character recognition function on the phone, and finally filters the system version number and the device model out of the extracted information to obtain the baseband information. Here, baseband information refers to device information that includes both the software system information and the device information.

In this embodiment, the first maps information may be understood as a process record of the terminal. In practical application, monitoring and acquisition may be performed according to the requirements of the user, or performed on the terminal itself. For example, when the terminal needs to install a program, the user triggers the installation of an application program on the terminal; the name of the corresponding application program is obtained from the user's operation, process information is searched in the background of the terminal based on that name, all processes corresponding to the name are filtered out, and the corresponding first maps information is generated from those processes. Further, it is detected whether historical version information corresponding to the name exists on the terminal; if so, the process record closest to the current time is searched from the background of the terminal using the historical version as the query index, and corresponding second maps information is generated from that process record.

102. Extracting path information in the first maps information, and calculating a first characteristic value of the latest version of the application program based on the path information and the configuration information;

the maps file is a memory mapping table file of the software system, each line represents a section of memory in the memory, including the starting and ending addresses of the memory section, the memory authority (code section with execution authority) and the file (if any) mapped to the memory section, and the address range of all code sections of the process and the information of the module mapped to the code section can be obtained through the maps file.

In this embodiment, the path information is extracted by parsing the first maps information according to the maps format: each line of the first maps information is extracted, and the start and end addresses of each code segment of the application program's code files are determined from each line, giving the path information. The latest version number of the application program can be obtained by parsing its installation package.

In this step, the first characteristic value of the latest version of the application program is calculated from the path information and the configuration information by splicing them together; the first characteristic value is in fact a combination of the system version number of the terminal, the device model, the version number of the application program and the maps information. The splicing follows a predefined ordering rule. To protect the security and consistency of the information, the ordered result may additionally be encrypted with an encryption algorithm, in which case the first characteristic value is the resulting ciphertext.

103. Comparing and analyzing the first characteristic value with a predefined normal characteristic value to obtain a comparison and analysis result;

In this step, the first characteristic value is compared with the normal characteristic value for consistency. If they are not consistent, the latest version of the application program has loaded files that differ from the record, and the comparison result is output according to those loaded files.

104. If the comparison analysis result is inconsistent, extracting abnormal part information in the application program for abnormal analysis, and outputting an attack detection result;

In this step, the loading information that is extra or missing in the first maps information is extracted, and injection attack detection is performed on that loading information. Specifically, the source of the loading information is analysed, and an injection attack alarm is output if it was added by an illegal or untrusted user.

105. And if the comparison and analysis result is consistent, verifying the consistency of the path information, and outputting an attack detection result based on the verification result.

In this embodiment, the consistency of the path information is verified as follows: the path information may be transformed by a verification algorithm into a unique reference quantity, and whether the path information is normal is verified from that quantity by comparing the reference quantity with a preset reference value to obtain a verification result; the attack detection result is then derived from the verification result.

In practical application, besides the verification method above, the path information may also be compared with the path information generated by the previous version: either the two sets of path information are compared directly, or a verification value is calculated with a verification algorithm for the path information generated when each of the two versions runs and the two verification values are compared. If the two verification values are consistent, no injection attack is output; if they are inconsistent, an injection attack is output.

In this embodiment, for the anomaly analysis and the consistency verification, the test verification may specifically be carried out by extracting the corresponding loading information and returning it to the terminal's background. For example, the file is obtained through an interface added to the system and returned to the server background over the network connection through that interface; the security developer downloads the file and further analyses the logic in the file by technical means such as reverse analysis. Meanwhile, internal testers also try to reproduce the behaviour internally and follow up.

In the embodiment of the invention, the normal characteristic value is set by combining the information of the application program, the information of the terminal and the running information. Then the maps information of the corresponding application program running on the terminal is obtained in real time, a real-time characteristic value is calculated from the maps information and the configuration information of the terminal, and the real-time characteristic value is compared with the normal characteristic value; if they are inconsistent, the inconsistent loaded files in the maps information are extracted for attack detection. In this way, whether the application program has suffered an injection attack can be detected, laying a foundation for taking defensive measures in time to prevent the application program from being attacked by an injection tool, improving the user's experience of the application program and reducing the risk of leaking the user's information. At the same time, detection accuracy is improved, attack cases or attack characteristics do not need to be collected, the detection process is simplified, and applicability across scenarios is improved.

Referring to fig. 2, a second embodiment of the method for detecting a process injection attack according to the embodiment of the present invention includes:

201. acquiring configuration information of a terminal and first maps information generated during operation of an application program based on operation of the terminal;

In this step, the configuration information of the terminal may be obtained by analysing the terminal's current system and its baseband information. The first maps information can be obtained through a security tool on the terminal, for example software such as the 'mobile phone manager' or a 'guard' application shipped with the phone: a collection policy is set through the security App (such as the mobile phone manager), the process maps information of the key system processes (settings, phone, system and the like) is collected once per model and version each day, and it is uploaded to the server background together with the combination of the current system version (the flash version number), the device model and the App version number, thereby obtaining the first maps information.

In this embodiment, before step 201, a preset value is further defined for the running of system programs and third-party programs on the terminal, where the preset value is the calling information, for each type of application program, of each piece of software or hardware on the terminal that it calls.

Preferably, the definition in this embodiment is performed for each application program: when the terminal installs an application program for the first time, the definition is made according to the version installed first, and the value is continuously updated in subsequent versions, so as to ensure that subsequent updates of the application program are secure.

202. Extracting path information from the first maps information, and splicing the path information, the latest version number, the system version information and the device model according to a preset definition rule of the normal characteristic value, to obtain the first characteristic value of the application program at run time;

In this step, the definition rule is system version information + device model + latest version number + maps information. When the first characteristic value is calculated, the calling information recorded in the maps information about the terminal software or hardware that the application program calls at run time, such as the start address of each code segment of the application program's code files, is first parsed according to the maps format, and the path information is obtained from those start addresses. Then the system version information, the device model, the latest version number and the path information are ordered according to the ordering in the definition rule, and the ordered sequence is spliced end to end to obtain the first characteristic value.

In practical application, before the splicing, the method may further include marking the type of each piece of information, that is, adding a flag bit to each piece. Before marking, each piece of information is converted to binary, giving a numeric string; the most significant position of the numeric string is set to 1 to mark the information, and the numeric strings of all the pieces are then spliced in order to obtain the first characteristic value.

203. Comparing and analyzing the first characteristic value with a predefined normal characteristic value to obtain a comparison and analysis result;

204. if the comparison analysis result is inconsistent, determining whether the first characteristic value is greater than a normal characteristic value;

205. if so, extracting the loaded files in the first maps information that are extra relative to the maps information of the previous version;

206. if not, extracting the loaded files that are missing from the first maps information relative to the maps information of the previous version;

207. carrying out attack analysis on the extra loaded files or the missing loaded files to obtain an attack detection result;

In this embodiment, attack analysis of a loaded file is performed specifically by sending the loaded file to the server corresponding to the terminal for analysis. That is, when the real-time data uploaded to the background is compared with the preset normal value and the pathnames (paths) in the first maps information are found to be inconsistent (for example, some privately loaded code files were added at run time), the abnormal situation is analysed further. An automatic policy can also be set: if privately loaded code files are found at run time, they are classified as high-risk items that a security engineer confirms and analyses further; if other information is found, it is classified as a low-risk item that a security engineer checks periodically.

Further, when the real-time data uploaded to the background is compared with the preset normal value and the pathnames in the maps information are found to be inconsistent, the following cases are distinguished:

a. More loaded files than the normal characteristic value

The path information is taken from the information of the loaded file, the file is obtained through an interface added to the system and returned to the server background over the network connection through that interface, the security developer downloads the file, and the logic in the file is further analysed by technical means such as reverse analysis. Meanwhile, internal testers also try to reproduce the behaviour internally and follow up.

b. Consistent with the normal characteristic value

This case requires checking further, for each file, whether its md5 (hash) value equals the preset value. If not, the path information is taken from the information of the loaded file, the file is obtained through an interface added to the system and returned to the server background over the network connection through that interface, the security developer downloads the file, and the logic in the file is further analysed by technical means such as reverse analysis. Meanwhile, internal testers also try to reproduce the behaviour internally and follow up.

c. Fewer loaded files than the normal characteristic value

The information on the missing files is returned to the server background, and the developer analyses the cause further.

208. And if the comparison and analysis result is consistent, verifying the consistency of the path information, and outputting an attack detection result based on the verification result.

In this embodiment, the consistency of the path information is checked specifically with the MD5 (hash) algorithm: MD5 is applied to the path information of the current version to obtain a hash value, the hash value is compared with a preset value, and if they are not consistent it is determined that an injection attack exists in the code of the current version of the application program.

In the embodiment of the invention, a normal running value, namely the normal characteristic value, is predefined from the running behaviour of the application program. Then the maps information of the corresponding application program running on the terminal is obtained in real time, a real-time characteristic value is calculated from the maps information and the configuration information of the terminal, and the real-time characteristic value is compared with the normal characteristic value; if they are inconsistent, the inconsistent loaded files in the maps information are extracted for attack detection. Because detection is by comparison with the normal value, attack cases or attack characteristics do not need to be collected, which simplifies the detection and comparison process, improves compatibility across scenarios and improves detection accuracy.

Referring to fig. 3, a third embodiment of the method for detecting a process injection attack according to the embodiment of the present invention includes:

301. defining a normal preset value;

In this embodiment, the system version (the flash version number) + the device model + the App version number + the maps information of the running App (/proc/pid/maps, where pid is the process id of the running App; it is not fixed, and each run from start to exit is one life cycle) constitutes the run-time information of a given App version on a given system version of a given model. This information is stored in the server background and used as the normal preset characteristic value.

302. Collecting operation data of the application program and configuration information of a terminal for operating the application program;

In this embodiment, when it is detected that an application program is running on the terminal, the baseband information of the terminal is obtained, and the system version information and the device model of the terminal are extracted from the baseband information;

and a security monitoring tool on the terminal is called to execute a preset collection policy; by executing the collection policy, all process information of the application program and its latest version number are obtained from the terminal's running background, and the first maps information is generated from all the process information.

In practical application, a collection policy is set through a security App (such as a mobile phone manager), the process maps information of the key system processes (settings, phone, system and the like) is collected once per model and version each day, the path information is extracted from the maps information, information such as the terminal's current system version (the flash version number), device model and App version number is obtained to form an information set, and the collected data is sent to the corresponding server background for storage and subsequent attack detection.

303. Extracting path information in the first maps information, and calculating a first characteristic value of the latest version of the application program based on the path information and the configuration information;

The path information, the latest version number, the system version information and the device model are spliced according to a preset definition rule of the normal characteristic value to obtain the first characteristic value of the application program at run time, where the definition rule is an arbitrary combination that includes at least the following information: system version information, device model, latest version number and maps information, for example: system version information + device model + latest version number + maps information. In practical applications, other information, such as the app installation time and update time, may be included in addition to the above.

304. Comparing and analyzing the first characteristic value with a predefined normal characteristic value to obtain a comparison and analysis result;

305. if the comparison analysis result is inconsistent, extracting abnormal part information in the application program for abnormal analysis, and outputting an attack detection result;

in this embodiment, it is determined whether the first characteristic value is greater than a normal characteristic value;

if yes, extracting the loaded files in the first maps information that are extra relative to the maps information of the previous version;

if not, extracting the loaded files that are missing from the first maps information relative to the maps information of the previous version;

and carrying out attack analysis on the extra loaded files or the missing loaded files to obtain an attack detection result.

Further, performing attack analysis on the extra loaded files or the missing loaded files to obtain an attack detection result includes:

judging whether the extra loaded files or the missing loaded files are code files;

if the extra or missing loaded files are code files, extracting the abnormal part of the code files of the current version relative to the code files of the previous version, returning the abnormal code files to the server background corresponding to the terminal for testing and analysis of their source, and generating a first attack detection result from the test result and the source;

In practical application, the path information is taken from the information of the loaded file, the file is obtained through an interface added to the system and returned to the server background over the network connection through that interface, the security developer downloads the file, and the logic in the file is further analysed by technical means such as reverse analysis. Meanwhile, internal testers also try to reproduce the behaviour internally and follow up.

And if the extra or missing loaded files are not code files, returning the loaded files to the server background corresponding to the terminal to analyse their source, and generating a second attack detection result from the source.

In this embodiment, the returning the code file of the abnormal portion to the server background corresponding to the terminal for testing and analyzing the source thereof, and the generating a first attack detection result based on the test result and the source includes:

extracting a corresponding path file according to the loading file, and returning the path file to a corresponding server background through an added system interface;

and analyzing the logical relationship and the source by using a reverse analysis method, and generating a first attack detection result based on the logical relationship and the source obtained by analysis.

306. If the comparison analysis result is consistent, calculating a hash value of the path information with a hash algorithm;

307. comparing the hash value with the hash value of the path information of the previous version of the application program, or with a preset value;

308. and if the comparison result is inconsistent, analysing the logical relationship and the source behind the comparison result by reverse analysis, and generating a third attack detection result from the logical relationship and the source obtained.

Specifically, an md5 (hash) value of the path information is calculated with the md5 (hash) algorithm, and whether the calculated value equals the preset normal value is judged. If not, the path information is taken from the information of the loaded file, the file is obtained through an interface added to the system and returned to the server background over the network connection through that interface, the security developer downloads the file, and the logic in the file is further analysed by technical means such as reverse analysis. Meanwhile, internal testers also try to reproduce the behaviour internally and follow up.
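A worked example of steps 302 to 308 (and the equivalent steps 202 to 208 of the second embodiment), added here and not part of the patent: it parses constructed /proc/pid/maps text, takes the mapped file paths of the executable segments as the path information (addresses are not kept because ASLR and the changing pid make them differ per run), splices the first characteristic value by the rule system version + device model + App version number + maps information, and on a consistent result checks each loaded file's md5 against the preset value (case b); on an inconsistent result it splits the difference into extra (case a) and missing (case c) loaded files and marks code files as high-risk items. The separator characters, the code-file suffix list, the sample maps lines, the configuration strings and the md5 values are all assumptions.

```python
import hashlib
import re

# One line of /proc/<pid>/maps (Linux/Android): start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>\S.*))?$"
)
# Suffixes treated as "code files" for the high-risk/low-risk split (assumed;
# the page only distinguishes code files from other loaded files).
CODE_SUFFIXES = (".so", ".dex", ".oat", ".odex", ".vdex", ".apk", ".jar")


def extract_path_info(maps_text):
    """Path information: sorted, de-duplicated pathnames of executable mappings."""
    paths = set()
    for raw in maps_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError("unparseable maps line: %r" % line)
        path = m.group("path") or ""
        # keep only file-backed executable segments; [stack], [anon:...] are skipped
        if "x" in m.group("perms") and path.startswith("/"):
            paths.add(path)
    return sorted(paths)


def build_feature_value(system_version, device_model, app_version, path_info):
    """Splice per the definition rule: system version + model + App version + maps info."""
    return "|".join([system_version, device_model, app_version, ";".join(path_info)])


def is_code_file(path):
    return path.endswith(CODE_SUFFIXES)


def make_baseline(system_version, device_model, app_version, maps_text, file_md5):
    """Normal characteristic value plus per-file md5 presets kept in the server background."""
    path_info = extract_path_info(maps_text)
    fv = build_feature_value(system_version, device_model, app_version, path_info)
    return {"feature_value": fv, "path_info": path_info,
            "file_md5": {p: file_md5[p] for p in path_info}}


def detect_injection(system_version, device_model, app_version, maps_text, file_md5, baseline):
    """file_md5: {path: md5 hex of the file currently mapped}, as collected on the terminal."""
    path_info = extract_path_info(maps_text)
    fv = build_feature_value(system_version, device_model, app_version, path_info)
    if fv != baseline["feature_value"]:
        current, normal = set(path_info), set(baseline["path_info"])
        extra = sorted(current - normal)     # case a: more loaded files than normal
        missing = sorted(normal - current)   # case c: fewer loaded files than normal
        changed = extra + missing
        return {"result": "inconsistent", "extra": extra, "missing": missing,
                "high_risk": [p for p in changed if is_code_file(p)],
                "low_risk": [p for p in changed if not is_code_file(p)]}
    # case b: path list matches; verify every loaded file's md5 against its preset value
    tampered = sorted(p for p in path_info if file_md5.get(p) != baseline["file_md5"].get(p))
    if tampered:
        return {"result": "injection", "tampered": tampered}
    return {"result": "normal"}


# Constructed sample maps output (not captured from a real device).
BASELINE_MAPS = """\
12c00000-12c40000 rw-p 00000000 00:00 0  [anon:dalvik-main space]
7f3a1c000000-7f3a1c0a5000 r--p 00000000 fe:01 123  /system/lib64/libc.so
7f3a1c0a5000-7f3a1c180000 r-xp 000a5000 fe:01 123  /system/lib64/libc.so
7f3a1d000000-7f3a1d010000 r-xp 00000000 fe:02 456  /data/app/com.example.bank/lib/arm64/libbank.so
7ffd0000-7ffe0000 rw-p 00000000 00:00 0  [stack]
"""
# Same process with one extra executable mapping (constructed).
INJECTED_MAPS = BASELINE_MAPS + (
    "7f3a1e000000-7f3a1e005000 r-xp 00000000 fe:03 789  /data/local/tmp/libhook.so\n")
LIBC = "/system/lib64/libc.so"
LIBBANK = "/data/app/com.example.bank/lib/arm64/libbank.so"
NORMAL_MD5 = {LIBC: hashlib.md5(b"constructed libc bytes").hexdigest(),
              LIBBANK: hashlib.md5(b"constructed libbank bytes").hexdigest()}
CONFIG = ("Android 11 QKQ1.200000", "ModelX-2021", "3.4.1")  # system version, model, App version


def run_demo():
    """Returns the detection results for a normal run, an extra loaded file, and a tampered file."""
    baseline = make_baseline(*CONFIG, BASELINE_MAPS, NORMAL_MD5)
    normal = detect_injection(*CONFIG, BASELINE_MAPS, NORMAL_MD5, baseline)
    extra = detect_injection(*CONFIG, INJECTED_MAPS, NORMAL_MD5, baseline)
    patched = dict(NORMAL_MD5)
    patched[LIBBANK] = hashlib.md5(b"patched libbank bytes").hexdigest()
    tampered = detect_injection(*CONFIG, BASELINE_MAPS, patched, baseline)
    return normal, extra, tampered


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Because the feature value also carries the system version, device model and App version, a changed version string alone yields an "inconsistent" result with empty extra and missing lists, which is where a per-version baseline (step 201's preset value) is needed.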

To sum up, in the method provided by the embodiment of the present invention, a characteristic value of the application program running in its normal state is set; the characteristic value corresponding to the maps information generated when the application program installed on the terminal runs is obtained and compared with the set characteristic value. If the comparison finds the maps information inconsistent, the abnormal part of the application program is extracted for anomaly analysis and an attack detection result is output; if the comparison finds the maps information consistent, consistency verification is performed on the path information and an attack detection result is output from the verification result. The method realises attack detection by comparison with a normal value, reducing the collection and learning of attack characteristic values. The software and hardware calls made on the terminal when it runs an application program are essentially fixed and legitimate, so if redundant calls exist an attack is judged possible; the method is therefore compatible with multiple scenarios and improves the generality of detection. At the same time, because the normal value serves as the decision boundary, interference from scenario factors can be avoided, improving detection accuracy and the user's experience of the application program.

The above describes the method for detecting a process injection attack in the embodiment of the present invention, and the following describes the apparatus for detecting a process injection attack in the embodiment of the present invention, with reference to fig. 4, where an embodiment of the apparatus for detecting a process injection attack in the embodiment of the present invention includes:

the acquisition module 401 is configured to acquire configuration information of a terminal and first maps information generated during operation of an application program operated based on the terminal;

a calculating module 402, configured to extract path information in the first maps information, and calculate a first feature value of a latest version of the application program based on the path information and the configuration information;

a comparison module 403, configured to perform comparison analysis on the first characteristic value and a predefined normal characteristic value to obtain a comparison analysis result;

a detection module 404, configured to, when the comparison analysis result is inconsistent, extract abnormal part information in the application program for abnormal analysis, and output an attack detection result; and when the comparison and analysis results are consistent, carrying out consistency verification on the path information, and outputting an attack detection result based on the verification result.

The apparatus provided by this embodiment performs attack detection with a normal characteristic value that is set by combining the information of the application program, the terminal information and the running information, so that the value is closer to real attack cases and detection accuracy is greatly improved. At the same time, whether the application program has suffered an injection attack can be detected, laying a foundation for taking defensive measures in time to prevent the application program from being attacked by an injection tool, improving the user's experience of the application program and reducing the risk of leaking the user's information.

Further, referring to fig. 5, fig. 5 is a detailed schematic diagram of each module of the process injection attack detection apparatus, where the process injection attack detection apparatus includes:

the acquisition module 401 is configured to acquire configuration information of a terminal and first maps information generated during operation of an application program operated based on the terminal;

a calculating module 402, configured to extract path information in the first maps information, and calculate a first feature value of a latest version of the application program based on the path information and the configuration information;

a comparison module 403, configured to perform comparison analysis on the first characteristic value and a predefined normal characteristic value to obtain a comparison analysis result;

a detection module 404, configured to, when the comparison analysis result is inconsistent, extract abnormal part information in the application program for abnormal analysis, and output an attack detection result; and when the comparison and analysis results are consistent, carrying out consistency verification on the path information, and outputting an attack detection result based on the verification result.

Wherein the acquisition module 401 comprises:

the first obtaining unit 4011 is configured to, when it is detected that an application program is running on the terminal, obtain the baseband information of the terminal and extract the system version information and the device model of the terminal from the baseband information;

the second obtaining unit 4012 is configured to invoke a security monitoring tool on the terminal to execute a preset collection policy, obtain all process information of the application and the latest version number of the application from the running background of the terminal by executing the collection policy, and generate the first maps information based on all the process information.

In another embodiment of the present application, the calculating module 402 is specifically configured to:

splicing the path information, the latest version number, the system version information and the device model according to a preset definition rule of the normal characteristic value to obtain the first characteristic value of the application program at run time, where the definition rule is an arbitrary combination including at least the following information: system version information, device model, latest version number and maps information.

In this embodiment, the detecting module 404 includes:

a determining unit 4041, configured to determine whether the first feature value is greater than a normal feature value;

a first extracting unit 4042, configured to extract, when the first feature value is judged greater than the normal feature value, the loaded files in the first maps information that are extra relative to the maps information of the previous version;

a second extracting unit 4043, configured to extract, when the first feature value is judged not greater than the normal feature value, the loaded files that are missing from the first maps information relative to the maps information of the previous version;

the detecting unit 4044 is configured to perform attack analysis on the extra loaded files or the missing loaded files to obtain an attack detection result.

In another embodiment of the present application, the detecting unit 4044 is specifically configured to:

judging whether the extra loaded files or the missing loaded files are code files;

if so, extracting the abnormal part of the code files of the current version relative to the code files of the previous version, returning the abnormal code files to the server background corresponding to the terminal for testing and analysis of their source, and generating a first attack detection result from the test result and the source;

and if not, returning the loaded files to the server background corresponding to the terminal to analyse their source, and generating a second attack detection result from the source.

In another embodiment of the present application, the detection unit is specifically configured to:

extracting a corresponding path file according to the loading file, and returning the path file to a corresponding server background through an added system interface;

and analyzing the logical relationship and the source by using a reverse analysis method, and generating a first attack detection result based on the logical relationship and the source obtained by analysis.

In this embodiment, the detecting module 404 further includes:

a hash calculation unit 4045, configured to calculate a hash value of the path information using a hash algorithm;

a second comparing unit 4046, configured to compare the hash value with a hash value of path information of an application program of a previous version or a preset value;

the output unit 4047 is configured to, when the hash value is inconsistent with the hash value of the path information of the previous version of the application program or with the preset value, analyse the logical relationship and the source behind the comparison result by reverse analysis, and generate a third attack detection result from the logical relationship and the source obtained.

In the embodiment of the invention, a normal running value, namely the normal characteristic value, is predefined from the running behaviour of the application program. Then the maps information of the corresponding application program running on the terminal is obtained in real time, a real-time characteristic value is calculated from the maps information and the configuration information of the terminal, and the real-time characteristic value is compared with the normal characteristic value; if they are inconsistent, the inconsistent loaded files in the maps information are extracted for attack detection. In this way, attack cases or attack characteristics do not need to be collected, which simplifies the detection and comparison process, improves compatibility across scenarios and improves detection accuracy.

Fig. 4 and fig. 5 describe the process injection attack detection apparatus in the embodiment of the present invention in detail from the perspective of the modular functional entity, and the electronic device in the embodiment of the present invention is described in detail from the perspective of hardware processing.

Fig. 6 is a schematic structural diagram of an electronic device 600, which may have a relatively large difference due to different configurations or performances, and may include one or more processors (CPUs) 610 (e.g., one or more processors) and a memory 620, and one or more storage media 630 (e.g., one or more mass storage devices) for storing applications 633 or data 632. Memory 620 and storage medium 630 may be, among other things, transient or persistent storage. The program stored in the storage medium 630 may include one or more modules (not shown), each of which may include a sequence of instructions for operating the electronic device 600. Further, the processor 610 may be configured to communicate with the storage medium 630 to execute a series of instruction operations in the storage medium 630 on the electronic device 600. In practical applications, the application program 633 may be divided into functions of the acquisition module 401, the calculation module 402, the comparison module 403, and the detection module 404 (modules in a virtual device).

The electronic device 600 may also include one or more power supplies 640, one or more wired or wireless network interfaces 650, one or more input-output interfaces 660, and/or one or more operating systems 631, such as: windows Server, MacOSX, Unix, Linux, FreeBSD, etc. Those skilled in the art will appreciate that the electronic device structure shown in fig. 6 may also include more or fewer components than shown, or combine certain components, or a different arrangement of components.

An embodiment of the present invention further provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium, and may also be a volatile computer-readable storage medium, where instructions or a computer program are stored in the computer-readable storage medium, and when the instructions or the computer program are executed, the computer executes the steps of the process injection attack detection method provided in the foregoing embodiment.

It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses, and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.

The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
