CN117439813A - Anomaly determination method, device, electronic equipment and storage medium - Google Patents
- Publication number
- CN117439813A (application number CN202311618906.5A)
- Authority
- CN
- China
- Prior art keywords
- terminal
- target
- information
- service
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    - H04L63/1433—Vulnerability analysis
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
    - H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
  - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L67/00—Network arrangements or protocols for supporting network services or applications
  - H04L67/01—Protocols
    - H04L67/10—Protocols in which an application is distributed across nodes in the network
      - H04L67/104—Peer-to-peer [P2P] networks
        - H04L67/1087—Peer-to-peer [P2P] networks using cross-functional networking aspects
          - H04L67/1091—Interfacing with client-server systems or between P2P systems
  - H04L67/34—Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
Description
Technical field
The present application relates to the field of communication technology, and in particular to an anomaly determination method, apparatus, electronic device and storage medium.
Background
At present, a vulnerability scanning application can be deployed to a terminal device manually so that the terminal device is security-scanned and it is determined whether the terminal device has an anomaly.
However, with the method above, scanning multiple terminal devices for vulnerabilities requires the vulnerability scanning application to be deployed to each terminal manually. This is cumbersome and inefficient, and the timeliness and effectiveness of the vulnerability scanning cannot be guaranteed.
Summary of the invention
This application provides an anomaly determination method, apparatus, electronic device and storage medium that solve the technical problem of cumbersome, inefficient operation when scanning multiple terminal devices for vulnerabilities.
In a first aspect, this application provides an anomaly determination method, applied to a server, comprising: sending a remote connection request to a terminal, the remote connection request requesting establishment of a remote connection with the terminal; receiving terminal information sent by the terminal, the terminal information including the terminal's port numbers; determining, based on the port numbers, the service corresponding to the terminal; determining a target plug-in based on the service corresponding to the terminal, the target plug-in being used to direct a security scan of the terminal; sending the target plug-in to the terminal; receiving at least one item of security scan information sent by the terminal; and, where first security scan information is present in an anomaly information library, determining that the terminal has an anomaly, the first security scan information being one of the at least one item of security scan information.
Optionally, the service corresponding to the terminal is a web service and the terminal information includes multiple URLs of the web service, and the method further comprises: determining multiple parameters based on the multiple URLs of the web service, where one parameter is one field in a URL; determining a target string based on a first parameter and a preset string, the first parameter being one of the multiple parameters, the target string being a service request corresponding to an anomalous service, and the anomalous service corresponding to the preset string; sending the target string to the terminal; receiving a service response sent by the terminal, the service response indicating whether the terminal has the anomalous service corresponding to the target string; and, where the terminal has the service corresponding to the target string, determining that the terminal has an anomaly.
In this application the server determines multiple parameters from the URLs of the web service, determines the target string from the first parameter and the preset string, sends the target string to the terminal and receives the terminal's service response. Because the target string is the service request corresponding to the anomalous service, if the terminal has a service corresponding to the target string, the web service contains that anomalous service, and the server determines that the terminal has an anomaly. In this way the terminal behind the web service can be classified as anomalous or not accurately and reliably, which ensures the validity and reliability of the anomaly determination.
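The URL-parameter probe of the two paragraphs above, as an added example written for this page rather than the patent's own code. The patent does not say what the preset string is or how the service response reveals the anomalous service, so both are assumptions here: the preset string is an inert canary, and the response is taken to indicate the anomalous service when it echoes the canary back unmodified (a reflected-parameter check, chosen because it needs no payload). The URLs, the stand-in terminal web service and all function names are constructed.

```python
# Added example for this page (not the patent's code): build one "target
# string" per URL parameter, send it, and judge the terminal's response.
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the patent leaves the preset string open. An inert canary is used,
# and the (assumed) anomaly indicator is that the service reflects it verbatim.
PRESET_STRING = "canary<3f9a>"


def url_parameters(urls):
    """Distinct parameter names across the web service's URLs (one parameter = one URL field)."""
    names = set()
    for url in urls:
        for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            names.add(name)
    return sorted(names)


def target_string(url, parameter, preset=PRESET_STRING):
    """Service request with `parameter` set to the preset string; other fields untouched."""
    parts = urlsplit(url)
    pairs = [(k, preset if k == parameter else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def response_indicates_anomaly(body, preset=PRESET_STRING):
    """Assumed indicator: the raw preset string appears in the response body."""
    return preset in body


def probe(urls, send, preset=PRESET_STRING):
    """Send one target string per (URL, parameter) pair via `send(url) -> body`;
    return the pairs whose service response met the indicator."""
    hits = []
    for url in urls:
        for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if response_indicates_anomaly(send(target_string(url, name, preset)), preset):
                hits.append((url, name))
    return hits


def fake_terminal(request_url):
    """Constructed stand-in for the terminal's web service: it HTML-escapes
    every parameter except `q`, which it reflects verbatim."""
    params = dict(parse_qsl(urlsplit(request_url).query, keep_blank_values=True))
    q = params.get("q", "")
    page = html.escape(params.get("page", ""))
    return f"<h1>Results for {q}</h1><p>page {page}</p>"


# Constructed URLs, as the terminal would report them in its terminal information.
SAMPLE_URLS = [
    "http://terminal.example/search?q=test&page=1",
    "http://terminal.example/item?id=7",
]
```

`probe(SAMPLE_URLS, fake_terminal)` returns only the (URL, parameter) pairs whose responses met the indicator, so the server's decision in the patent, "the terminal has a service corresponding to the target string", reduces to that list being non-empty; the `page` and `id` fields produce no hit because the stand-in service escapes or drops them.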
Optionally, the terminal information further includes behaviour information of a target application, the target application being an application installed on the terminal and the behaviour information including at least one behaviour of the target application, and the method further comprises: sending a target permission query request to the terminal, the request asking for the permission information of the target application, the permission information including the behaviours the target application is permitted to perform; receiving the permission information of the target application sent by the terminal; and, where a target behaviour is present in the behaviour information of the target application, determining that the terminal has an anomaly, the target behaviour being one of the at least one behaviour of the target application and not being among the behaviours the target application is permitted to perform.
In this application the server sends a target permission query request to the terminal and receives the permission information of the target application. Because the permission information includes the behaviours the target application is permitted to perform, while the target behaviour is a behaviour of the target application that is not among those permitted behaviours, the presence of the target behaviour in the application's behaviour information means the target application has behaved beyond its permissions, and the server determines that the terminal has an anomaly.
In a second aspect, this application provides an anomaly determination method, applied to a terminal, comprising: receiving a remote connection request sent by a server, the remote connection request requesting establishment of a remote connection with the terminal; sending terminal information to the server, the terminal information including the terminal's port numbers; receiving a target plug-in sent by the server; performing a security scan of the terminal based on the target plug-in to obtain at least one item of security scan information; and sending the at least one item of security scan information to the server.
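The server-side exchange of the first aspect, the terminal-side exchange of the second aspect and the optional permission check, as an added example written for this page (not the patent's implementation). Everything the patent leaves open is an assumption here: the port-to-service table, the plug-in names and what they report, the contents of the anomaly information library, and the sample terminal's ports, applications and permissions. The two sides are plain function calls rather than a network protocol so that the logic can be read and run in one place.

```python
# Added example written for this page; it is not the patent's implementation.
# Every table, plug-in name, scan string and the sample terminal are constructed.
from dataclasses import dataclass

# Assumed port -> service table ("determine the service corresponding to the
# terminal based on the port number"); the patent does not give one.
PORT_SERVICES = {22: "ssh", 80: "web", 443: "web", 3306: "mysql", 6379: "redis"}

# Assumed service -> plug-in table (hypothetical plug-in names).
SERVICE_PLUGINS = {"ssh": "ssh_config_check", "web": "http_config_check",
                   "mysql": "mysql_auth_check", "redis": "redis_auth_check"}

# Assumed anomaly information library: scan strings already known to be bad.
ANOMALY_LIBRARY = {"ssh:password_auth_for_root_enabled",
                   "redis:unauthenticated_access",
                   "mysql:anonymous_account_present"}


@dataclass
class TerminalInfo:
    ports: list        # open port numbers the terminal reports
    behaviours: dict   # app name -> behaviours observed for that app


@dataclass
class Terminal:
    """Terminal side (second aspect), holding constructed state for the demo."""
    info: TerminalInfo
    permissions: dict    # app name -> behaviours the app is permitted to perform
    plugin_output: dict  # plug-in name -> scan strings it produces on this host

    def handle_remote_connection(self, request):
        if request != "REMOTE_CONNECT":
            raise ValueError("unexpected request")
        return self.info  # the terminal information sent back to the server

    def run_plugins(self, plugins):
        # "perform a security scan of the terminal based on the target plug-in"
        return [s for p in plugins for s in self.plugin_output.get(p, [])]

    def permission_info(self, app):
        return set(self.permissions.get(app, ()))


def services_for_ports(ports):
    return {PORT_SERVICES[p] for p in ports if p in PORT_SERVICES}


def plugins_for_services(services):
    return sorted(SERVICE_PLUGINS[s] for s in services if s in SERVICE_PLUGINS)


def library_hits(scan_info):
    # First aspect: anomalous iff some returned scan string is in the library.
    return sorted(s for s in scan_info if s in ANOMALY_LIBRARY)


def excess_behaviours(observed, permitted):
    # Optional aspect: observed behaviours that are not among the permitted ones.
    return sorted(set(observed) - set(permitted))


def assess_terminal(terminal):
    """Server side (first aspect): connect, map ports to services, select and run
    plug-ins, then match the results against the library and app permissions."""
    info = terminal.handle_remote_connection("REMOTE_CONNECT")
    services = services_for_ports(info.ports)
    plugins = plugins_for_services(services)
    scan_info = terminal.run_plugins(plugins)
    report = {"services": sorted(services), "plugins": plugins,
              "library_hits": library_hits(scan_info), "excess_behaviours": {}}
    for app, observed in info.behaviours.items():
        excess = excess_behaviours(observed, terminal.permission_info(app))
        if excess:
            report["excess_behaviours"][app] = excess
    report["anomalous"] = bool(report["library_hits"] or report["excess_behaviours"])
    return report


def sample_terminal():
    """Constructed terminal: Redis reachable without auth, one over-privileged app."""
    return Terminal(
        info=TerminalInfo(ports=[22, 443, 6379, 8443],
                          behaviours={"notes_app": ["read_storage", "read_contacts"],
                                      "clock_app": ["read_time"]}),
        permissions={"notes_app": ["read_storage"], "clock_app": ["read_time"]},
        plugin_output={"ssh_config_check": ["ssh:password_auth_disabled"],
                       "http_config_check": ["web:tls_only"],
                       "redis_auth_check": ["redis:unauthenticated_access"]},
    )
```

`assess_terminal(sample_terminal())` reports the terminal as anomalous twice over: the Redis plug-in's scan string is in the library, and `notes_app` was observed reading contacts without that behaviour among its permissions. Port 8443 is silently ignored because the assumed table has no service for it, which is the practical weakness of a port-number-to-service mapping: a service on an unexpected port is never scanned.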
Optionally, the service corresponding to the terminal is a web service and the terminal information includes multiple URLs of the web service, and the method further comprises: receiving a target string sent by the server, the target string being a service request corresponding to an anomalous service and the anomalous service corresponding to a preset string; and sending a service response to the server, the service response indicating whether the terminal has the anomalous service corresponding to the target string.
In this application the terminal receives the target string sent by the server and sends the server a service response indicating whether it has the anomalous service corresponding to the target string. From that response it can be determined effectively whether the web service of the terminal includes the anomalous service, which ensures the reliability of the anomaly determination.
Optionally, the terminal information further includes behaviour information of a target application, the target application being an application installed on the terminal and the behaviour information including at least one behaviour of the target application, and the method further comprises: receiving a target permission query request sent by the server, the request asking for the permission information of the target application, the permission information including the behaviours the target application is permitted to perform; and sending the permission information of the target application to the server.
In this application the terminal receives the target permission query request sent by the server and sends the server the permission information of the target application, which includes the behaviours the target application is permitted to perform. This lets the server determine accurately and quickly whether the target application on the terminal has behaved beyond its permissions, ensuring the reliability of the anomaly determination.
In a third aspect, this application provides an anomaly determination apparatus, applied to a server, comprising a sending module, a receiving module and a determining module. The sending module is configured to send a remote connection request to a terminal, the remote connection request requesting establishment of a remote connection with the terminal; the receiving module is configured to receive terminal information sent by the terminal, the terminal information including the terminal's port numbers; the determining module is configured to determine the service corresponding to the terminal based on the port numbers; the determining module is further configured to determine a target plug-in based on the service corresponding to the terminal, the target plug-in being used to direct a security scan of the terminal; the sending module is further configured to send the target plug-in to the terminal; the receiving module is further configured to receive at least one item of security scan information sent by the terminal; and the determining module is further configured to determine that the terminal has an anomaly where first security scan information is present in an anomaly information library, the first security scan information being one of the at least one item of security scan information.
Optionally, the service corresponding to the terminal is a web service and the terminal information includes multiple URLs of the web service. The determining module is further configured to determine multiple parameters based on the multiple URLs of the web service, where one parameter is one field in a URL; the determining module is further configured to determine a target string based on a first parameter and a preset string, the first parameter being one of the multiple parameters, the target string being a service request corresponding to an anomalous service, and the anomalous service corresponding to the preset string; the sending module is further configured to send the target string to the terminal; the receiving module is further configured to receive a service response sent by the terminal, the service response indicating whether the terminal has the anomalous service corresponding to the target string; and the determining module is further configured to determine that the terminal has an anomaly where the terminal has the service corresponding to the target string.
Optionally, the terminal information further includes behaviour information of a target application, the target application being an application installed on the terminal and the behaviour information including at least one behaviour of the target application. The sending module is further configured to send a target permission query request to the terminal, the request asking for the permission information of the target application, the permission information including the behaviours the target application is permitted to perform; the receiving module is further configured to receive the permission information of the target application sent by the terminal; and the determining module is further configured to determine that the terminal has an anomaly where a target behaviour is present in the behaviour information of the target application, the target behaviour being one of the at least one behaviour of the target application and not being among the behaviours the target application is permitted to perform.
In a fourth aspect, this application provides an anomaly determination apparatus, applied to a terminal, comprising a receiving module, a sending module and a processing module. The receiving module is configured to receive a remote connection request sent by a server, the remote connection request requesting establishment of a remote connection with the terminal; the sending module is configured to send terminal information to the server, the terminal information including the terminal's port numbers; the receiving module is further configured to receive a target plug-in sent by the server; the processing module is configured to perform a security scan of the terminal based on the target plug-in to obtain at least one item of security scan information; and the sending module is further configured to send the at least one item of security scan information to the server.
Optionally, the service corresponding to the terminal is a web service and the terminal information includes multiple URLs of the web service. The receiving module is further configured to receive a target string sent by the server, the target string being a service request corresponding to an anomalous service and the anomalous service corresponding to a preset string; and the sending module is further configured to send a service response to the server, the service response indicating whether the terminal has the anomalous service corresponding to the target string.
Optionally, the terminal information further includes behaviour information of a target application, the target application being an application installed on the terminal and the behaviour information including at least one behaviour of the target application. The receiving module is further configured to receive a target permission query request sent by the server, the request asking for the permission information of the target application, the permission information including the behaviours the target application is permitted to perform; and the sending module is further configured to send the permission information of the target application to the server.
In a fifth aspect, this application provides an electronic device comprising a processor and a memory configured to store processor-executable instructions, the processor being configured to execute the instructions so as to implement any of the optional anomaly determination methods of the first aspect or any of the optional anomaly determination methods of the second aspect.
In a sixth aspect, this application provides a computer-readable storage medium storing instructions which, when executed by an electronic device, enable the electronic device to perform any of the optional anomaly determination methods of the first aspect or any of the optional anomaly determination methods of the second aspect.
In the anomaly determination method, apparatus, electronic device and storage medium provided by this application, the server sends a remote connection request to the terminal, determines the service corresponding to the terminal based on the port numbers, determines the target plug-in based on that service, and sends the target plug-in to the terminal. If first security scan information is present in the anomaly information library, that information is a kind of anomaly information, so the server can determine that the terminal has the anomaly corresponding to it. The server therefore receives at least one item of security scan information from the terminal and, where first security scan information is present in the anomaly information library, determines that the terminal has an anomaly. In this way the server can determine remotely whether the terminal is anomalous, which ensures timely and reliable anomaly determination, and can further determine whether each of multiple terminals deployed at different locations is anomalous, ensuring reliable and stable anomaly determination for distributed terminals.
Description of the drawings
To explain the embodiments of this application or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below.
Figure 1 is a schematic diagram of the network architecture of an anomaly determination system provided by an embodiment of this application;
Figure 2 is a schematic diagram of the network architecture of another anomaly determination system provided by an embodiment of this application;
Figure 3 is a schematic flowchart of an anomaly determination method provided by an embodiment of this application;
Figure 4 is a schematic flowchart of another anomaly determination method provided by an embodiment of this application;
Figure 5 is a schematic flowchart of another anomaly determination method provided by an embodiment of this application;
Figure 6 is a schematic structural diagram of an anomaly determination apparatus provided by an embodiment of this application;
Figure 7 is a schematic structural diagram of another anomaly determination apparatus provided by an embodiment of this application;
Figure 8 is a schematic structural diagram of another anomaly determination apparatus provided by an embodiment of this application;
Figure 9 is a schematic structural diagram of another anomaly determination apparatus provided by an embodiment of this application.
Detailed description of embodiments
The anomaly determination method, apparatus, electronic device and storage medium provided by the embodiments of this application are described in detail below with reference to the accompanying drawings.
Furthermore, the terms "include" and "have" and any variants thereof in the description of this application are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, but may optionally include other steps or units that are not listed, or other steps or units inherent to such a process, method, product or device.
It should be noted that in the embodiments of this application words such as "exemplary" or "for example" are used to indicate an example, instance or illustration. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application is not to be construed as preferred over or advantageous compared with other embodiments or designs. Rather, these words are intended to present the relevant concept in a concrete manner.
In the description of this application, unless otherwise stated, "multiple" means two or more.
基于背景技术中所描述,由于相关技术中,在对多个终端设备进行漏洞扫描时,需要为终端设备人工部署漏洞扫描应用,存在操作繁琐、效率低的问题,不能保证漏洞扫描的及时性和有效性。基于此,本申请实施例提供一种异常确定方法、装置、电子设备及存储介质,异常信息库存在第一安全扫描信息,说明该第一安全扫描信息为一种异常信息,此时,服务器可以确定该终端存在与该第一安全扫描信息对应的异常,因此,服务器接收终端发送的至少一条安全扫描信息,在异常信息库存在第一安全扫描信息的情况下,服务器确定终端存在异常,如此,服务器能够远程确定该终端是否存在异常,保证了异常确定的及时性和可靠性,进而能够确定出分散部署的多个终端各自是否异常,保证了分布式终端的异常确定的可靠性和稳定性。Based on what is described in the background art, in related technologies, when vulnerability scanning is performed on multiple terminal devices, a vulnerability scanning application needs to be manually deployed for the terminal devices. This has problems of cumbersome operation and low efficiency, and the timeliness and effectiveness of vulnerability scanning cannot be guaranteed. effectiveness. Based on this, embodiments of the present application provide an abnormality determination method, device, electronic device and storage medium. The abnormal information database contains first security scan information, indicating that the first security scan information is a kind of abnormal information. At this time, the server can It is determined that the terminal has an abnormality corresponding to the first security scan information. Therefore, the server receives at least one piece of security scan information sent by the terminal. When the abnormal information library contains the first security scan information, the server determines that the terminal has an abnormality. In this way, The server can remotely determine whether there is an abnormality in the terminal, ensuring the timeliness and reliability of abnormality determination, and then can determine whether multiple terminals deployed in a distributed manner are abnormal, ensuring the reliability and stability of abnormality determination of distributed terminals.
The anomaly determination method, device, electronic equipment and storage medium provided by the embodiments of this application can be applied to an anomaly determination system. As shown in Figure 1, the anomaly determination system includes a server 101 and a terminal 102. In practical applications the connections between the above devices are usually wireless; to represent the connection relationships intuitively, solid lines are used in Figure 1.
The server 101 is configured to send a plug-in to the terminal 102, where the plug-in is used to instruct a security scan of the terminal 102.
The terminal 102 is configured to receive the plug-in sent by the server 101 and to send to the server 101 at least one piece of security scan information produced by the plug-in's security scan of the terminal 102.
Illustratively, the terminal executing the anomaly determination method provided by the embodiments of this application may be a mobile phone, a tablet computer, a desktop computer, a laptop, a handheld computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, a cellular phone, a personal digital assistant (PDA), or an augmented reality (AR)/virtual reality (VR) device; the embodiments of this application place no particular restriction on the specific form of the terminal device. The terminal may interact with the user through one or more of a keyboard, touch pad, touch screen, remote control, voice interaction or handwriting device.
Illustratively, the above server may be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content delivery network (CDN) services, and big data and artificial intelligence platforms.
As shown in Figure 2, another schematic diagram of the network architecture of the anomaly determination system provided by the embodiments of this application includes a server 201, a router 202, a firewall 203, a 5G core network 204, a base station 205, a client device 206, an intranet device 207, an intranet device 208 and an intranet device 209.
The server 201 is configured to store multiple plug-ins, each of which is used to perform a security scan on a different type of intranet device to obtain the security scan information of that intranet device.
The router 202 is configured to send the data packets of the multiple plug-ins to the firewall 203.
The firewall 203 is configured to receive the data packets sent by the router 202 and, after determining that a data packet has access permission, to forward the data packet to the 5G core network 204.
The 5G core network 204 is configured to receive the data packet and send it to the base station 205.
The base station 205 is configured to send the data packet to the client device 206.
The client device 206 is configured to receive the data packet and to connect the intranet device 207, the intranet device 208 and the intranet device 209; that is, the client device 206 can send the data packet to the intranet device 207, the intranet device 208 or the intranet device 209.
The intranet device 207, 208 or 209 is configured to receive the data packet sent by the client device 206, perform a security scan based on the plug-in corresponding to the data packet, generate security scan information, and return that security scan information.
It can be understood that the server 201, router 202, firewall 203, 5G core network 204, base station 205 and client device 206 together form a GRE (Generic Routing Encapsulation) tunnel. The GRE tunnel connects the server 201 and the client device 206, enabling data exchange between the server 201 and the client device 206 as well as the intranet devices 207, 208 and 209 attached under the client device 206.
Optionally, the client device 206 is a CPE (Customer Premises Equipment). The CPE connects the multiple devices on the customer side (i.e., the intranet devices 207, 208 and 209) to form the customer's intranet, meeting the customer's intranet needs and asset linking (asset linking meaning connecting the customer's multiple devices together).
Optionally, the CPE is connected to the intranet devices 207, 208 and 209 via Wi-Fi or wired connections.
The anomaly determination method, device, electronic equipment and storage medium provided by the embodiments of this application are applied to vulnerability scanning scenarios for multiple terminal devices. Specifically, the server first establishes remote connections with the multiple terminal devices, determines the service corresponding to each terminal device, determines the plug-in corresponding to each terminal device based on that service, and sends each terminal device its corresponding plug-in. It can then determine whether each terminal device is anomalous, receive the anomaly information of each terminal device and process it centrally. This allows centralized vulnerability scanning of multiple terminal devices deployed in a distributed manner, which is faster and more accurate than manually deploying plug-ins and running vulnerability scans.
As shown in Figure 3, the anomaly determination method provided by the embodiments of this application may include S101 to S112.
S101. The server sends a remote connection request to the terminal.
The remote connection request is used to request the establishment of a remote connection with the terminal.
In one implementation of the embodiments of this application, the server sends the remote connection request to the terminal after receiving a security scan task sent by the terminal.
In one implementation of the embodiments of this application, the server first performs a liveness test on the terminal and sends the remote connection request only if the terminal is alive.
Optionally, the server performs the liveness test on the terminal using ICMP PING (Internet Control Message Protocol; Packet Internet Groper), UDP PING (User Datagram Protocol) or TCP PING (Transmission Control Protocol), among other methods.
When the liveness test is based on TCP PING, the TCP port to probe must be specified.
S102. The terminal receives the remote connection request sent by the server.
Optionally, the remote connection method corresponding to the remote connection request may be an SMB (Server Message Block) connection, an RDP (Remote Desktop Protocol) connection, an SSH (Secure Shell) connection, a TELNET (the standard protocol for Internet remote login) connection, or an HTTP/HTTPS (Hypertext Transfer Protocol) connection.
An SSH or TELNET connection may also involve a jump-host connection. Specifically, when the terminal is protected by a firewall or a bastion host, the server connects to the bastion host via SSH or TELNET and then establishes the connection to the terminal through the bastion host.
S103. The terminal sends terminal information to the server.
The terminal information includes the port numbers of the terminal.
S104. The server receives the terminal information sent by the terminal.
In one implementation of the embodiments of this application, the server obtains the port numbers of the terminal by means of TCP connections.
Optionally, the TCP connection is a full TCP connection or a TCP half-open connection.
S105. The server determines the service corresponding to the terminal based on the port number.
S106. The server determines the target plug-in based on the service corresponding to the terminal.
It should be understood that a terminal running different services may have different possible anomalies, so the plug-in that performs the security scan of the terminal should be able to determine whether the terminal is anomalous with respect to the terminal's service. Therefore, the server determines the target plug-in based on the service corresponding to the terminal.
In one implementation of the embodiments of this application, the server determines the operating system of the terminal based on the port number, and determines the target plug-in based on that operating system.
Optionally, the server obtains data packets sent by the terminal and determines the terminal's operating system from characteristic parameters in the packets. The characteristic parameters may be the TCP window size, the IP TTL (Internet Protocol time to live, the time-to-live value in the IP packet), the IP TOS (IP Type of Service), the DF bit (Don't Fragment, in the IP header), and so on.
Optionally, the server sends a FIN/PSH/URG probe to a closed TCP port of the terminal, obtains the terminal's response, and determines the type of operating system from the ACK (acknowledgment flag in the TCP header) present in the response.
In one implementation of the embodiments of this application, the server identifies the port using a non-standard service identification technique, which is used to identify services running on non-conventional port numbers.
It can be understood that there is a correspondence between port numbers and standard services; for example, a mail server corresponds to port 25, a web server to port 80 and a domain name server to port 53, so the server can determine the terminal's service from the port number. At the same time, some services use port numbers that are not in this port-to-standard-service correspondence, i.e., non-conventional port numbers; in that case the server identifies the port using the non-standard service identification technique to determine the service corresponding to the non-conventional port number.
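The following is an added example (not code from the patent) of the server-side logic of S105 and S106: open ports are mapped to services through the port-to-standard-service table, non-conventional ports are identified from the banner the service returned, and a scan plug-in is chosen per service. The banner patterns, the plug-in names and the sample terminal information are assumptions; the patent does not specify how its non-standard service identification works.

```python
"""Added example for S105/S106: map a terminal's open ports to services, then pick the
scan plug-in per service. Patterns, plug-in names and sample data are assumptions."""
import re
from typing import Dict, Optional, Tuple

# Port-to-standard-service correspondence. The page names 25, 53 and 80; the other
# entries are well-known assignments added for the example.
STANDARD_PORTS = {
    22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
    443: "https", 445: "smb", 3389: "rdp",
}

# Banner fingerprints for the non-standard service identification step. Matching the
# first bytes a service sends is one common way to do it (assumption, not the patent's).
BANNER_PATTERNS = (
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("smtp", re.compile(rb"^220[ -].*E?SMTP", re.IGNORECASE)),
    ("ftp", re.compile(rb"^220[ -].*FTP", re.IGNORECASE)),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3} ")),
)

# Service -> target plug-in (hypothetical plug-in names).
PLUGIN_FOR_SERVICE = {
    "ssh": "ssh_version_check",
    "smtp": "smtp_open_relay_check",
    "http": "web_service_scan",
    "https": "web_service_scan",
    "smb": "smb_signing_check",
    "rdp": "rdp_nla_check",
    "unknown": "generic_banner_grab",
}


def identify_service(port: int, banner: Optional[bytes] = None) -> str:
    """Return the service name for an open port.

    Banner evidence wins over the port-number table when both are available: a service
    on a non-conventional port is then recognised, and a standard port carrying a
    different service does not get the wrong plug-in. Without a banner, the standard
    table is the only source, and an unknown port maps to "unknown".
    """
    if banner:
        for name, pattern in BANNER_PATTERNS:
            if pattern.search(banner):
                return name
    return STANDARD_PORTS.get(port, "unknown")


def select_plugins(open_ports: Dict[int, Optional[bytes]]) -> Dict[int, Tuple[str, str]]:
    """Map {port: banner_or_None} to {port: (service, plug-in)} for one terminal."""
    result = {}
    for port, banner in open_ports.items():
        service = identify_service(port, banner)
        plugin = PLUGIN_FOR_SERVICE.get(service, PLUGIN_FOR_SERVICE["unknown"])
        result[port] = (service, plugin)
    return result


if __name__ == "__main__":
    # Constructed terminal information: three open ports and the banners they returned.
    terminal_info = {
        80: None,                                    # no banner captured, standard port
        2222: b"SSH-2.0-OpenSSH_9.3\r\n",            # SSH on a non-conventional port
        8025: b"220 mail.example.test ESMTP ready",  # SMTP on a non-conventional port
    }
    for port, (service, plugin) in select_plugins(terminal_info).items():
        print(f"port {port}: service={service} plugin={plugin}")
```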
S107. The server sends the target plug-in to the terminal.
S108. The terminal receives the target plug-in sent by the server.
S109. The terminal performs a security scan on itself based on the target plug-in and obtains at least one piece of security scan information.
S110. The terminal sends the at least one piece of security scan information to the server.
S111. The server receives the at least one piece of security scan information sent by the terminal.
S112. If first security scan information is present in the anomaly information library, the server determines that the terminal is anomalous.
The first security scan information is one of the at least one piece of security scan information.
It should be understood that the presence of the first security scan information in the anomaly information library means that the first security scan information is a kind of anomaly information; the server can then determine that the terminal has the anomaly corresponding to the first security scan information, and thus determines that the terminal is anomalous.
In one implementation of the embodiments of this application, the target plug-in obtains the version information of the terminal's operating system or service, and that version information is taken as the security scan information; the server compares the version information against the vulnerability library information to determine whether the version of the terminal's system or service is present in the vulnerability library, and thus whether the terminal is anomalous.
In one implementation of the embodiments of this application, after the server and the terminal have established a remote connection, the terminal sends its password file (shadow) to the server, which compares the passwords in the password file against a preset password library to determine whether the password file contains weak passwords or weak credentials (i.e., passwords with a low security factor). If the password file contains a weak password, the server determines that the terminal is anomalous.
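The following is an added example (not code from the patent) of the determination in S112 in its version-library form: each piece of security scan information reported by the target plug-in (a product and its version) is checked against anomaly information library records that hold an affected version range, and the terminal is anomalous if any record matches. The record layout, the placeholder entry identifiers, the version-range semantics and the sample data are assumptions; the anomaly type labels are taken from the list at the end of this description.

```python
"""Added example for S112 with version information as the security scan information.
Record formats, identifiers and sample data are assumptions, not the patent's."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '7.4p1' or '2.4.49' into a comparable tuple of integers: (7, 4, 1), (2, 4, 49)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return parts


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so that (8,) and (8, 0) compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


@dataclass(frozen=True)
class AnomalyEntry:
    """One record of the anomaly information library: a product and the version range
    [min_version, fixed_version) that is considered anomalous."""
    entry_id: str                 # placeholder identifier, not a real advisory number
    product: str
    min_version: str
    fixed_version: Optional[str]  # None: no fix known, every version >= min is affected
    anomaly_type: str

    def matches(self, product: str, version: str) -> bool:
        if product.lower() != self.product.lower():
            return False
        v, lo = _pad(parse_version(version), parse_version(self.min_version))
        if v < lo:
            return False
        if self.fixed_version is None:
            return True
        v, hi = _pad(parse_version(version), parse_version(self.fixed_version))
        return v < hi


@dataclass(frozen=True)
class ScanInfo:
    """One piece of security scan information returned by the target plug-in."""
    product: str
    version: str


def determine_anomalies(scan_infos: List[ScanInfo],
                        library: List[AnomalyEntry]) -> List[Tuple[ScanInfo, AnomalyEntry]]:
    """S112: the terminal is anomalous if any scan information is present in the library.
    Every (scan information, library entry) pair that matched is returned, so the server
    can also report the anomaly type for each match."""
    hits = []
    for info in scan_infos:
        for entry in library:
            if entry.matches(info.product, info.version):
                hits.append((info, entry))
    return hits


# Constructed anomaly information library (placeholder ids, made-up version ranges).
LIBRARY = [
    AnomalyEntry("ENTRY-PLACEHOLDER-001", "OpenSSH", "7.0", "8.0",
                 "remote information leakage"),
    AnomalyEntry("ENTRY-PLACEHOLDER-002", "ExampleCMS", "3.1", None,
                 "command execution type: SQL injection"),
]

if __name__ == "__main__":
    # Constructed security scan information from one terminal.
    reported = [ScanInfo("OpenSSH", "7.4p1"), ScanInfo("ExampleCMS", "3.0.2"),
                ScanInfo("nginx", "1.24.0")]
    hits = determine_anomalies(reported, LIBRARY)
    print("terminal anomalous:", bool(hits))
    for info, entry in hits:
        print(f"  {info.product} {info.version} -> {entry.entry_id} ({entry.anomaly_type})")
```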
The technical solution provided by the above embodiment can bring at least the following beneficial effects. As can be seen from S101 to S112, the server sends a remote connection request to the terminal, determines the terminal's service based on the port number, determines the target plug-in based on that service, and sends the target plug-in to the terminal. The presence of the first security scan information in the anomaly information library means that the first security scan information is a kind of anomaly information, so the server can determine that the terminal has the anomaly corresponding to it. Therefore, the server receives at least one piece of security scan information sent by the terminal, and when the first security scan information is present in the anomaly information library, the server determines that the terminal is anomalous. In this way the server can remotely determine whether the terminal is anomalous, ensuring the timeliness and reliability of anomaly determination, and can further determine whether each of multiple terminals deployed in a distributed manner is anomalous, ensuring the reliability and stability of anomaly determination for distributed terminals.
Further, the terminal receives the remote connection request sent by the server, sends terminal information to the server, receives the target plug-in sent by the server, performs a security scan on itself based on the target plug-in to obtain at least one piece of security scan information, and sends that information to the server. In this way the terminal can accurately determine its own anomalies based on the target plug-in and send the at least one piece of security scan information to the server, so that the server can determine whether the terminal is anomalous, which ensures the timeliness and reliability of anomaly determination.
In one implementation of the embodiments of this application, the service corresponding to the terminal is a web service, and the terminal information includes multiple URLs (uniform resource locators) corresponding to the web service. In combination with Figure 3 and as shown in Figure 4, in one implementation the above anomaly determination method further includes S113 to S119.
S113. The server determines multiple parameters based on the multiple URLs corresponding to the web service.
A parameter is a field in a URL.
In one implementation of the embodiments of this application, the server obtains the multiple URLs corresponding to the web service using an intelligent page crawling technique.
Specifically, the server obtains the responses corresponding to multiple preset URLs using one or more of cookies, custom request headers, preset proxies, preset authentication methods and client certificates; after receiving the responses corresponding to the preset URLs, the server determines the multiple URLs based on those responses.
The intelligent page crawling technique crawls web pages by simulating click operations and includes a control component and a processing component. The control component controls the crawling strategy, the login verification data, and the custom lists of crawlable and non-crawlable pages. The processing component extracts the links within a page, manipulates the DOM (Document Object Model) data model through simulated clicks, and intercepts script execution data in order to extract links and prevent damage to server data.
Specifically, the control component passes the site URL to the processing component, which fetches the web page from the terminal and parses the obtained HTML document into a DOM data model using a built-in browser engine (deployed on the server). It then extracts the URLs in the web page by processing the different tags in the HTML document. When processing script tags, it performs simulated clicks on the clickable elements, i.e., it simulates human click behaviour to trigger click events, intercepts the URL before the DOM data is changed, and at the same time blocks modifications to the DOM model to avoid modifying the web service's data.
Optionally, the server obtains the multiple URLs using multiple threads and limits the number of threads according to the capacity of the terminal's web service, so that crawling proceeds normally.
Optionally, the preset proxy may be HTTP, HTTPS, SOCKS4 or SOCKS5, and the preset authentication method may be basic, NTLM or digest.
Optionally, the server may obtain the multiple URLs from static content such as HTML, HTML comments, Flash and WSDL, and may also obtain them statically or dynamically from the DOM tree, JavaScript and Ajax.
In one implementation of the embodiments of this application, the server determines the multiple parameters from the multiple URLs through the target plug-in, where a parameter may be a URL path, a parameter in a GET URL, a parameter in a POST request body, a field in a request header, a key-value pair in a cookie, a response body, and so on.
S114. The server determines a target string based on a first parameter and a preset string.
The first parameter is one of the multiple parameters; the target string is a service request corresponding to an anomalous service, and the anomalous service corresponds to the preset string.
S115. The server sends the target string to the terminal.
S116. The terminal receives the target string sent by the server.
S117. The terminal sends a service response to the server.
The service response is used to indicate whether the anomalous service corresponding to the target string exists on the terminal.
S118. The server receives the service response sent by the terminal.
S119. If a service corresponding to the target string exists on the terminal, the server determines that the terminal is anomalous.
It should be understood that since the target string is a service request corresponding to an anomalous service, if a service corresponding to the target string exists on the terminal, the web service has that anomalous service, and the server determines that the terminal is anomalous.
In one implementation of the embodiments of this application, the web service is an open-source CMS (content management system), and the server uses the target plug-in to inspect the open-source CMS and determine whether it has anomalies (or vulnerabilities).
Illustratively, the open-source CMS may be WordPress.
In the embodiments of this application, the server determines multiple parameters based on the multiple URLs corresponding to the web service, determines a target string based on the first parameter and the preset string, sends the target string to the terminal, and receives the service response sent by the terminal. Since the target string is a service request corresponding to an anomalous service, if a service corresponding to the target string exists on the terminal, the web service has that anomalous service and the server determines that the terminal is anomalous. In this way it can be accurately and reliably determined whether the terminal providing the web service is anomalous, ensuring the validity and reliability of anomaly determination.
Further, the terminal receives the target string sent by the server and sends a service response to the server, where the service response indicates whether the anomalous service corresponding to the target string exists on the terminal. Based on the service response it can thus be effectively determined whether the terminal's web service includes the anomalous service, which ensures the reliability of anomaly determination.
在本申请实施例的一种实现方式中,上述终端信息还包括目标应用的行为信息,该目标应用为安装在终端上的应用,该目标应用的行为信息中包括目标应用的至少一个行为。结合图3,如图5所示。在一种实现方式中,上述异常确定方法,还包括S120-S124。In an implementation manner of the embodiment of the present application, the above terminal information also includes behavior information of the target application. The target application is an application installed on the terminal. The behavior information of the target application includes at least one behavior of the target application. Combined with Figure 3, it is shown in Figure 5. In an implementation manner, the above-mentioned abnormality determination method also includes S120-S124.
S120、服务器向终端发送目标权限查询请求。S120. The server sends a target permission query request to the terminal.
其中,该目标权限查询请求用于请求查询该目标应用的权限信息,该权限信息中包括该目标应用可执行的行为。Wherein, the target permission query request is used to request permission information of the target application, and the permission information includes executable behaviors of the target application.
S121、终端接收服务器发送的目标权限查询请求。S121. The terminal receives the target permission query request sent by the server.
S122、终端向服务器发送目标应用的权限信息。S122. The terminal sends the permission information of the target application to the server.
S123、服务器接收终端发送的目标应用的权限信息。S123. The server receives the permission information of the target application sent by the terminal.
S124、在目标应用的行为信息中存在目标行为的情况下,服务器确定终端存在异常。S124. When the target behavior exists in the behavior information of the target application, the server determines that there is an abnormality in the terminal.
其中,该目标行为为该目标应用的至少一个行为中一个,该目标行为不存在于该目标应用可执行的行为中。The target behavior is one of at least one behavior of the target application, and the target behavior does not exist among the executable behaviors of the target application.
应理解,由于该权限信息中包括该目标应用可执行的行为,而该目标行为为该目标应用的至少一个行为中一个,该目标行为不存在于该目标应用可执行的行为中,因此,在目标应用的行为信息中存在目标行为的情况下,说明该目标应用存在超出其权限的行为,此时,服务器确定终端存在异常。It should be understood that since the permission information includes behaviors executable by the target application, and the target behavior is one of at least one behavior of the target application, the target behavior does not exist among the behaviors executable by the target application. Therefore, in If the target behavior exists in the behavior information of the target application, it means that the target application has behavior beyond its permissions. At this time, the server determines that there is an abnormality in the terminal.
本申请实施例中,服务器向终端发送目标权限查询请求,服务器接收终端发送的目标应用的权限信息,由于该权限信息中包括该目标应用可执行的行为,而该目标行为为该目标应用的至少一个行为中一个,该目标行为不存在于该目标应用可执行的行为中,因此,在目标应用的行为信息中存在目标行为的情况下,说明该目标应用存在超出其权限的行为,此时,服务器确定终端存在异常。In the embodiment of this application, the server sends a target permission query request to the terminal, and the server receives the permission information of the target application sent by the terminal, because the permission information includes the executable behavior of the target application, and the target behavior is at least the target application's executable behavior. One of the behaviors. The target behavior does not exist among the behaviors that can be executed by the target application. Therefore, if the target behavior exists in the behavior information of the target application, it means that the target application has behaviors that exceed its permissions. At this time, The server determines that there is an abnormality in the terminal.
进一步地,终端接收服务器发送的目标权限查询请求,终端向服务器发送目标应用的权限信息,而该权限信息中包括该目标应用可执行的行为,如此,能够帮助服务器准确快速地确定出该终端对应的目标应用是否存在超出其权限的行为,保证了异常确定的可靠性。Further, the terminal receives the target permission query request sent by the server, and the terminal sends the permission information of the target application to the server, and the permission information includes the executable behaviors of the target application. In this way, it can help the server accurately and quickly determine the corresponding permissions of the terminal. Whether the target application has behavior beyond its permissions ensures the reliability of exception determination.
In one implementation of the embodiment of this application, the server monitors the target application or the web service corresponding to the terminal using an active trojanized-page detection technique that combines static analysis and dynamic analysis.
Specifically, the server monitors DOM objects and ActiveX controls, obtains the memory allocation behavior of each, and determines, through ActiveX ID checks, object interface call checks or HeapSpray detection, whether the memory allocation behavior of the DOM objects or ActiveX controls includes any behavior beyond their permissions.
In one implementation of the embodiment of this application, the at least one piece of security scan information further includes log information of the target plug-in, which records information such as the security scanning behavior of the target plug-in.
In one implementation of the embodiment of this application, when the server determines that the terminal is abnormal, it also determines the anomaly type of the terminal.
For example, the anomaly types include: remote information leakage; remote data modification; remote denial of service; remote command execution; local privilege escalation; client-side attack type: cross-site scripting; client-side attack type: content spoofing; logic attack type: function abuse; logic attack type: denial of service; logic attack type: insufficient process validation; command execution type: buffer overflow; command execution type: LDAP injection; command execution type: system command execution; command execution type: SQL injection; command execution type: XPath injection; information leakage type: directory index information leakage; information leakage type: information leakage; information leakage type: directory traversal; information leakage type: predictable resource location; authentication type: brute-force guessing; authentication type: insufficient authentication; authorization type: insufficient authorization; authorization type: insufficient session expiration.
In one implementation of the embodiment of this application, the server performs automated vulnerability scanning on the web service corresponding to the terminal.
Specifically, the automated vulnerability scanning technology includes site information renormalization (NSFOCUS IntelligentProfile, NSIP), incremental scanning, intelligent remote scanning for known web applications, and page comparison analysis based on DOM structure analysis.
With the site information renormalization technique, after obtaining the information of the web service corresponding to the terminal, the server calls the plug-in corresponding to that information, establishes a vulnerability knowledge base mechanism, and scans the web service corresponding to the terminal.
For example, if the web service corresponding to the terminal is an Apache service, then during the server's scan only the signature strings corresponding to the Apache service are used.
With the incremental scanning technique, the server obtains the HTTP response fields, page MD5 values and other information of the web service corresponding to the terminal and stores them in the profile file corresponding to the terminal. At the next scan of the terminal, the server determines from the terminal's newly generated profile file whether the web service has changed; if the web service has not changed, it determines that the web service is normal.
With the intelligent remote scanning technique for known web applications, the server determines whether the web service corresponding to the terminal is a known web service; if it is, the server determines whether the web service corresponding to the terminal is abnormal based on the publicly disclosed vulnerabilities of that web service.
For example, the server determines CGI vulnerabilities of the web service corresponding to the terminal using a CGI (common gateway interface) scanning module.
Incremental scanning, SQL (structured query language) injection detection, XPath (XML path language, XML being a subset of the standard generalized markup language) injection detection and tampering detection all require page change analysis of the pages returned by successive requests, in order to judge whether the page has changed substantively. Using the page comparison analysis technique based on DOM structure analysis, the server generates a DOM tree from the web service corresponding to the terminal and, based on the features of each node in the DOM tree, determines the page change analysis result of that web service, which allows it to determine more accurately whether the web service corresponding to the terminal is abnormal.
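The incremental scan profile and the DOM-based page comparison described above, as an added Python example that is not code from the patent or from NSFOCUS. It keeps selected response header fields and the page MD5 in a per-terminal profile, derives the service name from the Server header so that only that service's signatures need to be used (as in the Apache case above), and compares the DOM structure of two scans so that a change in dynamic text alone is not reported as a substantive change. `ScanProfile`, `build_profile`, `compare_profiles` and `service_from_headers` are assumed names, and the headers and pages are constructed sample data:

```python
"""Incremental scanning and DOM-structure page comparison (added example).

Not code from the patent: the names below are assumptions, and the response
headers and HTML pages are constructed sample data.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from html.parser import HTMLParser

# Response header fields kept in the profile (assumption: the patent only says
# "HTTP response fields"; these are typical choices).
PROFILE_HEADERS = ("Server", "Content-Type", "X-Powered-By")
# Elements that never carry an end tag, so they must not increase nesting depth.
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}


class _DomWalker(HTMLParser):
    """Records one feature tuple per element: (depth, tag, attribute names)."""

    def __init__(self):
        super().__init__()
        self.depth = 0
        self.nodes = []

    def handle_starttag(self, tag, attrs):
        self.nodes.append((self.depth, tag, tuple(sorted(k for k, _ in attrs))))
        if tag not in VOID_TAGS:
            self.depth += 1

    def handle_startendtag(self, tag, attrs):
        self.nodes.append((self.depth, tag, tuple(sorted(k for k, _ in attrs))))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS:
            self.depth = max(0, self.depth - 1)


def dom_signature(html):
    """Structural fingerprint of a page: element tree shape without text content."""
    walker = _DomWalker()
    walker.feed(html)
    walker.close()
    return walker.nodes


def service_from_headers(headers):
    """Product name from the Server header, so only that service's signatures are used."""
    server = headers.get("Server", "")
    return server.split("/")[0].strip().lower() or None


@dataclass
class ScanProfile:
    headers: dict
    page_md5: str
    dom: list


def build_profile(headers, body):
    """One scan's record for the terminal's profile file."""
    return ScanProfile(
        headers={k: headers.get(k) for k in PROFILE_HEADERS},
        # MD5 is used as a change fingerprint only, not for security.
        page_md5=hashlib.md5(body.encode("utf-8"), usedforsecurity=False).hexdigest(),
        dom=dom_signature(body),
    )


def compare_profiles(old, new):
    """Page change analysis between two scans.

    An MD5 mismatch alone is not treated as substantive: dynamic text such as
    timestamps changes it on every request. A change in the recorded response
    headers or in the DOM structure is substantive and deserves a closer look.
    """
    details = []
    header_changed = False
    for k in PROFILE_HEADERS:
        if old.headers.get(k) != new.headers.get(k):
            header_changed = True
            details.append(f"header {k}: {old.headers.get(k)!r} -> {new.headers.get(k)!r}")
    added = Counter(new.dom) - Counter(old.dom)
    removed = Counter(old.dom) - Counter(new.dom)
    for (depth, tag, attrs), n in added.items():
        details.append(f"added <{tag}> at depth {depth} with attrs {list(attrs)} x{n}")
    for (depth, tag, attrs), n in removed.items():
        details.append(f"removed <{tag}> at depth {depth} x{n}")
    md5_changed = old.page_md5 != new.page_md5
    substantive = header_changed or bool(added) or bool(removed)
    if md5_changed and not substantive:
        details.append("content changed but DOM structure identical (dynamic text only)")
    return {"md5_changed": md5_changed, "substantive": substantive, "details": details}


# Constructed sample data: a baseline page, the same page with only a timestamp
# changed, and the page with an extra element inserted into the body.
HEADERS = {"Server": "Apache/2.4.57", "Content-Type": "text/html"}
PAGE_V1 = ("<html><head><title>Shop</title></head><body><div id='main'>"
           "<p>Updated 10:00</p><a href='/items'>items</a></div></body></html>")
PAGE_V2 = PAGE_V1.replace("10:00", "10:05")
PAGE_V3 = PAGE_V1.replace("</div>", "<iframe src='http://example.invalid/f'></iframe></div>")

if __name__ == "__main__":
    base = build_profile(HEADERS, PAGE_V1)
    print(service_from_headers(HEADERS))
    print(compare_profiles(base, build_profile(HEADERS, PAGE_V2)))
    print(compare_profiles(base, build_profile(HEADERS, PAGE_V3)))
```

On the sample data the second scan differs only in the timestamp, so the MD5 changes but the DOM fingerprint does not and the page is reported as not substantively changed; the third scan adds an element inside the body, which shows up as an added node at depth 3 and is reported as substantive.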
The embodiments of this application may divide the electronic device and the like into functional modules according to the above method examples; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. It should be noted that the division of modules in the embodiments of this application is schematic and is only a division by logical function; other divisions are possible in actual implementation.
Where each functional module corresponds to one function, Figure 6 shows a possible structural diagram of the anomaly determination device involved in the above embodiments. As shown in Figure 6, the anomaly determination device 30 may include a sending module 301, a receiving module 302 and a determining module 303.
The sending module 301 is configured to send a remote connection request to the terminal, where the remote connection request requests the establishment of a remote connection with the terminal.
The receiving module 302 is configured to receive terminal information sent by the terminal, where the terminal information includes the port number of the terminal.
The determining module 303 is configured to determine, based on the port number, the service corresponding to the terminal.
The determining module 303 is further configured to determine a target plug-in based on the service corresponding to the terminal, where the target plug-in indicates that a security scan is to be performed on the terminal.
The sending module 301 is further configured to send the target plug-in to the terminal.
The receiving module 302 is further configured to receive at least one piece of security scan information sent by the terminal.
The determining module 303 is further configured to determine that the terminal is abnormal when first security scan information is present in the anomaly information library, where the first security scan information is one of the at least one piece of security scan information.
Optionally, the service corresponding to the terminal is a web service, and the terminal information includes multiple URLs corresponding to the web service.
The determining module 303 is further configured to determine multiple parameters based on the multiple URLs corresponding to the web service, where each parameter is a field in a URL.
The determining module 303 is further configured to determine a target string based on a first parameter and a preset string, where the first parameter is one of the multiple parameters, the target string is a service request corresponding to an abnormal service, and the abnormal service corresponds to the preset string.
The sending module 301 is further configured to send the target string to the terminal.
The receiving module 302 is further configured to receive a service response sent by the terminal, where the service response indicates whether the abnormal service corresponding to the target string exists on the terminal.
The determining module 303 is further configured to determine that the terminal is abnormal when the service corresponding to the target string exists on the terminal.
Optionally, the terminal information further includes behavior information of a target application, where the target application is an application installed on the terminal and the behavior information of the target application includes at least one behavior of the target application.
The sending module 301 is further configured to send a target permission query request to the terminal, where the target permission query request requests the permission information of the target application, and the permission information includes the behaviors the target application is allowed to execute.
The receiving module 302 is further configured to receive the permission information of the target application sent by the terminal.
The determining module 303 is further configured to determine that the terminal is abnormal when a target behavior is present in the behavior information of the target application, where the target behavior is one of the at least one behavior of the target application and is not among the behaviors the target application is allowed to execute.
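The anomaly determination device 30 described above, together with the permission-versus-behavior check explained earlier (the target behavior being one the target application performed but is not allowed to execute), as an added Python example that is not the patent's own code. The port-to-service table, the service-to-plug-in table, the anomaly information library and the simulated terminal (which stands in for the terminal-side receiving and sending modules) are all constructed assumptions; the URL-parameter and target-string branch is not modelled here:

```python
"""Anomaly determination device 30 (sending module 301, receiving module 302,
determining module 303) as an added worked example.

This is illustrative code, not the patent's implementation: the lookup tables,
the anomaly information library and the simulated terminal are constructed.
"""
from dataclasses import dataclass, field

# Assumed lookup tables (the patent gives no concrete values).
PORT_SERVICES = {22: "ssh", 80: "http", 443: "https", 3306: "mysql", 6379: "redis"}
SERVICE_PLUGINS = {"http": "web_scan", "https": "web_scan", "ssh": "ssh_config_check",
                   "mysql": "db_auth_check", "redis": "db_auth_check"}
# Anomaly information library: scan findings known to indicate an abnormal terminal.
ANOMALY_LIBRARY = {
    "http: directory index enabled",
    "redis: unauthenticated access enabled",
    "ssh: root password login allowed",
}


@dataclass
class SimulatedTerminal:
    """Stand-in for the terminal side; all fields are constructed sample data."""
    ports: list
    scan_results: dict      # plug-in name -> findings the plug-in would report
    app_behaviors: dict     # app -> behaviors observed on the terminal
    app_permissions: dict   # app -> behaviors the app is allowed to execute

    def handle(self, msg):
        """Answers one server message (terminal-side receive/send)."""
        kind = msg["type"]
        if kind == "remote_connection_request":
            return {"type": "terminal_info", "ports": self.ports,
                    "behaviors": self.app_behaviors}
        if kind == "plugin":
            return {"type": "scan_info",
                    "findings": self.scan_results.get(msg["name"], [])}
        if kind == "permission_query":
            return {"type": "permission_info", "app": msg["app"],
                    "allowed": self.app_permissions.get(msg["app"], [])}
        raise ValueError(f"unknown message type {kind!r}")


@dataclass
class AnomalyDeterminationDevice:
    terminal: SimulatedTerminal
    log: list = field(default_factory=list)   # every message sent, for audit

    # Sending module 301 and receiving module 302 collapsed into one exchange.
    def exchange(self, msg):
        self.log.append(msg)
        return self.terminal.handle(msg)

    # Determining module 303.
    @staticmethod
    def services_for(ports):
        return {p: PORT_SERVICES.get(p, "unknown") for p in ports}

    @staticmethod
    def plugins_for(services):
        return sorted({SERVICE_PLUGINS[s] for s in services.values() if s in SERVICE_PLUGINS})

    def run(self):
        reasons = []
        info = self.exchange({"type": "remote_connection_request"})
        services = self.services_for(info["ports"])
        plugins = self.plugins_for(services)
        for name in plugins:
            scan = self.exchange({"type": "plugin", "name": name})
            # A piece of scan information present in the library means: abnormal.
            reasons += [f for f in scan["findings"] if f in ANOMALY_LIBRARY]
        for app, behaviors in info["behaviors"].items():
            perm = self.exchange({"type": "permission_query", "app": app})
            allowed = set(perm["allowed"])
            # Target behavior: observed, but not among the permitted behaviors.
            reasons += [f"{app}: behavior '{b}' exceeds permissions"
                        for b in behaviors if b not in allowed]
        return {"services": services, "plugins": plugins,
                "reasons": reasons, "abnormal": bool(reasons)}


def demo():
    """Runs the device against a constructed terminal and returns the report."""
    terminal = SimulatedTerminal(
        ports=[22, 80, 6379],
        scan_results={"ssh_config_check": ["ssh: key-only login"],
                      "web_scan": ["http: directory index enabled"],
                      "db_auth_check": ["redis: unauthenticated access enabled"]},
        app_behaviors={"notes_app": ["read_contacts", "send_sms"]},
        app_permissions={"notes_app": ["read_contacts"]},
    )
    return AnomalyDeterminationDevice(terminal).run()


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The constructed terminal exposes three ports, so the device maps them to three services, selects the two distinct plug-ins for them plus the SSH check, and flags the two findings that appear in the anomaly library; the SSH finding is not in the library and is ignored. The permission query then surfaces `send_sms` as a behavior outside the application's permissions, so the report ends with three reasons and `abnormal` set.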
Where an integrated unit is used, Figure 7 shows a possible structural diagram of the anomaly determination device involved in the above embodiments. As shown in Figure 7, the anomaly determination device 40 may include a processing module 401 and a communication module 402. The processing module 401 may be used to control and manage the actions of the anomaly determination device 40. The communication module 402 may be used to support communication between the anomaly determination device 40 and other entities. Optionally, as shown in Figure 7, the anomaly determination device 40 may further include a storage module 403 for storing the program code and data of the anomaly determination device 40.
The processing module 401 may be a processor or a controller. The communication module 402 may be a transceiver, a transceiver circuit, a communication interface or the like. The storage module 403 may be a memory.
When the processing module 401 is a processor, the communication module 402 is a transceiver and the storage module 403 is a memory, the processor, transceiver and memory may be connected by a bus. The bus may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on.
Where each functional module corresponds to one function, Figure 8 shows a possible structural diagram of the anomaly determination device involved in the above embodiments. As shown in Figure 8, the anomaly determination device 50 may include a receiving module 501, a sending module 502 and a processing module 503.
The receiving module 501 is configured to receive a remote connection request sent by the server, where the remote connection request requests the establishment of a remote connection with the terminal.
The sending module 502 is configured to send terminal information to the server, where the terminal information includes the port number of the terminal.
The receiving module 501 is further configured to receive the target plug-in sent by the server.
The processing module 503 is configured to perform a security scan on the terminal based on the target plug-in and obtain at least one piece of security scan information.
The sending module is further configured to send the at least one piece of security scan information to the server.
Optionally, the service corresponding to the terminal is a web service, and the terminal information includes multiple URLs corresponding to the web service.
The receiving module 501 is further configured to receive a target string sent by the server, where the target string is a service request corresponding to an abnormal service, and the abnormal service corresponds to a preset string.
The sending module 502 is further configured to send a service response to the server, where the service response indicates whether the abnormal service corresponding to the target string exists on the terminal.
Optionally, the terminal information further includes behavior information of a target application, where the target application is an application installed on the terminal and the behavior information of the target application includes at least one behavior of the target application.
The receiving module 501 is further configured to receive a target permission query request sent by the server, where the target permission query request requests the permission information of the target application, and the permission information includes the behaviors the target application is allowed to execute.
The sending module 502 is further configured to send the permission information of the target application to the server.
Where an integrated unit is used, Figure 9 shows a possible structural diagram of the anomaly determination device involved in the above embodiments. As shown in Figure 9, the anomaly determination device 60 may include a processing module 601 and a communication module 602. The processing module 601 may be used to control and manage the actions of the anomaly determination device 60. The communication module 602 may be used to support communication between the anomaly determination device 60 and other entities. Optionally, as shown in Figure 9, the anomaly determination device 60 may further include a storage module 603 for storing the program code and data of the anomaly determination device 60.
The processing module 601 may be a processor or a controller. The communication module 602 may be a transceiver, a transceiver circuit, a communication interface or the like. The storage module 603 may be a memory.
When the processing module 601 is a processor, the communication module 602 is a transceiver and the storage module 603 is a memory, the processor, transceiver and memory may be connected by a bus. The bus may be a PCI bus, an EISA bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on.
It should be understood that, in the various embodiments of this application, the magnitude of the sequence numbers of the above processes does not imply an order of execution; the execution order of each process should be determined by its function and internal logic and should not constitute any limitation on the implementation of the embodiments of this application.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of this application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented by a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, hard disk or magnetic tape), an optical medium (for example, a DVD), a semiconductor medium (for example, a solid state disk (SSD)) or the like.
The above are only specific embodiments of this application, but the protection scope of this application is not limited thereto. Any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.
Claims (14)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311618906.5A CN117439813A (en) | 2023-11-29 | 2023-11-29 | Anomaly determination method, device, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117439813A true CN117439813A (en) | 2024-01-23 |
Family
ID=89555357
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311618906.5A Pending CN117439813A (en) | 2023-11-29 | 2023-11-29 | Anomaly determination method, device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117439813A (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |