CN113468528A - Malicious device identification method and device, server and storage medium - Google Patents
- Publication number
- CN113468528A (application CN202110732803.6A)
- Authority
- CN
- China
- Prior art keywords
- malicious
- bit
- target
- identification
- bit array
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9014—Indexing; Data structures therefor; Storage structures hash tables
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/903—Querying
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Databases & Information Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Computational Linguistics (AREA)
- Computer And Data Communications (AREA)
Abstract
The application relates to security detection and provides a malicious device identification method and apparatus, a server and a storage medium. The method comprises: acquiring first identification codes of a plurality of malicious devices, a malicious device being a device on which a malicious program for cracking software or tampering with user data is installed; generating a bit array from a preset Bloom algorithm and the plurality of first identification codes, the bit array comprising a plurality of bit values; receiving an access request sent by a terminal device, the access request carrying a second identification code of the terminal device; determining a plurality of target bit values from the bit array according to the second identification code; and identifying, according to the plurality of target bit values, whether the terminal device is a malicious device. The application also relates to blockchain technology. The identification efficiency and accuracy of malicious devices can be improved.
Description
Technical Field
The present application relates to the field of security detection technologies, and in particular, to a malicious device identification method, apparatus, server, and storage medium.
Background
With the development of information technology, terminal devices such as notebooks, desktop computers and smartphones can have many application programs installed, and malicious programs emerge endlessly. A malicious program is typically built so that, when its file is executed, it loads its malicious payload from another source in order to evade existing defence mechanisms. Malicious programs pose a great risk to users, organizations and developers; terminal devices on which such programs are installed are therefore defined as malicious devices. In recent years, with the growth in the number of malicious program samples and the continual improvement of their disguising techniques, detecting malicious devices has become a major problem.
In traditional malicious device detection, a table of malicious device identification codes is queried for a matching entry, or the table is mapped into the memory of the terminal device for lookup. With millions of table entries, however, direct table lookup is slow and consumes a large amount of memory, so the identification efficiency is low.
Disclosure of Invention
The present application mainly aims to provide a malicious device identification method, device, server, and storage medium, and aims to improve the efficiency and accuracy of malicious device identification.
In a first aspect, the present application provides a malicious device identification method, including:
acquiring first identification codes of a plurality of malicious devices, wherein the malicious devices are devices provided with malicious programs for cracking software or tampering user data;
generating a bit array according to a preset bloom algorithm and a plurality of first identification codes, wherein the bit array comprises a plurality of bit values;
receiving an access request sent by terminal equipment, wherein the access request carries a second identification code of the terminal equipment;
determining a plurality of target bit values from the bit array according to the second identification code;
and according to the target bit values, carrying out malicious equipment identification on the terminal equipment.
In a second aspect, the present application further provides a malicious device identification apparatus, where the malicious device identification apparatus includes:
an acquisition module, configured to acquire first identification codes of a plurality of malicious devices, where a malicious device is a device on which a malicious program for cracking software or tampering with user data is installed;
the generating module is used for generating a bit array according to a preset bloom algorithm and the first identification codes, wherein the bit array comprises a plurality of bit numerical values;
the receiving module is used for receiving an access request sent by terminal equipment, wherein the access request carries a second identification code of the terminal equipment;
a determining module, configured to determine a plurality of target bit values from the bit array according to the second identification code;
and the identification module is used for identifying malicious equipment for the terminal equipment according to the target bit values.
In a third aspect, the present application further provides a server, which includes a processor, a memory, and a computer program stored on the memory and executable by the processor, wherein the computer program, when executed by the processor, implements the steps of the malicious device identification method as described above.
In a fourth aspect, the present application further provides a computer-readable storage medium having a computer program stored thereon, where the computer program, when executed by a processor, implements the steps of the malicious device identification method as described above.
The application provides a malicious device identification method and apparatus, a server and a storage medium. First identification codes of a plurality of malicious devices are acquired, a malicious device being a device on which a malicious program for cracking software or tampering with user data is installed; a bit array comprising a plurality of bit values is generated from a preset Bloom algorithm and the plurality of first identification codes; an access request carrying the second identification code of a terminal device is received from that terminal device; a plurality of target bit values are determined from the bit array according to the second identification code; and the terminal device is identified as malicious or not according to those target bit values. Because the identification is made from the target bit values of the bit array, the table of malicious device identification codes does not have to be searched entry by entry, and the identification efficiency and accuracy of malicious devices can be effectively improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flowchart illustrating steps of a malicious device identification method according to an embodiment of the present disclosure;
FIG. 2 is a flow chart illustrating sub-steps of the malicious device identification method in FIG. 1;
FIG. 3 is a schematic diagram of generating a bit array according to the present embodiment;
fig. 4 is a schematic block diagram of a malicious device identification apparatus according to an embodiment of the present disclosure;
fig. 5 is a schematic block diagram of sub-modules of the malicious device identification apparatus in fig. 4;
fig. 6 is a schematic block diagram of a server according to an embodiment of the present disclosure.
The implementation, functional features and advantages of the objectives of the present application will be further explained with reference to the accompanying drawings.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The flow diagrams depicted in the figures are merely illustrative and do not necessarily include all of the elements and operations/steps, nor do they necessarily have to be performed in the order depicted. For example, some operations/steps may be decomposed, combined or partially combined, so that the actual execution sequence may be changed according to the actual situation. In addition, although the division of the functional blocks is made in the device diagram, in some cases, it may be divided in blocks different from those in the device diagram.
The embodiment of the application provides a malicious device identification method and apparatus, a server and a storage medium. The malicious device identification method can be applied to a server, which may be a single server or a server cluster consisting of a plurality of servers.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Referring to fig. 1, fig. 1 is a schematic flowchart illustrating steps of a malicious device identification method according to an embodiment of the present disclosure.
As shown in fig. 1, the malicious device identification method includes steps S101 to S105.
Step S101, first identification codes of a plurality of malicious devices are obtained.
A malicious device is a device on which a malicious program for cracking software or tampering with user data is installed. For example, the malicious program is program code that needs to use user data in a business process and can tamper with or forge that user data at will; the user data includes address-book information, device geographic location, call records and the like. The first identification code is an identifier that uniquely identifies a malicious device, so that each terminal device carrying a malicious program has unique identification information; for example, the first identification code is an MD5 digest, a GUID (Globally Unique Identifier) or a UUID (Universally Unique Identifier).
In one embodiment, the malicious programs are programs for cracking software or otherwise tampering with user data, and illustratively include jailbreak software, meaning software that bypasses many of the restrictions iOS imposes on the device's operating system, thereby giving root access to the underlying operating system. Rogue software refers to software that is difficult to remove, installs itself forcibly, or even interferes with the operation of other software. Malicious programs can bring risky programs and code onto the device, for example trapdoors, logic bombs, Trojan horses, worms, bacteria and viruses, and can interfere with the operation of security software, causing great risk to users, organizations and developers. By identifying the malicious devices on which such programs are installed, the server can reasonably control the risk they bring.
In one embodiment, it is determined whether a malicious program is installed on the terminal device to be detected. If no malicious program is installed, the terminal device is determined to be a safe device. If a malicious program is installed, the terminal device is determined to be a malicious device, its identification code is acquired, and that identification code is stored in a database as the first identification code of the malicious device.
Further, the first identification code of the malicious device may be classified and stored in one database or a plurality of databases. For example, the first identification codes of the malicious devices are stored in a target folder of the database according to the types of the malicious programs, the target folder corresponds to the types of the malicious programs, and the first identification codes corresponding to different types of malicious programs are stored in different folders of the database. For another example, according to the type of the malicious program, the first identification codes of the malicious devices are stored in a target database, the target database corresponds to the type of the malicious program, and the first identification codes corresponding to the different types of malicious programs are stored in different databases, so that the first identification codes of the malicious devices can be subsequently acquired from a target folder or the target database according to the type of the malicious program.
In an embodiment, the terminal device to be detected is an Android client. An application list consisting of the plurality of application programs installed on the Android client is obtained, together with a preset malicious program list comprising a plurality of malicious programs, such as a call-record forgery master, a telephone/SMS forgery expert, string-change software, a ROOT modifier, an SMS modifier and the like. Whether a malicious program is installed on the Android client is determined from the application list and the malicious program list. If one is installed, the identification code of the Android client is acquired and written to the database as the first identification code of a malicious device, so that the first identification codes of malicious devices can be obtained quickly later.
In an embodiment, the first identification code of a malicious device is obtained as follows: the MAC address of the malicious device is acquired, and the first identification code is derived from it. The MAC address may itself serve as the first identification code, or the first identification code may be generated from it; for example, a UUID may be computed from the current timestamp, a random number and the machine's MAC address. The first identification code may of course be obtained in other ways, which are not detailed in this embodiment.
In an embodiment, the terminal device to be detected is an iOS client. A target folder of the iOS client and the subfolders under it are traversed, the target folder being one or more folders that hold application installation packages, for example the folders on the Application or Library path. The file names of the subfolders in the traversal result are obtained, together with a plurality of preconfigured check-item lists for jailbreak software, for example "cydia.app", "limera1n.app", "greenpois0n.app", "blackra1n.app", "blacksn0w.app", "redsn0w.app", "MobileSubstrate" and the like. From the check-item lists and the subfolder names it is determined whether jailbreak software is installed on the iOS client, that is, whether a check-item list contains at least one of the subfolders under the target folder. An iOS client on which jailbreak software is installed has had third-party software and patches installed during jailbreaking, through which malicious programs can be installed.
It should be noted that an iOS client on which jailbreak software is installed has third-party software and patches installed during jailbreaking; it can bypass the vendor's payment mechanism so that a user obtains in-app store items freely, install cracked versions of apps, and perform other malicious operations. Such an iOS client can therefore be treated directly as a malicious device, which prevents jailbroken iOS clients from causing losses to developers.
The keychain of the iOS client is checked for a stored identification code of the currently running software. If none is stored, the identification code of the currently running software is generated and persisted in the keychain, giving the first identification code of the malicious device; if one is stored, it is read from the keychain as the first identification code. Persisting the identification code in the keychain after it is generated prevents a different first identification code from being produced when the app is deleted and reinstalled, and lets the first identification code be read directly from the keychain.
It should be noted that, to further ensure the privacy and security of information related to the first identification code, such as the bit array generated from it, that information may also be stored in a node of a blockchain. A blockchain is essentially a decentralized database: a chain of data blocks linked by cryptographic methods, each block containing the information of a batch of network transactions and used to verify the validity (tamper-resistance) of that information and to generate the next block. A blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer and the like.
Step S102, generating a bit array according to a preset bloom algorithm and a plurality of first identification codes, wherein the bit array comprises a plurality of bit values.
Based on a preset Bloom algorithm, that is, a Bloom filter, the server generates a bit array corresponding to the plurality of first identification codes. The bit array comprises a plurality of bit values; each bit value is either a preset identifier or a target identifier, and optionally the preset identifier is 0 and the target identifier is 1.
In one embodiment, as shown in fig. 2, step S102 includes sub-steps S1021 to S1024.
Sub-step S1021: determining the number of bits of the bit array to be generated according to the number of first identification codes and a preset expected false-positive rate.
Illustratively, a plurality of first identification codes are obtained from the database; their number is n and the preset expected false-positive rate is p. The rate p can be set flexibly, optionally p = 0.3‰ (0.0003). The number of bits m of the bit array to be generated is determined from n and p as $m = -n \ln p / (\ln 2)^2$, where $\ln$ is the natural logarithm (with p = 0.0003 this is about 16.9 bits per first identification code).
Sub-step S1022: creating an initial bit array comprising that number of preset identifiers.
Illustratively, an initial bit array of length m is created from the number of bits m; its m elements are all the preset identifier 0, so the initial bit array consists of m zeros.
Sub-step S1023: calculating a first hash value of each first identification code with a preset hash function.
The preset hash function is a hash function with good performance and distribution, such as MurmurHash or FNV, though other hash functions may be used. Distinct first identification codes yield distinct first hash values (with overwhelming probability; two codes that collided would be indistinguishable in the bit array). The first hash value is, for example, 128 bits long, which is not specifically limited in this embodiment.
Sub-step S1024: modifying a plurality of preset identifiers in the initial bit array according to the first hash value of each first identification code to obtain the bit array.
For each first identification code, the preset identifiers at the bit positions pointed to by its first hash value are modified. Each first hash value points to a plurality of bit positions, so the preset identifiers at all of those positions are changed to the target identifier, yielding the bit array.
In an embodiment, the first hash value of a first identification code is split into a second hash value formed by its high-order bytes and a third hash value formed by its low-order bytes. The absolute value of the second hash value is taken and reduced modulo the number of bits to obtain a target remainder. The first bit position corresponding to the target remainder is located in the initial bit array, the preset identifier at that position is changed to the target identifier, and the current modification count is recorded. The target modification count of the first identification code is determined; if the current count is below the target count, the third hash value is added to the second hash value to obtain an updated second hash value, and the absolute-value and modulo steps are repeated with the updated value to obtain the next target remainder, until the recorded current modification count equals the target count. Doing this for every first identification code generates the bit array. Identifying malicious devices with the bit array removes the need to search the malicious device identification code table entry by entry, which effectively improves the efficiency and accuracy of malicious device identification.
Determining the target modification count of a first identification code comprises determining it from the number of first identification codes and the number of bits of the bit array. For example, if the number of first identification codes is n and the number of bits of the bit array is m, the target modification count k is $k = (m / n) \ln 2$, rounded to an integer.
For example, referring to fig. 3, the first hash value of first identification code A is 128 bits long. It is split into two hash values, the high 64 bits and the low 64 bits, giving the second and third hash values. The absolute value of the second hash value (the high 64 bits) is taken and reduced modulo the number of bits m of the bit array, giving target remainder 1. First bit position 1, corresponding to target remainder 1, is located in the initial bit array, the preset identifier 0 there is changed to the target identifier 1, and the current modification count is recorded as 1. If the target modification count is determined to be 3, the third hash value (the low 64 bits) is added to the second hash value to obtain an updated second hash value, and the modulo operation is repeated with it, giving target remainder 4; the preset identifier 0 at first bit position 4 is changed to the target identifier 1 and the current modification count is recorded as 2. Since the current count has not yet reached the target count, the second hash value is updated once more and the modulo operation repeated, giving target remainder 7; the preset identifier 0 at first bit position 7 is changed to the target identifier 1 and the current modification count is recorded as 3. The first bit positions corresponding to first identification code A are thus positions 1, 4 and 7.
The preset identifiers in the initial bit array are modified in this way not only for first identification code A but for every first identification code obtained from the database; once the preset identifiers at the first bit positions of every first identification code have been changed to the target identifier, the bit array is obtained.
In an embodiment, after the bit array is generated, at any point in the implementation the proportion of bit values in the bit array that equal the target identifier is determined; if the proportion is greater than or equal to a preset proportion, the capacity of the bit array is expanded to obtain an updated bit array. The preset proportion can be set flexibly according to actual conditions; optionally it is 50%. Expanding the bit array keeps the proportion of target identifiers from becoming too large and so maintains the accuracy of malicious device identification, since the false-positive rate of the bit array rises with the proportion of bits set to the target identifier.
Further, the bit array is expanded as follows: the plurality of first identification codes continue to be entered into the database or folder that stores them, so that the number n of first identification codes grows; since the number of bits m of the bit array generated from them grows with n, regenerating the bit array provides more bit positions and keeps the proportion of target identifiers from becoming too large.
Step S103, receiving an access request sent by the terminal equipment, wherein the access request carries a second identification code of the terminal equipment.
When the terminal device runs application software that needs to access the server, it generates an access request to the server carrying the second identification code of the terminal device. For example, when the application software running on the terminal device needs a data resource, a request for that data resource is generated and sent to the server, and the request carries the identification code of the application software on the terminal device.
The server receives the access request sent by the terminal device and extracts the second identification code from it; the second identification code is, for example, the identification code of the application software currently running on the terminal device.
In one embodiment, the access request carries type information of the application software currently running on the terminal device, and the server determines the corresponding bit array from that type information; alternatively, the server determines from the type information the first identification codes of the corresponding malicious devices and generates a bit array comprising a plurality of bit values from them. It should be noted that the first identification codes for different types of malicious program are stored in different target folders or target databases; obtaining the first identification codes from the folder or database matching the type information of the application software, and generating the bit array from them, greatly improves the efficiency and accuracy of identifying malicious devices with the bit array.
And step S104, determining a plurality of target bit values from the bit array according to the second identification code.
After the server acquires the second identification code carried by the access request, a plurality of target bit values corresponding to the second identification code are determined from the bit array according to the second identification code, so that whether the terminal equipment sending the access request is malicious equipment or not is determined according to the plurality of target bit values.
In one embodiment, a plurality of second bit positions corresponding to the second identification code are determined according to a preset bloom algorithm and the second identification code; determining a bit value at each second bit position in the bit array to obtain a plurality of target bit values. The specific step of determining the plurality of second bit positions corresponding to the second identification code according to the preset bloom algorithm and the second identification code may refer to the step of determining the plurality of target bit positions in step S102, and is not described herein again.
Illustratively, a first hash value of the second identification code is calculated and divided into a fourth hash value (the high-order bytes) and a fifth hash value (the low-order bytes). The target modification times of the second identification code are determined; the target modification times can be understood as the number of second bit positions corresponding to the second identification code. Target hash values, as many as the target modification times, are generated from the fourth and fifth hash values by accumulation: the fifth hash value is added once per step to the fourth hash value, so the first target hash value is the fourth hash value, the second target hash value is the sum of the fourth and fifth hash values, and so on until the fifth hash value has been added n-1 times, where n is the target modification times. The absolute value of each target hash value is taken and the remainder of dividing it by the bit number of the bit array is computed, giving a plurality of target remainders; the second bit positions corresponding to these target remainders are located in the bit array, and the bit value at each second bit position is read to obtain the plurality of target bit values.
And S105, carrying out malicious equipment identification on the terminal equipment according to the plurality of target bit values.
According to the target bit values at the second bit positions corresponding to the second identification code, malicious device identification is performed on the terminal device to obtain an identification result: either the terminal device belongs to malicious devices or it does not.
In one embodiment, it is determined whether the plurality of target bit values are all target identifiers; if so, the terminal device is determined to belong to malicious devices; if at least one target bit value is not the target identifier, the terminal device is determined not to belong to malicious devices. Because malicious devices are identified through a plurality of target bit values of the bit array, the malicious device identification code table does not need to be searched entry by entry, which effectively improves the efficiency and accuracy of malicious device identification.
For example, if the target bit values are all target identifiers, the second identification code of the terminal device has "fallen into the library", that is, it is stored in the preset database or folder and is one of the first identification codes of the malicious devices, and the identification result is that the terminal device belongs to malicious devices. If at least one target bit value is not the target identifier, that is, at least one of the target bit values is still the preset identifier, the second identification code of the terminal device has not fallen into the library and is not any of the first identification codes of the malicious devices, and the identification result is that the terminal device does not belong to malicious devices.
In an embodiment, after malicious device identification is performed on the terminal device according to the plurality of target bit values, the method further includes: if the terminal device is determined to belong to malicious devices, stopping responding to the access request sent by the terminal device and adding the second identification code of the terminal device to the first identification codes of the multiple malicious devices; and if the terminal device is determined not to belong to malicious devices, responding to the access request by generating a data packet according to the access request and returning the data packet to the terminal device. It should be noted that when the terminal device is determined to belong to malicious devices, the access request is not responded to and the second identification code is added to the first identification codes of the multiple malicious devices, which increases the number of samples of first identification codes, so that the bit array regenerated subsequently identifies malicious devices more accurately.
In the method for identifying malicious devices provided by the embodiment, the first identification codes of a plurality of malicious devices are obtained, and the malicious devices are devices provided with malicious programs for cracking software or tampering user data; generating a bit array according to a preset bloom algorithm and a plurality of first identification codes, wherein the bit array comprises a plurality of bit values; receiving an access request sent by the terminal equipment, wherein the access request carries a second identification code of the terminal equipment; determining a plurality of target bit values from the bit array according to the second identification code; according to the target bit values, malicious equipment is identified for the terminal equipment, the target bit values of the bit array are used for identifying the malicious equipment, the malicious equipment identification code table is not required to be searched one by one, and the identification efficiency and accuracy of the malicious equipment can be effectively improved.
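The following Python block is an added example, not code from the patent or its applicant. It walks through the method as described: sizing the bit array from the sample size and the expected false positive rate (step S102), splitting each identification code's first hash value into a high-order and a low-order half and accumulating the low half to obtain the target remainders, reading the target bit values for a second identification code (step S104), the all-bits-set decision (step S105), refusing the request and adding the second identification code to the sample, and the fill-ratio expansion from the later embodiment. Assumptions, all labelled in the code: the "preset hash function" is the first 64 bits of SHA-256 with the halves read as signed 32-bit integers (so that the absolute value step has an effect), the bit number and target modification times follow the standard Bloom-filter formulas, and expansion doubles the capacity. The identification codes are constructed sample values.

```python
"""Bloom-filter blocklist of malicious device identification codes (added example)."""
import hashlib
import math
from typing import Dict, List, Tuple


def bit_number_for(n_codes: int, expected_fpr: float) -> int:
    """Bit number m from the sample size n and the expected false positive rate p.
    Assumption: the standard Bloom sizing m = -n ln p / (ln 2)^2."""
    return math.ceil(-n_codes * math.log(expected_fpr) / (math.log(2) ** 2))


def modification_times_for(bit_number: int, n_codes: int) -> int:
    """Target modification times k (bit positions per code).
    Assumption: k = round(m / n * ln 2), the standard optimum."""
    return max(1, round(bit_number / n_codes * math.log(2)))


def _to_signed32(value: int) -> int:
    """Reinterpret the low 32 bits as a signed integer (as a Java int would be)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def split_first_hash(identifier: str) -> Tuple[int, int]:
    """First hash value of a code, divided into its high-order and low-order halves.
    Assumption: the preset hash function is the first 64 bits of SHA-256."""
    first_hash = int.from_bytes(
        hashlib.sha256(identifier.encode("utf-8")).digest()[:8], "big")
    return _to_signed32(first_hash >> 32), _to_signed32(first_hash)


def bit_positions(identifier: str, bit_number: int, times: int) -> List[int]:
    """Start from the high-order half, add the low-order half once per step,
    and take abs(value) mod bit_number as each target remainder."""
    high, low = split_first_hash(identifier)
    positions, combined = [], high
    for _ in range(times):
        positions.append(abs(combined) % bit_number)
        combined += low  # next target hash value
    return positions


class MaliciousDeviceFilter:
    """Bit array generated from the first identification codes, plus the stored
    sample of codes that a regeneration (expansion) needs."""

    def __init__(self, expected_codes: int, expected_fpr: float = 0.01) -> None:
        self.expected_codes = expected_codes
        self.expected_fpr = expected_fpr
        self.bit_number = bit_number_for(expected_codes, expected_fpr)
        self.times = modification_times_for(self.bit_number, expected_codes)
        self.bits = bytearray(self.bit_number)  # preset identifier 0 at every position
        self.first_codes: set = set()

    def add(self, code: str) -> None:
        """Modify the preset identifiers at the code's positions to the target identifier 1."""
        for pos in bit_positions(code, self.bit_number, self.times):
            self.bits[pos] = 1
        self.first_codes.add(code)

    def target_bit_values(self, code: str) -> List[int]:
        """Read the bit value at each second bit position of the code."""
        return [self.bits[p] for p in bit_positions(code, self.bit_number, self.times)]

    def is_malicious(self, code: str) -> bool:
        """Malicious only if every target bit value is the target identifier."""
        return all(v == 1 for v in self.target_bit_values(code))

    def fill_ratio(self) -> float:
        """Proportion of bit values in the array equal to the target identifier."""
        return sum(self.bits) / self.bit_number

    def expand_if_needed(self, preset_ratio: float = 0.5) -> bool:
        """Expand once the fill ratio reaches the preset ratio. A Bloom bit array
        cannot grow in place, so it is regenerated from the stored sample with
        a larger capacity (assumption: doubled)."""
        if self.fill_ratio() < preset_ratio:
            return False
        codes = self.first_codes
        self.__init__(2 * max(self.expected_codes, len(codes)), self.expected_fpr)
        for code in codes:
            self.add(code)
        return True


def handle_access_request(filt: MaliciousDeviceFilter, request: Dict[str, str]) -> Dict[str, object]:
    """Server side of steps S103 to S105: refuse and record, or respond."""
    second_code = request["identification_code"]
    if filt.is_malicious(second_code):
        filt.add(second_code)  # joins the sample used for the next regeneration
        return {"responded": False, "reason": "malicious device"}
    return {"responded": True, "data": "resource " + request["resource"]}


if __name__ == "__main__":
    f = MaliciousDeviceFilter(expected_codes=1000, expected_fpr=0.01)
    for code in ("dev-0001", "dev-0002", "dev-0003"):  # constructed sample codes
        f.add(code)
    print(handle_access_request(f, {"identification_code": "dev-0002", "resource": "/r"}))
    print(handle_access_request(f, {"identification_code": "dev-9999", "resource": "/r"}))
```

Two design points follow from the structure rather than from the patent text. First, the expected false positive rate that sizes the array is exactly the chance that a benign device's code hashes onto positions that are all already set; if such a device is then added to the sample, the false positive becomes permanent on the next regeneration, so a deployment would want a confirmation step or an expiry before promoting a code into the first identification codes. Second, when the low-order half of the hash is zero, every accumulated target hash value is the same and the code only occupies one bit position; double-hashing implementations usually force that half to be odd, which the code above does not do because the text does not describe it.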
Referring to fig. 4, fig. 4 is a schematic block diagram of a malicious device identification apparatus according to an embodiment of the present disclosure.
As shown in fig. 4, the malicious device identification apparatus 200 includes: the device comprises an acquisition module 201, a generation module 202, a receiving module 203, a determination module 204 and an identification module 205.
An obtaining module 201, configured to obtain first identification codes of multiple malicious devices, where the malicious devices are devices in which malicious programs used to crack software or tamper user data are installed;
a generating module 202, configured to generate a bit array according to a preset bloom algorithm and a plurality of the first identification codes, where the bit array includes a plurality of bit values;
a receiving module 203, configured to receive an access request sent by a terminal device, where the access request carries a second identification code of the terminal device;
a determining module 204, configured to determine a plurality of target bit values from the bit array according to the second identification code;
an identifying module 205, configured to perform malicious device identification on the terminal device according to the plurality of target bit values.
In one embodiment, as shown in FIG. 5, the generation module 202 includes:
the determining submodule 2021 is configured to determine, according to the number of the plurality of first identification codes and a preset expected false positive rate, a bit number of a bit array to be generated;
the creating submodule 2022 is configured to create an initial bit array, where the initial bit array includes a preset identifier of the bit number;
the calculating sub-module 2023 is configured to calculate a first hash value of each first identification code by using a preset hash function;
the modifying submodule 2024 is configured to modify, according to the first hash value of each first identifier, the plurality of preset identifiers in the initial bit array to obtain a bit array.
In one embodiment, the generation module 202 is further configured to:
dividing the first hash value of the first identification code to obtain a second hash value of a high-order byte and a third hash value of a low-order byte;
calculating the absolute value of the second hash value, and performing remainder operation on the absolute value of the second hash value and the bit number to obtain a target remainder;
determining a first bit position corresponding to the target remainder in the initial bit array, modifying a preset identifier of the first bit position into a target identifier, and recording the current modification times;
determining the target modification times of the first identification code, and if the current modification times are smaller than the target modification times, adding the second hash value and a third hash value to obtain an updated second hash value;
and continuing, with the updated second hash value, to calculate the absolute value of the second hash value and take the remainder of dividing it by the bit number to obtain a target remainder, until the recorded current modification times equal the target modification times, thereby generating the bit array.
In one embodiment, the determination module 204 is further configured to:
determining a plurality of second bit positions corresponding to the second identification code according to a preset bloom algorithm and the second identification code;
and determining the bit value at each second bit position in the bit array to obtain a plurality of target bit values.
In one embodiment, the determination module 204 is further configured to:
determining whether a plurality of the target bit values are all target identifications;
if the target bit values are all target identifications, determining that the terminal equipment belongs to malicious equipment;
and if at least one target bit value is not the target identifier, determining that the terminal equipment does not belong to malicious equipment.
In one embodiment, the determination module 204 is further configured to:
and if the terminal equipment is determined to belong to the malicious equipment, stopping responding to the access request sent by the terminal equipment, and adding the second identification code of the terminal equipment into the first identification codes of the malicious equipment.
In one embodiment, the generation module 202 is further configured to:
determining the proportion of bit values in the bit array that are the target identifier;
and if the proportion is greater than or equal to a preset proportion, expanding the bit array to obtain an updated bit array.
It should be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the apparatus and each module and unit described above may refer to corresponding processes in the foregoing malicious device identification method embodiment, and details are not described herein again.
The apparatus provided by the above embodiment may be implemented in a form of a computer program, and the computer program may be run on a server as shown in fig. 6.
Referring to fig. 6, fig. 6 is a schematic block diagram of a server according to an embodiment of the present disclosure.
As shown in fig. 6, the server includes a processor, a memory and a network interface connected by a system bus, where the memory may include a storage medium and an internal memory, and the storage medium may be nonvolatile or volatile.
The storage medium may store an operating system and a computer program. The computer program includes program instructions that, when executed, cause a processor to perform any one of the malicious device identification methods.
The processor is used for providing calculation and control capacity and supporting the operation of the whole server.
The internal memory provides an environment for the execution of a computer program on a storage medium, which when executed by a processor causes the processor to perform any one of the malicious device identification methods.
The network interface is used for network communication, such as sending assigned tasks. Those skilled in the art will appreciate that the architecture shown in fig. 6 is a block diagram of only the portion of the architecture relevant to the present application and does not limit the servers to which the present application applies; a particular server may include more or fewer components than those shown, may combine certain components, or may arrange them differently.
It should be understood that the processor may be a Central Processing Unit (CPU), or another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor.
Wherein, in one embodiment, the processor is configured to execute a computer program stored in the memory to implement the steps of:
acquiring first identification codes of a plurality of malicious devices, wherein the malicious devices are devices provided with malicious programs for cracking software or tampering user data;
generating a bit array according to a preset bloom algorithm and a plurality of first identification codes, wherein the bit array comprises a plurality of bit values;
receiving an access request sent by terminal equipment, wherein the access request carries a second identification code of the terminal equipment;
determining a plurality of target bit values from the bit array according to the second identification code;
and according to the target bit values, carrying out malicious equipment identification on the terminal equipment.
In one embodiment, the processor, when implementing the generating of the bit array according to the preset bloom algorithm and the plurality of first identification codes, is configured to implement:
determining the bit number of a bit array to be generated according to the number of the first identification codes and a preset expected false positive rate;
creating an initial bit array, wherein the initial bit array comprises a preset identifier of the bit number;
calculating a first hash value of each first identification code through a preset hash function;
and modifying the plurality of preset identifications in the initial bit array according to the first hash value of each first identification code to obtain a bit array.
In an embodiment, when implementing the modifying of the plurality of preset identifiers in the initial bit array according to the first hash value of each first identification code to obtain a bit array, the processor is configured to implement:
dividing the first hash value of the first identification code to obtain a second hash value of a high-order byte and a third hash value of a low-order byte;
calculating the absolute value of the second hash value, and performing remainder operation on the absolute value of the second hash value and the bit number to obtain a target remainder;
determining a first bit position corresponding to the target remainder in the initial bit array, modifying a preset identifier of the first bit position into a target identifier, and recording the current modification times;
determining the target modification times of the first identification code, and if the current modification times are smaller than the target modification times, adding the second hash value and a third hash value to obtain an updated second hash value;
and continuing, with the updated second hash value, to calculate the absolute value of the second hash value and take the remainder of dividing it by the bit number to obtain a target remainder, until the recorded current modification times equal the target modification times, thereby generating the bit array.
In one embodiment, the processor, in implementing the determining a plurality of target bit values from the bit array based on the second identification code, is configured to implement:
determining a plurality of second bit positions corresponding to the second identification code according to a preset bloom algorithm and the second identification code;
and determining the bit value at each second bit position in the bit array to obtain a plurality of target bit values.
In an embodiment, when implementing the malicious device identification on the terminal device according to the plurality of target bit values, the processor is configured to implement:
determining whether a plurality of the target bit values are all target identifications;
if the target bit values are all target identifications, determining that the terminal equipment belongs to malicious equipment;
and if at least one target bit value is not the target identifier, determining that the terminal equipment does not belong to malicious equipment.
In one embodiment, after the performing malicious device identification on the terminal device according to the plurality of target bit values, the processor is further configured to perform:
and if the terminal equipment is determined to belong to the malicious equipment, stopping responding to the access request sent by the terminal equipment, and adding the second identification code of the terminal equipment into the first identification codes of the malicious equipment.
In one embodiment, the processor is further configured to implement:
determining the proportion of bit values in the bit array that are the target identifier;
and if the proportion is greater than or equal to a preset proportion, expanding the bit array to obtain an updated bit array.
It should be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the server described above may refer to a corresponding process in the foregoing malicious device identification method embodiment, and details are not described herein again.
Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, where the computer program includes program instructions, and a method implemented when the program instructions are executed may refer to various embodiments of the malicious device identification method in the present application.
The computer-readable storage medium may be an internal storage unit of the server according to the foregoing embodiment, for example, a hard disk or a memory of the server. The computer readable storage medium may also be an external storage device of the server, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like provided on the server.
It is to be understood that the terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments. While the invention has been described with reference to specific embodiments, the scope of the invention is not limited thereto, and those skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the invention. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A malicious device identification method, comprising:
acquiring first identification codes of a plurality of malicious devices, wherein the malicious devices are devices provided with malicious programs for cracking software or tampering user data;
generating a bit array according to a preset bloom algorithm and a plurality of first identification codes, wherein the bit array comprises a plurality of bit values;
receiving an access request sent by terminal equipment, wherein the access request carries a second identification code of the terminal equipment;
determining a plurality of target bit values from the bit array according to the second identification code;
and according to the target bit values, carrying out malicious equipment identification on the terminal equipment.
2. The malicious device identification method according to claim 1, wherein the generating a bit array according to a preset bloom algorithm and a plurality of the first identification codes includes:
determining the bit number of a bit array to be generated according to the number of the first identification codes and a preset expected false positive rate;
creating an initial bit array, wherein the initial bit array comprises a preset identifier of the bit number;
calculating a first hash value of each first identification code through a preset hash function;
and modifying the plurality of preset identifications in the initial bit array according to the first hash value of each first identification code to obtain a bit array.
3. The method for identifying malicious equipment according to claim 2, wherein the modifying the plurality of preset identifiers in the initial bit array according to the first hash value of each of the first identification codes to obtain a bit array comprises:
dividing the first hash value of the first identification code to obtain a second hash value of a high-order byte and a third hash value of a low-order byte;
calculating the absolute value of the second hash value, and performing remainder operation on the absolute value of the second hash value and the bit number to obtain a target remainder;
determining a first bit position corresponding to the target remainder in the initial bit array, modifying a preset identifier of the first bit position into a target identifier, and recording the current modification times;
determining the target modification times of the first identification code, and if the current modification times are smaller than the target modification times, adding the second hash value and a third hash value to obtain an updated second hash value;
and continuing, with the updated second hash value, to calculate the absolute value of the second hash value and take the remainder of dividing it by the bit number to obtain a target remainder, until the recorded current modification times equal the target modification times, thereby generating the bit array.
4. The malicious device identification method according to any one of claims 1 to 3, wherein determining a plurality of target bit values from the bit array according to the second identification code includes:
determining a plurality of second bit positions corresponding to the second identification code according to a preset bloom algorithm and the second identification code;
and determining the bit value at each second bit position in the bit array to obtain a plurality of target bit values.
5. The method for identifying malicious equipment according to claim 4, wherein the identifying the malicious equipment for the terminal device according to the plurality of target bit values comprises:
determining whether a plurality of the target bit values are all target identifications;
if the target bit values are all target identifications, determining that the terminal equipment belongs to malicious equipment;
and if at least one target bit value is not the target identifier, determining that the terminal equipment does not belong to malicious equipment.
6. The method for identifying malicious equipment according to claim 5, wherein after identifying the malicious equipment for the terminal device according to the plurality of target bit values, the method further comprises:
and if the terminal equipment is determined to belong to the malicious equipment, stopping responding to the access request sent by the terminal equipment, and adding the second identification code of the terminal equipment into the first identification codes of the malicious equipment.
7. A malicious device identification method according to any one of claims 1 to 3, wherein the method further includes:
determining the proportion of bit values in the bit array that are the target identifier;
and if the proportion is greater than or equal to a preset proportion, expanding the bit array to obtain an updated bit array.
8. A malicious device identification apparatus, comprising:
an acquisition module, configured to acquire first identification codes of a plurality of malicious devices, where the malicious devices are devices provided with malicious programs used for cracking software or tampering with user data;
the generating module is used for generating a bit array according to a preset bloom algorithm and the first identification codes, wherein the bit array comprises a plurality of bit numerical values;
the receiving module is used for receiving an access request sent by terminal equipment, wherein the access request carries a second identification code of the terminal equipment;
a determining module, configured to determine a plurality of target bit values from the bit array according to the second identification code;
and the identification module is used for identifying malicious equipment for the terminal equipment according to the target bit values.
9. A server, characterized in that the server comprises a processor, a memory, and a computer program stored on the memory and executable by the processor, wherein the computer program, when executed by the processor, implements the steps of the malicious device identification method according to any one of claims 1 to 7.
10. A computer-readable storage medium, having a computer program stored thereon, wherein the computer program, when executed by a processor, performs the steps of the malicious device identification method as claimed in any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110732803.6A CN113468528A (en) | 2021-06-29 | 2021-06-29 | Malicious device identification method and device, server and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113468528A true CN113468528A (en) | 2021-10-01 |
Family
ID=77874019
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110732803.6A Pending CN113468528A (en) | 2021-06-29 | 2021-06-29 | Malicious device identification method and device, server and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113468528A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI858869B (en) * | 2023-08-16 | 2024-10-11 | 臺灣中小企業銀行股份有限公司 | System and method for counterfeit detection of applications on ios |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060242712A1 (en) * | 2005-04-22 | 2006-10-26 | Linn Christopher S | Security methods and systems |
CN103970744A (en) * | 2013-01-25 | 2014-08-06 | 华中科技大学 | Extendible repeated data detection method |
CN106549974A (en) * | 2016-12-06 | 2017-03-29 | 北京知道创宇信息技术有限公司 | Prediction the social network account whether equipment of malice, method and system |
US9807092B1 (en) * | 2013-07-05 | 2017-10-31 | Dcs7, Llc | Systems and methods for classification of internet devices as hostile or benign |
CN110399557A (en) * | 2019-07-24 | 2019-11-01 | 秒针信息技术有限公司 | A kind of recognition methods of visitor information, identification device and readable storage medium storing program for executing |
CN111368297A (en) * | 2020-02-02 | 2020-07-03 | 西安电子科技大学 | Privacy protection mobile malware detection method, system, storage medium and application |
CN112084501A (en) * | 2020-09-18 | 2020-12-15 | 珠海豹趣科技有限公司 | Malicious program detection method and device, electronic device and storage medium |
CN112527433A (en) * | 2020-12-08 | 2021-03-19 | 平安科技(深圳)有限公司 | Page popup control method and device, computer equipment and storage medium |
CN112612953A (en) * | 2020-12-18 | 2021-04-06 | 平安普惠企业管理有限公司 | Request identification method based on feature identification and related equipment |
CN112711696A (en) * | 2020-12-30 | 2021-04-27 | 平安普惠企业管理有限公司 | Request access method, device, electronic equipment and storage medium |
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060242712A1 (en) * | 2005-04-22 | 2006-10-26 | Linn Christopher S | Security methods and systems |
CN103970744A (en) * | 2013-01-25 | 2014-08-06 | 华中科技大学 | Extendible repeated data detection method |
US9807092B1 (en) * | 2013-07-05 | 2017-10-31 | Dcs7, Llc | Systems and methods for classification of internet devices as hostile or benign |
CN106549974A (en) * | 2016-12-06 | 2017-03-29 | 北京知道创宇信息技术有限公司 | Prediction the social network account whether equipment of malice, method and system |
CN110399557A (en) * | 2019-07-24 | 2019-11-01 | 秒针信息技术有限公司 | A kind of recognition methods of visitor information, identification device and readable storage medium storing program for executing |
CN111368297A (en) * | 2020-02-02 | 2020-07-03 | 西安电子科技大学 | Privacy protection mobile malware detection method, system, storage medium and application |
CN112084501A (en) * | 2020-09-18 | 2020-12-15 | 珠海豹趣科技有限公司 | Malicious program detection method and device, electronic device and storage medium |
CN112527433A (en) * | 2020-12-08 | 2021-03-19 | 平安科技(深圳)有限公司 | Page popup control method and device, computer equipment and storage medium |
CN112612953A (en) * | 2020-12-18 | 2021-04-06 | 平安普惠企业管理有限公司 | Request identification method based on feature identification and related equipment |
CN112711696A (en) * | 2020-12-30 | 2021-04-27 | 平安普惠企业管理有限公司 | Request access method, device, electronic equipment and storage medium |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI858869B (en) * | 2023-08-16 | 2024-10-11 | 臺灣中小企業銀行股份有限公司 | System and method for counterfeit detection of applications on iOS |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108446407B (en) | Database auditing method and device based on block chain | |
CN113489713B (en) | Network attack detection method, device, equipment and storage medium | |
CN108351946B (en) | System and method for anonymizing log entries | |
US9571509B1 (en) | Systems and methods for identifying variants of samples based on similarity analysis | |
US8413130B2 (en) | System and method for self policing of authorized configuration by end points | |
CN104025107A (en) | Fuzzy whitelisting anti-malware systems and methods | |
JP2019523952A (en) | Streaming data distributed processing method and apparatus | |
CN112001376B (en) | Fingerprint identification method, device, equipment and storage medium based on open source component | |
CN110990844B (en) | Cloud data protection method based on kernel, cloud server and system | |
US10296743B2 (en) | Method and device for constructing APK virus signature database and APK virus detection system | |
CN110543516A (en) | Intelligent contract processing method, device, computer equipment and storage medium | |
US10705829B2 (en) | Software discovery using exclusion | |
US20200302065A1 (en) | Creating a secure searchable path by hashing each component of the path | |
CN113434122A (en) | Multi-role page creation method and device, server and readable storage medium | |
Fu et al. | Data correlation‐based analysis methods for automatic memory forensic | |
KR20160099160A (en) | Method of modelling behavior pattern of instruction set in n-gram manner, computing device operating with the method, and program stored in storage medium configured to execute the method in computing device | |
US10742668B2 (en) | Network attack pattern determination apparatus, determination method, and non-transitory computer readable storage medium thereof | |
CN113468528A (en) | Malicious device identification method and device, server and storage medium | |
CN112347477A (en) | Family variant malicious file mining method and device | |
CN111124467B (en) | Authority role display method, system, computer equipment and readable storage medium | |
CN117034360A (en) | File disclosure risk detection method, equipment, storage medium and device | |
CN114003911A (en) | Virus defense method and device, electronic equipment and storage medium | |
CN108959486B (en) | Audit field information acquisition method and device, computer equipment and storage medium | |
CN112637218A (en) | Method, device, terminal and storage medium for configuring domain name white list | |
CN115186255B (en) | Industrial host white list extraction method and device, terminal device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | AD01 | Patent right deemed abandoned | Effective date of abandoning: 20240517 |