Data detection method and apparatus, device, and storage medium
By arranging decoding indication information for each data block type, the data blocks are segmented and decoded, solving the problem of inaccurate decoding results caused by a single decoding method and achieving higher accuracy in security detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- TENCENT TECHNOLOGY (SHENZHEN) CO LTD
- Filing Date
- 2022-07-01
- Publication Date
- 2026-06-19
AI Technical Summary
In existing technologies, when using a single decoding method to decode data, it is impossible to correctly restore the data before encoding, resulting in a decrease in the accuracy of the decoding results and affecting the accuracy of subsequent security detection.
For each data block type, corresponding decoding instruction information is arranged. Through data block segmentation and decoding processing, the decoding result under each data block type is obtained, and security detection is performed according to the detection strategy.
This improved the accuracy of decoding results and enhanced the accuracy of data security detection.
Smart Images

Figure CN117375865B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a data detection method, apparatus, device, and storage medium. Background Technology
[0002] Currently, with the continuous development of computer technology, security protection systems (such as Web (World Wide Web) protection systems) have been widely used. These systems typically decode message data using a series of decoding methods and then perform security checks on the decoded results to obtain the detection outcome. However, existing technologies usually use a single decoding method to decode the entire data. This can lead to situations where the original data cannot be correctly reconstructed, resulting in reduced accuracy of the decoding results and affecting the accuracy of subsequent security detection. Therefore, improving the accuracy of data security detection has become a research hotspot. Summary of the Invention
[0003] This application provides a data detection method, apparatus, device, and storage medium. Based on decoding instruction information arranged for each data block type, the corresponding data block is decoded, which effectively improves the accuracy of the decoding results and thus effectively enhances the accuracy of data security detection.
[0004] On one hand, embodiments of this application provide a data detection method, the method comprising:
[0005] The target data packet to be detected is acquired, and one or more detection strategies and the data block types corresponding to each detection strategy are determined. Each determined data block type is arranged with corresponding decoding indication information.
[0006] According to the data block segmentation strategy corresponding to each data block type, the target data packet is segmented to obtain data blocks under each data block type;
[0007] Based on the decoding instruction information arranged for each data block type, the corresponding data block is decoded to obtain the decoding result of the data block under each data block type;
[0008] According to the detection strategy corresponding to each data block type, the decoding results of the data blocks under the corresponding data block type are subjected to security detection.
[0009] On the other hand, embodiments of this application provide a data detection device, the device comprising:
[0010] The acquisition unit is used to acquire the target data packet to be detected, and to determine one or more detection strategies and the data block type corresponding to each detection strategy. Each determined data block type is arranged with corresponding decoding indication information.
[0011] The processing unit is used to perform segmentation processing on the target data packet according to the data block segmentation strategy corresponding to each data block type, so as to obtain data blocks under each data block type;
[0012] The processing unit is further configured to perform decoding processing on the corresponding data block based on the decoding indication information arranged for each data block type, so as to obtain the decoding result of the data block under each data block type;
[0013] The processing unit is further configured to perform security checks on the decoding results of data blocks under the corresponding data block type according to the detection strategy corresponding to each data block type.
[0014] In another aspect, embodiments of this application provide a computer device, the computer device including a processor and a memory, wherein the memory is used to store a computer program, and the computer program, when executed by the processor, performs the following steps:
[0015] The target data packet to be detected is acquired, and one or more detection strategies and the data block types corresponding to each detection strategy are determined. Each determined data block type is arranged with corresponding decoding indication information.
[0016] According to the data block segmentation strategy corresponding to each data block type, the target data packet is segmented to obtain data blocks under each data block type;
[0017] Based on the decoding instruction information arranged for each data block type, the corresponding data block is decoded to obtain the decoding result of the data block under each data block type;
[0018] According to the detection strategy corresponding to each data block type, the decoding results of the data blocks under the corresponding data block type are subjected to security detection.
[0019] In another aspect, embodiments of this application provide a computer storage medium storing a computer program adapted for loading by a processor and executing the following steps:
[0020] The target data packet to be detected is acquired, and one or more detection strategies and the data block types corresponding to each detection strategy are determined. Each determined data block type is arranged with corresponding decoding indication information.
[0021] According to the data block segmentation strategy corresponding to each data block type, the target data packet is segmented to obtain data blocks under each data block type;
[0022] Based on the decoding instruction information arranged for each data block type, the corresponding data block is decoded to obtain the decoding result of the data block under each data block type;
[0023] According to the detection strategy corresponding to each data block type, the decoding results of the data blocks under the corresponding data block type are subjected to security detection.
[0024] In another aspect, embodiments of this application provide a computer program product, which includes a computer program that, when executed by a processor, implements the aforementioned data detection method.
[0025] In this embodiment, after obtaining the target data packet to be detected, one or more detection strategies and the corresponding data block types for each detection strategy can be determined. Each determined data block type is programmed with corresponding decoding instruction information, meaning that corresponding decoding instruction information can be flexibly programmed for each data block type. Then, according to the data block segmentation strategy corresponding to each data block type, the target data packet can be segmented to obtain data blocks under each data block type. Based on the decoding instruction information programmed for each data block type, the corresponding data blocks are decoded to obtain the decoding result of the data blocks under each data block type. This satisfies the corresponding decoding requirements of each detection strategy for data blocks under different data block types, that is, it satisfies the requirement for refined decoding of data blocks under each data block type, thereby improving the accuracy of the decoding result. Based on this, security detection can be performed on the decoding result of the data blocks under the corresponding data block type according to the detection strategy corresponding to each data block type, which can effectively improve the detection effect, that is, effectively improve the accuracy of data security detection. Attached Figure Description
[0026] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0027] Figure 1a This is a flowchart illustrating a data detection scheme provided in an embodiment of this application;
[0028] Figure 1b This is a schematic diagram illustrating the interaction between a terminal and a server, provided in an embodiment of this application.
[0029] Figure 2 This is a flowchart illustrating a data detection method provided in an embodiment of this application;
[0030] Figure 3aThis is a schematic diagram of a module provided in an embodiment of this application;
[0031] Figure 3b This is a schematic diagram of a data block provided in an embodiment of this application;
[0032] Figure 4 This is a flowchart illustrating another data detection method provided in an embodiment of this application;
[0033] Figure 5a This is a schematic diagram illustrating a representation of a decoding type provided in an embodiment of this application;
[0034] Figure 5b This is a schematic diagram of a data structure provided in an embodiment of this application;
[0035] Figure 5c This is a schematic diagram of location information provided in an embodiment of this application;
[0036] Figure 5d This is a flowchart illustrating another data detection method provided in an embodiment of this application;
[0037] Figure 6 This is a schematic diagram of the structure of a data detection device provided in an embodiment of this application;
[0038] Figure 7 This is a schematic diagram of the structure of a computer device provided in an embodiment of this application. Detailed Implementation
[0039] The technical solutions in the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings.
[0040] To improve the accuracy of decoding results and thus enhance the accuracy of data security detection, this application proposes a data detection scheme: See [link to relevant documentation]. Figure 1a As shown, the general principle of the data detection scheme proposed in this application embodiment is as follows:
[0041] First, the target data packet to be detected can be obtained, and the data block type corresponding to each detection strategy and the decoding instruction information arranged for each data block type can be determined. Based on this, the data blocks under each data block type can be determined from the target data packet, and the data blocks under the corresponding data block type can be decoded based on the decoding instruction information arranged for each data block type to obtain the decoding result of the data block under each data block type. Thus, according to the detection strategy corresponding to each data block type, the decoding result under the corresponding data block type can be used for security detection.
[0042] Practice has shown that the data detection scheme proposed in this application has at least the following beneficial effects: ① It can flexibly arrange more suitable decoding instruction information for each data block type, thereby decoding the data blocks under each data block type based on the corresponding decoding instruction information, so as to meet the needs of fine-grained decoding of data blocks and the decoding performance, and thus obtain decoding results with high accuracy; ② Based on the decoding instruction information arranged for each data block type, it can meet the decoding needs of each detection strategy for data blocks under different data block types, thereby improving the accuracy of data security detection based on the decoding results with high accuracy.
[0043] In practical implementation, the data detection scheme mentioned above can be executed by a computer device, which can be a terminal or a server. The terminal mentioned here can include, but is not limited to, smartphones, tablets, laptops, desktop computers, smartwatches, smart voice interaction devices, smart home appliances, vehicle terminals, and aircraft. Various clients (apps) can run on the terminal, such as video playback clients, social media clients, browser clients, news feed clients, educational clients, and so on. The server mentioned here can be a standalone physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms, etc. Cloud computing is a computing model that distributes computing tasks across a resource pool composed of a large number of computers, enabling various application systems to obtain computing power, storage space, and information services as needed. Furthermore, the computer device mentioned in the embodiments of this application can be located outside or inside the blockchain network, and there is no limitation on this. The so-called blockchain network is a network composed of a peer-to-peer network (P2P network) and a blockchain. The blockchain refers to a new application model of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanism, and encryption algorithm. In essence, it is a decentralized database, which is a series of data blocks (or blocks) linked together using cryptographic methods.
[0044] Alternatively, in other embodiments, the data detection scheme mentioned above can also be jointly executed by a server and a terminal; the terminal and the server can be directly or indirectly connected via wired or wireless communication, which is not limited herein. For example, the terminal can acquire the target data packet to be detected, determine the data block type corresponding to each detection strategy, and the decoding instruction information arranged for each data block type, thereby sending the target data packet, each data block type, and the decoding instruction information arranged for each data block type to the server; enabling the server to obtain the data blocks under each data block type from the target data packet, and based on the decoding instruction information arranged for each data block type, perform decoding processing on the corresponding data blocks to obtain the decoding results of the data blocks under each data block type, thereby sending each decoding result to the terminal; then the terminal performs security detection on the decoding results of the data blocks under the corresponding data block type according to the detection strategy corresponding to each data block type, such as... Figure 1b As shown. For example, the terminal can acquire the target data packet to be detected and send it to the server. This allows the server to determine the data block type corresponding to each strategy, as well as the decoding instruction information arranged for each data block type. The server then retrieves the data blocks under each data block type from the target data packet, and based on the decoding instruction information arranged for each data block type, decodes the corresponding data blocks to obtain the decoding result for each data block type. Finally, according to the detection strategy corresponding to each data block type, the server performs security detection on the decoding result of the data blocks under the corresponding data block type. It should be understood that this is merely an illustrative example of two scenarios where the terminal and server jointly execute the above data detection scheme, and is not an exhaustive list.
[0045] Based on the above description of the data detection scheme, this application proposes a data detection method, which can be executed by the aforementioned computer device (terminal or server); or, the data detection method can be executed jointly by the terminal and the server. For ease of explanation, the following description will use the execution of the data detection method by a computer device as an example; please refer to [link to relevant documentation]. Figure 2 The data detection method may include the following steps S201-S204:
[0046] S201, acquire the target data packet to be detected, and determine one or more detection strategies and the data block type corresponding to each detection strategy. Each determined data block type is arranged with corresponding decoding instruction information.
[0047] In this context, any one of the one or more detection strategies corresponds to at least one data block type, and each data block type is programmed with one or more decoding indications; that is, the computer device can determine one or more detection strategies and at least one data block type corresponding to each detection strategy, and each determined data block type is programmed with one or more decoding indications.
[0048] It should be noted that the decoding indication information programmed for the same data block type corresponding to different detection strategies can be the same or different, and this application does not limit this. For example, suppose one or more detection strategies include detection strategy A and detection strategy B, and the same data block type corresponding to detection strategy A and detection strategy B includes data block type A and data block type B; wherein, the decoding indication information programmed for data block type A corresponding to detection strategy A includes decoding indication information A, the decoding indication information programmed for data block type B corresponding to detection strategy A includes decoding indication information B and decoding indication information C, the decoding indication information programmed for data block type A corresponding to detection strategy B includes decoding indication information A, and the decoding indication information programmed for data block type B corresponding to detection strategy B includes decoding indication information D; in this case, the decoding indication information programmed for data block type A corresponding to detection strategy A is the same as the decoding indication information programmed for data block type A corresponding to detection strategy B, while the decoding indication information programmed for data block type B corresponding to detection strategy A is different from the decoding indication information programmed for data block type B corresponding to detection strategy B.
[0049] In the embodiments of this application, the data type of the target data packet can be an HTTP (Hypertext Transfer Protocol) message, i.e., an HTTP data packet, or an FTP (File Transfer Protocol) message, or an XML (Extensible Markup Language) message, etc.; this application does not limit this. It should be understood that when the data type of the target data packet is different, the determined detection strategy can be different, and the data block types corresponding to the same detection strategy involving different data types can be different, and the decoding indication information arranged for the same data block type can also be different, etc.; that is, for any data type of target data packet, the determined detection strategy, the data block type corresponding to the corresponding detection strategy, and the decoding indication information arranged for each data block type must all match any data type; for ease of description, the following description will use a target data packet with the data type of HTTP data packet as an example.
[0050] It should be noted that the methods for obtaining the target data packet include, but are not limited to, the following:
[0051] The first method of acquisition: The computer device can receive network data packets sent by the requesting end and use the received network data packets as the target data packets; or, it can combine the received network data packets and use the combined data packets as the target data packets. In other words, the received network data packets may include multiple sub-data packets, and the computer device can combine the multiple sub-data packets together to obtain the target data packets.
[0052] It should be understood that computer devices can enable network management services and receive external network data packets after enabling network management services. In this case, computer devices can also establish a data session table (such as an HTTP session table) for each target data packet that needs to be detected (such as an HTTP request) to store the status information of the data. The data session table includes, but is not limited to: source IP (Internet Protocol, the protocol for interconnecting networks), destination IP, source port, and destination port, etc.
[0053] The second method of acquisition: The computer device can obtain the download link of the target data packet and download the data packet based on the download link, thereby using the downloaded data packet as the target data packet.
[0054] The third acquisition method: The computer device itself can store one or more data packets to be detected in its storage space. Then the computer device can select one data packet from the one or more stored data packets and use the selected data packet as the target data packet.
[0055] Optionally, the computer device may include a network management module. In this case, when it is necessary to combine the acquired data packets to obtain the target data packet, the computer device can combine the acquired data packets through the network management module and use the combined data packet as the target data packet. Furthermore, the computer device may also include a protection detection engine (i.e., a protection detection module). The computer device can then send the target data packet to the protection detection engine through the network management module, enabling the computer device to perform subsequent security checks through the protection detection engine.
[0056] Optionally, the computer device may also include a configuration center, which may be located within or outside the network management module; this application does not limit this. In this case, the computer device can configure the data block types corresponding to each detection strategy and the decoding indication information programmed for each data block type through the configuration center, thereby determining the data block types corresponding to each detection strategy and the decoding indication information programmed for each data block type. Furthermore, the computer device can send the data block types corresponding to each detection strategy and the decoding indication information programmed for each data block type to the protection detection engine through the configuration center, and so on.
[0057] The protection detection engine can include one or more detection engines corresponding to different detection strategies. A detection engine can also be called a detection module. That is, when a computer device includes a protection detection engine, the computer device can perform subsequent security checks through the detection engines corresponding to the various detection strategies within the protection detection engine. It should be noted that the aforementioned one or more detection strategies include, but are not limited to: SQL (Structured Query Language) injection detection strategies, XSS (Cross-Site Scripting) detection strategies, command injection detection strategies, and code injection detection strategies, etc. Correspondingly, the protection detection engine can include, but is not limited to: SQL injection detection engines, XSS detection engines, command injection detection engines, and code injection detection engines, etc.
[0058] S202, according to the data block segmentation strategy corresponding to each data block type, the target data packet is segmented to obtain data blocks under each data block type.
[0059] It should be noted that different data blocks (parts) in the target data packet may have different encoding methods; accordingly, in order to perform targeted decoding processing on each data block later, the computer device can extract the data blocks of each data block type from the target data packet.
[0060] Optionally, the computer device may include a data management module (i.e., a message management module). If the protection detection engine in the computer device receives a protection detection request (i.e., receives target data packets and other data), it can send the target data packets, the types of each data block, and the decoding instruction information arranged for each data block type to the data management module, so that the computer device can perform corresponding data processing (such as parsing processing, i.e., message parsing, etc.) through the data management module.
[0061] For example, such as Figure 3aAs shown, when the protection detection engine receives a protection detection request, it can send the target data packet, the data block type corresponding to the detection strategy of each detection engine (i.e., the data block type corresponding to each detection engine), and the decoding instruction information arranged for each data block type to the data management module. The data management module may include, but is not limited to, a segmentation management module, a programmable decoding module (i.e., a decoding module or decoder module), and a data caching module (for caching data), etc. In this case, the computer device can segment the target data packet through the segmentation management module in the data management module to obtain data blocks under each data block type.
[0062] It should be understood that, Figure 3a The schematic diagram of the module is only illustrative and is not intended to limit the scope of the application. For example, the computer device may also include a configuration center, which sends the data block type corresponding to each detection strategy and the decoding instruction information arranged for each data block type to the protection detection engine. As another example, the computer device may also include a network management module for acquiring target data packets, and so on.
[0063] It should be noted that the data block types involved in the target data packet include, but are not limited to: CGI (Common Gateway Interface), FORMARG (form parameters), COOKIE (data stored on the user's local terminal for website identification and session recording), JSONARG (JSON (JavaScript Object Notation, a lightweight data exchange format, also known as JavaScript object notation) parameters), and HEADARG (header parameters), etc.; this application does not limit these. In the embodiments of this application, COOKIE can be referred to as a session; and since JavaScript is an interpreted scripting language, the embodiments of this application can refer to JSON as interpreted scripting language object notation and JSONARG as interpreted scripting language object notation parameters.
[0064] Therefore, to achieve more refined control over the data processing of target data packets, the target data packets can be divided into different data blocks, resulting in data blocks under each data block type. This allows for separate management of the data blocks under each data block type, such as... Figure 3b As shown. It should be noted that, Figure 3b The data block is only represented by an example and is not limited thereto; for example, the above-mentioned acquisition event may not include form parameters, that is, the computer device may not acquire the data block with form parameters and may not manage the data block, etc.
[0065] S203, based on the decoding instruction information arranged for each data block type, perform decoding processing on the corresponding data block to obtain the decoding result of the data block under each data block type.
[0066] It should be understood that decoding a data block based on the decoding instruction information arranged for each data block type means: decoding a data block under the corresponding data block type based on the decoding instruction information arranged for each data block type; wherein, the number of decoding instruction information arranged for any data block type can be one or more, and one decoding instruction information arranged for any data block type corresponds to one decoding result, that is, the number of decoding results for data blocks under any data block type is the same as the number of decoding instruction information arranged for that data block type.
[0067] Specifically, for any decoding instruction information arranged for any data block type, the computer device can determine the decoding method indicated by the decoding instruction information, and perform decoding processing on the data block under the data block type according to the decoding method indicated by the decoding instruction information to obtain a decoding result of the data block under the data block type.
[0068] S204. According to the detection strategy corresponding to each data block type, perform security detection on the decoding results of the data blocks under the corresponding data block type.
[0069] Specifically, the computer device can use the detection engine indicated by the detection strategy corresponding to each data block type to perform security checks on the decoding results of data blocks under the corresponding data block type. For example, suppose one or more detection strategies include SQL injection detection strategies and XSS detection strategies. The data block types corresponding to the SQL injection detection strategies include data block type A and data block type B, and the data block types corresponding to the XSS detection strategies include data block type C. Based on this, the computer device can use the SQL injection detection engine to perform security checks on the decoding results of data blocks under data block type A and data blocks under data block type B, respectively; and use the XSS detection engine to perform security checks on the decoding results of data blocks under data block type C.
[0070] It should be understood that when a computer device includes a network management module, a protection and detection engine, and a data management module, and the computer device performs corresponding decoding processing on each data block through the data management module to obtain the decoding results of each data block, the computer device can send the decoding results of each data block to the protection and detection engine through the data management module. Correspondingly, after receiving the decoding results of data blocks of each data block type, the protection and detection engine can perform security detection (i.e., attack detection) on each decoding result to obtain the detection results. Based on this, the computer device can return the detection results to the network management module through the protection and detection engine.
[0071] Accordingly, after receiving the detection results from the protection detection engine, the network management module can query the data session table and, based on the information stored in the data session table, return the detection results to the requesting end. It should be noted that the aforementioned detection results can refer to classification results (such as allowing or blocking). After the protection detection engine returns the detection results to the network management module, i.e., after the network management module receives the detection results, the computer device can query the data session table through the network management module to obtain the requesting end's information and, based on the detection results, respond accordingly to the requesting end, i.e., allowing or blocking. In this case, when the detection result is "allow," the computer device can respond to the requesting end through the network management module; when the detection result is "block," the computer device can respond to the requesting end through the network management module, and so on.
[0072] In this embodiment, after obtaining the target data packet to be detected, one or more detection strategies and the corresponding data block types for each detection strategy can be determined. Each determined data block type is programmed with corresponding decoding instruction information, meaning that corresponding decoding instruction information can be flexibly programmed for each data block type. Then, according to the data block segmentation strategy corresponding to each data block type, the target data packet can be segmented to obtain data blocks under each data block type. Based on the decoding instruction information programmed for each data block type, the corresponding data blocks are decoded to obtain the decoding result of the data blocks under each data block type. This satisfies the corresponding decoding requirements of each detection strategy for data blocks under different data block types, that is, it satisfies the requirement for refined decoding of data blocks under each data block type, thereby improving the accuracy of the decoding result. Based on this, security detection can be performed on the decoding result of the data blocks under the corresponding data block type according to the detection strategy corresponding to each data block type, which can effectively improve the detection effect, that is, effectively improve the accuracy of data security detection.
[0073] Please see Figure 4This is a flowchart illustrating another data detection method provided in an embodiment of this application. This data detection method can be executed by the computer device (terminal or server) mentioned above; or, the data detection method can be executed jointly by the terminal and the server. For ease of explanation, the following description will use the execution of this data detection method by a computer device as an example; please refer to [link to documentation]. Figure 4 The data detection method may include the following steps S401-S405:
[0074] S401, acquire the target data packet to be detected, and determine one or more detection strategies and the data block type corresponding to each detection strategy. Each determined data block type is arranged with corresponding decoding instruction information.
[0075] In this application, any decoding indication information can be used to indicate multiple sequentially arranged decoding methods. The number of determined data block types is N, and the nth data block type is arranged with K decoding indication information, where N and K are both positive integers, and n∈[1,N]. Furthermore, one decoding method corresponds to one encoding method, so this application can also refer to the decoding method as an encoding / decoding method.
[0076] In this embodiment of the application, since there are more and more encoding and decoding methods for HTTP messages, such as HTML (HyperTextMarkup Language) entity encoding and decoding, JavaScript (JS, a lightweight, interpreted or just-in-time compiled programming language with function priority, i.e., an interpreted scripting language) encoding and decoding, Unicode (a character encoding), URL (Uniform Resource Locator) encoding and decoding, Base64 (an encoding method for transmitting 8-bit byte code) encoding and decoding, etc., it is necessary to define the format of these encoding and decoding types (i.e., decoding types) for easy management.
[0077] It should be noted that the representation of any encoding / decoding type (i.e., decoding type) can be text, symbols, or numbers, etc., and this application does not limit this; accordingly, the representation of decoding indication information includes, but is not limited to: text, symbols, and numbers, etc., and this application does not limit this.
[0078] For example, such as Figure 5aAs shown, each decoding type can be represented by a decoding category, and different decoding methods under a decoding type can be represented by corresponding decoding subcategories. In this case, a decoding category and a decoding subcategory can be used to represent a specific decoding method. For example, taking URL decoding as an example, decoding category 10 can be used to represent URL decoding, decoding subcategory 110 can be used to represent a decoding method that performs one decoding through URL decoding, decoding subcategory 111 can be used to represent a decoding method that performs two decodings through URL decoding, and so on. Based on this, representation form 10110 can be used to represent a decoding method that performs one decoding through URL decoding, and representation form 10111 can be used to represent a decoding method that performs two decodings through URL decoding, and so on.
[0079] In this embodiment, the decoding indication information may refer to a decoding vector, thereby indicating the sequentially arranged decoding methods. For example, suppose the decoding indication information is...<v1、v2、v3> And v1, v2, and v3 are the representations of decoding mode v1, decoding mode v2, and decoding mode v3, respectively; in this case, the decoding indication information can be used to represent the decoding mode v1, decoding mode v2, and decoding mode v3 arranged in sequence.
[0080] S402, according to the data block segmentation strategy corresponding to each data block type, the target data packet is segmented to obtain data blocks under each data block type.
[0081] The target data packet may include multiple data structures, each data structure containing one or more data items. Any data block segmentation strategy includes at least one structure identifier. In other words, the computer device can segment the target data packet according to the structure identifiers corresponding to each data block type. It should be understood that a data structure can refer to a function or a header field; this application does not limit this. Similarly, a structure identifier can refer to a function name or a header field name; this application does not limit this. It should be noted that a structure identifier can be data located within a data structure or data located outside of a data structure; this application does not limit this.
[0082] Specifically, for any data block type, the computer device can locate one or more target data structures in the target data packet based on the structure identifiers in the data block segmentation strategy corresponding to that data block type, and determine the arrangement position of each target data structure in the target data packet. It should be understood that the data structures in the target data packet can be arranged in a corresponding order; based on this, the computer device can determine the arrangement position of each target data structure in the target data packet according to the arrangement order of the data structures in the target data packet.
[0083] Furthermore, the computer device can, according to the aforementioned arrangement, record the position of the first data in the first target data structure in the target data packet as the data block start position, and record the position of the last data in the last target data structure in the target data packet as the data block end position. Thus, the data in the target data packet located between the data block start position and the data block end position is considered as a data block of that data block type. It should be understood that when there is only one target data structure, the first target data structure is the same as the last target data structure. Based on this, the position of the first data in that target data structure in the target data packet can be recorded as the data block start position, and the position of the last data in that target data structure in the target data packet can be recorded as the data block end position. In this embodiment, RAW (raw data) can be used to record the data block start position and data block end position.
[0084] For example, such as Figure 5b As shown, assuming the target data packet includes data structures 1, 2, 3, and 4 arranged sequentially, and the data block segmentation strategy corresponding to any data block type includes structure identifier 2 and structure identifier 3, structure identifier 2 can be used to identify data structure 2, and structure identifier 3 can be used to identify data structure 3, then the computer device can use structure identifier 2 and structure identifier 3 to treat both data structures 2 and 3 in the target data packet as target data structures. Since data structure 2 is located before data structure 3, the computer device can use the position of the first data in data structure 2 in the target data packet as the start position of the data block, and the position of the last data in data structure 3 in the target data packet as the end position of the data block, thereby obtaining the data block under any data block type.
[0085] It should be understood that the computer device may also record the position of the last data in the target data structure located at the end as the start position of the data block in the target data packet, and record the position of the first data in the target data structure located at the beginning as the end position of the data block in the target data packet, so that the data in the target data packet located between the start position and the end position of the data block is used as the data block under any data block type. This application does not limit this.
[0086] In the embodiments of this application, the position of any data in the target data packet may refer to the position of any data in the target data packet determined based on the data arrangement order, or it may refer to the position of any data in the storage space where the target data packet is stored. This application does not limit this.
[0087] Furthermore, after obtaining the data blocks under each data block type, the computer device can manage each data block separately in subsequent processes, thereby triggering parsing and decoding processes through events, and controlling the parsing and decoding status through the content running status.
[0088] S403, take each decoding method indicated by the k-th decoding instruction information arranged for the n-th data block type as the target decoding method, k∈[1,K].
[0089] It should be understood that since any decoding indication information is used to indicate multiple sequentially arranged decoding methods, the target decoding methods are arranged sequentially according to the corresponding arrangement order. For example, assuming that the decoding methods indicated by the k-th decoding indication information arranged for the nth data block type include decoding method A and decoding method B, then decoding method A and decoding method B can both be used as target decoding methods, and the arrangement order of the target decoding methods is decoding method A and decoding method B in sequence.
[0090] S404: According to the order of the target decoding methods, each target decoding method is used sequentially to recursively decode the data block under the nth data block type, and the kth decoding result of the data block under the nth data block type is obtained.
[0091] In the process of recursively decoding the data block under the nth data block type, the first target decoding method adopted is to decode the data block under the nth data block type, and the target decoding methods that are not adopted first are to decode the decoding result corresponding to the previous target decoding method.
[0092] Specifically, the computer device can sequentially traverse each target decoding method according to the order of their arrangement, and take the currently traversed decoding method as the current decoding method. Then, the decoding object corresponding to the current decoding method can be determined. If the current decoding method is the first traversed decoding method (i.e., the first target decoding method adopted), the decoding object is the data block under the nth data block type. If the current decoding method is not the first traversed decoding method (i.e., not the first adopted decoding method), the decoding object is the decoding result corresponding to the previously traversed decoding method. Based on this, the current decoding method can be used to decode the corresponding decoding object, and the traversal of each target decoding method can continue until all target decoding methods have been traversed, so as to obtain the kth decoding result of the data block under the nth data block type.
[0093] For example, suppose the target decoding methods include decoding method A, decoding method B, and decoding method C arranged in sequence. In this case, decoding method A is the first target decoding method to be used, while decoding methods B and C are not the first target decoding methods to be used. Accordingly, the computer device can use decoding method A to decode the data block under the nth data block type to obtain the decoding result corresponding to decoding method A, use decoding method B to decode the decoding result corresponding to decoding method A to obtain the decoding result corresponding to decoding method B, and use decoding method C to decode the decoding result corresponding to decoding method B to obtain the kth decoding result of the data block under the nth data block type.
[0094] It should be noted that when K is greater than 1, the K decoding indication information is used in a certain order to decode the data block under the nth data block type. In other words, the computer device can serially decode the data block under the nth data block type based on the K decoding indication information and the corresponding order of use.
[0095] Specifically, when k is greater than 1, the computer device can determine the M decoding methods indicated by the k-th decoding instruction information, where M is an integer greater than 1; and based on the M decoding methods, search for the target decoding instruction information among the first k-1 decoding instruction information determined based on the usage order; the multiple decoding methods indicated by the target decoding instruction information are the same as the first m decoding methods among the M decoding methods, where m∈[1,M]. For example, suppose the value of k is 3, and the first decoding instruction information among the first k-1 decoding instruction information is used to indicate decoding method A and decoding method B in sequence, the second decoding instruction information is used to indicate decoding method B and decoding method A in sequence, and the k-th decoding instruction information is used to indicate decoding method A, decoding method B, and decoding method C in sequence; in this case, the computer device can find the target decoding instruction information from the first k-1 decoding instruction information, that is, the first decoding instruction information among the first k-1 decoding instruction information. It should be understood that when target decoding indication information exists, starting from the (m+1)th decoding method, the remaining decoding methods are used to decode the multiplexed decoding results, which can effectively save computing resources.
[0096] Furthermore, if no target decoding indication information is found, the step of using each decoding method indicated by the k-th decoding indication information arranged for the nth data block type as the target decoding method is triggered; if the target decoding indication information is found, the decoding result obtained based on the target decoding indication information is reused, and each decoding method after the m-th decoding method among the M decoding methods is used in turn to recursively decode the reused decoding result to obtain the k-th decoding result of the data block under the nth data block type. For example, when the k-th decoding instruction information is used to indicate the sequentially arranged decoding methods A, B, C, and D, and the target decoding instruction information is used to indicate the sequentially arranged decoding methods A and B, the computer device can reuse the decoding result obtained based on the target decoding instruction information, and recursively decode the reused decoding result using the decoding methods C and D in the k-th decoding instruction information. That is, the reused decoding result can be decoded using decoding method C, and the decoding result corresponding to decoding method C can be decoded using decoding method D, so as to obtain the k-th decoding result of the data block under the n-th data block type.
[0097] It should be understood that computer devices can also perform decoding processing on data blocks of the nth data block type in parallel based on K decoding instruction information, and this application does not limit this.
[0098] In this embodiment, when the computer device recursively decodes the data block of the nth data block type by sequentially employing each target decoding method according to the order of the target decoding methods, and obtains the kth decoding result of the data block of the nth data block type, it can recursively decode the values of each keyword in the data block of the nth data block type by sequentially employing each target decoding method according to the order of the target decoding methods. Based on this, the computer device can first obtain the parsing result obtained by parsing the data block of the nth data block type. The parsing result includes: the original position of the value of each keyword in the corresponding data block. The original position of the value of any keyword refers to: the storage position of the value of any keyword before any decoding processing is performed on the value of any keyword. That is to say, the original position of the value of any keyword refers to: the storage position of the value of any keyword in the corresponding data block.
[0099] Furthermore, the computer device can decode the values of each keyword in the data block under the nth data block type according to the order of the target decoding methods, using the target decoding method at the beginning and the original position in the above parsing results, to obtain the decoding result corresponding to the target decoding method at the beginning. The obtained decoding result includes the values of each keyword obtained by the decoding process.
[0100] Correspondingly, the computer device can sequentially use the remaining target decoding methods to recursively decode the values of each keyword in the decoding result corresponding to the first target decoding method, and obtain the k-th decoding result of the data block under the n-th data block type.
[0101] It should be understood that before decoding the data block of the nth data block type using the first decoding instruction among the K decoding instruction messages, the computer device can parse the data block of the nth data block type to obtain the parsing result of the data block of the nth data block type, so as to facilitate the subsequent acquisition of the corresponding parsing result. Optionally, any parsing result may also include the original position information of each keyword in the corresponding data block. That is, the computer device can parse the data block of the nth data block type into Key & Value form, and only record the original position information of each keyword and the original position information of the value of each keyword. In the embodiments of this application, the parsing result may also be referred to as a parser.
[0102] Furthermore, the data block under the nth data block type may include H keywords, where H is a positive integer; and the kth decoding result of the data block under the nth data block type includes the values of the H keywords obtained through the last target decoding method; based on this, for the hth keyword in the data block under the nth data block type, the computer device can determine the original value of the hth keyword; this original value refers to the value of the hth keyword before any decoding processing is performed on its value, that is, the original value refers to the value of the hth keyword in the nth data block type. The values in the data block below are h∈[1,H]. Correspondingly, if the original value is the same as the value of the h-th keyword in the k-th decoding result, the original position of the h-th keyword value is recorded. That is, the original position of the h-th keyword value can be used as the storage position of the h-th keyword value in the k-th decoding result, and the storage position of the h-th keyword value in the k-th decoding result is recorded. If the original value is different from the h-th keyword value in the k-th decoding result, the storage position of the h-th keyword value in the k-th decoding result is recorded.
[0103] In this embodiment of the application, the computer device can record the original position of the value of the h-th keyword or the storage position of the value of the h-th keyword in the decoder. The decoder can save only the values that need to be modified during decoding (such as the value of the h-th keyword in the k-th decoding result when the original value is different from the value of the h-th keyword in the k-th decoding result) and record the corresponding storage position; while other values that do not need to be modified (such as the value of the h-th keyword in the k-th decoding result when the original value is the same as the value of the h-th keyword in the k-th decoding result) only need to record the corresponding original position.
[0104] Optionally, the k-th decoding result of the data block under the n-th data block type also includes: H keywords in the data block under the n-th data block type; then, correspondingly, for the h-th keyword in the data block under the n-th data block type, the decoder may also include the storage location of the h-th keyword, that is, the computer device may also record the storage location of the h-th keyword in the decoder.
[0105] In the embodiments of this application, the management of any data block includes, but is not limited to, structures such as raw data, parser, and decoder; these structures can be used to store corresponding location information, so that this application can reduce data copying during the process of fine-grained parsing and decoding control, thereby improving performance.
[0106] For example, such as Figure 5c As shown, assuming the nth data block type is configured with two decoding indication messages, the computer device can segment the target data packet, and then parse the data blocks under the nth data block type to obtain a parsing result. This result records the original position of each keyword and the original position of the corresponding keyword value in the data block under the nth data block type. Based on the parsing result and the two decoding indication messages configured for the nth data block type, the values of each keyword in the data block under the nth data block type are decoded to obtain two decoders corresponding to the decoding results. Each decoder is used to record the original position of each keyword and the original position of the corresponding keyword value, or the storage position of the corresponding keyword value in the decoding result.
[0107] It should be noted that the value of any keyword in any decoding result is different from the original value of that keyword, and when the corresponding value is obtained for the first time through decoding, the value of any keyword obtained after decoding can be stored in the target storage space; wherein, the target storage space may refer to the memory pool in the computer device, or it may refer to the mobile storage device, or it may refer to the server connected to the computer device, and this application does not limit it in this regard.
[0108] Based on this, before recording the storage location of the h-th keyword value in the k-th decoding result, the computer device can search for a value in the target storage space that matches the h-th keyword value in the k-th decoding result. If a match is found, the storage location of the found value is used as the storage location of the h-th keyword value in the k-th decoding result; if no match is found, the h-th keyword value in the k-th decoding result is saved in the target storage space, thus obtaining the storage location of the h-th keyword value in the k-th decoding result. This process can be referred to as a decoding multiplexing process in this embodiment, which can effectively save storage resources.
[0109] For example, such as Figure 5c As shown, when the value of keyword 2 in the decoding result corresponding to the two decoding indication information arranged for the nth data block type is the same, and the value of keyword 2 in the decoding result is different from the original value of keyword 2 (i.e. the value of keyword 2 in the data block under the nth data block type), the computer device can perform storage only once on the value of keyword 2 in the decoding result to obtain the corresponding storage location, and record the storage location into the two decoders respectively.
[0110] Optionally, when the computer device includes a data management module and a decoding management module (i.e., a decoding module), and the decoding management module is located outside the data management module, the data management module, upon receiving a data parsing request, can segment the target data packet according to the data block type, and then parse the data blocks under that data block type. After parsing, it can send the parsed result and decoding indication information to the decoding management module for decoding. In this case, after the decoding management module receives the data decoding request, the computer device can use the decoding management module to decode the corresponding data block according to the decoding indication information and return the decoded result to the data management module. Furthermore, after receiving the decoding result, the data management module can cache the decoding result and simultaneously return it to the protection detection engine, such as... Figure 5d As shown. The decoding management module may include, but is not limited to: multipart parsing, hexadecimal parsing, and JavaScript Unicode decoding, etc.
[0111] It should be noted that, Figure 5d This is merely an illustrative flowchart of the data detection process, and this application does not limit it; for example, a computer device can perform parsing and decoding processing on each data block through a data management module to obtain the decoding result of each data block; or, for example, a computer device can perform parsing and decoding processing on each data block through a protection detection engine, and so on.
[0112] S405 performs security checks on the decoding results of data blocks of the corresponding data block type according to the detection strategy corresponding to each data block type.
[0113] Specifically, the decoding result of a data block under any data block type includes: the values of each keyword obtained by decoding using the decoding method indicated by the decoding instruction information arranged for the corresponding data block type; then, the computer device can perform security detection on the values of each keyword in the decoding result of the data block under the corresponding data block type according to the detection strategy corresponding to each data block type.
[0114] Furthermore, the computer device can determine the decoder corresponding to each data block type. The decoder corresponding to a data block under any data block type records: the original position of each keyword in the data block under the corresponding data block type, and the original position of the value of the corresponding keyword or the storage position of the value of the corresponding keyword in the decoding result; and based on the position information in the decoder corresponding to each data block type, determine each keyword in the data block under the corresponding data block type, and the value of the keyword in the decoding result of the data block under the corresponding data block type; thereby performing security detection on the value of each keyword in the decoding result of the data block under the corresponding data block type according to the detection strategy corresponding to each data block type.
[0115] This application embodiment, after acquiring the target data packet to be detected, determines the data block type corresponding to each detection strategy and the decoding instruction information arranged for each data block type, so as to obtain the data blocks under each data block type from the target data packet; then, based on the decoding method indicated by the decoding instruction information arranged for each data block type and the arrangement order of the corresponding decoding methods, the data blocks under the corresponding data block type can be decoded recursively to obtain the decoding result of the data blocks under each data block type, which can effectively improve the accuracy of the decoding result; furthermore, according to the detection strategy corresponding to each data block type, the more accurate decoding result of the data blocks under the corresponding data block type can be used for security detection, thereby improving the accuracy of security detection and effectively avoiding detection failure problems. It can be seen that the flexible decoding scheme proposed in this application embodiment designs a programmable decoding method, and by formulating the decoding instruction information corresponding to each data block type, it can flexibly perform decoding processing, which can meet the different decoding requirements of each detection strategy for data; and, only the position information of the corresponding data can be recorded, thereby reducing data copying while performing fine-grained parsing and decoding control, thereby improving performance.
[0116] Based on the description of the relevant embodiments of the data detection method above, this application also proposes a data detection device, which can be a computer program (including program code) running on a computer device. This data detection device can execute... Figure 2 or Figure 4 The data detection method shown; please refer to [link / reference]. Figure 6 The data detection device can operate the following units:
[0117] The acquisition unit 601 is used to acquire the target data packet to be detected, and determine one or more detection strategies and the data block type corresponding to each detection strategy. Each determined data block type is arranged with corresponding decoding indication information.
[0118] Processing unit 602 is used to perform segmentation processing on the target data packet according to the data block segmentation strategy corresponding to each data block type, so as to obtain data blocks under each data block type;
[0119] The processing unit 602 is further configured to perform decoding processing on the corresponding data block based on the decoding indication information arranged for each data block type, so as to obtain the decoding result of the data block under each data block type;
[0120] The processing unit 602 is further configured to perform security detection on the decoding results of data blocks under the corresponding data block type according to the detection strategy corresponding to each data block type.
[0121] In one implementation, the target data packet includes multiple data structures, and each data structure includes one or more data; any data block segmentation strategy includes at least one structure identifier; when the processing unit 602 segments the target data packet according to the data block segmentation strategy corresponding to each data block type to obtain data blocks under each data block type, it can be specifically used for:
[0122] For any data block type, based on the structure identifiers in the data block segmentation strategy corresponding to that data block type, one or more target data structures are located in the target data packet, and the arrangement position of each target data structure in the target data packet is determined.
[0123] According to the arrangement position, the position of the first data in the first target data structure located at the top is recorded as the start position of the data block in the target data packet, and the position of the last data in the last target data structure located at the bottom is recorded as the end position of the data block in the target data packet.
[0124] The data located between the start and end positions of the data block in the target data packet is taken as the data block under any data block type.
[0125] In another implementation, any decoding indication information is used to indicate multiple sequentially arranged decoding methods, the number of determined data block types is N, and the nth data block type is arranged with K decoding indication information, where N and K are both positive integers, and n∈[1,N]; when the processing unit 602 performs decoding processing on the corresponding data block based on the decoding indication information arranged for each data block type to obtain the decoding result of the data block under each data block type, it can be specifically used for:
[0126] Each decoding method indicated by the k-th decoding indication information arranged for the n-th data block type shall be taken as the target decoding method, k∈[1,K];
[0127] According to the order of the target decoding methods, the target decoding methods are used sequentially to recursively decode the data block under the nth data block type to obtain the kth decoding result of the data block under the nth data block type.
[0128] In the process of recursively decoding the data blocks under the nth data block type, the first target decoding method adopted is to decode the data blocks under the nth data block type, and the target decoding methods not adopted are to decode the decoding results corresponding to the previous target decoding method.
[0129] In another implementation, when K is greater than 1, the K decoding indication messages are used in a usage order to decode the data block under the nth data block type; wherein, when k is greater than 1, the processing unit 602 can also be used for:
[0130] Determine the M decoding methods indicated by the k-th decoding indication information, where M is an integer greater than 1;
[0131] Based on the M decoding methods, the target decoding indication information is searched among the first k-1 decoding indication information determined based on the usage order; the multiple decoding methods indicated by the target decoding indication information are the same as the first m decoding methods among the M decoding methods, where m∈[1,M];
[0132] If the target decoding indication information is not found, the step of taking each decoding method indicated by the k-th decoding indication information arranged for the nth data block type as the target decoding method is triggered.
[0133] If the target decoding indication information is found, the decoding result obtained based on the target decoding indication information is reused, and each decoding method after the m decoding methods in the M decoding methods is used in turn to recursively decode the reused decoding result to obtain the k-th decoding result of the data block under the n-th data block type.
[0134] In another embodiment, when the processing unit 602 recursively decodes the data block of the nth data block type by sequentially employing the target decoding methods according to their arrangement order, and obtains the kth decoding result of the data block of the nth data block type, it can be specifically used for:
[0135] Obtain the parsing result obtained by parsing the data block under the nth data block type; the parsing result includes: the original position of the value of each keyword in the corresponding data block, where the original position of the value of any keyword refers to the storage location of the value of any keyword before any decoding processing is performed on the value of any keyword;
[0136] According to the order of the target decoding methods, the target decoding method at the beginning and the original position in the parsing result are used to decode the values of each keyword in the data block under the nth data block type, so as to obtain the decoding result corresponding to the target decoding method at the beginning. The obtained decoding result includes the values of each keyword obtained by the decoding process.
[0137] The remaining target decoding methods are used sequentially to recursively decode the values of each keyword in the decoding result corresponding to the first target decoding method, thereby obtaining the k-th decoding result of the data block under the n-th data block type.
[0138] In another implementation, the data block under the nth data block type includes H keywords, where H is a positive integer; the kth decoding result of the data block under the nth data block type includes the values of the H keywords obtained through the last target decoding method; the processing unit 602 can also be used for:
[0139] For the h-th keyword in the data block under the n-th data block type, determine the original value of the h-th keyword; the original value refers to the value of the h-th keyword before any decoding processing is performed, where h∈[1,H];
[0140] If the original value is the same as the value of the h-th keyword in the k-th decoding result, then record the original position of the h-th keyword value;
[0141] If the original value is different from the value of the h-th keyword in the k-th decoding result, then the storage location of the value of the h-th keyword in the k-th decoding result is recorded.
[0142] In another embodiment, before recording the storage location of the value of the h-th keyword in the k-th decoding result, the processing unit 602 may also be used for:
[0143] Search in the target storage space for a value that matches the value of the h-th keyword in the k-th decoding result;
[0144] If found, the storage location of the found value will be used as the storage location of the value of the h-th keyword in the k-th decoding result;
[0145] If not found, the value of the h-th keyword in the k-th decoding result is saved in the target storage space, thus obtaining the storage location of the h-th keyword value in the k-th decoding result.
[0146] According to one embodiment of this application, Figure 2 or Figure 4 Each step involved in the method shown can be derived from... Figure 6 This is performed by each unit in the data detection device shown. For example, Figure 2 Step S201 shown can be performed by Figure 6 The acquisition unit 601 shown is executed, and steps S202-S204 can all be performed by... Figure 6 The processing unit 602 shown executes this. For example, Figure 4 Step S401 shown can be performed by Figure 6 The acquisition unit 601 shown is executed, and steps S402-S405 can all be performed by... Figure 6 The processing unit 602 shown executes, etc.
[0147] According to another embodiment of this application, Figure 6 The data detection device shown can be composed of individual or combined units into one or more other units, or some of the units can be further divided into multiple functionally smaller units. This achieves the same operation without affecting the technical effects of the embodiments of this application. The above units are based on logical function division. In practical applications, the function of one unit can be implemented by multiple units, or the function of multiple units can be implemented by one unit. In other embodiments of this application, the data detection device may also include other units. In practical applications, these functions can also be implemented with the assistance of other units, and can be implemented collaboratively by multiple units.
[0148] According to another embodiment of this application, the following can be achieved by running on a general-purpose computing device, such as a computer, which includes processing elements and storage elements such as a central processing unit (CPU), random access memory (RAM), and read-only memory (ROM), a device capable of performing operations such as... Figure 2 or Figure 4 The computer program (including program code) for each step involved in the corresponding method shown, to construct such... Figure 6 The data detection apparatus shown herein, and the data detection method for implementing the embodiments of this application, are described. The computer program may be recorded on, for example, a computer storage medium, loaded onto the aforementioned computing device via the computer storage medium, and run therein.
[0149] In this embodiment, after obtaining the target data packet to be detected, one or more detection strategies and the corresponding data block types for each detection strategy can be determined. Each determined data block type is programmed with corresponding decoding instruction information, meaning that corresponding decoding instruction information can be flexibly programmed for each data block type. Then, according to the data block segmentation strategy corresponding to each data block type, the target data packet can be segmented to obtain data blocks under each data block type. Based on the decoding instruction information programmed for each data block type, the corresponding data blocks are decoded to obtain the decoding result of the data blocks under each data block type. This satisfies the corresponding decoding requirements of each detection strategy for data blocks under different data block types, that is, it satisfies the requirement for refined decoding of data blocks under each data block type, thereby improving the accuracy of the decoding result. Based on this, security detection can be performed on the decoding result of the data blocks under the corresponding data block type according to the detection strategy corresponding to each data block type, which can effectively improve the detection effect, that is, effectively improve the accuracy of data security detection.
[0150] Based on the description of the above method and apparatus embodiments, this application also provides a computer device. Please refer to... Figure 7 The computer device includes at least a processor 701, an input interface 702, an output interface 703, and a computer storage medium 704. The processor 701, input interface 702, output interface 703, and computer storage medium 704 within the computer device can be connected via a bus or other means.
[0151] The computer storage medium 704 can be stored in the memory of a computer device. The computer storage medium 704 is used to store computer programs, the computer programs including program instructions, and the processor 701 is used to execute the program instructions stored in the computer storage medium 704. The processor 701 (or CPU (Central Processing Unit)) is the computing and control core of a computer device, suitable for implementing one or more instructions, specifically suitable for loading and executing one or more instructions to implement corresponding method flows or corresponding functions. In one embodiment, the processor 701 described in this application can be used to perform a series of data detections, specifically including: acquiring a target data packet to be detected, and determining one or more detection strategies and data block types corresponding to each detection strategy, wherein each determined data block type is programmed with corresponding decoding instruction information; segmenting the target data packet according to the data block segmentation strategy corresponding to each data block type to obtain data blocks under each data block type; decoding the corresponding data blocks based on the decoding instruction information programmed for each data block type to obtain the decoding result of the data blocks under each data block type; performing security detection on the decoding result of the data blocks under the corresponding data block type according to the detection strategy corresponding to each data block type, etc.
[0152] This application embodiment also provides a computer storage medium (memory), which is a memory device in a computer device used to store programs and data. It is understood that the computer storage medium here can include both the built-in storage medium in the computer device and extended storage media supported by the computer device. The computer storage medium provides storage space that stores the operating system of the computer device. Furthermore, this storage space also stores one or more instructions suitable for loading and execution by a processor. These instructions can be one or more computer programs (including program code). It should be noted that the computer storage medium here can be high-speed RAM or non-volatile memory, such as at least one disk storage device; optionally, it can also be at least one computer storage medium located remotely from the aforementioned processor. In one embodiment, the processor can load and execute one or more instructions stored in the computer storage medium to implement the above-mentioned... Figure 2 or Figure 4 The various method steps in the embodiments of the data detection method shown.
[0153] In this embodiment, after obtaining the target data packet to be detected, one or more detection strategies and the corresponding data block types for each detection strategy can be determined. Each determined data block type is programmed with corresponding decoding instruction information, meaning that corresponding decoding instruction information can be flexibly programmed for each data block type. Then, according to the data block segmentation strategy corresponding to each data block type, the target data packet can be segmented to obtain data blocks under each data block type. Based on the decoding instruction information programmed for each data block type, the corresponding data blocks are decoded to obtain the decoding result of the data blocks under each data block type. This satisfies the corresponding decoding requirements of each detection strategy for data blocks under different data block types, that is, it satisfies the requirement for refined decoding of data blocks under each data block type, thereby improving the accuracy of the decoding result. Based on this, security detection can be performed on the decoding result of the data blocks under the corresponding data block type according to the detection strategy corresponding to each data block type, which can effectively improve the detection effect, that is, effectively improve the accuracy of data security detection.
[0154] It should be noted that, according to one aspect of this application, a computer program product or computer program is also provided, which includes computer instructions stored in a computer storage medium. The processor of a computer device reads the computer instructions from the computer storage medium, executes the computer instructions, and causes the computer device to perform the aforementioned actions. Figure 2 or Figure 4 The methods provided in various alternative embodiments of the data detection method shown are examples of methods.
[0155] Furthermore, it should be understood that the above-disclosed embodiments are merely preferred embodiments of this application and should not be construed as limiting the scope of this application. Therefore, any equivalent variations made in accordance with the claims of this application are still within the scope of this application.
Claims
1. A data detection method, characterized in that, include: The target data packet to be detected is acquired, and one or more detection strategies and the data block types corresponding to each detection strategy are determined. Each determined data block type is arranged with corresponding decoding indication information. According to the data block segmentation strategy corresponding to each data block type, the target data packet is segmented to obtain data blocks under each data block type; Based on the decoding instruction information arranged for each data block type, the corresponding data block is decoded to obtain the decoding result of the data block under each data block type; According to the detection strategy corresponding to each data block type, the decoding results of the data blocks under the corresponding data block type are subjected to security detection.
2. The method according to claim 1, characterized in that, The target data packet includes multiple data structures, and each data structure includes one or more data; any data block segmentation strategy includes at least one structure identifier. The step of segmenting the target data packet according to the data block segmentation strategy corresponding to each data block type to obtain data blocks under each data block type includes: For any data block type, based on the structure identifiers in the data block segmentation strategy corresponding to that data block type, one or more target data structures are located in the target data packet, and the arrangement position of each target data structure in the target data packet is determined. According to the arrangement position, the position of the first data in the first target data structure located at the top is recorded as the start position of the data block in the target data packet, and the position of the last data in the last target data structure located at the bottom is recorded as the end position of the data block in the target data packet. The data located between the start and end positions of the data block in the target data packet is taken as the data block under any data block type.
3. The method according to claim 1 or 2, characterized in that, Any decoding indication is used to indicate multiple sequentially arranged decoding methods. The number of determined data block types is N, and the nth data block type is arranged with K decoding indications. N and K are both positive integers, and n∈[1,N]. The decoding process, based on the decoding indication information arranged for each data block type, decodes the corresponding data blocks to obtain the decoding result of the data blocks under each data block type, including: Each decoding method indicated by the k-th decoding indication information arranged for the n-th data block type shall be taken as the target decoding method, k∈[1,K]; According to the order of the target decoding methods, the target decoding methods are used sequentially to recursively decode the data block under the nth data block type to obtain the kth decoding result of the data block under the nth data block type; In the process of recursively decoding the data blocks under the nth data block type, the first target decoding method adopted is to decode the data blocks under the nth data block type, and the target decoding methods not adopted are to decode the decoding results corresponding to the previous target decoding method.
4. The method according to claim 3, characterized in that, When K is greater than 1, the K decoding indication messages are used in a specific order to decode data blocks of the nth data block type; wherein, when k is greater than 1, the method further includes: Determine the M decoding methods indicated by the k-th decoding indication information, where M is an integer greater than 1; Based on the M decoding methods, the target decoding indication information is searched among the first k-1 decoding indication information determined based on the usage order; the multiple decoding methods indicated by the target decoding indication information are the same as the first m decoding methods among the M decoding methods, where m∈[1,M]; If the target decoding indication information is not found, the step of taking each decoding method indicated by the k-th decoding indication information arranged for the nth data block type as the target decoding method is triggered. If the target decoding indication information is found, the decoding result obtained based on the target decoding indication information is reused, and each decoding method after the m decoding methods in the M decoding methods is used in turn to recursively decode the reused decoding result to obtain the k-th decoding result of the data block under the n-th data block type.
5. The method according to claim 3, characterized in that, The step of recursively decoding the data block of the nth data block type by sequentially employing each target decoding method according to their arrangement order, to obtain the kth decoding result of the data block of the nth data block type, includes: Obtain the parsing result obtained by parsing the data block under the nth data block type; the parsing result includes: the original position of the value of each keyword in the corresponding data block, where the original position of the value of any keyword refers to the storage location of the value of any keyword before any decoding processing is performed on the value of any keyword; According to the order of the target decoding methods, the target decoding method at the beginning and the original position in the parsing result are used to decode the values of each keyword in the data block under the nth data block type, so as to obtain the decoding result corresponding to the target decoding method at the beginning. The obtained decoding result includes the values of each keyword obtained by the decoding process. The remaining target decoding methods are used sequentially to recursively decode the values of each keyword in the decoding result corresponding to the first target decoding method, thereby obtaining the k-th decoding result of the data block under the n-th data block type.
6. The method according to claim 5, characterized in that, The data block under the nth data block type includes H keywords, where H is a positive integer; the kth decoding result of the data block under the nth data block type includes the values of the H keywords obtained through the last target decoding method; the method further includes: For the h-th keyword in the data block under the n-th data block type, determine the original value of the h-th keyword; the original value refers to the value of the h-th keyword before any decoding processing is performed, where h∈[1,H]; If the original value is the same as the value of the h-th keyword in the k-th decoding result, then record the original position of the h-th keyword value; If the original value is different from the value of the h-th keyword in the k-th decoding result, then the storage location of the value of the h-th keyword in the k-th decoding result is recorded.
7. The method according to claim 6, characterized in that, Before recording the storage location of the value of the h-th keyword in the k-th decoding result, the method further includes: Search in the target storage space for a value that matches the value of the h-th keyword in the k-th decoding result; If found, the storage location of the found value will be used as the storage location of the value of the h-th keyword in the k-th decoding result; If not found, the value of the h-th keyword in the k-th decoding result is saved in the target storage space, thus obtaining the storage location of the h-th keyword value in the k-th decoding result.
8. A data detection device, characterized in that, include: The acquisition unit is used to acquire the target data packet to be detected, and to determine one or more detection strategies and the data block type corresponding to each detection strategy. Each determined data block type is arranged with corresponding decoding indication information. The processing unit is used to perform segmentation processing on the target data packet according to the data block segmentation strategy corresponding to each data block type, so as to obtain data blocks under each data block type; The processing unit is further configured to perform decoding processing on the corresponding data block based on the decoding indication information arranged for each data block type, so as to obtain the decoding result of the data block under each data block type; The processing unit is further configured to perform security checks on the decoding results of data blocks under the corresponding data block type according to the detection strategy corresponding to each data block type.
9. A computer device, characterized in that, It includes a processor and a memory, wherein the memory is used to store a computer program that, when executed by the processor, implements the method as described in any one of claims 1-7.
10. A computer storage medium, characterized in that, The computer storage medium stores a computer program, which, when executed by a processor, implements the method as described in any one of claims 1-7.
11. A computer program product, characterized in that, Includes a computer program that, when executed by a processor, implements the method as described in any one of claims 1-7.