A method, apparatus and computer readable storage medium for defending against concatenated malicious code

By acquiring the session request history chain and running it in an isolated sandbox, combined with behavioral results and risk assessment, the problem of difficulty in identifying and defending against spliced ​​malicious code in existing technologies is solved. It achieves efficient defense against single-session, multi-session, and client-side spliced ​​malicious code, reducing the risk of data leakage and system intrusion.

CN122093191BActive Publication Date: 2026-07-03ZHIWEI XINGYI (SHANGHAI) INTELLIGENT TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ZHIWEI XINGYI (SHANGHAI) INTELLIGENT TECH CO LTD
Filing Date
2026-04-23
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing technologies struggle to effectively identify and defend against piecemeal malicious code, especially single-session, multi-session, and client-side batch-construction malicious code, leading to a high risk of data leakage and system intrusion.

Method used

By acquiring the historical chain of session requests, requests with splicing intent are filtered out and run in an isolation sandbox. Malicious code is determined by combining behavioral results and risk assessment, including defense methods for single-session, multi-session, and client splicing.

Benefits of technology

It improves the accuracy and efficiency of identifying and intercepting spliced ​​malicious code, reduces the risk of data leakage and system intrusion, and supports the identification and defense against unknown malicious code.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122093191B_ABST
    Figure CN122093191B_ABST
Patent Text Reader

Abstract

This application relates to the field of network security technology, and provides a method, apparatus, and computer-readable storage medium for defending against spliced ​​malicious code. The method includes: selecting a session request in the request history chain whose splicing pattern is server-side splicing as the first session request to be inspected; accumulating a preset score value triggered by scoring keywords in the first session request to obtain a single-session splicing intent; when the single-session splicing intent score is greater than or equal to a preset score threshold, performing a risk assessment based on risk elements triggered during the execution of the first session request in an isolation sandbox and the read skill modules to obtain a single-session risk assessment value; and when the single-session risk assessment value is greater than or equal to a preset risk threshold, the server intercepts the first session request to be inspected. This application reduces the computational load of risk assessment by filtering the first session request to be inspected through splicing intent scoring, and improves the efficiency and accuracy of identifying and intercepting single-session server-side spliced ​​malicious code.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of cybersecurity technology, and in particular to a method, apparatus, and computer-readable storage medium for defending against spliced ​​malicious code. Background Technology

[0002] With the deepening of digital transformation, web applications have become the core carrier of enterprise business operations, carrying key functions such as user data storage, business logic execution, and cross-platform interaction. They have also become a primary target of cyberattacks. Among these, splicing malware attacks, a highly covert variant of injection attacks, rely on legitimate user session credentials. By splicing, splitting, and transmitting malicious payloads in batches, they bypass security protection devices, impersonate legitimate users, and perform malicious acts such as unauthorized access, data theft, and system intrusion, causing serious economic losses and data leakage risks to enterprises and users.

[0003] Types of concatenated malicious code include single-session server-side concatenation, multi-session server-side concatenation, and multi-session client-side concatenation. Existing technologies typically employ web application firewalls (WAFs) and sandbox dynamic detection techniques. WAFs identify and determine malicious code in single-session requests based on preset malicious keywords. This method is ineffective at identifying unknown malicious code and does not support cross-session request identification, nor does it support the identification and interception of multi-session server-side or multi-session client-side concatenated malicious code. Sandbox dynamic detection technology runs session requests directly in a virtual sandbox and determines whether they contain malicious code based on the behavior results. This method supports the identification of unknown malicious code, but the sandbox requires significant computation, resulting in decreased overall operating efficiency.

[0004] Therefore, there is an urgent need for a new defense method that can provide comprehensive protection against single-session splicing, multi-session splicing, and client-side batch splicing malicious code attacks, thereby reducing the risk of data leakage and system intrusion. Summary of the Invention

[0005] This application provides a method, apparatus, and computer-readable storage medium for defending against splicing malicious code. After filtering out single-session requests with splicing intent, the system performs sandbox operation, determines and intercepts malicious code based on the behavior results, thereby improving the accuracy and efficiency of identifying splicing malicious code in single-session requests.

[0006] This application provides a method for defending against concatenated malicious code, the method comprising the following steps:

[0007] Step 10: Obtain session requests from the same request history chain; wherein, the request history chain includes at least one session request from the same user, each session request includes a splicing mode, operation instruction, skill module name, and coordinate positioning of the specified instruction in the skill module, the splicing mode includes server-side splicing and client-side splicing, the skill module library includes multiple skill modules with different risk levels, and each skill module corresponds to a unique skill module name;

[0008] Step 20: Select a session request in the request history chain whose concatenation pattern is server-side concatenation as the first session request to be inspected.

[0009] Step 21: Accumulate the preset score values ​​triggered by the scoring keywords in the first session request to be inspected to obtain a single session splicing intent score; wherein, the scoring keywords include "splicing", "execution", coordinate positioning and skill module name;

[0010] Step 22: When the single session splicing intent score is greater than or equal to the preset score threshold, the first code fragment of the corresponding skill module is read from the skill module library in the isolation sandbox according to the skill module name and coordinates in the first session request to be inspected, and the first code fragment is spliced ​​and then run.

[0011] Step 23: Based on the risk factors triggered during the execution of the first code fragment assembled in the isolation sandbox and the skill modules read, and combined with the operational risk score corresponding to each risk factor and the risk level of each skill module, a risk assessment is performed to obtain the single-session risk assessment value; among which, the risk factors include network connection function and command execution function;

[0012] Step 24: When the single-session risk assessment value is greater than or equal to the preset risk threshold, the first session request to be inspected is intercepted.

[0013] Optionally, the step of accumulating the preset score value triggered by the scoring keyword in the first session request to obtain the single-session splicing intent score includes:

[0014] The scoring keywords in the first session request to be inspected include a) coordinate positioning, b) "concatenation", c) "execution", and d) different skill module names.

[0015] When d=1, the single-session splicing intent score V=a×30+b×25+c×20.

[0016] When d≥2, the single-session splicing intent score V=a×30+b×25+c×20+30;

[0017] Among them, the preset score for coordinate positioning is 30, the preset score for splicing is 25, the preset score for execution is 20, the preset evaluation score for at least two different skill module names is 30, and the preset score threshold is 100.

[0018] Optionally, the risk assessment obtained by performing a single-session risk assessment based on the risk factors triggered during the execution of the first code fragment assembled in the isolation sandbox and the read skill modules, combined with the operational risk score corresponding to each risk factor and the risk level of each skill module, includes:

[0019] When the first code snippet assembled in the isolated sandbox is run, it triggers x network connection functions and y command execution functions, and references d skill modules;

[0020] The single-session risk assessment value W = the maximum value among the module risk values ​​corresponding to the skill modules (x×40+y×40+d);

[0021] The preset risk value for each network connection function is 40, the preset risk value for each command execution function is 40, the risk level of the skill module is high risk level, medium risk level, and low risk level, the preset risk value for the low risk level skill module is 20, the preset risk value for the medium risk level is 60, the preset risk value for the high risk level is 100, and the preset risk threshold is 180.

[0022] Optionally, after step 10 is performed, the method further includes the following steps:

[0023] Step 30: Select multiple session requests in the request history chain whose splicing mode is server splicing as the second session request to be inspected; select the target feature session request and the target execution session request containing "execution" from the second session request to be inspected.

[0024] Step 31: Accumulate the preset aggregation scores triggered by the target feature session request and the target execution session request meeting the aggregation requirements to obtain a multi-session aggregation score; wherein, the aggregation requirements include: the number of window extractions within a first preset time period is greater than or equal to 2, the number of new session requests within a second preset time period is greater than or equal to 3, the number of coordinate positioning is greater than or equal to 2, the number of different skill module names is greater than or equal to 2, and the code corresponding to the coordinate positioning of the skill module name in the target feature session request and the target execution session request has a command execution entry after being concatenated;

[0025] Step 32: When the multi-session aggregation score is greater than or equal to the preset server-side aggregation threshold, in the isolation sandbox, according to the target feature session request and the target execution session request, the skill module name and the coordinate positioning are identified from the skill module library, the second code fragment of the corresponding skill module is read, the second code fragment is concatenated and then executed;

[0026] Step 33: Based on the risk factors triggered during the execution of the second code fragment assembled in the isolation sandbox and the skill modules read, and combined with the operational risk score corresponding to each risk factor and the risk level of each skill module, a risk assessment is conducted to obtain the multi-session risk assessment value.

[0027] Step 34: When the multi-session risk assessment value is greater than or equal to the preset risk threshold, the target feature session request and the target execution session request are intercepted.

[0028] Optionally, the multi-session aggregation score is obtained by accumulating the preset aggregation scores triggered when the target feature session request and the target execution session request meet the aggregation requirements, including:

[0029] The first preset duration is 24 hours. The preset aggregate score corresponding to the number of window extractions N within 24 hours is N×10, where N is an integer greater than or equal to 2.

[0030] The second preset duration is 1 hour. The preset aggregate score corresponding to the number of new session requests reaching M within 1 hour is M×10, where M is an integer greater than or equal to 3.

[0031] The preset aggregation score is 20 when the number of coordinate positioning reaches 2.

[0032] The preset aggregate score is 15 when the number of different skill module names reaches 2.

[0033] The code for locating the coordinates of the skill module name in the target feature session request and the target execution session request, after being concatenated, has a preset aggregate score of 25 corresponding to the command execution entry point;

[0034] When the target feature session request and the target execution session request satisfy the aggregation requirement, the preset aggregation score corresponding to the aggregation requirement is accumulated to obtain the aggregation score, and the preset server-side aggregation threshold is 100.

[0035] Optionally, after step 10 is performed, the method further includes the following steps:

[0036] Step 40: Select at least one session request in the request history chain whose splicing mode is client splicing as the third session request to be inspected;

[0037] Step 41: Accumulate the preset aggregation score triggered by the third pending session request meeting the aggregation requirements to obtain the client aggregation score; wherein, the aggregation requirements include the number of window extractions within a first preset time period being greater than or equal to 2, the number of new session requests within a second preset time period being greater than or equal to 2, the number of coordinate positioning being greater than or equal to 2, and the number of different skill module names being greater than or equal to 2.

[0038] Step 42: Accumulate the preset risk score triggered by the third session request to be inspected meeting the client risk requirements to obtain the client risk level; wherein, the client risk requirements include requiring output to the client and the skill module indicated by the skill module name in the third session request to be a skill module with a high risk level.

[0039] Step 43: When the sum of the client aggregate score and the client risk quantity is greater than or equal to the preset client aggregate threshold, in the isolation sandbox, according to the skill module name and coordinate location identified by the third session to be inspected, the third code fragment of the corresponding skill module is read from the skill module library, the third code fragment is concatenated and then executed.

[0040] Step 44: Based on the risk factors triggered during the execution of the third code fragment assembled in the isolation sandbox and the skill modules read, and combined with the operational risk score corresponding to each risk factor and the risk level of each skill module, a risk assessment is conducted to obtain the client risk assessment value.

[0041] Step 45: When the client risk assessment value is greater than or equal to the preset risk threshold, the third session request to be inspected is intercepted.

[0042] Optionally, the client aggregation score is obtained by accumulating the preset aggregation score triggered by the third session request meeting the aggregation requirements, including:

[0043] The first preset duration is 24h, and the preset score corresponding to the number of window extractions n within 24h is n×10. The second preset duration is 1h, and the preset aggregate score corresponding to the number of new session requests m within 1h is m×10, the preset aggregate score corresponding to the number of coordinate positioning 2 is 20, and the preset aggregate score corresponding to the number of different skill module names 2 is 15.

[0044] When the third pending session request meets the aggregation requirement, the preset aggregation score corresponding to the aggregation requirement is accumulated to obtain the client aggregation score.

[0045] Optionally, the client risk level is obtained by accumulating the preset risk scores triggered by the third session request meeting the client risk requirements, including:

[0046] The preset risk score corresponding to the j outputs to the client is required to be j×20. If the code fragments jointly indicated by the skill module name and coordinate positioning in the third pending session request come from skill modules with a high risk level, then the corresponding preset risk score is k×15, and the client risk quantity Q=j×20+k×15.

[0047] This application also provides a defense device against spliced ​​malicious code, the device comprising:

[0048] The request receiving module is used to receive session requests and user identity information from the client.

[0049] The storage module is used to store the skill module library, request history chain, preset scoring threshold, preset server aggregation threshold, preset client aggregation threshold, preset risk threshold, scoring keywords, preset scoring values ​​corresponding to the scoring keywords, and preset risk values ​​corresponding to the risk levels. The skill module library includes at least one skill module and the risk level corresponding to the skill module. Each skill module has a unique skill module name. The request history chain includes at least one session request corresponding to the user's identity information. The scoring keywords include "concatenation", "execution", coordinate positioning, and skill module name.

[0050] The associated storage module is connected to the request receiving module and the storage module, and is used to store session requests into the request history chain corresponding to the user identity information in the storage module.

[0051] The target selection module is connected to the request receiving module and the storage module. It is used to select a session request with a server-side splicing mode from the request history chain corresponding to the storage module based on the user identity information as the first session request to be inspected, select at least one session request with a server-side splicing mode as the second session request to be inspected, and select a target execution session request and a target feature session request from the second session request to be inspected based on "execution", and select at least one session request with a client-side splicing mode as the third session request to be inspected.

[0052] The single-session splicing intent judgment module is connected to the detection target selection module. It is used to accumulate the preset score value triggered by the scoring keyword in the first session request to be inspected to obtain the single-session splicing intent score. When the single-session splicing intent score is greater than or equal to the preset score threshold, the first start signal and the first session request to be inspected are sent to the isolation sandbox.

[0053] The multi-session server-side aggregation judgment module, connected to the target selection module, is used to accumulate preset aggregation scores triggered when target feature session requests and target execution session requests meet aggregation requirements, thus obtaining a multi-session aggregation score. When the multi-session aggregation score is greater than or equal to a preset server-side aggregation threshold, a second start signal, a target feature session request, and a target execution session request are sent to the isolation sandbox. The aggregation requirements in the multi-session server-side aggregation judgment module include: the number of window extractions within a first preset duration is greater than or equal to 2; the number of new session requests within a second preset duration is greater than or equal to 3; the number of coordinate locations is greater than or equal to 2; the number of different skill module names is greater than or equal to 2; and the code for coordinate location corresponding to the skill module name in the target feature session request and the target execution session request has a command execution entry point after being concatenated.

[0054] The multi-session client aggregation judgment module, connected to the detection target selection module, is used to accumulate the preset aggregation score triggered by the third pending session request meeting the aggregation requirements to obtain the client aggregation score, and accumulate the preset risk score triggered by the third pending session request meeting the client risk requirements to obtain the client risk quantity. It calculates the sum of the client aggregation score and the client risk quantity. When the sum is greater than or equal to the preset client aggregation threshold, it sends a third start signal and a third pending session request to the isolation sandbox. The aggregation requirements in the multi-session client aggregation judgment module include: the number of window extractions within a first preset time period is greater than or equal to 2, the number of new session requests within a second preset time period is greater than or equal to 2, the number of coordinate positioning is greater than or equal to 2, and the number of different skill module names is greater than or equal to 2.

[0055] An isolation sandbox, connected to a single-session concatenation intent judgment module, a multi-session server-side aggregation judgment module, a multi-session client-side aggregation judgment module, and a storage module, is used to: upon receiving a first start signal, retrieve the first code fragment of the corresponding skill module from the skill module library according to the skill module name and coordinates in the first pending session request, concatenate the first code fragment, and then run it; upon receiving a second start signal, retrieve the second code fragment of the corresponding skill module from the skill module library according to the skill module name and coordinates in the target feature session request and the target execution session request, concatenate the second code fragment, and then run it; upon receiving a third start signal, retrieve the third code fragment of the corresponding skill module from the skill module library according to the skill module name and coordinates in the third pending session request, concatenate the third code fragment, and then run it.

[0056] The single-session risk assessment and judgment module is connected to the isolation sandbox and storage module. It is used to conduct risk assessment based on the risk elements triggered during the operation of the first code segment assembled in the isolation sandbox and the skill modules read. It combines the operation risk score corresponding to each risk element and the risk level of each skill module to obtain the single-session risk assessment value. When the single-session risk assessment value is greater than or equal to the preset risk threshold, it sends the first interception start signal to the interception module.

[0057] The multi-session risk assessment and judgment module is connected to the isolation sandbox and storage module. It is used to conduct risk assessment based on the risk elements triggered during the operation of the second code segment assembled in the isolation sandbox and the skill modules read. It combines the operation risk score corresponding to each risk element and the risk level of each skill module to obtain the multi-session risk assessment value. When the multi-session risk assessment value is greater than or equal to the preset risk threshold, it sends a second interception start signal to the interception module.

[0058] The client-side risk assessment module, connected to the isolation sandbox and storage module, is used to assess the risk based on the risk factors triggered during the execution of the third code fragment assembled in the isolation sandbox and the skill modules read. It combines the operational risk score corresponding to each risk factor and the risk level of each skill module to obtain the client-side risk assessment value. When the client-side risk assessment value is greater than or equal to the preset risk threshold, it sends a third interception start signal to the interception module.

[0059] The interception module, connected to the single-session risk assessment and judgment module, the multi-session risk assessment and judgment module, and the client risk assessment and judgment module, is used to control the interception of the first session request to be inspected according to the first interception start signal, to control the interception of the target characteristic session request and the target execution session request according to the second interception start signal, and to control the interception of the third session request to be inspected according to the third interception start signal.

[0060] This application also provides a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, performs a defense method against spliced ​​malicious code as described in any of the above claims.

[0061] This application includes at least one of the following beneficial technical effects:

[0062] 1. The server stores all session requests from the same user in the request history chain. In this way, even if the user creates a new session on the client and clears the context, the server can still associate the user's request history chain based on the user's identity information, thus preventing the context of session requests from being disordered during splicing malicious code.

[0063] 2. Regarding the identification and defense against malicious code splicing on the single-session server, this application's server first calculates the single-session splicing intent score of the first session request to be inspected using scoring keywords. Based on the comparison between the single-session splicing intent score and a preset scoring threshold, requests with splicing intent are selected. These first session requests with splicing intent are then placed in an isolation sandbox for execution. Based on the risk factors triggered during execution and the skill modules involved, a single-session risk prediction is calculated. Then, based on the single-session risk prediction, it is determined whether the current first session request to be inspected contains splicing malicious code, and if so, the formal execution of the first session request is blocked. First, splicing intent is screened to reduce the computational load of the isolation sandbox. Then, the execution is carried out in the isolation sandbox, and the result of the behavior is used to determine whether it contains malicious code, supporting the identification of unknown malicious code.

[0064] 3. To identify and defend against malicious code splicing on multi-session servers, this application extracts target characteristic session requests and target execution session requests from the request history chain. First, it determines whether the two are intended to be aggregated and spliced ​​together. Then, it splices and runs them in an isolated sandbox. Based on the risk factors triggered during the run and the skill modules involved, a multi-session risk estimate is calculated to determine whether splicing malicious code exists. If it is determined to exist, the formal execution of the target characteristic session request and the target execution session request is intercepted. By calculating a multi-session aggregation score, a set of target characteristic session requests and target execution session requests with aggregation and splicing tendencies is filtered out to reduce subsequent computational load. Then, by splicing and running them in an isolated sandbox, it identifies situations where malicious code attacks through multi-session splitting, and also supports the identification of unknown malicious code.

[0065] 4. To identify and defend against malicious code splicing by multiple client sessions, this application selects client-spliced ​​session requests from the request history chain as third-party session requests to be inspected. First, it calculates the client aggregation score and client risk level of the third-party session requests to be inspected. Based on the sum of the client aggregation score and client risk level, it determines that the third-party session requests to be inspected have a tendency to aggregate and splice. Then, these third-party session requests with aggregation and splicing tendencies are spliced ​​and run in an isolation box. Risk factors triggered during the run and skill modules read are assessed for risk. Finally, if the assessment still indicates a high risk, these third-party session requests are blocked. By filtering out a group of third-party session requests with a tendency to combine requests through the sum of the client aggregation score and client risk level to reduce subsequent computation, and then splicing and running them in an isolation sandbox, this application identifies situations where malicious code attacks by splicing requests in batches through the client, and also supports malicious code identification. Attached Figure Description

[0066] Figure 1 This is a flowchart of a method for defending against spliced ​​malicious code disclosed in an embodiment of this application;

[0067] Figure 2 yes Figure 1 Flowchart for step 12;

[0068] Figure 3 yes Figure 1 Flowchart for step 13;

[0069] Figure 4 yes Figure 1 Flowchart for step 14;

[0070] Figure 5 This is a block diagram of a splicing malicious code defense device disclosed in an embodiment of this application. Detailed Implementation

[0071] In the following description, numerous specific details are set forth for purposes of explanation in order to provide a thorough understanding of the inventive concept. As part of this specification, some of the accompanying drawings of this disclosure are block diagrams illustrating structures and devices to avoid complicating the disclosed principles. For clarity, not all features of the actual embodiment need to be described. Unless expressly defined, the terms “a,” “an,” and “the” are not intended to refer to a singular entity, but rather to include general categories whose specific examples may be used for illustration. Therefore, the use of the terms “a” or “an” can mean any number of at least one, including “a,” “one or more,” “at least one,” and “one or more.”

[0072] This application provides a method for defending against concatenated malicious code, applied on the server side. The server and client communicate via a connection. The server is configured with a storage module, which stores a skill module library, request history chains, preset scoring thresholds, preset server-side aggregation thresholds, preset client-side aggregation thresholds, preset risk thresholds, scoring keywords, preset scoring values ​​corresponding to scoring keywords, and preset risk values ​​corresponding to risk levels. The skill module library, preset scoring thresholds, preset risk thresholds, scoring keywords, preset scoring values ​​corresponding to scoring keywords, and preset risk values ​​corresponding to risk levels are all pre-set. The skill module library includes skill modules and their risk levels. If the skill module library only contains skill modules, the storage module also stores the risk levels corresponding to each skill module; if the skill module library includes skill modules and their corresponding risk levels, the storage module remains unchanged.

[0073] In one example, preparations before the server goes live include configuring the skills module library by building a skills module risk graph.

[0074] The skill module library contains 100 skill modules, categorized into three risk levels: high-risk, medium-risk, and low-risk. Each skill module is assigned a risk level based on its function. Modules that do not involve system operations or file access are classified as low-risk (e.g., document search, weather query, data statistics). Modules involving local I / O but not supporting any code execution are classified as medium-risk (e.g., file reading, image processing, format conversion). Modules capable of executing code or commands are classified as high-risk (e.g., code execution, command execution, system call). Of these 100 skill modules in the skill database, 60 are classified as low-risk, 30 as medium-risk, and 10 as high-risk. Preferably, during server-side deployment, the skill module library is updated in real-time, allowing for the addition, deletion, and modification of skill modules' risk levels.

[0075] Furthermore, to facilitate the search of skill modules in the skill module library, an index is provided. The index includes the skill module name, the starting line number of the code, the ending line number of the code, and the risk level. The index is shown in the table below:

[0076]

[0077] After the server is configured, the process of a user sending a session request to the server through the client is as follows:

[0078] After successful user authentication, the client sends user identity information and a session request to the server based on the user's input signals. After obtaining the user identity information, the client can either assume the user authentication is successful by default, or compare the obtained user identity information with its own stored set of permission identity information. If the user identity information belongs to the permission identity information set, the client determines that the user authentication is successful. The client can obtain user identity information through user input (such as username and password) or by reading it from the device (such as reading user fingerprint information). User identity information can be uniquely identifying information such as user fingerprints, usernames, and passwords. The session request includes at least one of the following: concatenation mode, operation command, skill module name, and coordinate positioning of a specified command within the skill module. There are two concatenation modes: server-side concatenation and client-side concatenation.

[0079] When the server receives the user's identity information and session request from the client, it stores the session request in the request history chain corresponding to the user's identity information (or creates a new request history chain if it doesn't exist). All session requests in the request history chain corresponding to the user's identity information originate from the same user. The session requests in the request history chain include both server-assembled session requests and client-assembled session requests. Even if the user deletes the context-related content of the session request through the client, the server will still associate the session request with the same user's request history chain based on the user's identity information, thus easily finding the context of the session request.

[0080] The following details the implementation of a method for defending against concatenated malicious code in this embodiment. The following details are provided for ease of understanding and are not essential to this implementation. The specific process of this embodiment is as follows: Figures 1-4 As shown, it includes the following steps:

[0081] Step 10: Obtain session requests from the same request history chain.

[0082] Specifically, the server stores multiple request history chains, each corresponding to a user identity information. Each request history chain includes at least one session request from the same user, and each session request includes at least one of the following: concatenation mode, operation instruction, skill module name, and coordinate location of a specified instruction within the skill module. There are two concatenation modes in the session requests: server-side concatenation and client-side concatenation. In server-side concatenation, the server retrieves the corresponding code from the skill module library based on the skill module name and coordinate location in the session request, and executes the operation instruction (such as "concatenation") in the session request. In client-side concatenation, the server retrieves the corresponding code from the skill module library based on the skill module name and coordinate location in the session request, and transmits the code to the client, which then executes the corresponding operation instruction in the session request. When no user identity information is specified, all session requests from a random request history chain on the server are directly used as the execution result of step 10. When a specified user identity information is specified, all session requests in the request history chain corresponding to the specified user identity information are read from the server and used as the execution result of step 10.

[0083] After step 10 is executed, the following steps are performed: Step 11: Identify the concatenation pattern of session requests in the request history chain. If the concatenation pattern is server-side concatenation, proceed to steps 12 and 13; if the concatenation pattern is client-side concatenation, proceed to step 14. Step 12: Identify and intercept single-session server-side concatenation malicious code for this session request (see steps 20-24). Step 13: Identify and intercept multi-session server-side concatenation malicious code (see steps 30-34). Step 14: Identify and intercept multi-session client-side concatenation malicious code for this session request (see steps 40-44).

[0084] (1) For the identification and interception of malicious code spliced ​​on the single-session server, please refer to the appendix for the process. Figure 2 As shown. After steps 10 and 11 are completed, step 12 is executed, which includes steps 20 to 24.

[0085] Step 20: Select a session request in the request history chain whose splicing mode is server-side splicing as the first session request to be inspected.

[0086] Specifically, if immediate determination is required, in step 20, the server directly selects the session request with the closest timestamp to the current time in the request history chain associated with the user's identity information, identifies the splicing pattern in the session request, and if the splicing pattern is server-side splicing, then the session request is used as the first session request to be inspected for single-session server-side splicing malicious code identification or as the second session request to be inspected for multi-session server-side splicing malicious code identification. If the splicing pattern is client-side splicing, then the session request is used as the third session request to be inspected for multi-session client-side splicing malicious code identification.

[0087] In one example, when immediate judgment is not required, the server stores several session requests awaiting concatenated malicious code detection. A user identity is selected, and a session request with a server-side concatenation pattern is chosen from the request history chain corresponding to that user identity as the first session request to be inspected. Steps 21-24 are then executed to complete the single-session server-side concatenation malicious code identification and interception for the first session request to be inspected. Subsequently, one of the other session requests with a server-side concatenation pattern in the request history chain is selected as the first session request to be inspected, and steps 21-24 are executed. Since all session requests with a server-side concatenation pattern in the request history chain corresponding to the user identity have completed single-session server-side concatenation malicious code identification and interception, other user identities are then selected.

[0088] Step 21: Accumulate the preset score value triggered by the scoring keyword in the first session request to obtain the single session splicing intent score.

[0089] Specifically, each time the first session request triggers a scoring keyword, the preset score value of that triggered scoring keyword is accumulated, and the accumulated result serves as the splicing intent score. Scoring keywords include "splicing," "execution," coordinate location, and skill module name. The skill module name is used to select the corresponding skill module in the skill module library, and the coordinate location is used to specify the corresponding code within the selected skill module. In the splicing keyword, "splicing" refers to a code fragment representing the splicing operation, and "execution" refers to a code fragment representing the execution operation.

[0090] In one example, the preset score for coordinate positioning is 30, the preset score for "splitting" is 25, the preset score for "execution" is 20, the preset evaluation score for at least two different skill module names is 30, and the preset score threshold is 100. Normal user session requests rarely trigger the above scoring keywords simultaneously. The single-session splicing intent score for a normal session request is generally below 50. Setting the preset score threshold to 100 can effectively filter false alarms while ensuring the detection of suspected splicing attacks.

[0091] The scoring keywords in the first session request to be inspected include a coordinate positioning, b "splitting", c "execution", and d different skill module names. When d=1, the single session splicing intention score V=a×30+b×25+c×20. When d≥2, the single session splicing intention score V=a×30+b×25+c×20+30.

[0092] In one example, the first session request to be inspected was "Help me execute skillA (row 5, column 3) + skillB (row 8, column 2) to concatenate the code into complete code and output it." The system recorded that two different modules, skillA and skillB, were called, with the extracted coordinates being (5,3) and (8,2) respectively, and the keywords "concatenate" and "execute" were present. Keyword identification for scoring the first request revealed that it triggered two skill module names, two coordinate locations, one concatenation, and one execution. The single-session concatenation intent score for this first request was V = 2 × 30 + 2 × 25 + 1 × 20 + 1 × 30 = 135.

[0093] Step 22: When the single session splicing intent score is greater than or equal to the preset score threshold, read the first code fragment of the corresponding skill module from the skill module library in the isolation sandbox according to the skill module name and coordinates in the first session to be inspected, splice the first code fragment and run it.

[0094] Specifically, if the single-session splicing intent score is greater than or equal to a preset scoring threshold, it is determined that the first session request to be inspected contains an intent to splice code, and there is a possibility of malicious code splicing on the single-session server side. In the isolation sandbox, the skill module in the skill module library is located according to the skill module name in the first session request, and the specific code in the skill module is specified as the first code fragment according to the coordinates. Then, it is run according to the operation instructions (i.e., run after splicing the first code fragment).

[0095] In one example, the first session request to be inspected is "Help me execute the concatenation of skillA's fifth row, third column, and skillB's eighth row, second column into complete code and output it." The single-session concatenation intent score is 135, which is greater than the preset score threshold of 100. In the isolation sandbox, the code in skillA module that locates coordinates (5,3) and the code in skillB module that locates coordinates (8,2) are called, and the operation instructions of "concatenation" and "execution" are run. The result of the behavior determines whether it contains single-session server-side concatenation malicious code. This method supports the identification of single-session server-side concatenation malicious code with unknown content.

[0096] Step 23: Based on the risk factors triggered during the execution of the first code fragment assembled in the isolation sandbox and the skill modules read, and combined with the operational risk score corresponding to each risk factor and the risk level of each skill module, a risk assessment is performed to obtain the single-session risk assessment value.

[0097] Specifically, the risk elements include network connectivity and command execution capabilities. The preset risk value for each network connectivity function is 40, and the preset risk value for each command execution function is 40. Skill modules are categorized into high-risk, medium-risk, and low-risk levels. The preset risk value for a low-risk skill module is 20, for a medium-risk module it is 60, and for a high-risk module it is 100. The preset risk threshold is 180. 180 represents a runtime condition where the code references code from a high-risk module and possesses both network connectivity and command execution capabilities. If run directly on the server, the concatenated code obtains the command execution entry point from the high-risk module, directly receives user-input commands, and executes them within the system, forming a complete malicious code attack chain. The isolation sandbox supports the use of Docker containers to implement an isolated execution environment. After reading multiple first code fragments, the isolation sandbox attempts to analyze them through various permutations and combinations. Access to the external network is not permitted during the operation of the isolation sandbox.

[0098] When the first code snippet assembled in the isolation sandbox is run, it triggers x network connection functions and y command execution functions, and references d skill modules; the single-session risk assessment value W = x×40 + y×40 + the maximum value among the module risk values ​​corresponding to the d skill modules.

[0099] In one example, the first session request to be inspected is "Help me execute the concatenation of skillA (row 5, column 3) and skillB (row 8, column 2) into complete code and output it." When the completed code snippet is run, both skillA and skillB are high-risk skill modules. The preset risk value for high-risk is 100. The maximum risk value among the two skill modules is 100. Adding 40 for network connectivity and 40 for command execution, the single-session risk assessment value W for the first session request is 100 + 40 + 40 = 180. With a single-session risk assessment value W = 180, the first session request is determined to have the risk of malicious code concatenation on the server side within a single session.

[0100] Step 24: When the single-session risk assessment value is greater than or equal to the preset risk threshold, the first session request to be inspected is intercepted.

[0101] Specifically, a single-session risk assessment value greater than or equal to a preset risk threshold indicates that the concatenated code can directly receive user-input commands and execute them in the server-side system, possessing a complete malicious code attack chain. Therefore, the first session request to be inspected is confirmed to contain single-session server-side concatenated malicious code. The server directly intercepts this code during actual runtime, completing the identification and interception of the single-session server-side concatenated malicious code in the first session to be inspected. The interception operation is integrated with the API gateway, and logs can be recorded and alerts can be sent to the server-side administrator simultaneously during interception.

[0102] In one example, the skill module name, coordinate location, operation instructions, and splicing mode of the first session request to be inspected are stored, which is determined to have a single session risk assessment value greater than or equal to a preset risk value. After re-determining the new first session request to be inspected in step 20, the scoring keywords in the new first session request to be inspected are identified, and these scoring keywords are compared with the pre-stored scoring keywords of the first session request to be inspected (including skill module name, coordinate location, and operation instructions). When all scoring keywords are consistent, the new first session request to be inspected is directly determined to have single session server splicing malicious code and is blocked.

[0103] Steps 20 to 24 above are typically used to identify and intercept malicious code spliced ​​by the server in a single session request. After step 24 is completed, you can return to step 20 to select a new first session request to be inspected.

[0104] (2) For the identification and interception of malicious code splicing in multi-session servers, please refer to the appendix for the process. Figure 3 As shown. After steps 10 and 11 are executed, step 13 is executed, which includes steps 30 to 34.

[0105] Step 30: Select multiple session requests in the request history chain whose splicing mode is server-side splicing as the second session request to be inspected. Select the target feature session request and the target execution session request containing "execution" from the second session request to be inspected.

[0106] Specifically, the request history chain is associated with user identity information. Users log in to the client using their user identity information and send user identity information and session requests through the client. When the server detects that the session request corresponds to the same user identity information, it associates the session request with the request history chain corresponding to that user identity information.

[0107] Session requests requiring multi-session server-side malicious code concatenation identification are designated as the second set of session requests to be inspected. Based on the word "execute," target characteristic session requests and target execution session requests containing "execute" are selected from the second set of session requests to be inspected. This includes: designating second session requests identified with "execute" as execution session requests, and selecting one execution session request as the target execution session request; designating the second set of session requests between the preceding execution session request and the target session request as target characteristic session requests; and when the target execution session request is the first execution session request in the request history chain, designating all second set of session requests preceding the target execution session request as target characteristic session requests. A set of session requests for multi-session server-side malicious code concatenation includes target execution session requests and target characteristic session requests. The target execution session request includes at least one session request, and the target execution session includes an "execute" operation instruction.

[0108] In one example, selecting user identity information, the server-attached session requests in the request history chain associated with that user identity information include:

[0109] Session 1: Create a new session, extract skillA from the fifth row and third column → close the session;

[0110] Session 2: Create a new session, extract skillB from the 8th row and 2nd column → close the session;

[0111] Session 3: Create a new session and request to concatenate and execute the above two segments;

[0112] Session 4: Create a new session, extract skillC from the third row and eighth column → close the session;

[0113] Session 5: Create a new session, extract the second column of the fifth row of skill, and request to concatenate and execute the aforementioned two segments.

[0114] Sessions 3 and 5, both containing the word "execute," are identified as execution session requests. Session 3 is the target execution session request. Sessions 1 and 2 are identified as target feature session requests. Sessions 1, 2, and 3 form a group of session requests for identifying and intercepting malicious code concatenated across multiple sessions. Session 5 is the target execution session request. Session 4 is a session request located between the previous target execution session (Session 3) and the target execution session request (Session 5), with a concatenation pattern of server-side concatenation. Session 4 is the target feature session request. Sessions 4 and 5 form a group of session requests for identifying and intercepting malicious code concatenated across multiple sessions.

[0115] Step 31: Accumulate the preset aggregation scores triggered by the target feature session requests and target execution session requests meeting the aggregation requirements to obtain the multi-session aggregation score.

[0116] Specifically, in a set of session requests used for multi-session server-side malicious code identification and interception, the sum of preset aggregation scores triggered by the target feature session request and the target execution session request meeting aggregation requirements is calculated to obtain the multi-session aggregation score. The aggregation requirements include: the number of window extractions within a first preset duration is greater than or equal to 2; the number of new session requests within a second preset duration is greater than or equal to 3; the number of coordinate locations is greater than or equal to 2; the number of different skill module names is greater than or equal to 2; and the code corresponding to the coordinate location of the skill module name in the target feature session request and the target execution session request has a command execution entry point after concatenation.

[0117] In one example, the first preset duration is 24 hours, and the preset aggregation score corresponding to the number of window extractions N within 24 hours is N×10, where N is an integer greater than or equal to 2; the second preset duration is 1 hour, and the preset aggregation score corresponding to the number of new session requests M within 1 hour is M×10, where M is an integer greater than or equal to 3; the preset aggregation score corresponding to the number of coordinate positioning is 20; the preset aggregation score corresponding to the number of different skill module names is 15; the preset aggregation score corresponding to the code for coordinate positioning corresponding to the skill module name in the target feature session request and the target execution session request having a command execution entry point after concatenation is 25; the preset server-side aggregation threshold is 100.

[0118] For a set of session requests including Session 1, Session 2 and Session 3, the number of window extractions within 24 hours is N=2, with a corresponding preset aggregation score of 20. The number of new sessions created within 1 hour is M=3, with a corresponding preset aggregation score of 30. The preset aggregation score for having two different skill module names (skillA and skillB) is 15. The preset aggregation score for having two different coordinate locations is 20. The preset aggregation score for having two segments whose total length can form a complete function (the concatenated code has a command execution entry point) is 25. The aggregation score of this set of session requests = 20+30+15+20+25=110. The aggregation score of this set of session requests 110 > the preset server-side aggregation threshold of 100, so proceed to step 32.

[0119] For a set of session requests including session 4 and session 5, the number of window extractions within 24 hours is N=2, with a corresponding preset aggregation score of 20. The number of new sessions created within 1 hour is M=2, with a corresponding preset aggregation score of 20. The preset aggregation score for having two different skill module names (skillC and skillD) is 15. The preset aggregation score for having two different coordinate locations is 20. The preset aggregation score for two segments whose total length can form a complete function (the concatenated code has a command execution entry point) is 25. The aggregation score of this set of session requests = 20 + 20 + 15 + 20 + 25 = 100. The aggregation score of this set of session requests 100 = the preset server-side aggregation threshold of 100. Execute step 32.

[0120] Step 32: When the multi-session aggregation score is greater than or equal to the preset server aggregation threshold, read the second code fragment of the corresponding skill module from the skill module library in the isolation sandbox according to the skill module name and coordinate location identified by the target feature session request and the target execution session request, and then execute the second code fragment.

[0121] Specifically, when the multi-session aggregate score of a group of sessions is greater than or equal to a preset server-side aggregation threshold, the group of sessions is run in an isolation sandbox. The second code fragment of the corresponding skill module is read from the skill module library based on the skill module name and coordinates, concatenated, and then executed. The behavioral results determine whether it contains malicious code concatenated from the multi-session server. This method supports the identification of malicious code concatenated from the multi-session server with unknown content. After the isolation sandbox reads multiple second code fragments, it attempts to concatenate and analyze them in various permutations and combinations. Access to the external network is not allowed during the operation of the isolation sandbox.

[0122] Step 33: Based on the risk factors triggered during the execution of the second code fragment assembled in the isolation sandbox and the skill modules read, and combined with the operational risk score corresponding to each risk factor and the risk level of each skill module, a risk assessment is performed to obtain the multi-session risk assessment value.

[0123] Specifically, during step 32 of the isolation sandbox operation, x network connection functions and y command execution functions are triggered, d skill modules are referenced, and the multi-session risk assessment value W = x×40 + y×40 + the maximum value among the module risk values ​​corresponding to the d skill modules, with a preset risk threshold of 180.

[0124] Step 34: When the multi-session risk assessment value is greater than or equal to the preset risk threshold, intercept the target feature session request and the target execution session request.

[0125] Specifically, a multi-session risk assessment value greater than or equal to a preset risk threshold indicates that during step 32, the system possesses network connectivity and command execution capabilities. The concatenated code obtains the command execution entry point from the high-risk module, directly receives user-input commands, and executes them within the system, exhibiting a complete malicious code attack chain and malicious functionality. The interception process is identical to step 24, with the interception operation integrated with the API gateway. During interception, logs are simultaneously recorded, and alerts are sent to the server-side administrator.

[0126] Steps 30-34 above are typically used to identify and intercept malicious code concatenated by the server for multiple session requests. After step 34 is completed, you can return to step 30 to select a new set of session requests (including target execution session requests and target characteristic session requests). Steps 30-34 can be executed synchronously with steps 20-24.

[0127] (3) For the identification and interception of malicious code splicing by multi-session clients, please refer to the appendix for the process. Figure 4 As shown. After steps 10 and 11 are completed, step 14 is executed, which includes steps 40 to 45.

[0128] Step 40: Select at least one session request in the request history chain whose splicing mode is client splicing as the third session request to be inspected.

[0129] Specifically, based on the user's identity information, a request history chain is specified, and a session request in the request history chain whose concatenation mode is client-side concatenation is selected as the third session request to be inspected.

[0130] In one example, the session requests in the request history chain with the client-side concatenation pattern include:

[0131] Session 6: Create a new session → Request output for skillA in the fifth row and third column → Close;

[0132] Session 7: Create a new session → Request output of skillB in the second column of the eighth row → Close.

[0133] From these session requests, sessions with adjacent timestamps are grouped together, and each group of session requests includes at least two client-attached session requests.

[0134] Step 41: Accumulate the preset aggregation score triggered by the third pending session request meeting the aggregation requirements to obtain the client aggregation score.

[0135] Specifically, the aggregation requirements include: the number of window extractions within a first preset duration is greater than or equal to 2; the number of new session requests within a second preset duration is greater than or equal to 2; the number of coordinate locations is greater than or equal to 2; and the number of different skill module names is greater than or equal to 2. The first preset duration is 24 hours, and the preset aggregation score corresponding to the number of window extractions N within 24 hours is N×10, where N is an integer greater than or equal to 2. The second preset duration is 1 hour, and the preset aggregation score corresponding to the number of new session requests reaching M within 1 hour is M×10, where M is an integer greater than or equal to 3. The preset aggregation score corresponding to at least two coordinate locations is 20; and the preset aggregation score corresponding to at least two different skill module names is 15.

[0136] In one example, for a set of client-concatenated session requests (i.e., session 6 and session 7), the preset aggregation score triggered by meeting the aggregation requirements in session 6 and session 7 is accumulated as the client aggregation score, and the client aggregation score P = N×10+15+M×10+20.

[0137] Step 42: Accumulate the preset risk score triggered by the third pending session request meeting the client risk requirements to obtain the client risk quantity.

[0138] Specifically, client-side risk requirements include ensuring that the skill module indicated by the skill module name in the third session request to be output to the client is a high-risk skill module. For multi-session client splicing malicious code identification, the aim is to utilize the client for batch splicing attacks. Attackers attempt to bypass detection by having the server output fragments and splice them locally. Therefore, additional risk is required. The score is directly linked to the output behavior and module risk. Each session request requiring direct output of fragments to the client adds 20 points, and each fragment extracted based on the skill module name and coordinates originating from a high-risk skill module adds 15 points.

[0139] In one example, for a set of client-concatenated session requests (i.e., session 6 and session 7), the preset risk score corresponding to the j times to be output to the client is j×20. If the third code fragment indicated by the skill module name and coordinate location in the third session request to be inspected has k instances from skill modules with a high risk level, then the corresponding preset risk score is k×15, and the client risk quantity Q=j×20+k×15. j=2, k=2, Q=2×20+2×15=70.

[0140] Step 43: When the sum of the client aggregate score and the client risk quantity is greater than or equal to the preset client aggregate threshold, in the isolation sandbox, according to the skill module name and coordinates identified by the third session to be inspected, the third code fragment of the corresponding skill module is read from the skill module library, and the third code fragment is spliced ​​together and then run.

[0141] Specifically, the sum of the client aggregation score and the client risk level = P + Q = N×10 + 15 + M×10 + 20 + j×20 + k×15 = N×10 + M×10 + j×20 + k×15 + 35. The preset client aggregation threshold is 145. If P + Q ≥ 145, it indicates that the client's concatenated group of session requests (sessions 6 and 7) exhibits suspected batch code snippet theft attack behavior.

[0142] Step 44: Based on the risk factors triggered during the execution of the third code fragment assembled in the isolation sandbox and the skill modules read, and combining the operational risk scores corresponding to each risk factor and the risk level of each skill module, a risk assessment is conducted to obtain the client risk assessment value.

[0143] Specifically, during step 43 of the isolation sandbox operation, x network connection functions and y command execution functions are triggered, d skill modules are referenced, and the client risk assessment value W = x×40 + y×40 + the maximum value of the module risk values ​​corresponding to the d skill modules, with a preset risk threshold of 180.

[0144] Step 45: When the client's risk assessment value is greater than or equal to the preset risk threshold, intercept the third session request to be inspected.

[0145] Specifically, if the client's risk assessment value is greater than or equal to the preset risk threshold, it means that the client had network connectivity and command execution capabilities during step 43, possessing a complete malicious code attack chain and exhibiting malicious functionality. The interception process is the same as step 24, with the interception operation connected to the API gateway. During interception, logs can be recorded simultaneously, and alerts can be sent to the server-side administrator.

[0146] Steps 40 to 45 above are typically used to identify and intercept malicious code splicing between multiple session requests spliced ​​by the server. After step 44 is completed, you can return to step 30 to select a new set of session requests (including session requests spliced ​​by at least two clients in the request history chain).

[0147] The steps described above are only for clarity. In practice, they can be combined into one step or some steps can be broken down into multiple steps. As long as they involve the same logical relationship, they are all within the scope of protection of this patent. Adding insignificant modifications or introducing insignificant designs to the algorithm or process, as long as they do not change the core design of the algorithm and process, are also within the scope of protection of this patent.

[0148] This application also provides a defense device against spliced ​​malicious code, applied to server-side 100. (Reference) Figure 5 As shown, the defense device against spliced ​​malware includes:

[0149] The request receiving module 101 is communicatively connected to the request sending module 501 of the client 500, and is used to receive session requests and user identity information from the client 500. After obtaining the user identity information from the user, the client 500 performs authentication. After successful authentication, it generates a session request according to the user's command, swaps the user identity information with the session request, and sends it to the request receiving module 101 of the server 100 through the request sending module 501.

[0150] Storage module 102 stores a skill module library, request history chain, preset scoring thresholds, preset risk thresholds, scoring keywords, preset scoring values ​​corresponding to scoring keywords, preset risk values ​​corresponding to risk levels, server-side aggregation thresholds, and client-side aggregation thresholds. The skill module library includes at least one skill module and its corresponding risk level, created through a skill graph, and maintains risk tags and location indexes for all skill modules. When configuring the risk level of a skill module, risk levels that do not involve system operations or file access are set to low risk; risk levels involving local I / O but not supporting code execution are set to medium risk; and risk levels supporting the execution of specified code or commands are set to high risk. Each skill module has a unique name. The request history chain is associated with user identity information and includes at least one session request corresponding to the user's identity information. Scoring keywords include "concatenation," "execution," coordinate location, and the skill module name. The preset scoring thresholds, preset risk thresholds, preset scoring values ​​corresponding to scoring keywords, and preset risk values ​​corresponding to risk levels are all pre-set.

[0151] The association storage module 106, connected to the request receiving module 101 and the storage module 102, stores the session request in the request history chain corresponding to the user's identity information in the storage module. Preferably, the storage module also stores a set of authorized identity information. The association storage module 106 verifies the user's identity information according to the authorized identity set. If the user's identity information belongs to the authorized identity set, the verification is deemed successful. After the user's identity information is verified, the session request is stored in the request history chain corresponding to the user's identity information in the storage module. The server performs user verification to ensure the validity of the session request.

[0152] The target selection module 103, connected to the request receiving module 101 and the storage module 102, is used to select, based on user identity information, a session request with a server-side splicing pattern from the request history chain corresponding to the storage module 102 as the first session request to be inspected; select at least one session request with a server-side splicing pattern as the second session request to be inspected; select a target execution session request and a target feature session request from the second session request to be inspected based on "execution"; and select at least one session request with a client-side splicing pattern as the third session request to be inspected. It also listens to the request history chain indicating the user's request, extracts the splicing pattern from the request history chain, and thus selects the first, second, and third session requests to be inspected.

[0153] The single-session splicing intent judgment module 201 is connected to the detection target selection module 103. It accumulates the preset score value triggered by the scoring keyword in the first session to be inspected request to obtain the single-session splicing intent score. When the single-session splicing intent score is greater than or equal to the preset score threshold in the storage module 102, it sends a first start signal and a first session to be inspected request to the isolation sandbox 104.

[0154] The multi-session server-side aggregation judgment module 301, connected to the target selection module 103, accumulates preset aggregation scores triggered when target feature session requests and target execution session requests meet aggregation requirements, thus obtaining a multi-session aggregation score. When the multi-session aggregation score is greater than or equal to a preset server-side aggregation threshold, a second start signal, a target feature session request, and a target execution session request are sent to the isolation sandbox 104. The aggregation requirements in the multi-session server-side aggregation judgment module 301 include: window extraction count greater than or equal to 2 within a first preset time period; new session request count greater than or equal to 3 within a second preset time period; number of coordinate locations greater than or equal to 2; number of different skill module names greater than or equal to 2; and the code for coordinate location corresponding to the skill module name in the target feature session request and the target execution session request having a command execution entry point after concatenation.

[0155] The multi-session client aggregation judgment module 401, connected to the detection target selection module 103, accumulates the preset aggregation score triggered by the third pending session request meeting the aggregation requirements to obtain a client aggregation score, and accumulates the preset risk score triggered by the third pending session request meeting the client risk requirements to obtain a client risk quantity. It calculates the sum of the client aggregation score and the client risk quantity; when the sum is greater than or equal to a preset client aggregation threshold, it sends a third start signal and a third pending session request to the isolation sandbox 104. The aggregation requirements in the multi-session client aggregation judgment module 401 include: the number of window extractions within a first preset time period being greater than or equal to 2; the number of new session requests within a second preset time period being greater than or equal to 2; the number of coordinate locations being greater than or equal to 2; and the number of different skill module names being greater than or equal to 2.

[0156] The isolation sandbox 104 is connected to the single-session splicing intent judgment module 201, the multi-session server aggregation judgment module 301, the multi-session client aggregation judgment module 401, and the storage module 102. Upon receiving a first start signal, it reads the first code fragment of the corresponding skill module from the skill module library according to the skill module name and coordinates in the first pending session request, splices the first code fragment, and runs it. Upon receiving a second start signal, it reads the second code fragment of the corresponding skill module from the skill module library according to the skill module name and coordinates in the target feature session request and the target execution session request, splices the second code fragment, and runs it. Upon receiving a third start signal, it reads the third code fragment of the corresponding skill module from the skill module library according to the skill module name and coordinates in the third pending session request, splices the third code fragment, and runs it.

[0157] The single-session risk assessment and judgment module 202 is connected to the isolation sandbox 104 and the storage module 102. It is used to perform risk assessment based on the risk elements triggered during the operation of the first code segment assembled in the isolation sandbox 104 and the skill modules read, combined with the operation risk score corresponding to each risk element and the risk level of each skill module, to obtain a single-session risk assessment value; when the single-session risk assessment value is greater than or equal to the preset risk threshold, it sends a first interception start signal to the interception module 105.

[0158] The multi-session risk assessment and judgment module 302 is connected to the isolation sandbox 104 and the storage module 102. It is used to perform risk assessment based on the risk elements triggered during the operation of the second code segment assembled in the isolation sandbox 104 and the skill modules read, combined with the operation risk score corresponding to each risk element and the risk level of each skill module in the storage module 102, to obtain the multi-session risk assessment value. When the multi-session risk assessment value is greater than or equal to the preset risk threshold, it sends a second interception start signal to the interception module 105.

[0159] The client risk assessment and judgment module 402 is connected to the isolation sandbox 104 and the storage module 102. It is used to perform risk assessment based on the risk elements triggered during the operation of the third code segment assembled in the isolation sandbox 104 and the skill modules read, combined with the operation risk score corresponding to each risk element and the risk level of each skill module in the storage module 102, to obtain the client risk assessment value. When the client risk assessment value is greater than or equal to the preset risk threshold, it sends a third interception start signal to the interception module 105.

[0160] Interception module 105, connected to single-session risk assessment and judgment module 202, multi-session risk assessment and judgment module 302, and client risk assessment and judgment module 402, is used to control the interception of a first pending session request based on a first interception initiation signal, to control the interception of target characteristic session requests and target execution session requests based on a second interception initiation signal, and to control the interception of a third pending session request based on a third interception initiation signal. Figure 5 The two interception modules 105 can be merged into one. The single-session splicing intent judgment module 201, the multi-session server-side aggregation judgment module 301, and the multi-session client-side aggregation judgment module 401 can be merged into an intent analysis module. This module calculates splicing intent scores for single sessions and across sessions, filtering out those with splicing intent to run in the isolation sandbox 104. The isolation sandbox 104 supports using Docker containers to implement an isolated execution environment and supports automatic combined analysis. The single-session risk assessment judgment module 202, the multi-session risk assessment judgment module 302, and the client-side risk assessment judgment module 402 can be merged into a risk assessment module, integrating multi-dimensional features to calculate the overall risk score. The interception module 105 interfaces with the API gateway, supporting allowance, enhanced monitoring, output restriction, and response interception. When the interception module 105 intercepts the first pending session request, the third pending session request, the target feature session request, and the target execution session request, it generates logs and sends alarm signals to server administrators.

[0161] Other implementation details and working methods of the splicing malicious code defense device disclosed in this application are the same as or similar to the splicing malicious code defense method described above, and will not be repeated here.

[0162] This application also provides a computer-readable storage medium storing a computer program thereon, which, when executed by a processor, performs the aforementioned method for defending against spliced ​​malicious code.

[0163] The above are all preferred embodiments of this application, and are not intended to limit the scope of protection of this application. Therefore, all equivalent changes made in accordance with the structure, shape and principle of this application should be covered within the scope of protection of this application.

Claims

1. A method of piecing together a defense against malicious code, characterized by, The method includes the following steps: Step 10: Obtain session requests from the same request history chain; wherein, the request history chain includes at least one session request from the same user, each session request includes a splicing mode, an operation instruction, a skill module name, and the coordinate positioning of a specified instruction in the skill module, the splicing mode includes server-side splicing and client-side splicing, the skill module library includes skill modules with multiple different risk levels, and each skill module corresponds to a unique skill module name; Step 20: Select a session request with the server-side splicing mode in the request history chain as the first session request to be inspected; Step 21: Accumulate the preset score values triggered by the score keywords in the first session request to be inspected to obtain a single-session splicing intention score; wherein, the score keywords include "splicing", "execution", coordinate positioning, and skill module name; Step 22: When the single-session splicing intention score is greater than or equal to the preset score threshold, read the first code segment of the corresponding skill module from the skill module library according to the skill module name and coordinate positioning in the first session request to be inspected in the isolation sandbox, splice the first code segment and then run it; Step 23: According to the risk factors triggered during the running of the first code segment spliced in the isolation sandbox and the read skill modules, combine the running risk scores corresponding to each risk factor and the risk levels of each skill module to perform risk assessment to obtain a single-session risk assessment value; wherein, the risk factors include network connection function and command execution function; Step 24: When the single-session risk assessment value is greater than or equal to the preset risk threshold, intercept the first session request to be inspected.

2. The method of claim 1, wherein, The step of accumulating the preset score values triggered by the score keywords in the first session request to be inspected to obtain a single-session splicing intention score includes: There are a coordinate positionings, b "splicing", c "execution", and d different skill module names among the score keywords in the first session request to be inspected; When d = 1, the single-session splicing intention score V = a×30 + b×25 + c×20; When d ≥ 2, the single-session splicing intention score V = a×30 + b×25 + c×20 + 30; Wherein, the preset score value corresponding to the coordinate positioning is 30, the preset score value corresponding to "splicing" is 25, the preset score value corresponding to "execution" is 20, the preset evaluation score corresponding to at least two different skill module names is 30, and the preset score threshold is 100.

3. The method of claim 1, wherein, The step of performing risk assessment according to the risk factors triggered during the running of the first code segment spliced in the isolation sandbox and the read skill modules, combining the running risk scores corresponding to each risk factor and the risk levels of each skill module to obtain a single-session risk assessment value includes: When the first code segment spliced in the isolation sandbox runs, it triggers the network connection function x times and the command execution function y times, and d skill modules are referenced; The single-session risk assessment value W = the maximum value among x×40 + y×40 + the module risk values corresponding to d skill modules; The preset risk value for each network connection function is 40, the preset risk value for each command execution function is 40, the risk level of the skill module is high risk level, medium risk level, and low risk level, the preset risk value corresponding to the low risk level is 20, the preset risk value corresponding to the medium risk level is 60, the preset risk value corresponding to the high risk level is 100, and the preset risk threshold is 180.

4. The method of claim 1, wherein, After step 10 is executed, the method further includes the following steps: Step 30: Select multiple session requests in the request history chain whose splicing mode is server-side splicing as the second session request to be inspected; select the target feature session request and the target execution session request containing "execution" from the second session request to be inspected. Step 31: Accumulate the preset aggregation scores triggered by the target feature session request and the target execution session request meeting the aggregation requirements to obtain a multi-session aggregation score; wherein, the aggregation requirements include: the number of window extractions within a first preset time period is greater than or equal to 2, the number of new session requests within a second preset time period is greater than or equal to 3, the number of coordinate positioning is greater than or equal to 2, the number of different skill module names is greater than or equal to 2, and the code corresponding to the coordinate positioning of the skill module name in the target feature session request and the target execution session request has a command execution entry after being concatenated; Step 32: When the multi-session aggregation score is greater than or equal to the preset server-side aggregation threshold, in the isolation sandbox, according to the target feature session request and the target execution session request, the skill module name and the coordinate positioning are identified from the skill module library, the second code fragment of the corresponding skill module is read, the second code fragment is concatenated and then executed; Step 33: Based on the risk factors triggered during the execution of the second code fragment assembled in the isolation sandbox and the skill modules read, and combined with the operational risk score corresponding to each risk factor and the risk level of each skill module, a risk assessment is conducted to obtain the multi-session risk assessment value. Step 34: When the multi-session risk assessment value is greater than or equal to the preset risk threshold, the target feature session request and the target execution session request are intercepted.

5. The method of claim 4, wherein, The multi-session aggregation score is obtained by accumulating the preset aggregation scores triggered when the target feature session request and the target execution session request meet the aggregation requirements, including: The first preset duration is 24 hours. The preset aggregate score corresponding to the number of window extractions N within 24 hours is N×10, where N is an integer greater than or equal to 2. The second preset duration is 1 hour. The preset aggregate score corresponding to the number of new session requests reaching M within 1 hour is M×10, where M is an integer greater than or equal to 3. The preset aggregation score is 20 when the number of coordinate positioning reaches 2. The preset aggregate score is 15 when the number of different skill module names reaches 2. The code for locating the coordinates of the skill module name in the target feature session request and the target execution session request, after being concatenated, has a preset aggregate score of 25 corresponding to the command execution entry point; When the target feature session request and the target execution session request satisfy the aggregation requirement, the preset aggregation score corresponding to the aggregation requirement is accumulated to obtain the aggregation score, and the preset server-side aggregation threshold is 100.

6. The method of claim 1, wherein, After step 10 is executed, the method further includes the following steps: Step 40: Select at least one session request in the request history chain whose splicing mode is client splicing as the third session request to be inspected; Step 41: Accumulate the preset aggregation score triggered by the third pending session request meeting the aggregation requirements to obtain the client aggregation score; wherein, the aggregation requirements include the number of window extractions within a first preset time period being greater than or equal to 2, the number of new session requests within a second preset time period being greater than or equal to 2, the number of coordinate positioning being greater than or equal to 2, and the number of different skill module names being greater than or equal to 2. Step 42: Accumulate the preset risk score triggered by the third session request to be inspected meeting the client risk requirements to obtain the client risk level; wherein, the client risk requirements include requiring output to the client and the skill module indicated by the skill module name in the third session request to be a skill module with a high risk level. Step 43: When the sum of the client aggregate score and the client risk quantity is greater than or equal to the preset client aggregate threshold, in the isolation sandbox, according to the skill module name and coordinate location identified by the third session to be inspected, the third code fragment of the corresponding skill module is read from the skill module library, the third code fragment is concatenated and then executed. Step 44: Based on the risk factors triggered during the execution of the third code fragment assembled in the isolation sandbox and the skill modules read, and combined with the operational risk score corresponding to each risk factor and the risk level of each skill module, a risk assessment is conducted to obtain the client risk assessment value. Step 45: When the client risk assessment value is greater than or equal to the preset risk threshold, the third session request to be inspected is intercepted.

7. The method of claim 6, wherein, The preset aggregation score triggered by the cumulative aggregation requirements of the third pending session request is used to obtain the client aggregation score, including: The first preset duration is 24h, and the preset score corresponding to the number of window extractions n within 24h is n×10. The second preset duration is 1h, and the preset aggregate score corresponding to the number of new session requests m within 1h is m×10, the preset aggregate score corresponding to the number of coordinate positioning 2 is 20, and the preset aggregate score corresponding to the number of different skill module names 2 is 15. When the third pending session request meets the aggregation requirement, the preset aggregation score corresponding to the aggregation requirement is accumulated to obtain the client aggregation score.

8. The method of claim 6, wherein, The preset risk score triggered by the cumulative third pending session request meeting the client risk requirements is used to obtain the client risk quantity, including: The preset risk score corresponding to the j outputs to the client is required to be j×20. If the code fragments jointly indicated by the skill module name and coordinate positioning in the third pending session request come from skill modules with a high risk level, then the corresponding preset risk score is k×15, and the client risk quantity Q=j×20+k×15.

9. A defense device for spliced ​​malicious code, characterized in that, The device includes: The request receiving module is used to receive session requests and user identity information from the client. The storage module is used to store a skill module library, a request history chain, a preset scoring threshold, a preset risk threshold, scoring keywords, preset scoring values ​​corresponding to the scoring keywords, and preset risk values ​​corresponding to the risk levels. The skill module library includes at least one skill module and a risk level corresponding to the skill module. Each skill module has a unique skill module name. The request history chain includes at least one session request corresponding to the user's identity information. The scoring keywords include "concatenation", "execution", coordinate positioning, and skill module name. An association storage module is connected to the request receiving module and the storage module, and is used to store the session request into the request history chain corresponding to the user identity information in the storage module; The target selection module is connected to the request receiving module and the storage module, and is used to select a session request with a splicing mode of server splicing from the request history chain corresponding to the storage module as the first session request to be inspected based on the user identity information. The single-session splicing intent judgment module is connected to the detection target selection module. It is used to accumulate the preset score value triggered by the scoring keyword in the first session request to be inspected to obtain the single-session splicing intent score. When the single-session splicing intent score is greater than or equal to the preset score threshold, it sends a first start signal and the first session request to be inspected to the isolation sandbox. The isolation sandbox is connected to the single session splicing intent judgment module and the storage module. When the first start signal is received, it is used to read the first code fragment of the corresponding skill module from the skill module library according to the skill module name and coordinate location in the first session to be inspected, splice the first code fragment and run it. The single-session risk assessment and judgment module is connected to the isolation sandbox and the storage module. It is used to perform risk assessment based on the risk elements triggered during the operation of the first code segment assembled in the isolation sandbox and the skill modules read, combined with the operation risk score corresponding to each risk element and the risk level of each skill module, to obtain a single-session risk assessment value. When the single-session risk assessment value is greater than or equal to a preset risk threshold, it sends a first interception start signal to the interception module. The interception module is connected to the single-session risk assessment and judgment module and is used to control the interception of the first session request to be inspected according to the first interception start signal.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, The computer program is executed by the processor to perform a method for defending against spliced ​​malicious code as described in any one of claims 1-8.