Embedded flash memory defense method, device, equipment and medium
By uploading process characteristics from embedded flash memory to the cloud, dynamically adjusting thresholds, and combining them with a global threat model to identify malicious write operations, the problem of dynamically identifying malicious write operations in embedded flash memory is solved, achieving precise defense and lifespan management.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SHENZHEN GUANGTONG YILIAN TECH CO LTD
- Filing Date
- 2026-03-04
- Publication Date
- 2026-06-05
AI Technical Summary
Existing technologies struggle to dynamically identify and intercept high-frequency malicious write/erase actions in embedded flash memory, resulting in shortened device lifespan and a lack of proactive defense capabilities.
By uploading the process characteristics of local flash memory to the cloud, the threshold for abnormal events is dynamically adjusted. Combined with the sliding window algorithm and the global threat model, malicious write and erase operations are identified and blocked in real time, and precise defense is achieved by leveraging cloud analysis capabilities.
It achieves accurate dynamic identification and proactive defense of embedded flash memory, avoids misjudgment, reduces the risk of malicious write attacks, and extends the service life of the device.
Smart Images

Figure CN122153986A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of data storage and data security technology, and in particular to embedded flash memory defense methods, devices, equipment, and media. Background Technology
[0002] In the fields of data storage and data security, software encryption mechanisms prevent unauthorized copying by verifying the unique ID of the Flash memory against the encrypted data, but this is easily bypassed by reverse engineering. Hardware write protection protects specific areas, such as the bootloader, by setting registers, but it can only defend against accidental tampering and cannot deal with malicious write attacks. Operation monitoring records Flash operation commands (erase, write) and timestamps for problem localization, but lacks proactive defense capabilities. Lifetime prediction is based on the number of write cycles (Program / Erase Cycle, P / E cycle) or the Bit Error Rate (BER) to predict Flash lifespan. It is evident that relying on static rules (such as fixed area protection) makes it difficult to dynamically identify and intercept high-frequency malicious write operations. Operation logs are only used for post-incident investigation and cannot be combined with historical data and device context for real-time risk assessment. During lifetime prediction, high-frequency write operations may accelerate Flash damage but are not identified as a threat.
[0003] In summary, how to accurately and dynamically identify abnormal erase / write operations in embedded flash memory environments with limited resources in order to defend against attacks on embedded flash memory is a problem that needs to be solved in this field. Summary of the Invention
[0004] In view of this, the purpose of this invention is to provide an embedded flash memory defense method, apparatus, device, and medium, which accurately and dynamically identifies abnormal erase / write operations in embedded flash memory resource-constrained environments to defend against attacks on embedded flash memory. The specific solution is as follows: In a first aspect, this application discloses an embedded flash memory defense method, applied to a target embedded device, wherein the target embedded device is any one of a plurality of embedded devices, comprising: The process characteristics of the current process performing erase and write operations on the local flash memory are uploaded to the cloud so that the cloud can dynamically adjust the baseline abnormal event threshold according to the process characteristics of each embedded device to obtain the current abnormal event threshold. Collect the erase / write operation characteristics of the flash memory, and determine whether the erase / write operation of the current process triggers the target abnormal event based on the erase / write operation characteristics and the current abnormal event threshold; If a target abnormal event is triggered, the associated information of the target abnormal event is uploaded to the cloud so that the cloud can analyze whether the current process is a malicious process based on the associated information of the target abnormal event. If the current process is a malicious process, a preset defense command is sent to the target embedded device. Based on the preset defense command, the current process's write / erase operation on the flash memory is intercepted.
[0005] Optionally, uploading the process characteristics of the current process performing erase / write operations on the local flash memory to the cloud includes: If a current process is detected performing erase / write operations on the local flash memory, then the process ID and target physical address of the current process are collected. A process legitimacy identifier is generated based on whether the process identifier is included in the preset whitelist; The process permission level of the current process is determined based on the process legitimacy identifier; The process identifier, the target physical address, the process legitimacy identifier, and the permission level of the process are uploaded to the cloud as the process characteristics of the current process.
[0006] Optionally, before uploading the process characteristics of the current process performing erase / write operations on the local flash memory to the cloud, the method further includes: The association information of historical abnormal events of each embedded device is obtained through the cloud, and a baseline abnormal event threshold is generated based on the association information of the historical abnormal events.
[0007] Optionally, the benchmark abnormal event threshold includes a first benchmark threshold corresponding to a preset long-term window size and a second benchmark threshold corresponding to a preset short-term window size; the cloud dynamically adjusts the benchmark abnormal event threshold according to the process characteristics of each embedded device to obtain the current abnormal event threshold, including: The cloud dynamically adjusts the first benchmark threshold and the second benchmark threshold according to the process characteristics of each embedded device to obtain the current first abnormal event threshold and the current second abnormal event threshold.
[0008] Optionally, the step of collecting the erase / write operation characteristics of the flash memory and determining whether the erase / write operation of the current process triggers a target abnormal event based on the erase / write operation characteristics and the current abnormal event threshold includes: The sliding window algorithm is used to collect the first erase / write operation features of the flash memory within the preset long time window size and the second erase / write operation features within the preset short time window size; wherein, the first erase / write operation features include the number of erase / write operations and the erase / write frequency of each physical address in the flash memory, and the second erase / write operation features include the number of erase / write operations and the erase / write frequency of the current process on the target physical address in the flash memory; If the first erase / write operation feature is greater than the current first abnormal event threshold and / or the second erase / write operation feature is greater than the current second abnormal event threshold, then it is determined that the erase / write operation of the current process triggers a target abnormal event. If the first erase / write operation feature is not greater than the current first abnormal event threshold and the second erase / write operation feature is not greater than the current second abnormal event threshold, then it is determined that the erase / write operation of the current process has not triggered the target abnormal event.
[0009] Optionally, the associated information of the target abnormal event includes the process characteristics of the current process, the erase / write operation characteristics and health status of the flash memory, and the basic device information of the target embedded device, including the device model, firmware version, device identifier, and historical logs; the cloud analyzes whether the current process is a malicious process based on the associated information of the target abnormal event, including: The cloud-based system uses a global threat model to analyze the correlation information of the target's abnormal events in order to determine whether the current process is a malicious process.
[0010] Optionally, after intercepting the current process's write / erase operation on the flash memory based on the preset defense command, the method further includes: Generate a target instruction to indicate that the current process has succeeded, and return the target instruction to the current process; The cloud-based target lifetime prediction model is used to process the associated information of the target abnormal event to assess the current remaining lifetime of the flash memory and the risk level of the target abnormal event. The warning threshold of the flash memory is updated based on the current remaining lifetime and the risk level. If the P / E cycle number of the flash memory is not less than the updated warning threshold, lifetime warning information is generated.
[0011] Secondly, this application discloses an embedded flash memory defense device, applied to a target embedded device, wherein the target embedded device is any one of a plurality of embedded devices, comprising: The threshold dynamic adjustment module is used to upload the process characteristics of the current process that performs erase and write operations on the local flash memory to the cloud, so that the cloud can dynamically adjust the baseline abnormal event threshold according to the process characteristics of each embedded device to obtain the current abnormal event threshold. An abnormal event detection module is used to collect the erase and write operation characteristics of the flash memory, and determine whether the erase and write operation of the current process triggers a target abnormal event based on the erase and write operation characteristics and the current abnormal event threshold. The defense command issuing module is used to upload the association information of the target abnormal event to the cloud if the target abnormal event is triggered, so that the cloud can analyze whether the current process is a malicious process based on the association information of the target abnormal event. If the current process is a malicious process, a preset defense command is issued to the target embedded device. The erase / write operation interception module is used to intercept the current process's erase / write operations on the flash memory based on the preset defense instructions.
[0012] Thirdly, this application discloses an electronic device, including: Memory, used to store computer programs; A processor for executing the computer program to implement the steps of the aforementioned disclosed embedded flash memory defense method.
[0013] Fourthly, this application discloses a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, it implements the steps of the aforementioned disclosed embedded flash memory defense method.
[0014] The beneficial effects of this application are as follows: This application is applied to a target embedded device, which is any one of multiple embedded devices, and includes: uploading the process characteristics of the current process performing erase / write operations on the local flash memory to the cloud, so that the cloud can dynamically adjust the baseline abnormal event threshold according to the process characteristics of each embedded device to obtain the current abnormal event threshold; collecting the erase / write operation characteristics of the flash memory, and determining whether the erase / write operation of the current process triggers a target abnormal event based on the erase / write operation characteristics and the current abnormal event threshold; if a target abnormal event is triggered, uploading the association information of the target abnormal event to the cloud, so that the cloud can analyze whether the current process is a malicious process based on the association information of the target abnormal event, and if the current process is a malicious process, issuing a preset defense command to the target embedded device; and intercepting the erase / write operation of the current process on the flash memory based on the preset defense command. Therefore, this application can improve the accuracy of abnormal erase / write operation identification by uploading the process characteristics of the current local process to the cloud, allowing the cloud to dynamically adjust the current abnormal event threshold based on the process characteristics of each embedded device, thus avoiding misjudgments caused by fixed thresholds. By collecting the erase / write operation characteristics of flash memory and comparing them with the current abnormal event threshold, it can determine in real time whether an abnormal event has been triggered, achieving dynamic identification of abnormal erase / write behavior. After an abnormal event is triggered, the associated information is uploaded to the cloud, and the cloud's global data processing capabilities are used to accurately analyze whether the current process is a malicious process, making up for the deficiencies of local analysis capabilities and achieving cloud-based collaborative decision-making defense. Based on the preset defense commands issued by the cloud, the application can intercept the erase / write operations of malicious processes, proactively blocking malicious erase / write attacks in real time and reducing the risk of firmware tampering. The entire process only requires lightweight feature collection and judgment operations to be performed locally, while the cloud undertakes the computationally intensive threshold adjustment and malicious process analysis work, minimizing the dependence on the hardware resources of the target embedded device, and is suitable for embedded resource-constrained environments. Attached Figure Description
[0015] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.
[0016] Figure 1 This is a flowchart of an embedded flash memory defense method disclosed in this application; Figure 2 This is a flowchart of a specific embedded flash memory defense method disclosed in this application; Figure 3 This is a schematic diagram of an embedded flash memory defense device disclosed in this application; Figure 4 This is a structural diagram of an electronic device disclosed in this application. Detailed Implementation
[0017] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of the present invention.
[0018] In the fields of data storage and data security, software encryption mechanisms prevent unauthorized copying by verifying the unique ID of the Flash memory against the encrypted data, but this is easily bypassed by reverse engineering. Hardware write protection protects specific areas, such as the bootloader, by setting registers, but it can only defend against accidental tampering and cannot deal with malicious write attacks. Operation monitoring records Flash operation commands (erase, write) and time points for problem localization, but it lacks proactive defense capabilities. Lifetime prediction is based on the number of write cycles (Program / Erase Cycle, P / E cycle) or the bit error rate to predict the Flash lifetime. It is evident that relying on static rules (such as fixed area protection) makes it difficult to dynamically identify and intercept high-frequency malicious write behavior. Operation logs are only used for post-event investigation and cannot be combined with historical data and device context for real-time risk assessment. During lifetime prediction, high-frequency writes may accelerate Flash damage but are not identified as a threat.
[0019] Therefore, this application provides an embedded flash memory defense solution that accurately and dynamically identifies abnormal erase / write operations in embedded flash memory resource-constrained environments to defend against attacks on embedded flash memory.
[0020] See Figure 1 As shown in the figure, this application discloses an embedded flash memory defense method, applied to a target embedded device, wherein the target embedded device is any one of a plurality of embedded devices, including: Step S11: Upload the process characteristics of the current process performing erase / write operations on the local flash memory to the cloud, so that the cloud can dynamically adjust the baseline abnormal event threshold according to the process characteristics of each embedded device to obtain the current abnormal event threshold.
[0021] In this embodiment, uploading the process characteristics of the current process performing erase / write operations on the local flash memory to the cloud includes: if a current process performing erase / write operations on the local flash memory is detected, then collecting the process identifier and target physical address of the current process; generating a process legitimacy identifier based on whether the process identifier is included in a preset whitelist; determining the process permission level of the current process based on the process legitimacy identifier; and uploading the process identifier, the target physical address, the process legitimacy identifier, and the process permission level as the process characteristics of the current process to the cloud.
[0022] When the local monitoring layer detects a process performing erase / write operations on the local flash memory, the embedded agent module immediately initiates a process feature collection process to accurately capture the unique process ID (PID) of the current process and the target physical address corresponding to the erase / write operation. The system then retrieves a preset process whitelist for comparison. If the process ID exists in the whitelist (e.g., a legitimate firmware upgrade process or a system preset maintenance process), a "legitimate" process legitimacy identifier is generated; otherwise, an "illegitimate" process legitimacy identifier is generated. Based on the generated process legitimacy identifier, the current process's permission level is further determined. Legitimate processes within the whitelist correspond to the highest system privileges or preset trusted permission levels. Illegitimate processes outside the whitelist are categorized into ordinary risk permission levels or high-risk permission levels based on the sensitivity of the target physical address they attempt to access (e.g., whether it involves the Bootloader partition, system core data partition, etc.). Finally, the collected process ID, target physical address, generated process legitimacy identifier, and process permission level are uniformly encapsulated into a complete process feature of the current process, encrypted, and uploaded to the cloud analysis layer, providing core data support for multi-dimensional risk assessment in the cloud. In this way, the accurate and comprehensive collection and secure uploading of process characteristics can be achieved, providing reliable data for the cloud to distinguish between normal operations and malicious attacks, ensuring the accuracy of subsequent cloud-based collaborative decisions, while also taking into account the efficient utilization of embedded device resources, and helping to achieve integrated management of proactive defense and Flash lifespan.
[0023] In this embodiment, before uploading the process characteristics of the current process that performs erase and write operations on the local flash memory to the cloud, the method further includes: obtaining the association information of historical abnormal events of each of the embedded devices through the cloud, and generating a baseline abnormal event threshold based on the association information of the historical abnormal events.
[0024] Before uploading the process characteristics of the current process performing erase / write operations on the local flash memory to the cloud, the system first collects historical abnormal event association information reported by all embedded devices deploying the monitoring and defense system through the cloud data interaction channel. This association information covers the process identifier, target physical address distribution, erase / write frequency per unit time, device firmware version, Flash model, corresponding P / E cycle wear data, and the final judgment result of the event (normal operation false alarm, software anomaly, malicious attack, etc.) when abnormal erase / write operations occur on each device in the past. The cloud analysis layer performs data cleaning and feature extraction on the massive amount of historical abnormal event association information collected. After filtering out effective samples, it combines the operating rules of similar device clusters, the normal flash memory usage frequency range under different application scenarios, and the characteristic parameters of known attack behaviors in the threat intelligence database. It then uses a machine learning model for training and iterative optimization to generate a baseline abnormal event threshold that is adapted to different device models and application scenarios. This baseline threshold is not a fixed value, but includes multi-dimensional thresholds under various scenarios, and will be continuously updated and iterated based on newly added historical abnormal event association information to ensure the accuracy and adaptability of the threshold.
[0025] In this embodiment, the benchmark abnormal event threshold includes a first benchmark threshold corresponding to a preset long time window size and a second benchmark threshold corresponding to a preset short time window size; the cloud dynamically adjusts the benchmark abnormal event threshold according to the process characteristics of each embedded device to obtain the current abnormal event threshold, including: the cloud dynamically adjusts the first benchmark threshold and the second benchmark threshold according to the process characteristics of each embedded device to obtain the current first abnormal event threshold and the current second abnormal event threshold.
[0026] The baseline abnormal event thresholds include a corresponding first baseline threshold and a second baseline threshold corresponding to a preset short-term window size. The preset long-term window size is, for example, 3. The time window is adapted to the normal operating cycle of the device, such as 24 hours. The preset short time window size is adapted to the time window for instantaneous operation detection, such as 10ms. The first benchmark threshold is used to monitor low-frequency but continuous abnormal erase and write behavior, such as the cumulative erase and write count threshold. The second benchmark threshold is used to capture high-frequency sudden abnormal erase and write behavior, such as the erase and write count threshold of the same address per unit time. After receiving process characteristics (including process identifier, target physical address, process legitimacy identifier, permission level, etc.) uploaded by various embedded devices, the cloud uses a machine learning model to dynamically adjust the first and second baseline thresholds. For the first baseline threshold, it distinguishes between legitimate processes (such as firmware upgrade processes) and illegitimate processes based on the process legitimacy identifier, and adjusts the cumulative erase / write count threshold within a long time window to avoid misjudging legitimate upgrade processes as abnormal. For the second baseline threshold, it adjusts the instantaneous erase / write count or frequency threshold within a short time window based on the process permission level, the sensitivity of the target physical address, and the erase / write frequency characteristics per unit time. For example, it appropriately relaxes the threshold for high-privilege legitimate processes and tightens the threshold for low-privilege illegitimate processes, ultimately obtaining the current first and second abnormal event thresholds that are adapted to the current device operating status and actual application scenarios.
[0027] Step S12: Collect the erase / write operation characteristics of the flash memory, and determine whether the erase / write operation of the current process triggers the target abnormal event based on the erase / write operation characteristics and the current abnormal event threshold.
[0028] In this embodiment, the step of collecting the erase / write operation characteristics of the flash memory and determining whether the erase / write operation of the current process triggers a target abnormal event based on the erase / write operation characteristics and the current abnormal event threshold includes: using a sliding window algorithm to collect the first erase / write operation characteristics of the flash memory within a preset long-term window size and the second erase / write operation characteristics within a preset short-term window size; wherein, the first erase / write operation characteristics include the number of erase / write operations and the erase / write frequency of each physical address in the flash memory, and the second erase / write operation characteristics include the number of erase / write operations and the erase / write frequency of the target physical address in the flash memory by the current process; if the first erase / write operation characteristics are greater than the current first abnormal event threshold and / or the second erase / write operation characteristics are greater than the current second abnormal event threshold, then it is determined that the erase / write operation of the current process triggers a target abnormal event; if the first erase / write operation characteristics are not greater than the current first abnormal event threshold and the second erase / write operation characteristics are not greater than the current second abnormal event threshold, then it is determined that the erase / write operation of the current process does not trigger a target abnormal event.
[0029] A sliding window algorithm is used to accurately collect the erase / write operation characteristics of flash memory. For a preset long-term window, the algorithm collects the first erase / write operation characteristics, such as the cumulative number of erase / write operations to each physical address in the flash memory and the erase / write frequency per unit time. Simultaneously, for a preset short-term window, the algorithm collects the second erase / write operation characteristics, such as the cumulative number of erase / write operations to the target physical address in the flash memory by the current process and the erase / write frequency per unit time. Then, the collected first erase / write operation characteristics are compared with the dynamically adjusted current first abnormal event threshold in the cloud, and the second erase / write operation characteristics are compared with the current second abnormal event threshold. If the first erase / write operation characteristic is greater than the current first abnormal event threshold (e.g., the cumulative number of erase / write operations on a physical address within a long time window exceeds the threshold of the adapted device's Flash lifespan and normal usage scenario), or the second erase / write operation characteristic is greater than the current second abnormal event threshold (e.g., the current process erases / writes the target physical address ≥ 3 times within a short time window), or both conditions are met, then the erase / write operation of the current process is determined to have triggered the target abnormal event; if the first erase / write operation characteristic is not greater than the current first abnormal event threshold, and the second erase / write operation characteristic is not greater than the current second abnormal event threshold, then the erase / write operation of the current process is determined not to have triggered the target abnormal event.
[0030] By employing a sliding window algorithm, comprehensive data collection of erase and write operation characteristics across different time dimensions is achieved. Combined with dual threshold comparison logic, low-frequency continuous anomalies and high-frequency sudden anomalies in erase and write behavior are accurately identified, significantly improving the comprehensiveness and accuracy of anomaly detection. This provides a reliable basis for subsequent cloud-based collaborative decision-making and local proactive defense, while also adapting to the resource-constrained characteristics of embedded devices to ensure monitoring efficiency.
[0031] Step S13: If a target abnormal event is triggered, the associated information of the target abnormal event is uploaded to the cloud so that the cloud can analyze whether the current process is a malicious process based on the associated information of the target abnormal event. If the current process is a malicious process, a preset defense command is sent to the target embedded device.
[0032] In this embodiment, the associated information of the target abnormal event includes the process characteristics of the current process, the erase / write operation characteristics and health status of the flash memory, and the basic device information of the target embedded device. The basic device information includes the device model, firmware version, device identifier, and historical logs. The cloud analyzes whether the current process is a malicious process based on the associated information of the target abnormal event, including: the cloud uses a target global threat model to analyze the associated information of the target abnormal event to analyze whether the current process is a malicious process.
[0033] If the erase / write operation of the current process is determined to trigger a target abnormal event through a dual-time-window threshold comparison, the local monitoring layer will immediately integrate, encapsulate, and encrypt the associated information of the target abnormal event and upload it to the cloud analysis layer. The associated information of the target abnormal event includes the complete process characteristics of the current process (including process ID, target physical address, process legality ID, and permission level), behavioral characteristics, flash memory erase / write operation characteristics (including the number of erase / write operations and erase / write frequency of each physical address within a long time window, and the number of erase / write operations and erase / write frequency of the target physical address by the current process within a short time window), real-time flash memory health status (such as current P / E cycle wear, bad block distribution, bit error rate, etc.), and basic device information of the target embedded device. This basic device information specifically includes the device model (such as FG370 series), firmware version, device unique identifier (Unique ID, i.e., UID), and device historical operation logs (including past erase / write operation records, historical abnormal event records, etc.).
[0034] After receiving the associated information of the target's abnormal events in the cloud, it calls the target global threat model, which has been pre-trained and optimized by combining massive amounts of data from similar device clusters, historical threat event data, and the latest threat intelligence database, to conduct multi-dimensional in-depth analysis of the associated information and comprehensively determine whether the current process is a malicious process.
[0035] For example, the local monitoring layer of the target embedded device detects that process PID: 1234 (not in the whitelist, low privileges) performs four write operations on the system core partition (address range 0x00010000-0x00020000) within 10ms, exceeding the current second abnormal threshold of three times, and thus triggering an abnormal event. The process characteristics, the operation characteristics of short-term high-frequency write operations, the current P / E cycle wear of the Flash, and the device model (FG370-01), firmware version (V2.1.0), historical logs, and other information are uploaded to the cloud. The cloud calls the target's global threat model and compares it with data from similar devices. It finds that under normal circumstances, the short-term write frequency of the core partition does not exceed 100 times / second, and the threat intelligence database knows that ransomware has the characteristic of "low-privilege process frequently writing to the system partition". Combined with the fact that there are no relevant legitimate operation records in the device's historical logs, the process is determined to be a malicious process. Subsequently, a defense command to intercept and terminate the process is issued. The defense command may be "skip subsequent writes", "terminate target process", or "add to process blacklist".
[0036] It comprehensively integrates multi-dimensional information related to abnormal events, providing complete analytical basis for the cloud. It uses a global threat model to accurately identify malicious processes, avoiding misjudgments caused by single feature judgments. It provides reliable support for the generation of subsequent targeted defense commands, ensuring the storage security and hardware lifespan of embedded Flash.
[0037] Step S14: Based on the preset defense command, intercept the current process's write / erase operation on the flash memory.
[0038] After the cloud determines that the current process is malicious and issues an encrypted preset defense command, the local defense layer receives and parses the encrypted preset defense command through the Flash driver layer of the embedded device. It extracts the interception rules from the decrypted preset defense command and then starts a targeted interception mechanism according to the interception rules. When the current malicious process initiates an erase / write operation on the flash memory again, the driver layer will intercept the erase / write request in real time and intercept the erase / write operation based on the preset defense command. Specifically, it checks whether the process ID corresponding to the request matches the process blacklist issued by the cloud and whether the target physical address to be erased / written is a critical system partition (such as the Bootloader partition or core data partition). If a match is confirmed, the erase / write operation is directly intercepted without performing the actual flash memory erase or write operation. By accurately intercepting the erase / write operation of the malicious process through the driver layer, the destructive attack on the flash memory is blocked in real time, effectively protecting the critical system data and firmware security, while avoiding P / E cycle loss caused by invalid erase / write and extending the life of the flash memory.
[0039] In this embodiment, after intercepting the current process's write / erase operation on the flash memory based on the preset defense instruction, the method further includes: generating a target instruction to characterize that the current process has succeeded, and returning the target instruction to the current process; processing the associated information of the target abnormal event through the cloud using a target lifetime prediction model to assess the current remaining lifetime of the flash memory and the risk level of the target abnormal event, and updating the warning threshold of the flash memory according to the current remaining lifetime and the risk level; if the P / E cycle number of the flash memory is not less than the updated warning threshold, then generating lifetime warning information.
[0040] After successfully intercepting the current process's write operation to the flash memory based on the preset defense instructions at the driver layer, the local defense layer immediately generates a target instruction to indicate that the write operation has been successfully executed. This target instruction simulates the response format of a normal write operation, preventing the current process from triggering a retry mechanism or generating other abnormal behaviors due to the detection of operation failure. Subsequently, the target instruction is returned to the current process. It should be noted that this target instruction indicates that the write operation has been successfully executed, but in reality, the write operation has not been successfully executed. That is, the target instruction is generated in response to the write operation to the flash memory intercepted by the preset defense instructions, rather than indicating that the current process has successfully executed the write operation to the flash memory.
[0041] The local system will synchronously report the associated information of the target abnormal event (including the process characteristics of the current process, the flash memory erase / write operation characteristics and health status, basic device information, etc.) to the cloud. The cloud will then call upon the pre-combined Flash memory... The target lifetime prediction model, trained and optimized using P / E cycle wear patterns, the impact weight of abnormal behavior, and historical health data of the device, performs in-depth processing of related information. By analyzing data such as the erase / write frequency of the target abnormal event, the number of used P / E cycles of the involved Flash blocks, bad block distribution, and changes in bit error rate, the current remaining lifetime of the flash memory is accurately assessed. At the same time, combined with the attack type of the abnormal event (such as malicious erase / write, software abnormality), the importance of the involved Flash partition (such as system core partition, ordinary data partition), and the degree of wear on the flash memory lifetime, the risk level (high, medium, low) of the target abnormal event is determined. The warning threshold of the flash memory is dynamically updated based on the assessed current remaining lifetime and risk level. For example, under the high risk level, the warning threshold is adjusted from 80% of MAX_PE_CYCLES to 70%. Subsequently, the local monitoring layer monitors the number of P / E cycles of the flash memory in real time. If the number of P / E cycles of the flash memory is detected to be not less than the updated warning threshold, a lifetime warning information is immediately generated, synchronously pushed to the device management terminal, and uploaded to the cloud for record.
[0042] By returning false success commands, malicious processes are prevented from causing secondary failures, ensuring stable device operation. Combined with a cloud-based lifespan prediction model, the remaining lifespan and abnormal risks of flash memory are accurately assessed. Dynamically updated warning thresholds can avoid hardware damage risks in advance, achieving the integration of defense and lifespan management. This not only ensures the security of flash memory storage but also maximizes its lifespan, adapting to the application needs of embedded devices.
[0043] Furthermore, this embodiment also performs bad block management (BBM) on the flash memory. First, it detects faulty blocks in the flash memory and then isolates these faulty blocks.
[0044] During device startup and initialization, the system reads the factory bad block table of the flash memory to identify inherently faulty blocks marked during the manufacturing process. During device operation, this process is performed in real-time. The local monitoring layer captures response data after each erase / write operation of the flash memory, compares the written and read data for consistency, and identifies dynamically faulty blocks in the flash memory based on the comparison results. After detection, the local bad block table is immediately updated, and the physical address of the faulty block is uploaded to the cloud for record-keeping. Faulty block isolation is achieved through a dual mechanism of address mapping and access interception. After updating the bad block table, the local defense layer initiates a remapping of logical and physical addresses, removing the physical address of the faulty block from the available address space. Subsequent read / write requests are then redirected to a spare healthy block in the flash memory. Simultaneously, access interception rules are set at the Flash driver layer. If a process attempts to access the physical address of a faulty block recorded in the bad block table, the driver layer directly rejects the access request and returns a compliant response, preventing invalid operations from consuming system resources.
[0045] The beneficial effects of this application are as follows: This application is applied to a target embedded device, which is any one of multiple embedded devices, and includes: uploading the process characteristics of the current process performing erase / write operations on the local flash memory to the cloud, so that the cloud can dynamically adjust the baseline abnormal event threshold according to the process characteristics of each embedded device to obtain the current abnormal event threshold; collecting the erase / write operation characteristics of the flash memory, and determining whether the erase / write operation of the current process triggers a target abnormal event based on the erase / write operation characteristics and the current abnormal event threshold; if a target abnormal event is triggered, uploading the association information of the target abnormal event to the cloud, so that the cloud can analyze whether the current process is a malicious process based on the association information of the target abnormal event, and if the current process is a malicious process, issuing a preset defense command to the target embedded device; and intercepting the erase / write operation of the current process on the flash memory based on the preset defense command. Therefore, this application can improve the accuracy of abnormal erase / write operation identification by uploading the process characteristics of the current local process to the cloud, allowing the cloud to dynamically adjust the current abnormal event threshold based on the process characteristics of each embedded device, thus avoiding misjudgments caused by fixed thresholds. By collecting the erase / write operation characteristics of flash memory and comparing them with the current abnormal event threshold, it can determine in real time whether an abnormal event has been triggered, achieving dynamic identification of abnormal erase / write behavior. After an abnormal event is triggered, the associated information is uploaded to the cloud, and the cloud's global data processing capabilities are used to accurately analyze whether the current process is a malicious process, making up for the deficiencies of local analysis capabilities and achieving cloud-based collaborative decision-making defense. Based on the preset defense commands issued by the cloud, the application can intercept the erase / write operations of malicious processes, proactively blocking malicious erase / write attacks in real time and reducing the risk of firmware tampering. The entire process only requires lightweight feature collection and judgment operations to be performed locally, while the cloud undertakes the computationally intensive threshold adjustment and malicious process analysis work, minimizing the dependence on the hardware resources of the target embedded device, and is suitable for embedded resource-constrained environments.
[0046] The following is based on Figure 2 The following example illustrates this application. The embedded flash memory defense process begins with local monitoring of the target embedded device. If the local monitoring module detects a process performing erase / write operations on the local flash memory, the process characteristics of that process are uploaded to the cloud. In other words, the cloud can receive process characteristics transmitted from each embedded device and dynamically adjust the baseline abnormal event threshold based on these characteristics to obtain the current abnormal event threshold. The target embedded device receives the current abnormal event threshold from the cloud. The local monitoring module collects flash memory erase / write operation data in real time and then sends this data to the threshold detection stage, comparing it with the current abnormal event threshold generated by the cloud. If an erase / write operation exceeds the threshold, triggering an over-threshold event, the process characteristics of the current process, flash memory erase / write operation characteristics, and basic device information are uploaded to the cloud.
[0047] After receiving data such as the process characteristics of the current process, flash memory erase / write operation characteristics, and basic device information, the cloud calls the target global threat model and combines it with historical abnormal event correlation information for analysis. If it is determined to be a normal operation, the result is fed back to the local machine, and the erase / write operation is allowed locally; if it is determined to be abnormal, a defense command is issued to the target embedded device.
[0048] The target embedded device's local defense layer intercepts abnormal erase / write operations of the current process according to instructions. After interception, the local system records a detailed log of the event and sends the interception results back to the cloud. The cloud uses a target lifetime prediction model to process the correlation information of the abnormal event to assess the current remaining lifetime of the flash memory and the risk level of the target abnormal event. Based on the current remaining lifetime and risk level, the flash memory's warning threshold is updated. If the flash memory's P / E cycle count is not less than the updated warning threshold, lifetime warning information is generated, which not only ensures the security of the flash memory but also helps improve the accuracy of subsequent anomaly detection.
[0049] See Figure 3 As shown in the figure, this application discloses an embedded flash memory defense device, applied to a target embedded device, wherein the target embedded device is any one of a plurality of embedded devices, comprising: The threshold dynamic adjustment module 11 is used to upload the process characteristics of the current process that performs erase and write operations on the local flash memory to the cloud, so that the cloud can dynamically adjust the baseline abnormal event threshold according to the process characteristics of each embedded device to obtain the current abnormal event threshold. The abnormal event detection module 12 is used to collect the erase and write operation characteristics of the flash memory, and determine whether the erase and write operation of the current process triggers the target abnormal event based on the erase and write operation characteristics and the current abnormal event threshold. The defense instruction issuing module 13 is used to upload the association information of the target abnormal event to the cloud if the target abnormal event is triggered, so that the cloud can analyze whether the current process is a malicious process based on the association information of the target abnormal event. If the current process is a malicious process, a preset defense instruction is issued to the target embedded device. The erase / write operation interception module 14 is used to intercept the current process's erase / write operation on the flash memory based on the preset defense command.
[0050] Furthermore, embodiments of this application also provide an electronic device. Figure 4 This is a structural diagram of an electronic device 20 according to an exemplary embodiment. The content of the diagram should not be construed as limiting the scope of this application.
[0051] Figure 4This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Specifically, it may include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input / output interface 25, and a communication bus 26. The memory 22 stores a computer program, which is loaded and executed by the processor 21 to implement the relevant steps in the embedded flash memory defense method executed by the electronic device disclosed in any of the foregoing embodiments.
[0052] In this embodiment, the power supply 23 is used to provide operating voltage for various hardware devices on the electronic device; the communication interface 24 can create a data transmission channel between the electronic device and external devices, and the communication protocol it follows can be any communication protocol applicable to the technical solution of this application, and is not specifically limited here; the input / output interface 25 is used to acquire external input data or output data to the outside world, and its specific interface type can be selected according to specific application needs, and is not specifically limited here.
[0053] The processor 21 may include one or more processing cores, such as a quad-core processor or an octa-core processor. The processor 21 may be implemented using at least one hardware form selected from DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array), and PLA (Programmable Logic Array). The processor 21 may also include a main processor and a coprocessor. The main processor, also known as a CPU (Central Processing Unit), is used to process data in the wake-up state; the coprocessor is a low-power processor used to process data in the standby state. In some embodiments, the processor 21 may integrate a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the screen. In some embodiments, the processor 21 may also include an AI (Artificial Intelligence) processor, which is used to handle computational operations related to machine learning.
[0054] In addition, the memory 22, as a carrier for resource storage, can be a read-only memory, random access memory, disk or optical disk, etc. The resources stored on it include operating system 221, computer program 222 and data 223, etc., and the storage method can be temporary storage or permanent storage.
[0055] The operating system 221 manages and controls the various hardware devices and computer programs 222 on the electronic device to enable the processor 21 to perform calculations and processing on the massive amounts of data 223 in the memory 22. The operating system can be Windows, Unix, Linux, etc. The computer program 222, in addition to including a computer program capable of performing the embedded flash memory defense method executed by the electronic device as disclosed in any of the foregoing embodiments, may further include computer programs capable of performing other specific tasks. The data 223 may include data received by the electronic device from external devices, as well as data collected by its own input / output interface 25.
[0056] Furthermore, this application also discloses a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, it implements the aforementioned disclosed embedded flash memory defense method. Specific steps of this method can be found in the corresponding content disclosed in the foregoing embodiments, and will not be repeated here.
[0057] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the apparatus disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, the description is relatively simple; relevant parts can be referred to in the method section.
[0058] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application. The steps of the methods or algorithms described in conjunction with the embodiments disclosed herein can be implemented directly in hardware, software modules executed by a processor, or a combination of both. The software module may be located in random access memory (RAM), memory, read-only memory (ROM), electrically programmable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), register, hard disk, removable disk, CD-ROM (Compact Disc Read-Only Memory), or any other form of storage medium known in the art.
[0059] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0060] The above provides a detailed description of the embedded flash memory defense method, apparatus, device, and medium provided by the present invention. Specific examples have been used to illustrate the principles and implementation methods of the present invention. The descriptions of the above embodiments are only intended to help understand the method and core ideas of the present invention. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of the present invention. Therefore, the content of this specification should not be construed as a limitation of the present invention.
Claims
1. An embedded flash memory defense method, characterized in that, Applied to a target embedded device, wherein the target embedded device is any one of a plurality of embedded devices, including: The process characteristics of the current process performing erase and write operations on the local flash memory are uploaded to the cloud so that the cloud can dynamically adjust the baseline abnormal event threshold according to the process characteristics of each embedded device to obtain the current abnormal event threshold. Collect the erase / write operation characteristics of the flash memory, and determine whether the erase / write operation of the current process triggers the target abnormal event based on the erase / write operation characteristics and the current abnormal event threshold; If a target abnormal event is triggered, the associated information of the target abnormal event is uploaded to the cloud so that the cloud can analyze whether the current process is a malicious process based on the associated information of the target abnormal event. If the current process is a malicious process, a preset defense command is sent to the target embedded device. Based on the preset defense command, the current process's write / erase operation on the flash memory is intercepted.
2. The embedded flash memory defense method according to claim 1, characterized in that, Uploading the process characteristics of the current process performing erase / write operations on the local flash memory to the cloud includes: If a current process is detected performing erase / write operations on the local flash memory, then the process ID and target physical address of the current process are collected. A process legitimacy identifier is generated based on whether the process identifier is included in the preset whitelist; The process permission level of the current process is determined based on the process legitimacy identifier; The process identifier, the target physical address, the process legitimacy identifier, and the permission level of the process are uploaded to the cloud as the process characteristics of the current process.
3. The embedded flash memory defense method according to claim 1, characterized in that, Before uploading the process characteristics of the current process performing erase / write operations on the local flash memory to the cloud, the method further includes: The association information of historical abnormal events of each embedded device is obtained through the cloud, and a baseline abnormal event threshold is generated based on the association information of the historical abnormal events.
4. The embedded flash memory defense method according to claim 1, characterized in that, The benchmark abnormal event thresholds include a first benchmark threshold corresponding to a preset long time window size and a second benchmark threshold corresponding to a preset short time window size. The cloud dynamically adjusts the baseline abnormal event threshold based on the process characteristics of each embedded device to obtain the current abnormal event threshold, including: The cloud dynamically adjusts the first benchmark threshold and the second benchmark threshold according to the process characteristics of each embedded device to obtain the current first abnormal event threshold and the current second abnormal event threshold.
5. The embedded flash memory defense method according to claim 4, characterized in that, The step of collecting the erase / write operation characteristics of the flash memory and determining whether the erase / write operation of the current process triggers a target abnormal event based on the erase / write operation characteristics and the current abnormal event threshold includes: The sliding window algorithm is used to collect the first erase / write operation features of the flash memory within the preset long time window size and the second erase / write operation features within the preset short time window size; wherein, the first erase / write operation features include the number of erase / write operations and the erase / write frequency of each physical address in the flash memory, and the second erase / write operation features include the number of erase / write operations and the erase / write frequency of the current process on the target physical address in the flash memory; If the first erase / write operation feature is greater than the current first abnormal event threshold and / or the second erase / write operation feature is greater than the current second abnormal event threshold, then it is determined that the erase / write operation of the current process triggers a target abnormal event. If the first erase / write operation feature is not greater than the current first abnormal event threshold and the second erase / write operation feature is not greater than the current second abnormal event threshold, then it is determined that the erase / write operation of the current process has not triggered the target abnormal event.
6. The embedded flash memory defense method according to claim 1, characterized in that, The associated information of the target abnormal event includes the process characteristics of the current process, the erase / write operation characteristics and health status of the flash memory, and the basic device information of the target embedded device, including the device model, firmware version, device identifier, and historical logs; the cloud analyzes whether the current process is a malicious process based on the associated information of the target abnormal event, including: The cloud-based system uses a global threat model to analyze the correlation information of the target's abnormal events in order to determine whether the current process is a malicious process.
7. The embedded flash memory defense method according to any one of claims 1 to 6, characterized in that, After intercepting the current process's write / erase operation on the flash memory based on the preset defense command, the method further includes: Generate a target instruction to indicate that the current process has succeeded, and return the target instruction to the current process; The cloud-based target lifetime prediction model is used to process the associated information of the target abnormal event to assess the current remaining lifetime of the flash memory and the risk level of the target abnormal event. The warning threshold of the flash memory is updated based on the current remaining lifetime and the risk level. If the P / E cycle number of the flash memory is not less than the updated warning threshold, lifetime warning information is generated.
8. An embedded flash memory defense device, characterized in that, Applied to a target embedded device, wherein the target embedded device is any one of a plurality of embedded devices, including: The threshold dynamic adjustment module is used to upload the process characteristics of the current process that performs erase and write operations on the local flash memory to the cloud, so that the cloud can dynamically adjust the baseline abnormal event threshold according to the process characteristics of each embedded device to obtain the current abnormal event threshold. An abnormal event detection module is used to collect the erase and write operation characteristics of the flash memory, and determine whether the erase and write operation of the current process triggers a target abnormal event based on the erase and write operation characteristics and the current abnormal event threshold. The defense command issuing module is used to upload the association information of the target abnormal event to the cloud if the target abnormal event is triggered, so that the cloud can analyze whether the current process is a malicious process based on the association information of the target abnormal event. If the current process is a malicious process, a preset defense command is issued to the target embedded device. The erase / write operation interception module is used to intercept the current process's erase / write operations on the flash memory based on the preset defense instructions.
9. An electronic device, characterized in that, include: Memory, used to store computer programs; A processor for executing the computer program to implement the steps of the embedded flash memory defense method as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that, Used to store a computer program; wherein, when the computer program is executed by a processor, it implements the steps of the embedded flash memory defense method as described in any one of claims 1 to 7.