CN105190637A - Software security detection method, apparatus and device - Google Patents

Software security detection method, apparatus and device

Info

Publication number: CN105190637A
Authority: CN (China)
Prior art keywords: software code, network element, element device, network management, summary info
Legal status: Pending (an assumption by Google Patents, not a legal conclusion)
Application number: CN201480000117.8A
Other languages: Chinese (zh)
Inventor: 谭平
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of CN105190637A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A software security detection method, apparatus and device. The method comprises: a network management device obtains original digest information from a network element device, the original digest information being a digest (摘要信息) that the network element device generated over the software code loaded in its memory; the network management device receives verification digest information sent by the network element device, the verification digest information being a digest the network element device generated while the software code was running; the network management device compares whether the verification digest information matches the original digest information, and if not, determines that the software code is not secure, and if so, determines that the software code is secure. With the embodiments of the present invention, because the network element device can send the network management device digest information produced while the software is running, it can be detected whether the software was maliciously attacked during operation, so the security of software running on the network element device is protected and the dynamic security of the software is improved.

Description

Software security detection method, apparatus and device

Technical field

[01] The present invention relates to the field of information security, and in particular to a software security detection method, apparatus and device.

Background art

[02] Malicious software can intrude into a network element device's system by modifying or replacing software on the device, and then damage the system or steal information from the device. In the prior art, the integrity of software on a network element device is usually verified by a digital signature: when releasing software or a software upgrade, the network management device generates a digital signature over the software, packages the signature with the software and sends it to the network element device; before loading the software, the network element device verifies it against the digital signature and loads it only if verification succeeds.

[03] In studying the prior art, the inventor found that, when protecting the integrity and trustworthiness of software on a network element device, verification can usually only be performed before the software is loaded. This is a static form of verification: if the software is maliciously attacked while running, after loading has completed, it is hard to verify the software, which lowers the dynamic security of software running on the network element device.

Summary of the invention

[04] Embodiments of the present invention provide a software security detection method, apparatus and device, to solve the prior-art problem that a network element device has difficulty protecting the dynamic security of software while it runs.

[05] To solve the above technical problem, embodiments of the present invention disclose the following technical solutions:

[06] In a first aspect, a software security detection method is provided, the method comprising:

[07] a network management device obtains original digest information from a network element device, the original digest information being a digest generated by the network element device over the software code loaded in its memory;

[08] the network management device receives verification digest information sent by the network element device, the verification digest information being a digest generated by the network element device while the software code is running;

[09] the network management device compares whether the verification digest information matches the original digest information; if not, it determines that the software code is not secure, and if so, it determines that the software code is secure.

[10] With reference to the first aspect, in a first possible implementation of the first aspect, the network management device obtaining original digest information from the network element device comprises:

[11] the network management device sending an original-digest request message to the network element device and receiving the original digest information the network element device returns in response to that request message; or,

[12] the network management device receiving the original digest information that the network element device reports to it when it has finished loading the software code in memory.

[13] With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, the network management device receiving the verification digest information sent by the network element device comprises:

[14] the network management device receiving the verification digest information that the network element device reports at a configured time interval; or,

[15] the network management device sending a verification-digest report request message to the network element device and receiving the verification digest information the network element device returns in response to that report request message.

[16] In a second aspect, a software security detection method is provided, the method comprising:

[17] a network element device sends original digest information to a network management device, the original digest information being a digest generated by the network element device over the software code loaded in its memory;

[18] while the software code is running, the network element device sends verification digest information for the software code to the network management device, so that the network management device determines whether the software code is secure by comparing the verification digest information with the original digest information.

[19] With reference to the second aspect, in a first possible implementation of the second aspect, the network element device sending the original digest information to the network management device comprises:

[20] the network element device receiving an original-digest request message sent by the network management device, generating the original digest information over the software code loaded in memory in response to that request message, and sending the original digest information to the network management device; or,

[21] when the network element device has finished loading the software code in memory, generating the original digest information for the software code and reporting it to the network management device.

[22] With reference to the second aspect or its first possible implementation, in a second possible implementation of the second aspect, the network element device sending verification digest information for the software code to the network management device while the software code is running comprises:

[23] while the software code is running, the network element device generating verification digest information for the software code at a configured time interval and sending it to the network management device; or,

[24] while the software code is running, the network element device receiving a verification-digest report request message sent by the network management device, generating the verification digest information for the software code in response to that report request message, and sending the verification digest information to the network management device.

[25] In a third aspect, a software security detection apparatus is provided, the apparatus comprising:

[26] an obtaining unit, configured to obtain original digest information from a network element device, the original digest information being a digest generated by the network element device over the software code loaded in its memory;

[27] a receiving unit, configured to receive verification digest information sent by the network element device, the verification digest information being a digest generated by the network element device while the software code is running;

[28] a detection unit, configured to compare whether the verification digest information received by the receiving unit matches the original digest information obtained by the obtaining unit; if not, it determines that the software code is not secure, and if so, it determines that the software code is secure.

[29] With reference to the third aspect, in a first possible implementation of the third aspect,

[30] the obtaining unit comprises a request-message sending subunit and a first original-digest receiving subunit;

[31] the request-message sending subunit is configured to send an original-digest request message to the network element device;

[32] the first original-digest receiving subunit is configured to receive the original digest information the network element device returns in response to the original-digest request message sent by the request-message sending subunit;

[33] or, the obtaining unit comprises a second original-digest receiving subunit;

[34] the second original-digest receiving subunit is configured to receive the original digest information the network element device reports when it has finished loading the software code in memory.

[35] With reference to the third aspect or its first possible implementation, in a second possible implementation of the third aspect,

[36] the receiving unit comprises a first verification-digest receiving subunit;

[37] the first verification-digest receiving subunit is configured to receive the verification digest information the network element device reports at a configured time interval;

[38] or, the receiving unit comprises a report-request sending subunit and a second verification-digest receiving subunit;

[39] the report-request sending subunit is configured to send a verification-digest report request message to the network element device;

[40] the second verification-digest receiving subunit is configured to receive the verification digest information the network element device returns in response to the report request message sent by the report-request sending subunit.

[41] In a fourth aspect, a software security detection apparatus is provided, the apparatus comprising:

[42] a first sending unit, configured to send original digest information to a network management device, the original digest information being a digest generated over the software code loaded in memory;

[43] a second sending unit, configured to send verification digest information for the software code to the network management device while the software code is running, so that the network management device determines whether the software code is secure by comparing the verification digest information sent by the second sending unit with the original digest information sent by the first sending unit.

[44] With reference to the fourth aspect, in a first possible implementation of the fourth aspect,

[45] the first sending unit comprises a request-message receiving subunit, a first original-digest generating subunit and a first original-digest sending subunit;

[46] the request-message receiving subunit is configured to receive an original-digest request message sent by the network management device;

[47] the first original-digest generating subunit is configured to generate the original digest information over the software code loaded in memory in response to the original-digest request message received by the request-message receiving subunit;

[48] the first original-digest sending subunit is configured to send the original digest information generated by the first original-digest generating subunit to the network management device;

[49] or, the first sending unit comprises a second original-digest generating subunit and a second original-digest sending subunit;

[50] the second original-digest generating subunit is configured to generate the original digest information for the software code when the software code has finished loading in memory;

[51] the second original-digest sending subunit is configured to report the original digest information generated by the second original-digest generating subunit to the network management device.

[52] With reference to the fourth aspect or its first possible implementation, in a second possible implementation of the fourth aspect,

[53] the second sending unit comprises a first verification-digest generating unit and a first verification-digest sending subunit;

[54] the first verification-digest generating unit is configured to generate verification digest information for the software code at a configured time interval while the software code is running;

[55] the first verification-digest sending subunit is configured to send the verification digest information generated by the first verification-digest generating unit to the network management device;

[56] or, the second sending unit comprises a report-request receiving subunit, a second verification-digest generating subunit and a second verification-digest sending subunit;

[57] the report-request receiving subunit is configured to receive a verification-digest report request message sent by the network management device while the software code is running;

[58] the second verification-digest generating subunit is configured to generate the verification digest information for the software code in response to the report request message received by the report-request receiving subunit;

[59] the second verification-digest sending subunit is configured to send the verification digest information generated by the second verification-digest generating subunit to the network management device.

[60] In a fifth aspect, a network management device is provided, the network management device comprising a network interface and a processor, wherein

[61] the network interface is configured to obtain original digest information from a network element device, the original digest information being a digest generated by the network element device over the software code loaded in its memory, and to receive verification digest information sent by the network element device, the verification digest information being a digest generated by the network element device while the software code is running;

[62] the processor is configured to compare whether the verification digest information matches the original digest information; if not, it determines that the software code is not secure, and if so, it determines that the software code is secure.

[63] With reference to the fifth aspect, in a first possible implementation of the fifth aspect, the network interface is specifically configured to send an original-digest request message to the network element device and receive the original digest information the network element device returns in response to that request message; or, to receive the original digest information the network element device reports to the network management device when it has finished loading the software code in memory.

[64] With reference to the fifth aspect or its first possible implementation, in a second possible implementation of the fifth aspect, the network interface is specifically configured to receive the verification digest information the network element device reports at a configured time interval; or, to send a verification-digest report request message to the network element device and receive the verification digest information the network element device returns in response to that report request message.

[65] In a sixth aspect, a network element device is provided, the network element device comprising a network interface and a processor, wherein

[66] the processor is configured to send original digest information to a network management device through the network interface, the original digest information being a digest generated by the network element device over the software code loaded in its memory, and, while the software code is running, to send verification digest information for the software code to the network management device through the network interface, so that the network management device determines whether the software code is secure by comparing the verification digest information with the original digest information.

[67] With reference to the sixth aspect, in a first possible implementation of the sixth aspect, the processor is specifically configured, after the network interface receives an original-digest request message sent by the network management device, to generate the original digest information over the software code loaded in memory in response to that request message and send it to the network management device through the network interface; or, when the software code has finished loading in memory, to generate the original digest information for the software code and report it to the network management device through the network interface.

[68] With reference to the sixth aspect or its first possible implementation, in a second possible implementation of the sixth aspect, the processor is specifically configured, while the software code is running, to generate verification digest information for the software code at a configured time interval and send it to the network management device through the network interface; or, while the software code is running and after the network interface receives a verification-digest report request message sent by the network management device, to generate the verification digest information for the software code in response to that report request message and send it to the network management device through the network interface.

[69] In the embodiments of the present invention, the network management device obtains original digest information from the network element device, the original digest information being a digest the network element device generated over the software code loaded in its memory; the network element device generates verification digest information while the software code is running; the network management device receives the verification digest information sent by the network element device and compares whether it matches the original digest information, determining that the software code is not secure if it does not match and secure if it does. With the embodiments of the present invention, because the network element device can send the network management device digest information produced while the software is running, it can be detected whether the software was maliciously attacked during operation, so the security of software running on the network element device is protected and the dynamic security of the software is improved.

Brief description of the drawings

[70] To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.

[71] Fig. 1A is a flowchart of an embodiment of the software security detection method of the present invention;

[72] Fig. 1B is a flowchart of another embodiment of the software security detection method of the present invention;

[73] Fig. 2 is a flowchart of another embodiment of the software security detection method of the present invention;

[74] Fig. 3 is a flowchart of another embodiment of the software security detection method of the present invention;

[75] Fig. 4 is a flowchart of another embodiment of the software security detection method of the present invention;

[76] Fig. 5 is a flowchart of another embodiment of the software security detection method of the present invention;

[77] Fig. 6 is a block diagram of an embodiment of the software security detection apparatus of the present invention;

[78] Fig. 7 is a block diagram of another embodiment of the software security detection apparatus of the present invention;

[79] Fig. 8 is a block diagram of an embodiment of the network management device of the present invention;

[80] Fig. 9 is a block diagram of an embodiment of the network element device of the present invention.

Detailed description

[81] To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments clearer and easier to understand, the technical solutions in the embodiments are described in further detail below with reference to the accompanying drawings.

[82] Figure 1A is a flowchart of an embodiment of the software security detection method of the present invention. This embodiment describes the security detection process during software execution from the network management device side:

[83] Step 101: The network management device obtains original digest information from the network element device; the original digest information is digest information generated by the network element device for the software code loaded in memory.

[84] Optionally, the network management device may send a request message for the original digest information to the network element device and receive the original digest information returned by the network element device in response to that request message; alternatively, the network management device may receive the original digest information that the network element device reports to it once it has finished loading the software code in memory.

[85] Step 102: The network management device receives verification digest information sent by the network element device; the verification digest information is digest information generated by the network element device while the software code is running.

[86] Optionally, the network management device may receive verification digest information reported by the network element device at a configured time period; alternatively, the network management device may send a report request message for the verification digest information to the network element device and receive the verification digest information returned by the network element device in response to that report request message.

[87] Step 103: The network management device compares the verification digest information with the original digest information to check whether they are consistent; if they are not, it determines that the software code is not secure, and if they are, it determines that the software code is secure.

[88] As can be seen from the above embodiment, because the network element device sends digest information generated while the software is running to the network management device, it can be detected whether the software has been maliciously attacked during execution. The security of software running on the network element device is thereby protected, and the dynamic security of the software is improved.

[89] Figure 1B is a flowchart of another embodiment of the software security detection method of the present invention. This embodiment describes the security detection process during software execution from the network element device side:

[90] Step 111: The network element device sends original digest information to the network management device; the original digest information is digest information generated by the network element device for the software code loaded in memory.

[91] Optionally, the network element device may receive a request message for the original digest information sent by the network management device, generate the original digest information for the software code loaded in memory in response to that request message, and send the original digest information to the network management device; alternatively, the network element device may generate the original digest information for the software code once it has finished loading the software code in memory and report the original digest information to the network management device.

[92] Step 112: While the software code is running, the network element device sends verification digest information for the software code to the network management device, so that the network management device can determine whether the software code is secure by comparing the verification digest information with the original digest information.

[93] Optionally, while the software code is running, the network element device may generate verification digest information for the software code at a configured time period and send it to the network management device; alternatively, while the software code is running, the network element device may receive a report request message for the verification digest information sent by the network management device, generate the verification digest information for the software code in response to that report request message, and send the verification digest information to the network management device.

[94] As can be seen from the above embodiment, because the network element device sends digest information generated while the software is running to the network management device, it can be detected whether the software has been maliciously attacked during execution. The security of software running on the network element device is thereby protected, and the dynamic security of the software is improved.

[95] Figure 2 is a flowchart of another embodiment of the software security detection method of the present invention:

[96] Step 201: The network element device loads the software into memory.

[97] In this embodiment of the present invention, the network element device may specifically be a single board or the like, and may be provided with a system on chip (SoC) security chip and memory connected through a bus. The SoC security chip may further include a central processing unit (CPU), a field-programmable gate array (FPGA), a digital signal processor (DSP), a complex programmable logic device (CPLD) and the like, and the memory may include random access memory (RAM), flash memory (Flash) and the like.

[98] When the network management device releases new software, or software that upgrades existing software, it generates a digital signature for that software: the network management device computes the digest information of the software, encrypts the digest information with a private key to produce the digital signature, packages the digital signature together with the software, and sends the software package to the network element device. In the prior art, after receiving the software package, the network element device extracts the digital signature from it, decrypts the digital signature with the public key to obtain first digest information, and at the same time computes second digest information of the software in the same manner as on the network management device side. If the first digest information is consistent with the second digest information, the software to be loaded is secure; if they are inconsistent, the software to be loaded is not secure. This ensures the static security of the software to be loaded.

[99] When the network element device determines, by verifying the digital signature, that the software to be loaded is secure, it loads the software into memory. Loading may include decompressing and initializing the software. After loading is complete, the software usually runs in memory in the form of software code; that is, the software to be loaded and the software code loaded in memory have different forms.

[100] Step 202: The network management device sends a request message for the original digest information to the network element device.

[101] In this embodiment, the network management device may specifically be an Operation and Maintenance Center (OMC) device or the like, and each network management device can communicate with multiple network element devices.

[102] In this embodiment, the network management device may actively send the request message for the original digest information to the network element device. The network management device may send the request message a preset time after sending the software package to the network element device, where the preset time need only be long enough to ensure that the network element device can finish loading the software code in memory.

[103] Step 203: The network element device generates the original digest information for the software code loaded in memory in response to the request message for the original digest information.

[104] In this embodiment, after receiving the request message for the original digest information, the network element device computes the digest information of the software code already loaded in memory and uses that digest information as the original digest information. Digest information may also be called a message digest or a digital digest; it is a fixed-length value uniquely corresponding to the software code and can be produced by applying a one-way hash function to the software code. If the software code itself changes, the computed digest information also changes, so the security and integrity of the software code can be verified through the digest information.

[105] Step 204: The network element device sends the original digest information to the network management device.

[106] Step 205: The network management device saves the original digest information.

[107] Step 206: While the software code is running, the network element device generates verification digest information for the software code at a configured time period.

[108] In this embodiment, to verify security while the software code is running, the network element device may compute the digest information of the software code at a configured time period during execution and use that digest information as the verification digest information. For example, the network element device may set a timer, and when the timer period expires, the network element device is triggered to compute the verification digest information for that period. In this step, the verification digest information is computed in the same way as the original digest information, which is not repeated here.

[109] Step 207: The network element device reports the verification digest information to the network management device.

[110] Step 208: The network management device compares whether the verification digest information is consistent with the original digest information; when they are inconsistent it determines that the software code is not secure, and when they are consistent it determines that the software code is secure.

[111] After receiving the verification digest information, the network management device can retrieve the saved original digest information and compare whether the two are consistent. If they are consistent, it can be determined that the software code has not been tampered with during execution and the software code is secure; if they are inconsistent, it can be determined that the software code has been tampered with during execution and is therefore not secure, in which case the network management device may raise an alarm or an administrator may intervene manually.

[112] As can be seen from the above embodiment, because the network element device sends digest information generated while the software is running to the network management device, it can be detected whether the software has been maliciously attacked during execution. The security of software running on the network element device is thereby protected, and the dynamic security of the software is improved.

[113] Figure 3 is a flowchart of another embodiment of the software security detection method of the present invention:

[114] Step 301: The network element device loads the software into memory.

[115] In this embodiment of the present invention, the network element device may specifically be a single board or the like, and may be provided with an SoC security chip and memory, where the SoC security chip may further include a CPU, FPGA, DSP, CPLD and the like, and the memory may include RAM, Flash and the like.

[116] When the network management device releases new software, or software that upgrades existing software, it generates a digital signature for that software, packages the digital signature with the software, and sends the software package to the network element device. In the prior art, after receiving the software package, the network element device extracts the digital signature from it and determines whether the software is secure by verifying the digital signature, thereby ensuring the static security of the software to be loaded. The specific process by which the network element device verifies the received software is the same as described in step 201 above and is not repeated here.

[117] When the network element device determines, by verifying the digital signature, that the software to be loaded is secure, it loads the software into memory. Loading may include decompressing and initializing the software. After loading is complete, the software usually runs in memory in the form of software code; that is, the software to be loaded and the software code loaded in memory have different forms.

[118] Step 302: The network management device sends a request message for the original digest information to the network element device.

[119] In this embodiment, the network management device may specifically be an OMC device or the like, and each network management device can communicate with multiple network element devices.

[120] In this embodiment, the network management device may actively send the request message for the original digest information to the network element device. The network management device may send the request message a preset time after sending the software package to the network element device, where the preset time need only be long enough to ensure that the network element device can finish loading the software code in memory.

[121] Step 303: The network element device generates the original digest information for the software code loaded in memory in response to the request message for the original digest information.

[122] In this embodiment, after receiving the request message for the original digest information, the network element device computes the digest information of the software code already loaded in memory and uses that digest information as the original digest information. The digest information can be produced by applying a one-way hash function to the software code; if the software code itself changes, the computed digest information also changes, so the security and integrity of the software code can be verified through the digest information.

[123] Step 304: The network element device sends the original digest information to the network management device.

[124] Step 305: The network management device saves the original digest information.

[125] Step 306: While the software code is running, the network element device receives a report request message for the verification digest information sent by the network management device.

[126] This embodiment differs from the embodiment shown in Figure 2 in that, while the software code is running on the network element device, the network management device can send the report request message for the verification digest information in real time according to the administrator's needs.

[127] Step 307: The network element device generates the verification digest information for the software code in response to the report request message for the verification digest information.

[128] After receiving the report request message for the verification digest information, the network element device computes the digest information of the software code currently running in memory and uses that digest information as the verification digest information. The verification digest information is computed in the same way as the original digest information, which is not repeated here.

[129] Step 308: The network element device sends the verification digest information to the network management device.

[130] Step 309: The network management device compares whether the verification digest information is consistent with the original digest information; when they are inconsistent it determines that the software code is not secure, and when they are consistent it determines that the software code is secure.

[131] After receiving the verification digest information, the network management device can retrieve the saved original digest information and compare whether the two are consistent. If they are consistent, it can be determined that the software code has not been tampered with during execution and the software code is secure; if they are inconsistent, it can be determined that the software code has been tampered with during execution and is therefore not secure, in which case the network management device may raise an alarm or an administrator may intervene manually.

[132] As can be seen from the above embodiment, because the network element device sends digest information generated while the software is running to the network management device, it can be detected whether the software has been maliciously attacked during execution. The security of software running on the network element device is thereby protected, and the dynamic security of the software is improved.

[133] Figure 4 is a flowchart of another embodiment of the software security detection method of the present invention:

[134] Step 401: The network element device loads the software into memory.

[135] In this embodiment of the present invention, the network element device may specifically be a single board or the like, and may be provided with an SoC security chip and memory, where the SoC security chip may further include a CPU, FPGA, DSP, CPLD and the like, and the memory may include RAM, Flash and the like.

[136] When the network management device releases new software, or software that upgrades existing software, it generates a digital signature for that software, packages the digital signature with the software, and sends the software package to the network element device. In the prior art, after receiving the software package, the network element device extracts the digital signature from it and determines whether the software is secure by verifying the digital signature, thereby ensuring the static security of the software to be loaded. The specific process by which the network element device verifies the received software is the same as described in step 201 above and is not repeated here.

[137] Step 402: When the network element device has finished loading the software code in memory, it generates original digest information for the software code.

[138] Unlike the embodiments shown in Figures 2 and 3, in this embodiment the network element device can generate the digest information of the software code immediately after loading the software code and use that digest information as the original digest information. The digest information can be produced by applying a one-way hash function to the software code; if the software code itself changes, the computed digest information also changes, so the security and integrity of the software code can be verified through the digest information.

[139] Step 403: The network element device reports the original digest information to the network management device.

[140] Step 404: The network management device saves the original digest information.

[141] Step 405: While the software code is running, the network element device generates verification digest information for the software code at a configured time period.

[142] In this embodiment, to verify security while the software code is running, the network element device may compute the digest information of the software code at a configured time period during execution and use that digest information as the verification digest information. For example, the network element device may set a timer, and when the timer period expires, the network element device is triggered to compute the verification digest information for that period. In this step, the verification digest information is computed in the same way as the original digest information, which is not repeated here.

[143] Step 406: The network element device reports the verification digest information to the network management device.

[144] Step 407: The network management device compares whether the verification digest information is consistent with the original digest information; when they are inconsistent it determines that the software code is not secure, and when they are consistent it determines that the software code is secure.

[145] After receiving the verification digest information, the network management device can retrieve the saved original digest information and compare whether the two are consistent. If they are consistent, it can be determined that the software code has not been tampered with during execution and the software code is secure; if they are inconsistent, it can be determined that the software code has been tampered with during execution and is therefore not secure, in which case the network management device may raise an alarm or an administrator may intervene manually.

[146] As can be seen from the above embodiment, because the network element device sends digest information generated while the software is running to the network management device, it can be detected whether the software has been maliciously attacked during execution. The security of software running on the network element device is thereby protected, and the dynamic security of the software is improved.

[147] Figure 5 is a flowchart of another embodiment of the software security detection method of the present invention:

[148] Step 501: The network element device loads the software into memory.

[149]本发明实施例中, 网元设备可以具体为单板等, 网元设备上可以设置有通过 SoC 安全芯片和内存等, 其中, SoC安全芯片可以进一步包含 CPU、 FPGA、 DSP、 CPLD等, 内存可以包含 RAM、 Flash等。 [149] In the embodiment of the present invention, the network element device may specifically be a single board, etc., and the network element device may be provided with a SoC security chip and memory, etc., wherein the SoC security chip may further include CPU, FPGA, DSP, CPLD, etc. , the memory may include RAM, Flash and the like.

[150]当网管设备发布新的软件, 或者对现有软件进行升级的软件时, 会为这些软件 生成数字签名, 将数字签名打包在软件中, 并将该软件包发送给网元设备, 现有技术 中, 网元设备接收到软件包后, 获得其中的数字签名, 并通过验证数字签名确定软件 是否安全, 以此保证待加载软件的静态安全性。 网元设备对接收到的软件进行验证的 具体过程与前述步骤 201中的描述一致, 在此不再赘述。 [150] When the network management device releases new software or upgrades existing software, it will generate a digital signature for these software, package the digital signature in the software, and send the software package to the network element device. Now In the prior art, after the network element device receives the software package, it obtains the digital signature therein, and determines whether the software is safe by verifying the digital signature, so as to ensure the static security of the software to be loaded. The specific process for the network element device to verify the received software is consistent with the description in the foregoing step 201, and will not be repeated here.

[151]步骤 502 :网元设备在内存中加载完软件代码时,为软件代码生成原始摘要信息。 步骤 503 : 网元设备向网管设备上报原始摘要信息。 [151] Step 502: When the network element device finishes loading the software code in the memory, generate original summary information for the software code. Step 503: the network element device reports the original summary information to the network management device.

[152]步骤 504: 网管设备保存原始摘要信息。 [152] Step 504: the network management device saves the original summary information.

[153]与前述图 2和图 3示出的实施例不同, 本实施例中网元设备可以在加载完软件 代码后, 实时生成软件代码的摘要信息, 将该摘要信息作为原始摘要信息。 其中, 摘 要信息可以由一个单向 Hash加密函数对软件代码进行作用而产生, 如果软件代码本 身发生变化, 则计算出的摘要信息也会发生变化, 因此通过摘要信息可以验证软件代 码的安全性和完整性。 [153] Different from the aforementioned embodiments shown in FIG. 2 and FIG. 3, the network element device in this embodiment can generate summary information of the software code in real time after loading the software code, and use the summary information as the original summary information. Among them, the summary information can be generated by a one-way Hash encryption function on the software code. If the software code itself changes, the calculated summary information will also change. Therefore, the security and security of the software code can be verified through the summary information. integrity.

[154] Step 505: While the software code is running, the network element device receives a verification digest report request message sent by the network management device.

[155] The difference from the embodiments shown in FIG. 2 and FIG. 4 is that in this embodiment, while the software code is running on the network element device, the network management device can send the verification digest report request message in real time, as required by the administrator.

[156] Step 506: The network element device generates the verification digest of the software code according to the verification digest report request message.

[157] After receiving the report request message, the network element device computes the digest of the software code currently running in memory and uses it as the verification digest. The verification digest is computed in the same way, and by the same process, as the original digest, which is not repeated here.

[158] Step 507: The network element device sends the verification digest to the network management device.

[159] Step 508: The network management device compares the verification digest with the original digest. If the verification digest differs from the original digest, it determines that the software code is not safe; if they match, it determines that the software code is safe.

[160] After receiving the verification digest, the network management device retrieves the stored original digest and compares the two. If they match, it can conclude that the software code has not been tampered with while running and is safe; if they differ, it can conclude that the software code was tampered with while running and is therefore not safe, in which case the network management device can raise an alarm or the administrator can intervene manually.

[161] As the above embodiment shows, because the network element device can send the network management device digests of the software taken while it is running, it is possible to detect whether the software has been maliciously attacked during execution, thereby protecting the security of software running on the network element device and improving its dynamic security.
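The exchange of steps 502 to 508, together with the alternative periodic-report trigger named in the apparatus and claims, as an added example that is not part of the patent. It models both sides in one process: the network element (NE) holds an in-memory copy of constructed "software code" and answers digest requests over it; the network management (NM) side stores the load-time baseline and compares every later report against it. The message dictionaries, the `SAMPLE_CODE` bytes, the single-byte tamper and the choice of SHA-256 are this example's assumptions; the patent only requires a one-way hash and does not specify message formats.

```python
"""Added example (not the patent's code): load-time original digest, NM-side
baseline, run-time verification digest on request or per period, and compare."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for a loaded code segment (an ELF magic followed by a
# repeated x86-64 prologue and a ret). Any bytes would do; this is not real firmware.
SAMPLE_CODE = bytes.fromhex("7f454c46") + b"\x55\x48\x89\xe5" * 64 + b"\xc3"


def code_digest(memory: bytes) -> str:
    """One-way hash over the loaded code. The patent only asks for a one-way
    hash function; SHA-256 is the assumption made here."""
    return hashlib.sha256(memory).hexdigest()


@dataclass
class NetworkElement:
    """NE side: owns the in-memory copy of the code and produces digests of it."""
    name: str
    memory: bytearray = field(default_factory=bytearray)

    def _report(self, kind: str) -> dict:
        # Always digest what is in memory *now*, never a cached value.
        return {"type": kind, "ne": self.name, "digest": code_digest(bytes(self.memory))}

    def load(self, image: bytes) -> dict:
        """Steps 502/503: copy the code into memory, then report the original digest."""
        self.memory = bytearray(image)
        return self._report("original_digest")

    def handle(self, msg: dict) -> dict:
        """Steps 505-507: answer an NM report request with a fresh verification digest."""
        if msg.get("type") != "report_request":
            raise ValueError(f"unexpected message {msg!r}")
        return self._report("verification_digest")

    def periodic_report(self) -> dict:
        """The other trigger (claims 3 and 6): the NE pushes a verification digest
        every configured period. The timer itself is left to the caller."""
        return self._report("verification_digest")


@dataclass
class NetworkManager:
    """NM side: keeps one baseline per NE and compares every later report to it."""
    baselines: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def store_original(self, msg: dict) -> None:
        """Step 504: store the load-time digest as the baseline for that NE."""
        if msg.get("type") != "original_digest":
            raise ValueError(f"unexpected message {msg!r}")
        self.baselines[msg["ne"]] = msg["digest"]

    def check(self, report: dict) -> bool:
        """Step 508: consistent -> safe (True); inconsistent -> unsafe (False) and an alarm."""
        expected = self.baselines[report["ne"]]
        ok = hmac.compare_digest(expected, report["digest"])  # constant-time; harmless here
        if not ok:
            self.alarms.append(f"{report['ne']}: running-code digest differs from baseline")
        return ok

    def verify(self, ne: NetworkElement) -> bool:
        """Step 505 + 508: request a verification digest from the NE and check it."""
        return self.check(ne.handle({"type": "report_request", "ne": ne.name}))


def run_scenario() -> tuple:
    """Load clean code, verify (safe), flip one bit in memory, verify again (unsafe)."""
    ne = NetworkElement("ne-1")
    nm = NetworkManager()
    nm.store_original(ne.load(SAMPLE_CODE))
    before = nm.verify(ne)      # memory unchanged: digests match
    ne.memory[40] ^= 0x01       # constructed in-memory tamper: one bit of the code
    after = nm.verify(ne)       # digest no longer matches the baseline
    return before, after, len(nm.alarms)


if __name__ == "__main__":
    print(run_scenario())   # (True, False, 1)
```

One point to keep in view when applying this scheme: the digest is computed and reported by the network element itself. If an attacker controls the NE's digest routine or the NE-to-NM transport, they can keep replying with the baseline value, so the comparison only detects modification of the measured code region by an attacker who has not also subverted the measuring code or the channel; the page's own static check (the signed package of paragraph [150]) and an authenticated management channel are what that assumption rests on.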

[162] Corresponding to the embodiments of the software security detection method of the present invention, the present invention also provides embodiments of a software security detection apparatus, a network management device and a network element device.

[163] FIG. 6 is a block diagram of an embodiment of the software security detection apparatus of the present invention; this apparatus may be deployed on the network management device side:

[164] The apparatus includes an obtaining unit 610, a receiving unit 620 and a detection unit 630.

[165] The obtaining unit 610 is configured to obtain the original digest from the network element device, the original digest being the digest generated by the network element device for the software code loaded in memory;

[166] the receiving unit 620 is configured to receive the verification digest sent by the network element device, the verification digest being the digest generated by the network element device while the software code is running;

[167] the detection unit 630 is configured to compare the verification digest received by the receiving unit 620 with the original digest obtained by the obtaining unit 610 and, if they differ, determine that the software code is not safe; if they match, determine that the software code is safe.

[168] Optionally, the obtaining unit 610 may include (not shown in FIG. 6):

[169] a request message sending sub-unit, configured to send an original digest request message to the network element device;

[170] a first original digest receiving sub-unit, configured to receive the original digest returned by the network element device in response to the original digest request message sent by the request message sending sub-unit.

[171] Optionally, the obtaining unit 610 may instead include (not shown in FIG. 6):

[172] a second original digest receiving sub-unit, configured to receive the original digest reported by the network element device when it has finished loading the software code into memory.

[173] Optionally, the receiving unit 620 may include (not shown in FIG. 6):

[174] a first verification digest receiving sub-unit, configured to receive the verification digest reported by the network element device at a configured time period;

[175] Optionally, the receiving unit 620 may instead include (not shown in FIG. 6):

[176] a report request sending sub-unit, configured to send a verification digest report request message to the network element device;

[177] a second verification digest receiving sub-unit, configured to receive the verification digest returned by the network element device in response to the verification digest report request message sent by the report request sending sub-unit.

[178] FIG. 7 is a block diagram of another embodiment of the software security detection apparatus of the present invention; this apparatus may be deployed on the network element device side:

[179] The apparatus includes a first sending unit 710 and a second sending unit 720.

[180] The first sending unit 710 is configured to send the original digest to the network management device, the original digest being the digest generated for the software code loaded in memory;

[181] the second sending unit 720 is configured to send the verification digest of the software code to the network management device while the software code is running, so that the network management device determines whether the software code is safe by comparing the verification digest sent by the second sending unit with the original digest sent by the first sending unit.

[182] Optionally, the first sending unit 710 may include (not shown in FIG. 7):

[183] a request message receiving sub-unit, configured to receive the original digest request message sent by the network management device;

[184] a first original digest generating sub-unit, configured to generate the original digest for the software code loaded in memory according to the original digest request message received by the request message receiving sub-unit;

[185] a first original digest sending sub-unit, configured to send the original digest generated by the first original digest generating sub-unit to the network management device.

[186] Optionally, the first sending unit 710 may instead include (not shown in FIG. 7):

[187] a second original digest generating sub-unit, configured to generate the original digest for the software code when the software code has finished loading into memory;

[188] a second original digest sending sub-unit, configured to report the original digest generated by the second original digest generating sub-unit to the network management device.

[189] Optionally, the second sending unit 720 may include (not shown in FIG. 7):

[190] a first verification digest generating unit, configured to generate the verification digest of the software code at a configured time period while the software code is running;

[191] a first verification digest sending sub-unit, configured to send the verification digest generated by the first verification digest generating unit to the network management device.

[192] Optionally, the second sending unit 720 may instead include (not shown in FIG. 7):

[193] a report request receiving sub-unit, configured to receive, while the software code is running, the verification digest report request message sent by the network management device;

[194] a second verification digest generating sub-unit, configured to generate the verification digest of the software code according to the verification digest report request message received by the report request receiving sub-unit;

[195] a second verification digest sending sub-unit, configured to send the verification digest generated by the second verification digest generating sub-unit to the network management device.

[196] FIG. 8 is a block diagram of an embodiment of the network management device of the present invention:

[197] The network management device includes a network interface 810 and a processor 820.

[198] The network interface 810 is configured to obtain the original digest from the network element device, the original digest being the digest generated by the network element device for the software code loaded in memory, and to receive the verification digest sent by the network element device, the verification digest being the digest generated by the network element device while the software code is running;

[199] the processor 820 is configured to compare the verification digest with the original digest and, if they differ, determine that the software code is not safe; if they match, determine that the software code is safe.

[200] Optionally, the network interface 810 may specifically be configured to send an original digest request message to the network element device and receive the original digest returned by the network element device in response to that request message; or to receive the original digest that the network element device reports to the network management device when it has finished loading the software code into memory.

[201] Optionally, the network interface 810 may specifically be configured to receive the verification digest reported by the network element device at a configured time period; or to send a verification digest report request message to the network element device and receive the verification digest returned by the network element device in response to that report request message.

[202] FIG. 9 is a block diagram of an embodiment of the network element device of the present invention:

[203] The network element device includes a network interface 910 and a processor 920.

[204] The processor 920 is configured to send the original digest to the network management device through the network interface 910, the original digest being the digest generated by the network element device for the software code loaded in memory, and, while the software code is running, to send the verification digest of the software code to the network management device through the network interface 910, so that the network management device determines whether the software code is safe by comparing the verification digest with the original digest.

[205] Optionally, the processor 920 may specifically be configured, after the network interface receives the original digest request message sent by the network management device, to generate the original digest for the software code loaded in memory according to that request message and to send the original digest to the network management device through the network interface; or, when the software code has finished loading into memory, to generate the original digest for the software code and report it to the network management device through the network interface.

[206] Optionally, the processor 920 may specifically be configured, while the software code is running, to generate the verification digest of the software code at a configured time period and send it to the network management device through the network interface; or, when the network interface receives the verification digest report request message sent by the network management device while the software code is running, to generate the verification digest of the software code according to that report request message and send it to the network management device through the network interface.

[207] As the above embodiments show, the network management device obtains from the network element device an original digest, which is the digest the network element device generated for the software code loaded in memory; the network element device generates a verification digest while the software code is running; and the network management device receives the verification digest and compares it with the original digest, determining that the software code is not safe if they differ and safe if they match. With the embodiments of the present invention, because the network element device can send the network management device digests of the software taken while it is running, it is possible to detect whether the software has been maliciously attacked during execution, thereby protecting the security of software running on the network element device and improving its dynamic security.

[208] Those skilled in the art will readily understand that the techniques in the embodiments of the present invention may be implemented by software together with a necessary general-purpose hardware platform. On this understanding, the technical solutions of the embodiments, or the part of them that contributes over the prior art, may be embodied as a software product stored on a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and including instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the present invention or in parts of them.

[209] The embodiments in this specification are described progressively; for the parts that are the same or similar between embodiments, reference may be made from one to another, and each embodiment focuses on its differences from the others. In particular, since the system embodiments are basically similar to the method embodiments, they are described more briefly, and the relevant parts may be found in the description of the method embodiments.

[210] The embodiments of the present invention described above do not limit the protection scope of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (12)

1. A software security detection method, characterized in that the method comprises:
    a network management device obtaining an original digest from a network element device, the original digest being a digest generated by the network element device for software code loaded in memory;
    the network management device receiving a verification digest sent by the network element device, the verification digest being a digest generated by the network element device while the software code is running;
    the network management device comparing whether the verification digest is consistent with the original digest and, if not, determining that the software code is not safe, and if so, determining that the software code is safe.

2. The method according to claim 1, characterized in that the network management device obtaining the original digest from the network element device comprises:
    the network management device sending an original digest request message to the network element device and receiving the original digest returned by the network element device in response to the original digest request message; or
    the network management device receiving the original digest reported to it by the network element device when the network element device has finished loading the software code into memory.

3. The method according to claim 1 or 2, characterized in that the network management device receiving the verification digest sent by the network element device comprises:
    the network management device receiving the verification digest reported by the network element device at a configured time period; or
    the network management device sending a verification digest report request message to the network element device and receiving the verification digest returned by the network element device in response to the verification digest report request message.

4. A software security detection method, characterized in that the method comprises:
    a network element device sending an original digest to a network management device, the original digest being a digest generated by the network element device for software code loaded in memory;
    the network element device sending a verification digest of the software code to the network management device while the software code is running, so that the network management device determines whether the software code is safe by comparing the verification digest with the original digest.

5. The method according to claim 4, characterized in that the network element device sending the original digest to the network management device comprises:
    the network element device receiving an original digest request message sent by the network management device, generating the original digest for the software code loaded in memory according to the original digest request message, and sending the original digest to the network management device; or
    the network element device generating the original digest for the software code when it has finished loading the software code into memory, and reporting the original digest to the network management device.

6. The method according to claim 4 or 5, characterized in that the network element device sending the verification digest of the software code to the network management device while the software code is running comprises:
    the network element device generating the verification digest of the software code at a configured time period while the software code is running, and sending the verification digest to the network management device; or
    the network element device receiving, while the software code is running, a verification digest report request message sent by the network management device, generating the verification digest of the software code according to the verification digest report request message, and sending the verification digest to the network management device.

7. A software security detection apparatus, characterized in that the apparatus comprises:
    an obtaining unit, configured to obtain an original digest from a network element device, the original digest being a digest generated by the network element device for software code loaded in memory;
    a receiving unit, configured to receive a verification digest sent by the network element device, the verification digest being a digest generated by the network element device while the software code is running;
    a detection unit, configured to compare whether the verification digest received by the receiving unit is consistent with the original digest obtained by the obtaining unit and, if not, determine that the software code is not safe, and if so, determine that the software code is safe.

8. The apparatus according to claim 7, characterized in that
    the obtaining unit comprises a request message sending sub-unit and a first original digest receiving sub-unit, wherein the request message sending sub-unit is configured to send an original digest request message to the network element device, and the first original digest receiving sub-unit is configured to receive the original digest returned by the network element device in response to the original digest request message sent by the request message sending sub-unit; or
    the obtaining unit comprises a second original digest receiving sub-unit, configured to receive the original digest reported by the network element device when it has finished loading the software code into memory.

9. The apparatus according to claim 7 or 8, characterized in that
    the receiving unit comprises a first verification digest receiving sub-unit, configured to receive the verification digest reported by the network element device at a configured time period; or
    the receiving unit comprises a report request sending sub-unit and a second verification digest receiving sub-unit, wherein the report request sending sub-unit is configured to send a verification digest report request message to the network element device, and the second verification digest receiving sub-unit is configured to receive the verification digest returned by the network element device in response to the verification digest report request message sent by the report request sending sub-unit.

10. A software security detection apparatus, characterized in that the apparatus comprises:
    a first sending unit, configured to send an original digest to a network management device, the original digest being a digest generated for software code loaded in memory;
    a second sending unit, configured to send a verification digest of the software code to the network management device while the software code is running, so that the network management device determines whether the software code is safe by comparing the verification digest sent by the second sending unit with the original digest sent by the first sending unit.

11. The apparatus according to claim 10, characterized in that
    the first sending unit comprises a request message receiving sub-unit, a first original digest generating sub-unit and a first original digest sending sub-unit, wherein the request message receiving sub-unit is configured to receive an original digest request message sent by the network management device, the first original digest generating sub-unit is configured to generate the original digest for the software code loaded in memory according to the original digest request message received by the request message receiving sub-unit, and the first original digest sending sub-unit is configured to send the original digest generated by the first original digest generating sub-unit to the network management device; or
    the first sending unit comprises a second original digest generating sub-unit and a second original digest sending sub-unit, wherein the second original digest generating sub-unit is configured to generate the original digest for the software code when the software code has finished loading into memory, and the second original digest sending sub-unit is configured to report the original digest generated by the second original digest generating sub-unit to the network management device.

12. The apparatus according to claim 10 or 11, characterized in that
    the second sending unit comprises a first verification digest generating unit and a first verification digest sending sub-unit, wherein the first verification digest generating unit is configured to generate the verification digest of the software code at a configured time period while the software code is running, and the first verification digest sending sub-unit is configured to send the verification digest generated by the first verification digest generating unit to the network management device; or
    the second sending unit comprises a report request receiving sub-unit, a second verification digest generating sub-unit and a second verification digest sending sub-unit, wherein the report request receiving sub-unit is configured to receive, while the software code is running, a verification digest report request message sent by the network management device, the second verification digest generating sub-unit is configured to generate the verification digest of the software code according to the verification digest report request message received by the report request receiving sub-unit, and the second verification digest sending sub-unit is configured to send the verification digest generated by the second verification digest generating sub-unit to the network management device.

13. A network management device, characterized in that the network management device comprises a network interface and a processor, wherein
    the network interface is configured to obtain an original digest from a network element device, the original digest being a digest generated by the network element device for software code loaded in memory, and to receive a verification digest sent by the network element device, the verification digest being a digest generated by the network element device while the software code is running;
    the processor is configured to compare whether the verification digest is consistent with the original digest and, if not, determine that the software code is not safe, and if so, determine that the software code is safe.

14. The network management device according to claim 13, characterized in that
    the network interface is specifically configured to send an original digest request message to the network element device and receive the original digest returned by the network element device in response to the original digest request message; or to receive the original digest reported to the network management device by the network element device when the network element device has finished loading the software code into memory.

15. The network management device according to claim 13 or 14, characterized in that
    the network interface is specifically configured to receive the verification digest reported by the network element device at a configured time period; or to send a verification digest report request message to the network element device and receive the verification digest returned by the network element device in response to the verification digest report request message.

16. A network element device, characterized in that the network element device comprises a network interface and a processor, wherein
    the processor is configured to send an original digest to a network management device through the network interface, the original digest being a digest generated by the network element device for software code loaded in memory, and to send a verification digest of the software code to the network management device through the network interface while the software code is running, so that the network management device determines whether the software code is safe by comparing the verification digest with the original digest.
    17th, network element device according to claim 16, it is characterised in that
    The processor, after request message specifically for receiving the original digest information that the Network Management Equipment is sent when the network interface, it is that the software code being carried in internal memory generates the original digest information according to the request message of the original digest information, and the original digest information is sent to by the Network Management Equipment by the network interface;Or, it is that the software code generates the original digest information, and the original digest information is reported to the Network Management Equipment by the network interface when having loaded the software code in internal memory.18th, the network element device according to claim 16 or 17, it is characterised in that
    The processor, specifically in the software code running, generating the checking summary info of the software code according to the time cycle of setting, and the checking summary info is sent to the Network Management Equipment by the network interface;Or, when the network interface receives after the reporting request message of summary info of checking that the Network Management Equipment is sent in the software code running, the checking summary info of the software code is generated according to the request message that reports of the checking summary info, and the checking summary info is sent to by the Network Management Equipment by the network interface.
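    The detection loop the claims describe (original digest on load, verification digests while running, comparison at the manager) as an added, constructed example; this is not code from the patent or from Huawei. It assumes SHA-256 as the digest algorithm (the claims name none), a tick counter in place of a real time cycle, and direct method calls in place of the network messages between the element and the manager; the class and function names are hypothetical. It exercises both reporting modes for the original digest (reported on load, or returned on request) and both modes for verification digests (periodic, or on request), and shows that a change to the code image in memory flips the verdict from safe to unsafe.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the software image a network element loads into
# memory; the bytes themselves carry no meaning.
SAMPLE_IMAGE = bytes(range(256)) * 8


def digest_of(code: bytes) -> str:
    """Digest information over a code image.
    Assumption: SHA-256; the claims do not name the digest algorithm."""
    return hashlib.sha256(code).hexdigest()


class NetworkElement:
    """Hypothetical network element: loads code into 'memory', produces the
    original digest once, and produces verification digests while running."""

    def __init__(self, ne_id: str, report_period: int = 3) -> None:
        self.ne_id = ne_id
        self.memory = bytearray()            # the software code loaded in memory
        self.report_period = report_period   # the "set time cycle", in ticks
        self.ticks = 0

    def load(self, image: bytes) -> str:
        """Load the image; return the original digest to report on load (push)."""
        self.memory = bytearray(image)
        return digest_of(bytes(self.memory))

    def on_original_digest_request(self) -> str:
        """Answer the manager's request message for the original digest (pull)."""
        return digest_of(bytes(self.memory))

    def verification_digest(self) -> str:
        """Digest of what is in memory right now; used for on-request checks."""
        return digest_of(bytes(self.memory))

    def tick(self) -> Optional[str]:
        """Advance one time unit. Every report_period ticks, return a
        verification digest to send to the manager; otherwise None."""
        self.ticks += 1
        if self.ticks % self.report_period == 0:
            return self.verification_digest()
        return None


class NetworkManager:
    """Hypothetical network management equipment: stores each element's
    original digest and compares every verification digest against it."""

    def __init__(self) -> None:
        self.original: Dict[str, str] = {}
        self.events: List[Tuple[str, str]] = []   # (ne_id, verdict) audit trail

    def record_original(self, ne_id: str, original_digest: str) -> None:
        self.original[ne_id] = original_digest

    def check(self, ne_id: str, verification_digest: str) -> bool:
        """True when the digests match (code judged safe), False otherwise.
        An element with no recorded original digest is treated as unsafe."""
        expected = self.original.get(ne_id)
        safe = expected is not None and expected == verification_digest
        self.events.append((ne_id, "safe" if safe else "unsafe"))
        return safe


def run_periodic_scenario(tamper_at_tick: int = 7, total_ticks: int = 12) -> List[Tuple[int, bool]]:
    """Periodic mode: the element reports every report_period ticks. At
    tamper_at_tick one byte of the loaded code is changed in memory
    (constructed fault). Returns (tick, verdict) for each report."""
    nms = NetworkManager()
    ne = NetworkElement("ne-1", report_period=3)
    nms.record_original(ne.ne_id, ne.load(SAMPLE_IMAGE))               # push mode
    assert ne.on_original_digest_request() == nms.original[ne.ne_id]   # pull mode agrees

    verdicts: List[Tuple[int, bool]] = []
    for t in range(1, total_ticks + 1):
        if t == tamper_at_tick:
            ne.memory[100] ^= 0x01
        reported = ne.tick()
        if reported is not None:
            verdicts.append((t, nms.check(ne.ne_id, reported)))
    return verdicts


def run_on_request_check(tamper: bool) -> bool:
    """On-request mode: the manager sends a report request and checks the reply."""
    nms = NetworkManager()
    ne = NetworkElement("ne-2")
    nms.record_original(ne.ne_id, ne.load(SAMPLE_IMAGE))
    if tamper:
        ne.memory[0] ^= 0xFF                   # constructed fault
    return nms.check(ne.ne_id, ne.verification_digest())


if __name__ == "__main__":
    print(run_periodic_scenario())   # [(3, True), (6, True), (9, False), (12, False)]
    print(run_on_request_check(False), run_on_request_check(True))   # True False
```

    With the defaults the element reports at ticks 3, 6, 9 and 12 and the memory change at tick 7 is caught at the first report after it, which is the detection latency a set time cycle implies; the on-request path has no such latency but costs a round trip per check. The manager's verdict is only as reliable as the digest the element computes over its own memory, so in a deployment the element's digest routine and its stored code image need their own protection (for instance a hardware-rooted measurement), a point the claims leave to the implementation.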
CN201480000117.8A 2014-03-04 2014-03-04 Software security detection method, apparatus and device Pending CN105190637A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/072826 WO2015131324A1 (en) 2014-03-04 2014-03-04 Software security detection method, apparatus and device

Publications (1)

Publication Number Publication Date
CN105190637A true CN105190637A (en) 2015-12-23

Family

ID=54054338

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480000117.8A Pending CN105190637A (en) 2014-03-04 2014-03-04 Software security detection method, apparatus and device

Country Status (2)

Country Link
CN (1) CN105190637A (en)
WO (1) WO2015131324A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108875372A (en) * 2017-12-29 2018-11-23 哈尔滨安天科技股份有限公司 A kind of code detection method, device, electronic equipment and storage medium
CN111740854A (en) * 2019-03-25 2020-10-02 美光科技公司 Apparatus, method and system for secure device communication

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10474823B2 (en) * 2016-02-16 2019-11-12 Atmel Corporation Controlled secure code authentication
CN106096388B (en) * 2016-05-31 2019-04-16 北京小米移动软件有限公司 A kind of code security processing method, device, terminal device and system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6047242A (en) * 1997-05-28 2000-04-04 Siemens Aktiengesellschaft Computer system for protecting software and a method for protecting software
CN1514375A (en) * 2003-07-21 2004-07-21 蒋正华 Software protection method
CN101783801A (en) * 2010-01-29 2010-07-21 福建星网锐捷网络有限公司 Software protection method based on network, client side and server
CN101996286A (en) * 2009-08-10 2011-03-30 北京多思科技发展有限公司 Dynamic security measure implementation method, security measurement device and application system
CN102375953A (en) * 2010-08-10 2012-03-14 上海贝尔股份有限公司 Software certification method and software certification device
CN103065072A (en) * 2011-10-21 2013-04-24 北京大学 Method and device to improve Java software jailbreak difficulty and copyright verification method
CN103501294A (en) * 2010-08-18 2014-01-08 北京奇虎科技有限公司 Method for judging whether program is malicious or not

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102208003A (en) * 2010-03-31 2011-10-05 鸿富锦精密工业(深圳)有限公司 Software program protection system and method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108875372A (en) * 2017-12-29 2018-11-23 哈尔滨安天科技股份有限公司 A kind of code detection method, device, electronic equipment and storage medium
CN111740854A (en) * 2019-03-25 2020-10-02 美光科技公司 Apparatus, method and system for secure device communication
CN111740854B (en) * 2019-03-25 2023-07-18 美光科技公司 Apparatus, method and system for safety device communication

Also Published As

Publication number Publication date
WO2015131324A1 (en) 2015-09-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20151223

RJ01 Rejection of invention patent application after publication