CN114598546B - Application defense method, device, apparatus, medium and program product - Google Patents


Info

Publication number
CN114598546B
Authority
CN (China)
Prior art keywords
attack, application server, application, code, request
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210292050.6A
Other languages
Chinese (zh)
Other versions
CN114598546A (en)
Inventors
魏兴, 旷亚和
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC

Abstract

The disclosure provides an application defense method, device, equipment, storage medium and program product for an application server, and relates to the field of information security. The method comprises the following steps: receiving a request message for accessing the application server; detecting attack content in the request message based on a first detection rule; and, when the request message contains the attack content, running attack defense code in a request processing function to block the first network address, wherein the attack defense code is inserted into the request processing function by way of bytecode instrumentation. Embodiments of the disclosure give the application its own defense function, so that it no longer depends on special protection equipment and avoids the access performance problem that protection by external security equipment may introduce. The disclosure also provides an application defense method, device, storage medium and program product for the defense server.

Description

Application defense method, device, apparatus, medium and program product
Technical Field
The present disclosure relates to the field of information security, and more particularly, to an application defense method, apparatus, device, medium, and program product.
Background
With the development of internet technology, attacks by hackers on application systems have become more frequent, so network security problems deserve attention. The attack behavior mentioned above refers to any type of attack on an application system, such as breaking into, hijacking or modifying the application system without authorization. In the related art, an attack can be quickly discovered and blocked using special protection equipment. For example, attack detection is performed at the application level using a device such as an application firewall.
In implementing the concepts of the present disclosure, the inventors found at least the following problem in the related art: the defense of the application system depends on protective equipment, and when access requests are highly concurrent the protective equipment may have insufficient processing capacity, so that access requests are easily blocked and access performance is affected.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a method, apparatus, device, medium, and program product by which an application itself may implement attack defense.
In one aspect of the embodiments of the present disclosure, an application defense method is provided for an application server, which includes: receiving a request message for accessing the application server, wherein the request message comprises a first network address of a client initiating access; detecting attack content in the request message based on a first detection rule, wherein the attack content comprises content for generating attack behavior against the application server; and, when the request message comprises the attack content, running attack defense code in a request processing function to block the first network address, wherein the attack defense code is inserted into the request processing function by way of bytecode instrumentation.
According to an embodiment of the present disclosure, further comprising: adding the first network address to a blacklist, wherein the blacklist comprises at least one blacklist address; and/or sending the first network address to a defending server, wherein the defending server is used for communication connection with N application servers, and N is an integer greater than or equal to 1.
According to an embodiment of the present disclosure, the method further comprises: receiving a second network address sent by the defense server; and adding the second network address to the blacklist.
According to an embodiment of the present disclosure, further comprising: receiving a second detection rule sent by the defense server; updating the first detection rule based on the second detection rule.
According to an embodiment of the present disclosure, the method further comprises: inserting attack judgment code into the request processing function by way of bytecode instrumentation; and detecting attack content in the request message based on the first detection rule, wherein the attack content comprises content for generating attack behavior against the application server, comprises: running the attack judgment code to detect the attack content, wherein the attack judgment code is used for executing the first detection rule.
According to an embodiment of the present disclosure, the running the attack determination code to detect the attack content includes: matching the first network address with a blacklist address in a blacklist, wherein the blacklist comprises at least one blacklist address; and/or matching the message field in the request message with a preset attack field.
According to an embodiment of the present disclosure, there is provided: inserting a content acquisition code into the request processing function in a byte code instrumentation mode; before blocking the first network address, further comprising: and running the content acquisition code to acquire the first network address and/or the attack content.
Another aspect of the embodiments of the present disclosure provides an application defense method for a defense server, where the defense server is configured to communicate with N application servers, N being an integer greater than or equal to 1, and the method includes: receiving attack processing information sent by a first application server, wherein the first application server is any one of the N application servers, and the attack processing information comprises a first network address blocked by the first application server; wherein the first application server is configured to perform the following operations: receiving a request message for accessing the first application server, wherein the request message comprises the first network address of the client initiating access; detecting attack content in the request message based on a first detection rule, wherein the attack content comprises content for generating attack behavior against the application server; and, when the request message comprises the attack content, running attack defense code in a request processing function to block the first network address, wherein the attack defense code is inserted into the request processing function by way of bytecode instrumentation.
According to an embodiment of the present disclosure, further comprising: and sending the first network address to a second application server, wherein the second application server is configured to add the first network address to a blacklist, the second application server is any one of N application servers except the first application server, and the blacklist comprises at least one blacklist address.
According to an embodiment of the present disclosure, further comprising: and sending a second network address to the N application servers, wherein the N application servers are configured to add the second network address to a blacklist, the second network address comprises an address directly added at the defending server, and the blacklist comprises at least one blacklist address.
According to an embodiment of the present disclosure, further comprising: and sending second detection rules to the N application servers, wherein the N application servers are configured to update the first detection rules based on the second detection rules.
Another aspect of the embodiments of the present disclosure provides an application defense device for use at an application server, including: a request receiving module for receiving a request message for accessing the application server, wherein the request message comprises a first network address of a client initiating access; an attack detection module for detecting attack content in the request message based on a first detection rule, wherein the attack content comprises content for generating attack behavior against the application server; and an address blocking module for running attack defense code in a request processing function to block the first network address when the request message comprises the attack content, wherein the attack defense code is inserted into the request processing function by way of bytecode instrumentation.
Another aspect of the disclosed embodiments provides an application defense device for a defense server, where the defense server is configured to communicate with N application servers, N being an integer greater than or equal to 1, and the device includes: an information receiving module for receiving attack processing information sent by a first application server, wherein the first application server is any one of the N application servers, and the attack processing information comprises a first network address blocked by the first application server; wherein the first application server is configured to perform the following operations: receiving a request message for accessing the first application server, wherein the request message comprises the first network address of the client initiating access; detecting attack content in the request message based on a first detection rule, wherein the attack content comprises content for generating attack behavior against the application server; and, when the request message comprises the attack content, running attack defense code in a request processing function to block the first network address, wherein the attack defense code is inserted into the request processing function by way of bytecode instrumentation.
Another aspect of an embodiment of the present disclosure provides an electronic device, including: one or more processors; and a storage means for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method as described above.
Another aspect of the disclosed embodiments also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the method as described above.
Another aspect of the disclosed embodiments also provides a computer program product comprising a computer program which, when executed by a processor, implements a method as described above.
One or more of the above embodiments have the following advantages:
Compared with defending against attacks using special protection equipment, embodiments of the disclosure can use bytecode instrumentation to insert attack defense code into a request processing function; if attack content in the request message is detected based on the first detection rule, the attack defense code is run to block the network address in the request message. The application thus has its own defense function, no longer depends on special protection equipment, and avoids the access performance problem that protection by external security equipment may introduce.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of an application defense method according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of an application defense method for an application server according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a schematic diagram of bytecode instrumentation according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of retrieving message content according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow chart of detecting attack content according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a flow diagram of an application defense method for a defense server according to an embodiment of the disclosure;
FIG. 7 schematically illustrates a flow diagram of an application defense method executed interactively by multiple parties according to another embodiment of the disclosure;
FIG. 8 schematically illustrates a block diagram of an application defense device for an application server according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of an application defense device for a defense server according to an embodiment of the present disclosure;
FIG. 10 schematically illustrates a block diagram of an electronic device adapted to implement an application defense method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in accordance with the meaning of one of skill in the art having generally understood the convention (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
In order to facilitate understanding of the technical scheme of the present application, some technical terms related to the present application are described below.
Client side: also called the user terminal, refers to the program that works with the server side to provide application services to users. It may be installed on the user's terminal device, for example as an application (App) installation package on a smartphone, or run as a web page in a browser client.
Application server side: may be deployed on an application server. Application services are implemented using code that provides business logic for an application program. It provides an access mechanism for the client to use, thereby meeting the user's needs in cooperation with the client.
Request message: the access request initiated by the client, which includes an HTTP (Hypertext Transfer Protocol) request or an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) request. The request message is the message carried by the access request. For example, the content of an HTTP message may include a request header (Header) and an entity (Body), where the request header includes a start line and header fields, and the entity is the message body. The client is the initiator of the access request, and the application server is its responder.
Request processing function: a function at the application server that processes the access request, parses the request message and returns response information. The function consists of at least one piece of business code written in a programming language such as C, C++, Go, Java or Python.
Code: the computer language instructions written in accordance with the programming language may be executed by a computer.
Defense server side: interacts with the application server, for example by receiving blocked network addresses or sending network addresses, detection rules and the like, and manages the defense services of one or more application servers. The application server side implements the defense function by executing code such as the content acquisition code, the attack judgment code and the attack defense code.
Byte code instrumentation: for example, inserting one piece of code into another piece of code through some policy (e.g., java agent, javassist, etc.), or replacing another piece of code, to achieve bytecode enhancement. Unlike instrumentation or binary instrumentation at the client, the bytecode instrumentation of the embodiments of the present disclosure implements code instrumentation at the application server.
With the development of network security, how to quickly discover and block attacks is an important problem in the field of security protection. General application defense methods can use devices such as a firewall or an IPS (Intrusion Prevention System) to detect at the network layer and block attack behavior on the firewall or IPS once it is found, but such methods cannot detect encrypted traffic. Detection can also be performed at the application level using equipment such as an application firewall. However, devices such as application firewalls are prone to access performance problems, resulting in protection failures. In addition, as cloud computing evolves, many applications are deployed in a cloud environment, where deployment of protective equipment becomes more difficult.
Embodiments of the present disclosure provide an application defense method, apparatus, device, medium, and program product for an application server. Compared with a mode of defending against attacks by using special protection equipment, the embodiment of the disclosure can utilize a byte code instrumentation technology to insert attack defending codes into a request processing function, and if the attack content in the request message is detected based on the first detection rule, the attack defending codes are operated to seal and disable network addresses in the request message, so that the application has a defending function, does not depend on the special protection equipment any more, and the problem of access performance possibly existing in the protection of external safety equipment is avoided.
The embodiment of the disclosure also provides an application defense method, an application defense device, application defense equipment, application defense media and application program products for the defense server. And the defending server is in communication connection with at least one application server, so that defending conditions of one or more application servers can be managed, and the overall defending capability of the application servers is improved.
Fig. 1 schematically illustrates an application scenario diagram of an application defense method according to an embodiment of the present disclosure.
As shown in fig. 1, the application scenario 100 according to this embodiment may include N first servers (e.g., servers 111 to 11N), the second server 120, networks 131 and 132, and terminal devices 141, 142, and 143. Network 131 serves as a medium for providing communication links between terminal devices 141, 142, and 143 and any one of the first servers. The network 132 is used to provide a medium for a communication link between the second server 120 and any one of the first servers. Networks 131 and 132 may include various connection types such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with any one of the first servers through network 131 using terminal devices 141, 142, and 143 to receive or send messages, etc. Various client applications may be installed on terminal devices 141, 142, and 143, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, and the like (just examples). In some embodiments, the user may interact with second server 120 via networks 131, 132 using terminal devices 141, 142, and 143, which are not described in detail herein.
Terminal devices 141, 142, and 143 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The first server or the second server 120 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by the user using the terminal devices 141, 142, and 143. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
According to embodiments of the present disclosure, an application server may be deployed in any one of the first servers. The N first servers may be servers for providing services for one application system based on a distributed architecture, or may be servers for deploying different application systems. The second server 120 may deploy a defensive server.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The application defense method of the embodiment of the present disclosure will be described in detail below by way of fig. 2 to 7 based on the scenario described in fig. 1.
Fig. 2 schematically illustrates a flowchart of an application defense method for an application server according to an embodiment of the disclosure.
As shown in fig. 2, the application defense method of this embodiment includes operations S210 to S240.
In operation S210, a request message for accessing an application server is received, where the request message includes a first network address of a client that initiates access.
For example, an application server may receive access from multiple clients. The first network address is the IP (Internet Protocol) address of the client making the current access.
In operation S220, attack content in the request message is detected based on the first detection rule, where the attack content includes content that generates an attack behavior for the application server.
Illustratively, the request Header (Header) and entity (Body) of the request message include fields, such as a request method field, a URL field, a version field, etc., or computer-executable instructions composed of one or more fields. A plurality of fields in the request message are detected to determine whether there is attack content.
In some embodiments, acquisition of the content of the request message may be performed by other services or devices, and the first detection rule may likewise be executed by other services or devices. For example, a request interception service is placed in front of the application server; after the content is acquired it is delivered to the application server for detection, which determines whether the content is an attack.
In some embodiments, after receiving the access request, the application server may first send the access request to the defending server, and after the defending server performs detection, perform attack behavior processing according to the detection result.
In operation S230, when the request message includes attack content, the attack defense code in the request processing function is run to block the first network address, where the attack defense code is inserted into the request processing function by way of bytecode instrumentation.
Illustratively, the attack defense code is composed of at least one piece of code that has the function of processing the attack behavior. For example, blocking the first network address may mean intercepting access traffic from that address, preventing the IP from initiating further scanning of the client and protecting the safe running of the application. Further, processing of the request message may be interrupted and a 404 status code (service unavailable) returned directly, preventing further processing of the request. The first network address may also be added to the blacklist.
The request processing function may be user-defined, for example, or may be a function provided by a standard code library. In some embodiments, the code is inserted into a function provided by a standard code library. Functions provided by a code library have unified names and structures, which improves the success rate of instrumentation.
Compared with application defense using additional protection equipment, embodiments of the disclosure can use bytecode instrumentation to insert the attack defense code into the request processing function; if attack content in the request message is detected based on the first detection rule, the attack defense code is run to block the network address in the request message. The application thus has its own defense function, no longer depends on special protection equipment, and avoids the access performance problem that dependence on external protection equipment may introduce.
Fig. 3 schematically illustrates a schematic diagram of a bytecode instrumentation according to an embodiment of the present disclosure. Fig. 4 schematically illustrates a flow chart of retrieving message content according to an embodiment of the present disclosure.
As shown in fig. 4, the acquiring the message content in this embodiment includes operations S410 to S420.
In operation S410, a content acquisition code is inserted into a request processing function by way of byte code instrumentation.
Before the first network address is blocked in operation S230, operation S420 may be performed: the content acquisition code is run to acquire the first network address and/or the attack content.
Referring to fig. 3, the content acquisition code may include HTTP request information acquisition code and client IP acquisition code. The HTTP request information acquisition code may acquire the fields of the request message other than the IP address (including the request URL, HTTP request header, HTTP request body and so on), so that those fields can be examined to detect attack content.
In some embodiments, the client IP acquisition code may acquire the first network address. For example, the client IP acquisition code first determines whether a specific header is present in the request: after a request is forwarded by proxy software it typically carries a specific header that conveys the real IP address, and if the request has passed through multiple levels of reverse proxy that header may hold a list of values, in which case the first IP is taken as the real IP. If the IP header is absent, the IP address is acquired through the getRemoteAddr() method.
According to embodiments of the disclosure, inserting the content acquisition code by way of bytecode instrumentation allows the information of each access to be obtained effectively, so that attack behavior can be located conveniently and quickly and response efficiency is improved. Even under high concurrency, the content of the request message is acquired by code running on the application server's own resources, which avoids the blocking problem caused by insufficient performance of protective equipment.
Fig. 5 schematically illustrates a flow chart of detecting attack content according to an embodiment of the present disclosure.
As shown in fig. 5, detecting attack content in this embodiment includes operations S510 to S520.
In operation S510, an attack determination code is inserted into the request processing function by way of bytecode instrumentation.
Referring to fig. 3, the attack determination code may be inserted into a code in an existing application, such as an HTTP request processing function of a server side. The attack defense code in operation S230 may include an IP blocking code, which is also a code inserted into an existing application by way of bytecode instrumentation.
Detecting attack content in the request message based on the first detection rule in operation S220 may include operation S520. In operation S520, an attack determination code is run to detect attack content, wherein the attack determination code is used to execute a first detection rule.
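The instrumentation step itself, as an added Java example that is not code from the patent or from ICBC: a `-javaagent` that uses Javassist to insert a call to a hypothetical `com.example.defense.DefenseHook` at the start of the request processing function named on the agent's command line. It assumes the target method's first parameter is an `HttpServletRequest`, that `X-Forwarded-For` is the "specific header" the text refers to, and that the agent jar carries a `Premain-Class` manifest entry with javassist on the class path.

```java
package com.example.defense;

import java.io.ByteArrayInputStream;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;

import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
import javassist.LoaderClassPath;

/**
 * Java agent that inserts the attack judgment call at the start of the request
 * processing function. Example start (build details are assumptions):
 *   java -javaagent:defense-agent.jar=com.example.app.RequestHandler#handle -jar app.jar
 * The agent jar manifest must contain "Premain-Class: com.example.defense.DefenseAgent".
 */
public final class DefenseAgent {

    // Source snippet compiled by Javassist into the target method. $1 is the method's
    // first parameter, assumed to be an HttpServletRequest. The body is not read here
    // (that would consume the request stream), so the hook inspects the address and URL.
    // On a hit the request is interrupted by an exception; the application's error
    // handling turns that into the refused response the patent describes.
    private static final String HOOK =
        "{ if (com.example.defense.DefenseHook.inspect($1.getRemoteAddr(),"
      + "      $1.getHeader(\"X-Forwarded-For\"), $1.getRequestURI(), (String) null)) {"
      + "    throw new java.lang.SecurityException(\"request blocked by defense code\");"
      + "  } }";

    private DefenseAgent() {}

    public static void premain(String agentArgs, Instrumentation inst) {
        String[] target = agentArgs.split("#", 2);           // "dotted.Class#method"
        inst.addTransformer(new DefenseTransformer(target[0], target[1]));
    }

    static final class DefenseTransformer implements ClassFileTransformer {
        private final String targetClass;   // internal name, e.g. com/example/app/RequestHandler
        private final String targetMethod;

        DefenseTransformer(String dottedClass, String method) {
            this.targetClass = dottedClass.replace('.', '/');
            this.targetMethod = method;
        }

        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                ProtectionDomain domain, byte[] classfile) {
            if (!targetClass.equals(className)) {
                return null;                                   // every other class stays untouched
            }
            try {
                ClassPool pool = new ClassPool(true);
                pool.appendClassPath(new LoaderClassPath(loader)); // resolve servlet API types
                CtClass ct = pool.makeClass(new ByteArrayInputStream(classfile));
                CtMethod handler = ct.getDeclaredMethod(targetMethod);
                handler.insertBefore(HOOK);                    // the bytecode instrumentation step
                byte[] enhanced = ct.toBytecode();
                ct.detach();
                return enhanced;
            } catch (Exception e) {
                // Returning null keeps the original class: the application still loads,
                // but without defense code. Log and alert on this in a real deployment.
                System.err.println("defense agent: instrumentation failed: " + e);
                return null;
            }
        }
    }
}
```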
Illustratively, the attack determination code also consists of at least one piece of code whose execution logic embodies the first detection rule. In some embodiments, the attack determination code executes the first detection rule by comparing the URL and body of the extracted HTTP request against known attack behaviour.
In some embodiments, the attack determination code may invoke a simulation environment: executing the first detection rule then includes simulating the processing of the request message and judging whether the result shows harmful effects. The simulation environment may have the same execution logic as the application server.
In other embodiments, executing the first detection rule includes a differential analysis: the content of the request message is compared with a preset message template and the difference is judged. If the template is an attack-free template, any difference is either inspected further or blocked directly; if the template is an attack template, a request showing no difference is blocked directly.
In other embodiments, the attack determination code may invoke a pre-trained neural network model; executing the first detection rule then includes feeding the content of the request message to the model, which classifies the request as an attack message or a non-attack message.
According to the embodiment of the disclosure, bytecode enhancement can be realized with instrumentation technology, and the content acquisition code, attack determination code and attack defense code can be applied together, so that attack behaviour is located quickly while the attacking IP is blocked in real time, improving response efficiency. On the one hand, the limits of traditional network-layer detection are overcome: because the access request is inspected at the application layer, after the application has decrypted it, attacks carried in encrypted (HTTPS) traffic are detected as well, with higher accuracy. On the other hand, attack detection and malicious-IP blocking are injected into the application itself without external protection tools, so content acquisition, detection and blocking happen in real time and in one place.
According to an embodiment of the present disclosure, running the attack determination code to detect attack content includes matching the first network address against the blacklist addresses in a blacklist, the blacklist comprising at least one blacklist address.
For example, the first detection rule may include a blacklist comparison rule. If the client IP address of the current request hits the blacklist, a 404 status code is returned directly and the request is not processed further.
In some embodiments, executing the first detection rule includes attack detection based on analysis of the structure and syntax of the input. The relevant fields may also be associated with regular expressions that encode the detection logic; for example, the message fields of the request are matched against preset attack fields by regular-expression comparison.
Exemplary attack features include file traversal (e.g. the sequence ../ occurring in the request), SQL injection (e.g. 1' or '1'='1 occurring in the request), file upload (e.g. a request header of Content-Type: multipart/form-data together with common webshell (Trojan) features in the request body), or XSS attack (e.g. malicious JavaScript code occurring in the request). If the request matches a preset attack field, it is determined to be an attack request, the client IP of the current request is recorded, and blocking is performed.
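The judgment sequence described in the passages above (blacklist match returning 404, then regular-expression comparison of URL and body against preset attack fields, then recording and blocking the client IP), written as an added Python example that is not the patent's code. The patent runs this inside a Java request-processing function reached by bytecode instrumentation; here the hook is modelled as a method over a request record. The regular expressions, the webshell features and the sample requests are assumptions constructed for illustration, not a rule set taken from the patent.

```python
"""Attack judgment: blacklist first, then regex comparison of URL and body.

Added Python example, not the patent's code. The instrumented Java hook is
modelled as Detector.judge(); patterns, webshell features and sample requests
are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import unquote


@dataclass
class Request:
    client_ip: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    where: str            # "url", "body" or "any"


# First detection rules (assumed patterns; a production rule set is far larger).
RULES: List[Rule] = [
    Rule("path_traversal", re.compile(r"\.\.[/\\]"), "url"),
    Rule("sql_injection", re.compile(
        r"'\s*or\s*'?\w+'?\s*=\s*'?\w+|\bunion\s+select\b", re.I), "any"),
    Rule("xss", re.compile(
        r"<script\b|javascript:|\bon(load|error|click|mouseover|focus)\s*=", re.I), "any"),
]
# Assumed webshell (Trojan) features looked for in uploaded file bodies.
WEBSHELL_BODY = re.compile(r"<\?php|Runtime\.getRuntime\(\)\.exec|\beval\s*\(", re.I)


@dataclass
class Verdict:
    status: int                 # 404 when blocked, 200 when processing may continue
    rule: Optional[str]         # name of the rule that fired, or None


class Detector:
    def __init__(self) -> None:
        self.blacklist: Set[str] = set()
        # (ip, rule, url) records that would be sent to the defence server.
        self.blocked_log: List[Tuple[str, str, str]] = []

    @staticmethod
    def _decode(text: str) -> str:
        # Decode twice so single- and double-URL-encoded payloads are both visible.
        return unquote(unquote(text))

    def judge(self, req: Request) -> Verdict:
        # Blacklist hit: return 404 and stop, without running any other rule.
        if req.client_ip in self.blacklist:
            return Verdict(404, "blacklist")
        url, body = self._decode(req.url), self._decode(req.body)
        # File upload carrying webshell features in the multipart body.
        ctype = req.headers.get("Content-Type", "").lower()
        if ctype.startswith("multipart/form-data") and WEBSHELL_BODY.search(body):
            return self._block(req, "file_upload")
        # Regular-expression comparison of the message fields with preset attack fields.
        for rule in RULES:
            targets = {"url": [url], "body": [body], "any": [url, body]}[rule.where]
            if any(rule.pattern.search(t) for t in targets):
                return self._block(req, rule.name)
        return Verdict(200, None)

    def _block(self, req: Request, rule: str) -> Verdict:
        # Record the client IP and add it to the blacklist (the IP blocking code).
        self.blacklist.add(req.client_ip)
        self.blocked_log.append((req.client_ip, rule, req.url))
        return Verdict(404, rule)


def run_samples() -> List[Tuple[Optional[str], int]]:
    """Judge constructed requests exercising each branch; returns (rule, status) per request."""
    det = Detector()
    samples = [
        Request("198.51.100.9", "/static/../../etc/passwd"),
        Request("198.51.100.10", "/login?user=admin%27%20or%20%271%27%3D%271"),
        Request("198.51.100.11", "/upload", {"Content-Type": "multipart/form-data; boundary=x"},
                '--x\r\nContent-Disposition: form-data; name="f"; filename="a.php"\r\n\r\n'
                "<?php eval($_POST['c']); ?>\r\n--x--"),
        Request("198.51.100.12", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        Request("203.0.113.5", "/index.html"),
        Request("198.51.100.9", "/index.html"),   # same client as the first request: now blacklisted
    ]
    return [(v.rule, v.status) for v in (det.judge(r) for r in samples)]
```

Two points worth noting when adapting this: the patterns are deliberately narrow, and every hit adds the client address to the blacklist, so a false positive locks out a legitimate client (and everyone behind the same NAT address) until the entry is removed; and the URL decoding step matters, since the SQL injection sample above is only recognisable after percent-decoding.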
Fig. 6 schematically illustrates a flowchart of an application defense method for a defense server according to an embodiment of the disclosure.
As shown in fig. 6, the application defense method of this embodiment includes operations S610 to S640. The defense server is communicatively connected with N application servers, meaning that the defense server and the N application servers can exchange information over a network.
In operation S610, attack handling information sent by a first application server is received, where the first application server is any one of the N application servers and the attack handling information includes a first network address blocked by the first application server. The first application server may execute the application defense method of any of the embodiments described with fig. 2 to 5 to block the first network address, which is not repeated here.
In some embodiments, the defending server can display attack processing information, so that relevant personnel can intuitively know attack behaviors encountered by each application server.
The attack handling information may also include running information of the host on which the first application server runs; for example, the first application server maintains a heartbeat connection with the defense server. Over this connection the application server sends its real-time running information and its real-time IP blocking information to the defense server at a fixed frequency. The presence of heartbeats shows that the application and the instrumentation code are alive and that no outage has occurred, while the running information and IP blocking information carried in the heartbeat reflect the load and the attack interception status of the application server.
Illustratively, the defense server manages the heartbeat information and real-time IP blocking information sent by each application server, so that information uploaded by many application servers is managed in one place. On the defense server the user can see the running state of the host of each application server, the attacking IP addresses, the malicious request traffic sent by each attacking IP, the IP blocking time and similar information, giving an intuitive view of the applications' real-time running state and defense execution status.
According to the embodiment of the disclosure, at least one application server is connected by utilizing the defense server for communication, so that the defense condition of one or more application servers can be managed, and the overall defense capacity of the application servers is improved.
In operation S620, the first network address is sent to a second application server, where the second application server is configured to add the first network address to the blacklist, and the second application server is any one of the N application servers except the first application server.
According to the embodiment of the disclosure, an attack address found by one application server is shared: when another application server receives a request from that address, it is blocked directly on the blacklist match without running the attack determination code, saving computing resources and improving overall defensive capability.
In operation S630, a second network address is sent to the N application servers, where the N application servers are configured to add the second network address to the blacklist, and the second network address includes an address directly added at the defending server.
In some embodiments, the second network address may be added directly at the defense server, which sends it to the N application servers; each application server receives it and adds it to its blacklist. This means that each application server is not limited to its own attack judgment capability: attack addresses discovered elsewhere on the network, for example, can be received promptly, achieving rapid defense.
In operation S640, the second detection rule is transmitted to the N application servers, where the N application servers are configured to update the first detection rule based on the second detection rule.
In some embodiments, the first detection rule may be one or more, and the corresponding second detection rule may be one or more. The updating of the first detection rule may be to use the second detection rule as the newly added first detection rule, or may be to replace part or all of the original first detection rules.
According to the embodiment of the disclosure, the detection rules are updated centrally by the defense server, which avoids inconsistent rules and uneven defensive capability when each application server manages its own rules, as well as the risk that maintenance staff miss some of many application servers.
Although operations S610 to S640 are described in this order, the present disclosure is not limited to the order of the respective operations. The operations may be performed simultaneously or may be performed separately and sequentially.
Fig. 7 schematically illustrates a flow chart of a multi-party interactive executive application defense method in accordance with another embodiment of the disclosure.
As shown in fig. 7, the application defense method of this embodiment may be performed interactively by a client, a first application server, a defense server and a second application server, and may include operations S701 to S712.
In operation S701, the client initiates an access request to a first application server.
In operation S702, instrumentation code is loaded at a first application server. The instrumentation code may include a content acquisition code, an attack determination code, and an attack defense code.
In operation S703, the content acquisition code is run to acquire the request message content.
In operation S704, the content acquisition code is run to acquire the client IP address.
In operation S705, it is determined whether there is attack content in the request message. If not, operation S706 is performed, and if yes, operation S707 is performed.
In operation S706, the request message is processed and response information is returned.
In operation S707, the client IP address is added to the blacklist, a 404 status code is returned, and the address is sent to the defense server.
In operation S708, the defense server sends the IP address of the client to the second application server, so that the second application server adds the IP address to the blacklist.
In operation S709, the defense server sends the locally added IP address to the second application server, so that the second application server adds the IP address to the blacklist.
In operation S710, the defense server sends the locally added IP address to the first application server, so that the first application server adds the IP address to the blacklist.
In operation S711, the defense server sends the locally added attack detection rule to the second application server, so that the second application server updates its detection rules.
In operation S712, the defense server sends the locally added attack detection rule to the first application server, so that the first application server updates its detection rules.
According to the embodiment of the disclosure, malicious attacks on an application system can be monitored and the IP launching the attack blocked in real time. Specifically, every request received by the application is inspected by code inserted through bytecode instrumentation; when a request is judged to contain attack features the IP blocking function is triggered, the client IP of the request is placed on a blacklist, and traffic from blacklisted IPs is prevented from reaching the protected application. At the same time the intercepted IP address, the attack request information, the blocking time and related information are sent to the defense server, which manages the many application servers and sorts, stores and displays the interception information to the user in real time.
Although operations S701 to S712 are described in this order, the present disclosure is not limited to the order of the respective operations. The operations may be performed simultaneously or may be performed separately and sequentially.
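The coordination role of the defense server (operations S610 to S640 above) exercised in the order of the S701 to S712 flow, as an added Python example that is not the patent's code. The network between the application servers and the defense server is replaced by direct method calls, and the server identifiers, the message fields, the heartbeat timeout and the sample rules are assumptions; only the blacklist and rule state of each application server is modelled, since that is what the defense server drives.

```python
"""Defence-server coordination (S610 to S640), run through the S701 to S712 flow.

Added example, not the patent's code. Transport is replaced by method calls;
identifiers, message fields, heartbeat timeout and rules are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class AttackReport:
    """Attack handling information sent by an application server (S610, S707)."""
    app_id: str
    blocked_ip: str
    request_url: str
    blocked_at: float


@dataclass
class Heartbeat:
    """Real-time running information plus current blocking state, sent periodically."""
    app_id: str
    sent_at: float
    cpu_percent: float
    mem_percent: float
    blocked_ips: Set[str] = field(default_factory=set)


@dataclass
class AppServer:
    """Only the state the defence server drives: blacklist and detection rules."""
    app_id: str
    blacklist: Set[str] = field(default_factory=set)
    rules: Dict[str, str] = field(default_factory=dict)    # rule name -> pattern text

    def update_rules(self, second_rules: Dict[str, str], replace: bool = False) -> None:
        # The second detection rule either extends or replaces the first detection rules.
        self.rules = dict(second_rules) if replace else {**self.rules, **second_rules}


class DefenseServer:
    HEARTBEAT_TIMEOUT = 30.0   # seconds; assumed

    def __init__(self) -> None:
        self.apps: Dict[str, AppServer] = {}
        self.reports: List[AttackReport] = []
        self.heartbeats: Dict[str, Heartbeat] = {}
        self.local_blacklist: Set[str] = set()   # addresses added directly at the defence server

    def register(self, app: AppServer) -> None:
        self.apps[app.app_id] = app
        app.blacklist |= self.local_blacklist    # late joiners receive the current S630 state

    def receive_report(self, report: AttackReport) -> List[str]:
        """S610 and S620: store the report and share the blocked address with every
        other application server. Returns the ids of the servers that were updated."""
        self.reports.append(report)
        updated = []
        for app_id, app in self.apps.items():
            if app_id != report.app_id:
                app.blacklist.add(report.blocked_ip)
                updated.append(app_id)
        return updated

    def add_address(self, ip: str) -> None:
        """S630: an address added at the defence server is pushed to all N servers."""
        self.local_blacklist.add(ip)
        for app in self.apps.values():
            app.blacklist.add(ip)

    def push_rules(self, second_rules: Dict[str, str], replace: bool = False) -> None:
        """S640: the second detection rule is pushed to all N servers."""
        for app in self.apps.values():
            app.update_rules(second_rules, replace)

    def receive_heartbeat(self, hb: Heartbeat) -> None:
        self.heartbeats[hb.app_id] = hb

    def stale_servers(self, now: float) -> List[str]:
        """Servers whose heartbeat is missing or older than the timeout (possible outage)."""
        return sorted(app_id for app_id in self.apps
                      if app_id not in self.heartbeats
                      or now - self.heartbeats[app_id].sent_at > self.HEARTBEAT_TIMEOUT)


def run_flow() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Constructed run of S701 to S712 with two application servers."""
    ds, a, b = DefenseServer(), AppServer("app-1", rules={"sqli": r"'\s*or\s*'"}), AppServer("app-2")
    ds.register(a)
    ds.register(b)
    a.blacklist.add("198.51.100.9")                        # S707: app-1 blocks the attacker locally
    updated = ds.receive_report(AttackReport("app-1", "198.51.100.9", "/static/../../etc/passwd", 100.0))
    ds.add_address("203.0.113.77")                         # S709/S710: address added at the defence server
    ds.push_rules({"traversal": r"\.\.[/\\]"})             # S711/S712: rule update to both servers
    ds.receive_heartbeat(Heartbeat("app-1", 100.0, 12.5, 40.0, set(a.blacklist)))
    ds.receive_heartbeat(Heartbeat("app-2", 60.0, 3.0, 22.0, set(b.blacklist)))
    return updated, sorted(b.blacklist), sorted(a.rules), ds.stale_servers(now=100.0)
```

In a real deployment the report and heartbeat channel has to authenticate the sending application server: a forged report would place an arbitrary address on the blacklist of every server in the fleet, which turns the sharing mechanism of S620 into a denial-of-service lever against legitimate clients.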
Based on the application defense method, the disclosure also provides an application defense device. The device will be described in detail below in connection with fig. 8 and 9.
Fig. 8 schematically illustrates a block diagram of an application defense device for an application server according to an embodiment of the present disclosure.
As shown in fig. 8, the application defense apparatus 800 of this embodiment may include a request receiving module 810, an attack detecting module 820, and an address blocking module 830.
The request receiving module 810 may perform operation S210, configured to receive a request packet for accessing an application server, where the request packet includes a first network address of a client that initiates access.
The attack detection module 820 may perform operation S220, configured to detect attack content in the request packet based on the first detection rule, where the attack content includes content that generates an attack behavior to the application server.
The address blocking module 830 may perform operation S230, configured to execute, when the request message includes attack content, an attack defending code in the request processing function to block the first network address, where the attack defending code is inserted into the request processing function by way of bytecode instrumentation.
According to an embodiment of the present disclosure, the application defense apparatus 800 may further include a bytecode instrumentation module for inserting at least one of the attack judgment code, the content acquisition code, and the attack defense code into the request processing function by way of the bytecode instrumentation.
According to an embodiment of the present disclosure, the application defense device 800 may further include an information collection module configured to collect real-time running information of the application server, such as CPU usage and memory usage. It may also run the content acquisition code to acquire the first network address and/or the attack content.
According to an embodiment of the present disclosure, the application defense device 800 may further include a heartbeat maintenance module, configured to send the collected real-time information of the application server and the real-time IP blocking information to the defense server at a certain frequency.
According to an embodiment of the present disclosure, the application defense device 800 may further include an address receiving module, configured to receive the second network address sent by the defense server. The second network address is updated to the blacklist.
According to an embodiment of the present disclosure, the application defense apparatus 800 may further include a rule receiving module, configured to receive a second detection rule sent by the defense server. The first detection rule is updated based on the second detection rule.
Fig. 9 schematically illustrates a block diagram of an application defense device for a defense server according to an embodiment of the present disclosure.
As shown in fig. 9, the application defense device 900 of this embodiment may include an information receiving module 910.
The information receiving module 910 may perform operation S610, configured to receive attack handling information sent by a first application server, where the first application server is any one of the N application servers, and the attack handling information includes a first network address blocked by the first application server. The first application server may perform operations S210 to S230.
According to an embodiment of the present disclosure, the application defense device 900 may further include a sending module, where the sending module is configured to send the first network address to the second application server, send the second network address to the N application servers, or send the second detection rule to the N application servers.
It should be noted that, in the embodiment of the apparatus portion, the implementation manner, the solved technical problem, the realized function, and the achieved technical effect of each module/unit/subunit and the like are the same as or similar to the implementation manner, the solved technical problem, the realized function, and the achieved technical effect of each corresponding step in the embodiment of the method portion, and are not described herein again.
According to embodiments of the present disclosure, any of the plurality of modules in the application defense apparatus 800 or the application defense apparatus 900 may be combined in one module to be implemented, or any of the plurality of modules may be split into a plurality of modules. Or at least some of the functionality of one or more of the modules may be combined with, and implemented in, at least some of the functionality of other modules.
According to embodiments of the present disclosure, at least one module of application defense device 800 or application defense device 900 may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package or an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging circuitry, or in any one of, or a suitable combination of, software, hardware and firmware. Alternatively, at least one module of the application defense device 800 or the application defense device 900 may be at least partially implemented as a computer program module which, when executed, performs the corresponding functions.
Fig. 10 schematically illustrates a block diagram of an electronic device adapted to implement an application defense method according to an embodiment of the disclosure.
As shown in fig. 10, an electronic device 1000 according to an embodiment of the present disclosure includes a processor 1001 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1002 or a program loaded from a storage section 1008 into a Random Access Memory (RAM) 1003. The processor 1001 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 1001 may also include on-board memory for caching purposes. The processor 1001 may include a single processing unit or multiple processing units for performing different actions of the method flows according to embodiments of the present disclosure.
In the RAM 1003, various programs and data necessary for the operation of the electronic apparatus 1000 are stored. The processor 1001, the ROM 1002, and the RAM 1003 are connected to each other by a bus 1004. The processor 1001 performs various operations of the method flow according to the embodiment of the present disclosure by executing programs in the ROM 1002 and/or the RAM 1003. Note that the program may be stored in one or more memories other than the ROM 1002 and the RAM 1003. The processor 1001 may also perform various operations of the method flow according to the embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 1000 may also include an input/output (I/O) interface 1005, the input/output (I/O) interface 1005 also being connected to the bus 1004. The electronic device 1000 may also include one or more of the following components connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse, and the like; an output portion 1007 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), etc., and a speaker, etc.; a storage portion 1008 including a hard disk or the like; and a communication section 1009 including a network interface card such as a LAN card, a modem, or the like. The communication section 1009 performs communication processing via a network such as the internet. The drive 1010 is also connected to the I/O interface 1005 as needed. A removable medium 1011, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like, is installed as needed in the drive 1010, so that a computer program read out therefrom is installed as needed in the storage section 1008.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 1002 and/or RAM 1003 and/or one or more memories other than ROM 1002 and RAM 1003 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1001. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted in the form of signals on a network medium, distributed, and downloaded and installed via the communication section 1009, and/or installed from the removable medium 1011. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 1009, and/or installed from the removable medium 1011. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1001. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, the program code of the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be combined in various ways without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (15)

CN202210292050.6A | Priority 2022-03-23 | Filed 2022-03-23 | Application defense method, device, apparatus, medium and program product | Active | CN114598546B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202210292050.6A | 2022-03-23 | 2022-03-23 | Application defense method, device, apparatus, medium and program product


Publications (2)

Publication Number | Publication Date
CN114598546A | 2022-06-07
CN114598546B | 2024-06-14

Family

ID=81819209

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202210292050.6A (Active, CN114598546B, en) | Application defense method, device, apparatus, medium and program product | 2022-03-23 | 2022-03-23

Country Status (1)

Country | Link
CN | CN114598546B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN115134139A * | 2022-06-27 | 2022-09-30 | 中国工商银行股份有限公司 | Network attack processing method and device

Citations (2)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN113297577A * | 2021-06-16 | 2021-08-24 | 深信服科技股份有限公司 | Request processing method and device, electronic equipment and readable storage medium
CN113971279A * | 2021-10-21 | 2022-01-25 | 中国工商银行股份有限公司 | Network security management method, server and network security competition system

Family Cites Families (4)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
CN107305606A * | 2016-04-20 | 2017-10-31 | 中兴通讯股份有限公司 | The processing method and processing device of application file and the access method of file and device
CN110535857B * | 2019-08-29 | 2022-07-22 | 中国工商银行股份有限公司 | Method and device for protecting network attack
CN113162945B * | 2021-05-07 | 2021-12-14 | 北京安普诺信息技术有限公司 | Vulnerability detection analysis method and device and vulnerability verification method and system based on vulnerability detection analysis method and device
CN113486277A * | 2021-06-15 | 2021-10-08 | 北京华胜久安科技有限公司 | Web application access method and device, electronic equipment and storage medium



Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
