CN114386028A - Malicious behavior detection and alarm method, device, equipment and storage medium - Google Patents


Info

Publication number
CN114386028A
Authority
CN
China
Prior art keywords
malicious behavior
data
detection
information
alarm
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210010093.0A
Other languages
Chinese (zh)
Inventor
田炳霖
于新
李秋月
霍振兴
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Agricultural Bank of China
Original Assignee
Agricultural Bank of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Agricultural Bank of China
Priority to CN202210010093.0A
Publication of CN114386028A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Abstract

The embodiment of the invention discloses a malicious behavior detection method, which comprises the following steps: acquiring detection data sent by a client; analyzing the detection data according to a pre-trained malicious behavior detection model; and when the analysis result shows that the malicious behavior exists, sending alarm information to the information pushing end so as to enable the information pushing end to alarm the malicious behavior. According to the malicious behavior detection method provided by the embodiment of the invention, the early warning of the malicious behavior initiated by the client can be realized by acquiring the detection data and analyzing the detection data by using the trained malicious behavior detection model, so that the safety of information is ensured.

Description

Malicious behavior detection and alarm method, device, equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a malicious behavior detection and alarm method, device, apparatus, and storage medium.
Background
With the continuous development of smart phones and mobile development technologies, mobile applications develop rapidly, market competition is intensified day by day, user information processed by the mobile applications is more sensitive compared with desktop applications, and once the information is illegally leaked and tampered, the user is greatly harmed.
Generally, based on client-initiated malicious behavior, common defense approaches are as follows:
1. the client monitors the self behavior;
2. the server side analyzes the request of the client side, and directly discards the request which is judged to have the malicious behavior without responding.
The above measures belong to passive defense measures, and cannot prejudge and stop the attack behavior initiated based on the client.
Disclosure of Invention
The embodiment of the invention provides a malicious behavior detection and alarm method, device, equipment and storage medium, which realize early warning and remote control of malicious behaviors.
In a first aspect, an embodiment of the present invention provides a malicious behavior detection method, including:
acquiring detection data sent by a client;
analyzing the detection data according to a pre-trained malicious behavior detection model;
and when the analysis result shows that the malicious behavior exists, sending alarm information to an information pushing end so as to enable the information pushing end to alarm the malicious behavior.
Further, the step of training the malicious behavior detection model comprises:
acquiring training data, wherein the training data comprises application running data and user behavior data;
and adjusting parameters of the malicious behavior detection model according to the training data until the output of the malicious behavior detection model meets the set precision.
Further, analyzing the detection data according to a pre-trained malicious behavior detection model, including:
determining a characteristic value corresponding to the detection data according to the malicious behavior detection model;
and if the characteristic value is larger than a set threshold value, the corresponding analysis result is that the malicious behavior exists.
Further, the alarm information includes device information, alarm type and severity.
In a second aspect, an embodiment of the present invention further provides a malicious behavior warning method, including:
regularly collecting running data corresponding to application services on a client and behavior data generated by user operation, generating detection data, and sending the detection data to a malicious behavior detection server;
receiving alarm information sent by an information pushing end, wherein the alarm information is determined by the method of any one of claims 1-4;
and analyzing the alarm information, and executing corresponding alarm operation according to the analysis result.
Further, the alarm operation comprises text prompting, audio playing and forced closing of the application.
In a third aspect, an embodiment of the present invention further provides a malicious behavior detection apparatus, including:
the detection data acquisition module is used for acquiring detection data sent by the client;
the detection data analysis module is used for analyzing the detection data according to a pre-trained malicious behavior detection model;
and the warning information sending module is used for sending warning information to the information pushing end when the analysis result shows that the malicious behavior exists, so that the information pushing end carries out malicious behavior warning.
Optionally, the detection data analysis module is further configured to:
determining a characteristic value corresponding to the detection data according to the malicious behavior detection model;
and if the characteristic value is larger than a set threshold value, the corresponding analysis result is that the malicious behavior exists.
In a fourth aspect, an embodiment of the present invention further provides a malicious behavior warning apparatus, including:
the detection data sending module is used for regularly collecting operation data corresponding to the application service on the client and behavior data generated by user operation, generating detection data and sending the detection data to the malicious behavior detection server;
the alarm information receiving module is used for receiving alarm information sent by an information pushing end, and the alarm information is determined by the method of any one of claims 1 to 4;
and the alarm operation execution module is used for analyzing the alarm information and executing corresponding alarm operation according to the analysis result.
In a fifth aspect, an embodiment of the present invention further provides a computer device for detecting and/or warning malicious behavior, where the computer device includes:
a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing a malicious behavior detection and/or alert method according to any of the embodiments of the present invention when executing the program.
In a sixth aspect, an embodiment of the present invention further provides a storage medium for malicious behavior detection and/or warning, where the storage medium stores a computer program, and the computer program, when executed by a processing apparatus, implements the malicious behavior detection and/or warning method according to any one of the embodiments of the present invention.
The embodiment of the invention firstly obtains the detection data sent by the client, then analyzes the detection data according to the pre-trained malicious behavior detection model, and sends the warning information to the information pushing end when the analysis result shows that the malicious behavior exists, so that the information pushing end carries out the malicious behavior warning. According to the malicious behavior detection method provided by the embodiment of the invention, the early warning of the malicious behavior initiated by the client can be realized by acquiring the detection data and analyzing the detection data by using the trained malicious behavior detection model, so that the safety of information is ensured.
Drawings
Fig. 1 is a flowchart of a malicious behavior detection method according to a first embodiment of the present invention;
fig. 2 is a schematic diagram of a communication process in a first embodiment of the present invention;
fig. 3 is a flowchart of a malicious behavior warning method according to a second embodiment of the present invention;
FIG. 4 is a functional diagram of a client according to a second embodiment of the present invention;
fig. 5 is a schematic structural diagram of a malicious behavior detection apparatus according to a third embodiment of the present invention;
fig. 6 is a schematic structural diagram of a malicious behavior warning apparatus in a fourth embodiment of the present invention;
fig. 7 is a schematic structural diagram of a computer device in the fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a malicious behavior detection method according to an embodiment of the present invention, where the method is applicable to detecting and warning malicious behaviors according to detection data sent by a client, and the method may be executed by a malicious behavior detection apparatus, where the apparatus may be composed of hardware and/or software, and may generally be integrated in a device having a malicious behavior detection function, where the device may be an electronic device such as a server or a server cluster. As shown in fig. 1, the method specifically comprises the following steps:
and step 110, acquiring detection data sent by the client.
The client may be a program installed on a device such as a mobile phone and a computer to provide local services for a user, and preferably, the client in this embodiment may be installed on a mobile terminal such as a mobile phone to provide malicious behavior detection and alarm services for the user. The detection data may be data for detecting malicious behaviors, and preferably, may include running information related to the client application program, behavior data generated by user operation, and the like.
In this embodiment, the malicious behavior detection server may obtain the detection data sent by the client and analyze it to determine whether the client exhibits malicious behavior. Malicious behavior includes actions such as obtaining the highest privilege on the client system, analyzing and debugging the application's own source code, and tampering with code execution results. The malicious behavior detection server may be a server that provides the malicious behavior detection service and is communicatively connected to the client.
Optionally, the malicious behavior detection server may receive the detection data periodically.
And step 120, analyzing the detection data according to a pre-trained malicious behavior detection model.
The malicious behavior detection model can be pre-established and trained and is arranged at the malicious behavior detection server side. By utilizing the model, the detection data can be analyzed, and whether the client has malicious behaviors or not is judged.
Optionally, the step of training the malicious behavior detection model may be: acquiring training data, wherein the training data comprises application running data and user behavior data; and adjusting parameters of the malicious behavior detection model according to the training data until the output of the malicious behavior detection model meets the set precision.
Specifically, before the malicious behavior detection is performed, a malicious behavior detection model may be established at the malicious behavior detection server. The model may be trained using training data, where the training data may be collected by a client, including running data of an application and behavior data of a user. Preferably, the training data may include the running data of the application and the behavior data of the user under normal conditions, and also include the running data of the application and the behavior data of the user under the condition of existence of malicious behaviors. Further, the training data can be divided into a training set and a verification set, the training set is input into a model to be trained, the output result of the model is compared with the verification set, and if deviation exists, the model parameters are adjusted until the output result of the model meets the set precision.
Optionally, the method for analyzing the detection data according to the pre-trained malicious behavior detection model may be: determining a characteristic value corresponding to the detection data according to the malicious behavior detection model; and if the characteristic value is larger than the set threshold value, the corresponding analysis result is that the malicious behavior exists.
Specifically, the trained malicious behavior detection model can be used to judge whether malicious behavior exists on the user side. The input of the model is the detection data, from which the model can determine, through analysis, the current running environment and network environment of the corresponding application, the running data generated by the application, and whether user operations include behaviors such as password trials and data capture. Furthermore, the model can store the running data of the application under normal working conditions and the behavior data generated by each function when the user uses the application normally; this data can serve as the model's reference data. After the detection data is analyzed, the analysis result can be compared with the reference data to determine a corresponding characteristic value: the larger the characteristic value, the larger the deviation of the detection data from the reference data, and when the characteristic value is larger than the set threshold value, it can be determined that malicious behavior exists on the client.
And step 130, when the analysis result shows that the malicious behavior exists, sending alarm information to the information pushing end so that the information pushing end carries out malicious behavior alarm.
Wherein, the information push terminal may be a server for providing an information push service. The information pushing end can be in communication connection with the malicious behavior detection server and the client, acquires alarm information sent by the malicious behavior detection server and pushes the alarm information to the client for malicious behavior alarm.
Optionally, the alarm information includes device information, alarm type and severity.
Specifically, when a malicious behavior is detected, the malicious behavior detection server may determine the device information, alarm type and severity to be included in the alarm information according to the device on which the malicious behavior occurred and the type and severity of the malicious behavior, and so generate the alarm information. Further, the malicious behavior detection server can send the alarm information to the information pushing end, and the information pushing end can push the alarm information to the corresponding client according to the device information it contains. Preferably, the information pushing end and the client can maintain a long connection through a message tunnel, so that the alarm information can be pushed to the client quickly.
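The following is an added example, not code from the patent or from the applicant: it shows, in Python, one concrete way to carry out the training step (steps of reference data and threshold adjustment until a set precision is met), the analysis step 120 (a characteristic value compared with a set threshold) and the alarm generation of step 130 (device information, alarm type and severity). The patent does not specify the model, so this stand-in defines the characteristic value as the weighted upward deviation of each collected counter from reference data gathered under normal conditions; the feature names, weights, alarm-type mapping, severity tiers and all sample windows are assumptions constructed for the example.

```python
"""Server-side analysis of client detection data.

Added example, not the patent's own code.  The characteristic value is a
weighted deviation of each counter from reference (baseline) data, the
threshold is calibrated on labelled validation windows, and an alarm is
built when the value exceeds the threshold.  Feature names, weights,
alarm types and all sample data are assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed weight of each collected counter in the characteristic value.
FEATURE_WEIGHTS = {
    "requests": 1.0,            # application requests in the collection window
    "login_failures": 2.0,      # failed password attempts
    "data_export_events": 2.0,  # bulk data reads / captures
    "root_detected": 5.0,       # 1 if the client reports highest system privilege
    "debugger_attached": 5.0,   # 1 if the client reports a debugger or analysis tool
}
# Assumed mapping from the most deviating feature to an alarm type.
ALARM_TYPES = {
    "requests": "abnormal_traffic",
    "login_failures": "trial_password",
    "data_export_events": "data_capture",
    "root_detected": "root_privilege",
    "debugger_attached": "debugging",
}

# Constructed reference data: one dict per 5-minute window of normal use.
NORMAL_WINDOWS = [
    {"requests": 40, "login_failures": 0, "data_export_events": 1, "root_detected": 0, "debugger_attached": 0},
    {"requests": 50, "login_failures": 1, "data_export_events": 0, "root_detected": 0, "debugger_attached": 0},
    {"requests": 45, "login_failures": 0, "data_export_events": 1, "root_detected": 0, "debugger_attached": 0},
    {"requests": 55, "login_failures": 1, "data_export_events": 2, "root_detected": 0, "debugger_attached": 0},
]

# Constructed labelled validation windows: (detection data, is_malicious).
VALIDATION = [
    ({"requests": 48, "login_failures": 0, "data_export_events": 1, "root_detected": 0, "debugger_attached": 0}, False),
    ({"requests": 60, "login_failures": 1, "data_export_events": 1, "root_detected": 0, "debugger_attached": 0}, False),
    ({"requests": 50, "login_failures": 4, "data_export_events": 1, "root_detected": 0, "debugger_attached": 0}, True),
    ({"requests": 47, "login_failures": 0, "data_export_events": 1, "root_detected": 1, "debugger_attached": 1}, True),
    ({"requests": 47, "login_failures": 0, "data_export_events": 6, "root_detected": 0, "debugger_attached": 0}, True),
]


@dataclass
class Baseline:
    mean: dict
    std: dict


def build_baseline(windows):
    """Per-feature mean and population std of the normal windows (reference data)."""
    return Baseline(
        mean={k: mean(w[k] for w in windows) for k in FEATURE_WEIGHTS},
        std={k: pstdev([w[k] for w in windows]) for k in FEATURE_WEIGHTS},
    )


def feature_deviations(sample, baseline):
    """Weighted excess of each counter over its baseline mean.  Only upward
    deviation counts; std is floored at 1 so a flag never seen in normal
    data (std 0) does not produce an infinite score."""
    return {
        k: w * max(0.0, sample.get(k, 0) - baseline.mean[k]) / max(baseline.std[k], 1.0)
        for k, w in FEATURE_WEIGHTS.items()
    }


def characteristic_value(sample, baseline):
    return sum(feature_deviations(sample, baseline).values())


def calibrate_threshold(labelled, baseline, target_precision=1.0):
    """Training step: the smallest threshold whose precision on the labelled
    windows meets the set precision (flagged = value strictly above threshold)."""
    scored = [(characteristic_value(s, baseline), bad) for s, bad in labelled]
    for t in sorted(v for v, _ in scored):
        flagged = [bad for v, bad in scored if v > t]
        if flagged and sum(flagged) / len(flagged) >= target_precision:
            return t
    return max(v for v, _ in scored)


def severity_for(value, threshold):
    """Assumed severity tiers expressed as multiples of the threshold."""
    if value >= 3 * threshold:
        return "high"
    if value >= 1.5 * threshold:
        return "medium"
    return "low"


def analyze(device_id, sample, baseline, threshold):
    """Return alarm information (device info, alarm type, severity) when the
    characteristic value exceeds the threshold, otherwise None."""
    devs = feature_deviations(sample, baseline)
    value = sum(devs.values())
    if value <= threshold:
        return None
    dominant = max(devs, key=devs.get)  # most deviating feature names the alarm type
    return {"device_id": device_id, "alarm_type": ALARM_TYPES[dominant],
            "severity": severity_for(value, threshold),
            "characteristic_value": round(value, 3)}


BASELINE = build_baseline(NORMAL_WINDOWS)
THRESHOLD = calibrate_threshold(VALIDATION, BASELINE)

if __name__ == "__main__":
    print("threshold:", round(THRESHOLD, 3))
    for sample, _ in VALIDATION:
        print(analyze("device-0001", sample, BASELINE, THRESHOLD))
```

With the constructed data the calibrated threshold is about 3.24; the two normal windows produce no alarm, the window with four login failures produces a `trial_password` alarm of medium severity (the patent's own example), and the rooted, debugged window produces a `root_privilege` alarm of high severity. Flooring the standard deviation is the detail worth keeping: binary flags that are always 0 in normal data otherwise divide by zero.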
Fig. 2 is a schematic diagram of a communication process according to an embodiment of the present invention, as shown in the figure, a client acquires detection data and sends the detection data to a malicious behavior detection server, the malicious behavior detection server determines whether a malicious behavior exists in the client by using a malicious behavior detection model, and if the malicious behavior exists, sends corresponding alarm information to an information push terminal, so that the information push terminal pushes the alarm information to a corresponding client.
The embodiment of the invention firstly obtains the detection data sent by the client, then analyzes the detection data according to the pre-trained malicious behavior detection model, and sends the warning information to the information pushing end when the analysis result shows that the malicious behavior exists, so that the information pushing end carries out the malicious behavior warning. According to the malicious behavior detection method provided by the embodiment of the invention, the early warning of the malicious behavior initiated by the client can be realized by acquiring the detection data and analyzing the detection data by using the trained malicious behavior detection model, so that the safety of information is ensured.
Example two
Fig. 3 is a flowchart of a malicious behavior warning method according to a second embodiment of the present invention, where the present embodiment is applicable to warning and controlling malicious behaviors on a client in response to warning information, and the method may be executed by a malicious behavior warning device, where the device may be composed of hardware and/or software, and may generally be integrated in a device with a malicious behavior warning function, where the device may be an electronic device such as a server or a server cluster. As shown in fig. 3, the method specifically includes the following steps:
step 210, collecting running data corresponding to the application service on the client and behavior data generated by user operation at regular time, generating detection data and sending the detection data to the malicious behavior detection server.
The operation data may be data generated by an application service, such as uploads, downloads and clicks; the behavior data may include normal operation data generated by a user, such as clicks, browsing and forwarding, and may also include abnormal operation data generated by data capture and password trials.
In this embodiment, the detection data includes operation data corresponding to the application service and behavior data generated by user operation, and the client may perform timing acquisition on these data. For example, data collection may be performed every 5 minutes, and collected operation data and behavior data are packaged to generate detection data and sent to the malicious behavior detection server.
And step 220, receiving the alarm information sent by the information pushing end.
Wherein, the alarm information is determined by the method of the first embodiment.
In this embodiment, the client and the information push terminal may maintain a long connection through a message tunnel. A long connection means that multiple data packets may be transmitted continuously over one connection; while the connection is kept open and no data packet is being transmitted, both sides need to send link detection (keep-alive) packets. By means of the long connection, the transmission rate of the alarm information can be improved, and the client can receive the prompt of malicious behavior in time.
And step 230, analyzing the alarm information, and executing corresponding alarm operation according to the analysis result.
In this embodiment, the alarm information may include device information, an alarm type, and a severity, and after receiving the alarm information, the client may analyze the alarm information, and if the device information is consistent with the device itself, may perform a corresponding operation according to the alarm type and the severity in the alarm information.
Optionally, the alert operation includes a text prompt, an audio play, and a forced shutdown of the application.
Specifically, the alarm operation corresponds to the alarm type and severity in the alarm information. For example, if the alarm type in the alarm information is a trial password and the severity is medium, the corresponding alarm operation may be audio playing, and the playing content may be "detect a trial password behavior, please stop the operation"; if the severity in the alarm information is high, the operation of forcibly closing the application can be adopted to stop the malicious behavior. Preferably, the alarm operation after the client receives the alarm information may be adjusted according to specific requirements.
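The client side of step 230, as an added example that is not code from the patent or the applicant: the pushed alarm information is parsed, the device information is checked against the client's own identity, and the alarm type and severity are mapped to the alarm operation (text prompt, audio play or forced closing of the application). The JSON layout of the alarm, the device identifier, the prompt texts and the severity-to-operation policy are assumptions constructed for the example; the policy is a table precisely because the patent notes the operation may be adjusted to requirements.

```python
"""Client-side handling of pushed alarm information.

Added example, not the patent's own code.  Assumes the information pushing
end delivers each alarm as a JSON object with device_id, alarm_type and
severity; device id, prompts and policy are assumptions."""
import json

MY_DEVICE_ID = "device-0001"  # constructed identifier of this client

# Assumed prompt text per alarm type; the trial_password text is the patent's own example.
PROMPTS = {
    "trial_password": "Detected a trial password behavior, please stop the operation",
    "data_capture": "Abnormal data access detected, please stop the operation",
    "root_privilege": "The device environment is unsafe, the application will close",
    "debugging": "The application is being debugged or analyzed",
}
DEFAULT_PROMPT = "Abnormal behavior detected, please stop the operation"

# Severity-to-operation policy; adjustable per requirements.
POLICY = {"low": "text_prompt", "medium": "play_audio", "high": "force_close"}


def parse_alarm(raw):
    """Return the alarm dict, or None if the payload is not a well-formed alarm."""
    try:
        alarm = json.loads(raw)
    except (TypeError, ValueError):
        return None
    if not isinstance(alarm, dict):
        return None
    if not {"device_id", "alarm_type", "severity"} <= alarm.keys():
        return None
    if alarm["severity"] not in POLICY:
        return None
    return alarm


def handle_alarm(raw, my_device_id=MY_DEVICE_ID):
    """Analyze the alarm and choose the operation this client executes.
    Alarms that are malformed or addressed to another device are ignored."""
    alarm = parse_alarm(raw)
    if alarm is None:
        return {"operation": "ignore", "reason": "malformed alarm"}
    if alarm["device_id"] != my_device_id:
        return {"operation": "ignore", "reason": "device mismatch"}
    return {
        "operation": POLICY[alarm["severity"]],
        "message": PROMPTS.get(alarm["alarm_type"], DEFAULT_PROMPT),
    }


# Constructed alarm pushes for demonstration.
SAMPLE_ALARMS = {
    "medium_trial": '{"device_id": "device-0001", "alarm_type": "trial_password", "severity": "medium"}',
    "high_root": '{"device_id": "device-0001", "alarm_type": "root_privilege", "severity": "high"}',
    "other_device": '{"device_id": "device-0002", "alarm_type": "trial_password", "severity": "high"}',
    "garbage": "not json",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_ALARMS.items():
        print(name, handle_alarm(raw))
```

Because a high-severity alarm force-closes the application, the client should act only on alarm information that arrives over the authenticated message tunnel from the information pushing end; acting on alarms from any other source would let a spoofed alarm shut the application down. The device-information check above is the consistency check the patent describes, not a substitute for authenticating the tunnel.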
Fig. 4 is a functional diagram of a client according to an embodiment of the present invention, as shown in the figure, the client may be divided into three parts: the system comprises an application service module, a detection data collection module and an application notification processing module. An application service module is an application providing various functions on a client; the detection data collection module is used for collecting the running data of the client application and the behavior data generated by the user operation, packaging the running data and the behavior data into detection data and sending the detection data to the behavior data analysis server; after receiving the application notification, the client analyzes the alarm information in the application notification by using the application notification processing module, and executes alarm operation (including text prompt, audio play, forced application closing and the like) according to the analysis result.
The embodiment of the invention firstly collects the running data corresponding to the application service on the client and the behavior data generated by the user operation at regular time, generates the detection data and sends the detection data to the malicious behavior detection server, then receives the alarm information sent by the information pushing end, and finally analyzes the alarm information and executes the corresponding alarm operation according to the analysis result. According to the malicious behavior warning method provided by the embodiment of the invention, the detection data is provided for the malicious behavior detection server side for malicious behavior detection, and when the warning information is received, the corresponding warning operation is executed according to the content in the warning information, so that the warning of the malicious behavior is realized, the malicious behavior can be timely stopped through remote control, and the information security is ensured.
Example three
Fig. 5 is a schematic structural diagram of a malicious behavior detection apparatus according to a third embodiment of the present invention. As shown in fig. 5, the apparatus includes: a detection data acquisition module 310, a detection data analysis module 320, and an alarm information sending module 330.
And a detection data obtaining module 310, configured to obtain detection data sent by the client.
And the detection data analysis module 320 is configured to analyze the detection data according to a pre-trained malicious behavior detection model.
Optionally, the detection data analysis module 320 is further configured to:
determining a characteristic value corresponding to the detection data according to the malicious behavior detection model; and if the characteristic value is larger than the set threshold value, the corresponding analysis result is that the malicious behavior exists.
And the alarm information sending module 330 is configured to send alarm information to the information pushing end when the analysis result indicates that a malicious behavior exists, so that the information pushing end performs a malicious behavior alarm.
The device can execute the method provided by the first embodiment of the disclosure, and has corresponding functional modules and beneficial effects for executing the method. For technical details that are not described in detail in this embodiment, reference may be made to the method provided in the first embodiment of the present disclosure.
Example four
Fig. 6 is a schematic structural diagram of a malicious behavior warning device according to a fourth embodiment of the present invention. As shown in fig. 6, the apparatus includes: a detection data sending module 410, an alarm information receiving module 420 and an alarm operation executing module 430.
And the detection data sending module 410 is configured to collect, at regular time, the running data corresponding to the application service on the client and the behavior data generated by the user operation, generate detection data, and send the detection data to the malicious behavior detection server.
An alarm information receiving module 420, configured to receive alarm information sent by the information pushing end, where the alarm information is determined by the method according to any one of claims 1 to 4.
And an alarm operation executing module 430, configured to analyze the alarm information and execute a corresponding alarm operation according to an analysis result.
The device can execute the method provided by the second embodiment of the disclosure, and has corresponding functional modules and beneficial effects for executing the method. For details of the technology not described in detail in this embodiment, reference may be made to the method provided in the second embodiment of the present disclosure.
Example five
Fig. 7 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention. FIG. 7 illustrates a block diagram of a computer device 512 suitable for use in implementing embodiments of the present invention. The computer device 512 shown in FIG. 7 is only an example and should not bring any limitations to the functionality or scope of use of embodiments of the present invention. Device 512 is a typical malicious behavior detection and/or alert computing device.
As shown in FIG. 7, computer device 512 is in the form of a general purpose computing device. Components of computer device 512 may include, but are not limited to: one or more processors 516, a storage device 528, and a bus 518 that couples the various system components including the storage device 528 and the processors 516.
Bus 518 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an enhanced ISA bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus.
Computer device 512 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by computer device 512 and includes both volatile and nonvolatile media, removable and non-removable media.
Storage 528 may include computer system readable media in the form of volatile memory, such as random access memory (RAM) 530 and/or cache memory 532. The computer device 512 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 534 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 7, and commonly referred to as a "hard drive"). Although not shown in FIG. 7, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a compact disc read-only memory (CD-ROM), a digital video disc (DVD-ROM), or other optical media) may be provided. In these cases, each drive may be connected to bus 518 through one or more data media interfaces. Storage 528 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
Program 536 having a set (at least one) of program modules 526 may be stored, for example, in storage 528, such program modules 526 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination may include an implementation of a network environment. Program modules 526 generally perform the functions and/or methodologies of the described embodiments of the invention.
Computer device 512 may also communicate with one or more external devices 514 (e.g., keyboard, pointing device, camera, display 524, etc.), with one or more devices that enable a user to interact with computer device 512, and/or with any devices (e.g., network card, modem, etc.) that enable computer device 512 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 522. Further, computer device 512 may also communicate with one or more networks (e.g., a local area network (LAN), a wide area network (WAN), and/or a public network, such as the internet) via network adapter 520. As shown, the network adapter 520 communicates with the other modules of the computer device 512 via the bus 518. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the computer device 512, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, to name a few.
The processor 516 executes programs stored in the storage device 528 to perform various functional applications and data processing, such as malicious behavior detection and/or warning methods provided by the above-described embodiments of the present invention.
EXAMPLE six
Embodiments of the present invention provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processing device, implements a malicious behavior detection and/or warning method as in embodiments of the present invention. The computer readable medium of the present invention described above may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. 
A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the client and server may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device, when performing the malicious behavior detection method, to: acquire detection data sent by a client; analyze the detection data according to a pre-trained malicious behavior detection model; and, when the analysis result shows that malicious behavior exists, send alarm information to the information pushing end so that the information pushing end raises a malicious behavior alarm. When performing the malicious behavior warning method, the programs cause the electronic device to: periodically collect running data corresponding to application services on a client and behavior data generated by user operation, generate detection data and send it to a malicious behavior detection server; receive alarm information sent by an information pushing end, the alarm information being determined by the method of any one of claims 1-4; and parse the alarm information and execute the corresponding alarm operation according to the parsing result.
Computer program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. In some cases, the name of a unit does not constitute a limitation on the unit itself.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A malicious behavior detection method, comprising:
acquiring detection data sent by a client;
analyzing the detection data according to a pre-trained malicious behavior detection model;
and when the analysis result shows that malicious behavior exists, sending alarm information to an information pushing end so that the information pushing end raises a malicious behavior alarm.
2. The method of claim 1, wherein the step of training the malicious behavior detection model comprises:
acquiring training data, wherein the training data comprises application running data and user behavior data;
and adjusting parameters of the malicious behavior detection model according to the training data until the output of the malicious behavior detection model meets the set precision.
3. The method of claim 1, wherein analyzing the detection data according to a pre-trained malicious behavior detection model comprises:
determining a characteristic value corresponding to the detection data according to the malicious behavior detection model;
and if the characteristic value is greater than a set threshold, the corresponding analysis result is that malicious behavior exists.
4. The method of claim 1, wherein the alarm information comprises device information, alarm type, and severity.
5. A malicious behavior warning method, comprising:
periodically collecting running data corresponding to an application service on a client and behavior data generated by user operation, generating detection data, and sending the detection data to a malicious behavior detection server;
receiving alarm information sent by an information pushing end, wherein the alarm information is determined by the method of any one of claims 1-4;
and analyzing the alarm information, and executing corresponding alarm operation according to the analysis result.
6. The method of claim 5, wherein the alarm operation comprises a text prompt, an audio play, and a forced shutdown of an application.
7. A malicious behavior detection apparatus, comprising:
the detection data acquisition module is used for acquiring detection data sent by the client;
the detection data analysis module is used for analyzing the detection data according to a pre-trained malicious behavior detection model;
and the warning information sending module is used for sending warning information to the information pushing end when the analysis result shows that the malicious behavior exists, so that the information pushing end carries out malicious behavior warning.
8. A malicious behavior warning apparatus, comprising:
a detection data sending module, used for periodically collecting running data corresponding to an application service on a client and behavior data generated by user operation, generating detection data, and sending the detection data to a malicious behavior detection server;
the alarm information receiving module is used for receiving alarm information sent by an information pushing end, and the alarm information is determined by the method of any one of claims 1 to 4;
and the alarm operation execution module is used for analyzing the alarm information and executing corresponding alarm operation according to the analysis result.
9. A computer device, comprising: memory, processor and computer program stored on the memory and executable on the processor, which when executed by the processor implements the method of any of claims 1-6.
10. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processing device, implements the method according to any one of claims 1-6.
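The detect-and-alarm loop of claims 1 through 6, and the same sequence as restated in the description above, written out as an added Python example. This is not code from the patent or from its applicant; the patent does not fix the model type, the feature names, the weights, the threshold, the alarm type names or the message format, so all of those are assumptions chosen here for illustration. One addition the patent does not mention but a practitioner would want: because the client-side alarm operation of claim 6 includes forcibly shutting down an application, anyone who can impersonate the information pushing end could turn the warning channel into a denial of service, so the example authenticates each alarm with an HMAC under an assumed shared secret and the client refuses unauthenticated alarms.

```python
"""Added example of the patent's detect-and-alarm loop: the client collects
running data and user behavior data, the detection server scores it with a
"pre-trained" model and compares the characteristic value to a threshold, an
alarm (device information, alarm type, severity) is pushed back, and the client
parses it and picks an alarm operation. Model, features, weights, threshold,
alarm types, message format and the HMAC tag are all assumptions; the patent
specifies none of them."""
import hashlib
import hmac
import json

# ---- Detection server side (claims 1-4) ----

# Constructed stand-in for the pre-trained malicious behavior detection model:
# a linear scorer over a fixed feature set. Claim 2 would fit these parameters
# on training data until a set precision is met; here they are assumed values.
MODEL_WEIGHTS = {
    "failed_logins": 0.8,        # user behavior data
    "off_hours": 1.0,            # user behavior data (1 = activity outside hours)
    "privilege_change": 2.0,     # user behavior data
    "api_calls_per_min": 0.02,   # application running data
    "new_process_count": 0.3,    # application running data
}
THRESHOLD = 2.5                  # the "set threshold" of claim 3 (assumed value)
ALARM_TYPES = {                  # assumed alarm type labels, keyed by dominant feature
    "failed_logins": "credential_abuse",
    "off_hours": "off_hours_activity",
    "privilege_change": "privilege_escalation",
    "api_calls_per_min": "abnormal_api_rate",
    "new_process_count": "suspicious_process",
}
SHARED_SECRET = b"example-shared-secret"  # assumption: not in the patent; see lead-in


def feature_value(detection_data):
    """Claim 3: reduce the detection data to one characteristic value."""
    feats = detection_data["features"]
    return sum(MODEL_WEIGHTS.get(name, 0.0) * float(v) for name, v in feats.items())


def analyze(detection_data, threshold=THRESHOLD):
    """Claim 3: malicious behavior exists iff the value exceeds the threshold."""
    score = feature_value(detection_data)
    return score > threshold, score


def _canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(body, secret):
    return hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()


def build_alarm(detection_data, score, secret=SHARED_SECRET):
    """Claim 4: alarm information carrying device information, alarm type and
    severity. The tag is the added integrity check so that a forged alarm cannot
    trigger the forced shutdown of claim 6."""
    feats = detection_data["features"]
    dominant = max(feats, key=lambda n: MODEL_WEIGHTS.get(n, 0.0) * float(feats[n]))
    body = {
        "device_info": {"device_id": detection_data["device_id"],
                        "timestamp": detection_data["timestamp"]},
        "alarm_type": ALARM_TYPES.get(dominant, "unknown"),
        "severity": "critical" if score >= 2 * THRESHOLD else "high",
        "score": round(score, 3),
    }
    return {"body": body, "tag": _sign(body, secret)}


# ---- Client side (claims 5-6) ----

def collect_detection_data(device_id, timestamp, running_data, behavior_data):
    """Claim 5: merge application running data and user behavior data into one
    detection record destined for the detection server."""
    features = dict(running_data)
    features.update(behavior_data)
    return {"device_id": device_id, "timestamp": timestamp, "features": features}


OPERATIONS = {   # claim 6: text prompt, audio play, forced application shutdown
    "high": ["text_prompt", "audio_play"],
    "critical": ["text_prompt", "audio_play", "force_close_app"],
}


def parse_alarm(alarm, secret=SHARED_SECRET):
    """Verify the tag before trusting anything in the alarm; None if it fails."""
    body, tag = alarm.get("body"), alarm.get("tag", "")
    if body is None or not hmac.compare_digest(_sign(body, secret), tag):
        return None
    return body


def execute_alarm(alarm, secret=SHARED_SECRET):
    """Claims 5/6: parse the alarm and choose the alarm operations. Returns the
    operation names instead of performing them so the flow stays testable."""
    body = parse_alarm(alarm, secret)
    if body is None:
        return []
    return list(OPERATIONS.get(body["severity"], ["text_prompt"]))


def run_cycle(device_id, timestamp, running_data, behavior_data):
    """One full loop: collect -> analyze -> (push alarm) -> client operations."""
    data = collect_detection_data(device_id, timestamp, running_data, behavior_data)
    malicious, score = analyze(data)
    if not malicious:
        return {"malicious": False, "score": score, "operations": []}
    alarm = build_alarm(data, score)          # server -> information pushing end -> client
    return {"malicious": True, "score": score, "alarm": alarm,
            "operations": execute_alarm(alarm)}


if __name__ == "__main__":
    # Constructed sample inputs (not from the patent).
    print(json.dumps(run_cycle("host-01", "2022-01-06T09:15:00Z",
                               {"api_calls_per_min": 20, "new_process_count": 2},
                               {"failed_logins": 1, "off_hours": 0, "privilege_change": 0}), indent=1))
    print(json.dumps(run_cycle("host-02", "2022-01-06T03:10:00Z",
                               {"api_calls_per_min": 300, "new_process_count": 5},
                               {"failed_logins": 4, "off_hours": 1, "privilege_change": 1}), indent=1))
```

The severity rule (critical at twice the threshold) and the choice of alarm type by the dominant feature are both illustrative; in a real deployment the client should also check the alarm's device information against its own identity and the timestamp against a freshness window before acting, since a replayed alarm would otherwise still carry a valid tag.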
CN202210010093.0A 2022-01-06 2022-01-06 Malicious behavior detection and alarm method, device, equipment and storage medium Pending CN114386028A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210010093.0A CN114386028A (en) 2022-01-06 2022-01-06 Malicious behavior detection and alarm method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210010093.0A CN114386028A (en) 2022-01-06 2022-01-06 Malicious behavior detection and alarm method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114386028A true CN114386028A (en) 2022-04-22

Family

ID=81199237

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210010093.0A Pending CN114386028A (en) 2022-01-06 2022-01-06 Malicious behavior detection and alarm method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114386028A (en)

Similar Documents

Publication Publication Date Title
CN107294808B (en) Interface test method, device and system
CN105956474B (en) Android platform software unusual checking system
US8805995B1 (en) Capturing data relating to a threat
CN111064745B (en) Self-adaptive back-climbing method and system based on abnormal behavior detection
US10958657B2 (en) Utilizing transport layer security (TLS) fingerprints to determine agents and operating systems
CN108134816B (en) Access to data on remote device
KR101496632B1 (en) System for safe contents service for youths and method therefor
CN113114680B (en) Detection method and detection device for file uploading vulnerability
CN112953971A (en) Network security traffic intrusion detection method and system
CN113225339B (en) Network security monitoring method and device, computer equipment and storage medium
CN111865987B (en) Cheating flow processing method, device, equipment and storage medium
CN116707965A (en) Threat detection method and device, storage medium and electronic equipment
CN116305290A (en) System log security detection method and device, electronic equipment and storage medium
CN110955890B (en) Method and device for detecting malicious batch access behaviors and computer storage medium
KR20150064331A (en) Device for monitoring web server and analysing malicious code
US10015181B2 (en) Using natural language processing for detection of intended or unexpected application behavior
CN113132393A (en) Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium
CN115361450B (en) Request information processing method, apparatus, electronic device, medium, and program product
CN112507265A (en) Method and device for anomaly detection based on tree structure and related products
CN112306826A (en) Method and apparatus for processing information for terminal
CN114386028A (en) Malicious behavior detection and alarm method, device, equipment and storage medium
CN114443480A (en) Test method, test system, readable medium and electronic device
CN112003833A (en) Abnormal behavior detection method and device
CN112565271B (en) Web attack detection method and device
CN111611585A (en) Terminal device monitoring method and device, electronic device and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination