CN114386028A - Malicious behavior detection and alarm method, device, equipment and storage medium - Google Patents
- Publication number
- CN114386028A (application CN202210010093.0A)
- Authority
- CN
- China
- Prior art keywords
- malicious behavior
- data
- detection
- information
- alarm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
Abstract
The embodiment of the invention discloses a malicious behavior detection method, which comprises the following steps: acquiring detection data sent by a client; analyzing the detection data with a pre-trained malicious behavior detection model; and, when the analysis result shows that malicious behavior exists, sending alarm information to an information pushing end so that the information pushing end issues a malicious behavior alarm. By acquiring the detection data and analyzing it with the trained malicious behavior detection model, the method provides early warning of malicious behavior initiated from the client, so that information security is protected.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a malicious behavior detection and alarm method, device, apparatus, and storage medium.
Background
With the continuous development of smart phones and mobile development technologies, mobile applications have grown rapidly and market competition intensifies daily. The user information handled by mobile applications is more sensitive than that handled by desktop applications, and once it is illegally leaked or tampered with, the harm to the user is great.
Generally, against malicious behavior initiated from the client, the common defenses are as follows:
1. the client monitors its own behavior;
2. the server analyzes the client's requests and, without responding, directly discards any request judged to carry malicious behavior.
Both measures are passive defenses: they cannot anticipate or stop an attack initiated from the client.
Disclosure of Invention
The embodiment of the invention provides a malicious behavior detection and alarm method, device, equipment and storage medium, which realize early warning and remote control of malicious behaviors.
In a first aspect, an embodiment of the present invention provides a malicious behavior detection method, including:
acquiring detection data sent by a client;
analyzing the detection data according to a pre-trained malicious behavior detection model;
and when the analysis result shows that malicious behavior exists, sending alarm information to an information pushing end so that the information pushing end issues a malicious behavior alarm.
Further, the step of training the malicious behavior detection model comprises:
acquiring training data, wherein the training data comprises application running data and user behavior data;
and adjusting parameters of the malicious behavior detection model according to the training data until the output of the malicious behavior detection model meets the set precision.
Further, analyzing the detection data according to a pre-trained malicious behavior detection model, including:
determining a characteristic value corresponding to the detection data according to the malicious behavior detection model;
and if the characteristic value is larger than a set threshold value, the corresponding analysis result is that the malicious behavior exists.
Further, the alarm information includes device information, alarm type and severity.
In a second aspect, an embodiment of the present invention further provides a malicious behavior warning method, including:
periodically collecting running data of the application services on the client and behavior data generated by user operations, generating detection data and sending it to the malicious behavior detection server;
receiving alarm information sent by an information pushing end, wherein the alarm information is determined by the method of any one of claims 1-4;
and analyzing the alarm information, and executing corresponding alarm operation according to the analysis result.
Further, the alarm operation comprises text prompting, audio playing and forced closing of the application.
In a third aspect, an embodiment of the present invention further provides a malicious behavior detection apparatus, including:
the detection data acquisition module is used for acquiring detection data sent by the client;
the detection data analysis module is used for analyzing the detection data according to a pre-trained malicious behavior detection model;
and the warning information sending module is used for sending warning information to the information pushing end when the analysis result shows that the malicious behavior exists, so that the information pushing end carries out malicious behavior warning.
Optionally, the detection data analysis module is further configured to:
determining a characteristic value corresponding to the detection data according to the malicious behavior detection model;
and if the characteristic value is larger than a set threshold value, the corresponding analysis result is that the malicious behavior exists.
In a fourth aspect, an embodiment of the present invention further provides a malicious behavior warning apparatus, including:
the detection data sending module is used for periodically collecting running data of the application services on the client and behavior data generated by user operations, generating detection data and sending it to the malicious behavior detection server;
the alarm information receiving module is used for receiving alarm information sent by an information pushing end, and the alarm information is determined by the method of any one of claims 1 to 4;
and the alarm operation execution module is used for analyzing the alarm information and executing corresponding alarm operation according to the analysis result.
In a fifth aspect, an embodiment of the present invention further provides a computer device for detecting and/or warning malicious behavior, where the computer device includes:
a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing a malicious behavior detection and/or alert method according to any of the embodiments of the present invention when executing the program.
In a sixth aspect, an embodiment of the present invention further provides a storage medium for malicious behavior detection and/or warning, where the storage medium stores a computer program, and the computer program, when executed by a processing apparatus, implements the malicious behavior detection and/or warning method according to any one of the embodiments of the present invention.
The embodiment of the invention first acquires the detection data sent by the client, then analyzes the detection data with the pre-trained malicious behavior detection model, and sends alarm information to the information pushing end when the analysis result shows that malicious behavior exists, so that the information pushing end issues a malicious behavior alarm. By acquiring the detection data and analyzing it with the trained malicious behavior detection model, the method provides early warning of malicious behavior initiated from the client, so that information security is protected.
Drawings
Fig. 1 is a flowchart of a malicious behavior detection method according to a first embodiment of the present invention;
fig. 2 is a schematic diagram of a communication process in a first embodiment of the present invention;
fig. 3 is a flowchart of a malicious behavior warning method according to a second embodiment of the present invention;
FIG. 4 is a functional diagram of a client according to a second embodiment of the present invention;
fig. 5 is a schematic structural diagram of a malicious behavior detection apparatus according to a third embodiment of the present invention;
fig. 6 is a schematic structural diagram of a malicious behavior warning apparatus in a fourth embodiment of the present invention;
fig. 7 is a schematic structural diagram of a computer device in the fifth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a malicious behavior detection method according to an embodiment of the present invention, where the method is applicable to detecting and warning malicious behaviors according to detection data sent by a client, and the method may be executed by a malicious behavior detection apparatus, where the apparatus may be composed of hardware and/or software, and may generally be integrated in a device having a malicious behavior detection function, where the device may be an electronic device such as a server or a server cluster. As shown in fig. 1, the method specifically comprises the following steps:
and step 110, acquiring detection data sent by the client.
The client may be a program installed on a device such as a mobile phone or a computer to provide local services for the user; preferably, the client in this embodiment is installed on a mobile terminal such as a mobile phone and provides the user with malicious behavior detection and alarm services. The detection data is the data used to detect malicious behavior and preferably includes running information of the client application, behavior data generated by user operations, and the like.
In this embodiment, the malicious behavior detection server obtains the detection data sent by the client and analyzes it to determine whether malicious behavior is present on the client. Malicious behavior includes obtaining the highest privilege on the client's operating system (for example, rooting the device), analyzing and debugging the application's own code, tampering with the results of code execution, and the like. The malicious behavior detection server is a server that provides the malicious behavior detection service and is communicatively connected to the client.
Optionally, the malicious behavior detection server may receive the detection data periodically.
And step 120, analyzing the detection data according to a pre-trained malicious behavior detection model.
The malicious behavior detection model can be pre-established and trained and is arranged at the malicious behavior detection server side. By utilizing the model, the detection data can be analyzed, and whether the client has malicious behaviors or not is judged.
Optionally, the step of training the malicious behavior detection model may be: acquiring training data, wherein the training data comprises application running data and user behavior data; and adjusting parameters of the malicious behavior detection model according to the training data until the output of the malicious behavior detection model meets the set precision.
Specifically, before the malicious behavior detection is performed, a malicious behavior detection model may be established at the malicious behavior detection server. The model may be trained using training data, where the training data may be collected by a client, including running data of an application and behavior data of a user. Preferably, the training data may include the running data of the application and the behavior data of the user under normal conditions, and also include the running data of the application and the behavior data of the user under the condition of existence of malicious behaviors. Further, the training data can be divided into a training set and a verification set, the training set is input into a model to be trained, the output result of the model is compared with the verification set, and if deviation exists, the model parameters are adjusted until the output result of the model meets the set precision.
Optionally, the method for analyzing the detection data according to the pre-trained malicious behavior detection model may be: determining a characteristic value corresponding to the detection data according to the malicious behavior detection model; and if the characteristic value is larger than the set threshold value, the corresponding analysis result is that the malicious behavior exists.
Specifically, the trained malicious behavior detection model is used to judge whether malicious behavior exists on the client. The model's input is the detection data; from it the model can determine the current running environment and network environment of the application, the running data generated by the application, and whether user operations include behavior such as password guessing or data scraping. The model also stores the running data of the application under normal working conditions and the behavior data generated by each function when the user uses the application normally; these serve as the model's reference data. After the detection data is analyzed, the analysis result is compared with the reference data to determine a characteristic value: the larger the characteristic value, the further the detection data deviates from the reference data, and when the characteristic value exceeds the set threshold, malicious behavior is determined to exist on the client.
And step 130, when the analysis result shows that the malicious behavior exists, sending alarm information to the information pushing end so that the information pushing end carries out malicious behavior alarm.
Wherein, the information push terminal may be a server for providing an information push service. The information pushing end can be in communication connection with the malicious behavior detection server and the client, acquires alarm information sent by the malicious behavior detection server and pushes the alarm information to the client for malicious behavior alarm.
Optionally, the alarm information includes device information, alarm type and severity.
Specifically, when malicious behavior is detected, the malicious behavior detection server determines the device on which it occurred and the type and severity of the behavior, and fills in the device information, alarm type and severity of the corresponding alarm information accordingly. The server then sends the alarm information to the information pushing end, which pushes it to the corresponding client according to the device information the alarm information carries. Preferably, the information pushing end and the client keep a long connection through a message tunnel so that the alarm information reaches the client quickly.
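The following is an added example (not code from the patent) of steps 120 and 130 as described above: a server-side model that learns reference data from windows of normal use, computes a characteristic value for incoming detection data as its deviation from that reference, tunes the threshold on a labelled validation set until the flagged windows meet a set precision, and emits alarm information carrying device information, alarm type and severity. The patent does not specify the model type, the feature set or the severity bands; the per-feature z-score baseline, the five counters, the feature-to-alarm-type mapping, the severity bands and every sample window below are assumptions constructed for this example.

```python
"""Server-side detection (steps 120 and 130): an added example, not the patent's
code. Assumptions not stated in the patent: one detection-data record is a dict of
counters for a collection window; the "model" is a per-feature baseline (mean,
standard deviation) learned from windows of normal use; the characteristic value
is the mean absolute z-score across features; the threshold is tuned on a
labelled validation set to reach a target precision."""
from statistics import mean, pstdev

FEATURES = ("requests", "login_failures", "pages_fetched", "debugger_attached", "root_detected")
# Feature that deviates most -> alarm type carried in the alarm information (assumption).
ALARM_TYPES = {"login_failures": "password_guessing", "pages_fetched": "data_scraping",
               "requests": "data_scraping", "debugger_attached": "debugging",
               "root_detected": "root_privilege"}


def window(requests, login_failures, pages_fetched, debugger_attached=0, root_detected=0):
    """One collection window of running data and user behaviour data (constructed)."""
    return dict(zip(FEATURES, (requests, login_failures, pages_fetched, debugger_attached, root_detected)))


# Constructed training set: reference data recorded during normal use.
TRAINING_NORMAL = [window(20, 0, 10), window(20, 2, 10), window(40, 0, 20), window(40, 2, 20)]
# Constructed validation set: (window, malicious?) with password guessing, scraping, debugging.
VALIDATION = [(window(25, 1, 15), False), (window(35, 2, 15), False), (window(20, 0, 20), False),
              (window(50, 21, 15), True), (window(130, 1, 115), True), (window(30, 1, 15, 3, 1), True)]
# Constructed detection data "sent by clients": (device information, window).
DETECTION_DATA = [("device-001", window(30, 1, 15)), ("device-002", window(60, 41, 15)),
                  ("device-003", window(30, 1, 15, 4, 1))]


class BaselineModel:
    """Reference-data model: per-feature (mean, std) plus a tuned alarm threshold."""

    def __init__(self):
        self.baseline, self.threshold = {}, None

    def fit(self, normal_windows):
        for f in FEATURES:
            vals = [w[f] for w in normal_windows]
            # A feature that never varies in normal use gets unit scale, so any
            # non-zero value in detection data counts as one deviation unit.
            self.baseline[f] = (mean(vals), pstdev(vals) or 1.0)
        return self

    def deviations(self, w):
        return {f: abs(w[f] - m) / s for f, (m, s) in self.baseline.items()}

    def characteristic_value(self, w):
        """Larger value = detection data further from the reference data."""
        devs = self.deviations(w)
        return sum(devs.values()) / len(devs)

    def tune_threshold(self, validation, target_precision=1.0):
        """Lowest threshold whose flagged windows meet the target precision."""
        scored = [(self.characteristic_value(w), label) for w, label in validation]
        candidates = sorted({s for s, _ in scored})
        for i, t in enumerate(candidates):
            flagged = [label for s, label in scored if s > t]
            if not flagged:
                break
            if sum(flagged) / len(flagged) >= target_precision:
                # Place the threshold midway to the next score, not on a data point.
                nxt = candidates[i + 1] if i + 1 < len(candidates) else t
                self.threshold = (t + nxt) / 2
                return self.threshold
        raise ValueError("no threshold reaches the target precision")

    def analyze(self, w):
        devs = self.deviations(w)
        score = sum(devs.values()) / len(devs)
        return {"characteristic_value": score, "malicious": score > self.threshold,
                "dominant_feature": max(devs, key=devs.get)}


def train_model():
    model = BaselineModel().fit(TRAINING_NORMAL)
    model.tune_threshold(VALIDATION, target_precision=1.0)
    return model


def detect(model, device_id, w):
    """Return alarm information (device, alarm type, severity) or None."""
    analysis = model.analyze(w)
    if not analysis["malicious"]:
        return None
    score = analysis["characteristic_value"]
    return {"device": device_id, "alarm_type": ALARM_TYPES[analysis["dominant_feature"]],
            # Severity bands are an assumption: "high" when far beyond the threshold.
            "severity": "high" if score > 2 * model.threshold else "medium",
            "characteristic_value": round(score, 3)}


if __name__ == "__main__":
    model = train_model()
    print("threshold", round(model.threshold, 3))
    for device_id, w in DETECTION_DATA:
        print(device_id, detect(model, device_id, w))
```

Running the block trains the model, prints the tuned threshold and then the detection result for the three constructed clients: the first is within the reference data and produces no alarm, the second (a burst of login failures) is flagged as password guessing with high severity, the third (debugger attached on a rooted device) is flagged with medium severity. The zero-variance handling is the point to watch: counters such as debugger_attached are always zero in normal data, so a fixed unit scale replaces a division by zero, which also means a single such event moves the averaged characteristic value by only 1/len(FEATURES). In practice indicators of that kind are weighted or handled as hard rules rather than folded into an average with volume counters.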
Fig. 2 is a schematic diagram of a communication process according to an embodiment of the present invention, as shown in the figure, a client acquires detection data and sends the detection data to a malicious behavior detection server, the malicious behavior detection server determines whether a malicious behavior exists in the client by using a malicious behavior detection model, and if the malicious behavior exists, sends corresponding alarm information to an information push terminal, so that the information push terminal pushes the alarm information to a corresponding client.
The embodiment of the invention first acquires the detection data sent by the client, then analyzes the detection data with the pre-trained malicious behavior detection model, and sends alarm information to the information pushing end when the analysis result shows that malicious behavior exists, so that the information pushing end issues a malicious behavior alarm. By acquiring the detection data and analyzing it with the trained malicious behavior detection model, the method provides early warning of malicious behavior initiated from the client, so that information security is protected.
Example two
Fig. 3 is a flowchart of a malicious behavior warning method according to a second embodiment of the present invention. This embodiment is applicable to warning about, and controlling, malicious behavior on a client in response to alarm information. The method may be executed by a malicious behavior warning apparatus, which may be composed of hardware and/or software and is generally integrated in the terminal on which the client is installed, such as a mobile phone. As shown in fig. 3, the method specifically includes the following steps:
step 210, collecting running data corresponding to the application service on the client and behavior data generated by user operation at regular time, generating detection data and sending the detection data to the malicious behavior detection server.
The running data is data generated by the application service, such as uploads, downloads and clicks; the behavior data includes normal operation data generated by the user, such as clicks, browsing and forwarding, and may also include abnormal operation data generated by data scraping and password guessing.
In this embodiment, the detection data includes the running data of the application service and the behavior data generated by user operations, and the client collects these data at regular intervals. For example, data may be collected every 5 minutes; the collected running data and behavior data are packaged into detection data and sent to the malicious behavior detection server.
And step 220, receiving the alarm information sent by the information pushing end.
Wherein, the alarm information is determined by the method of the first embodiment.
In this embodiment, the client and the information pushing end may maintain a long connection through a message tunnel. A long connection means that multiple data packets are transmitted consecutively over one connection; while the connection is held open and no data packet is being transmitted, both sides send link detection (keepalive) packets to keep it alive. The long connection raises the delivery speed of the alarm information so that the client receives the malicious behavior prompt in time.
And step 230, analyzing the alarm information, and executing corresponding alarm operation according to the analysis result.
In this embodiment, the alarm information may include device information, an alarm type, and a severity, and after receiving the alarm information, the client may analyze the alarm information, and if the device information is consistent with the device itself, may perform a corresponding operation according to the alarm type and the severity in the alarm information.
Optionally, the alert operation includes a text prompt, an audio play, and a forced shutdown of the application.
Specifically, the alarm operation corresponds to the alarm type and severity in the alarm information. For example, if the alarm type is password guessing and the severity is medium, the corresponding alarm operation may be audio playback with the content "Password guessing behavior detected, please stop this operation"; if the severity is high, the application may be forcibly closed to stop the malicious behavior. Preferably, the alarm operation the client performs on receiving the alarm information can be adjusted to specific requirements.
Fig. 4 is a functional diagram of a client according to an embodiment of the present invention. As shown in the figure, the client may be divided into three parts: an application service module, a detection data collection module and an application notification processing module. The application service module is the application that provides the various functions on the client; the detection data collection module collects the running data of the client application and the behavior data generated by user operations, packages them into detection data and sends it to the malicious behavior detection server; after an application notification is received, the application notification processing module parses the alarm information in the notification and executes the alarm operation (text prompt, audio playback, forced closing of the application, and the like) according to the parsing result.
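An added example of the client side of steps 210 to 230 (not code from the patent): packaging one collection interval's running data and behavior data into detection data, and handling a pushed alarm by checking that the device information matches this device and then choosing the alarm operation from alarm type and severity, following the password-guessing example above. Everything not in the patent is an assumption: the JSON layout of both messages, the device identifier, the constructed counters, the prompt texts, and the HMAC tag on the alarm message. The tag is an added hardening rather than part of the described method: a message that can force-close the application should not be acceptable from anyone able to write to the push channel, so the client here verifies a tag computed with a key shared with the information pushing end (how that key is provisioned is outside the example).

```python
"""Client side of the warning method (steps 210-230): an added example, not the
patent's code. Message layouts, the device identifier, the counters, the prompt
texts and the HMAC tag on alarm messages are assumptions made for this example."""
import hashlib
import hmac
import json
import time

DEVICE_ID = "device-002"              # device information of this client (assumption)
COLLECT_INTERVAL_S = 300              # the description's example: collect every 5 minutes
PUSH_KEY = b"constructed-shared-key"  # assumption: shared with the push end, provisioned out of band

# Prompt text per alarm type for the text and audio alarm operations (assumption).
PROMPTS = {
    "password_guessing": "Password guessing behavior detected, please stop this operation",
    "data_scraping": "Abnormal data fetching detected, please stop this operation",
    "debugging": "Debugging of the application detected, please stop this operation",
}
DEFAULT_PROMPT = "Abnormal behavior detected, please stop this operation"

# Constructed counters for one collection interval: running data generated by the
# application service and behavior data generated by user operations.
SAMPLE_RUNNING = {"upload": 2, "download": 7, "click": 31}
SAMPLE_BEHAVIOUR = {"click": 31, "browse": 12, "forward": 1, "login_failures": 41}


def build_detection_data(running, behaviour, collected_at=None):
    """Step 210: package one interval's running and behavior data as detection data."""
    record = {"device": DEVICE_ID, "collected_at": int(collected_at or time.time()),
              "interval_s": COLLECT_INTERVAL_S, "running": running, "behaviour": behaviour}
    return json.dumps(record, sort_keys=True)


def sign_alarm(alarm, key=PUSH_KEY):
    """What the information pushing end would send: alarm body plus an HMAC-SHA256 tag."""
    body = json.dumps(alarm, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_alarm(message, key=PUSH_KEY):
    """Return the parsed alarm information if the tag is valid, otherwise None."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return json.loads(message["body"])


def choose_alarm_operation(alarm):
    """Step 230: map alarm type and severity to text prompt, audio playback or forced close."""
    prompt = PROMPTS.get(alarm["alarm_type"], DEFAULT_PROMPT)
    severity = alarm["severity"]
    if severity == "high":
        return ("force_close", None)
    if severity == "medium":
        return ("audio", prompt)
    return ("text", prompt)


def handle_push(message, device_id=DEVICE_ID, key=PUSH_KEY):
    """Steps 220-230: verify, parse and act on alarm information from the push end."""
    alarm = verify_alarm(message, key)
    if alarm is None:
        return ("ignored", "invalid tag")
    if alarm.get("device") != device_id:
        return ("ignored", "device mismatch")
    if "alarm_type" not in alarm or "severity" not in alarm:
        return ("ignored", "malformed alarm")
    return choose_alarm_operation(alarm)


if __name__ == "__main__":
    print(build_detection_data(SAMPLE_RUNNING, SAMPLE_BEHAVIOUR))
    alarm = {"device": DEVICE_ID, "alarm_type": "password_guessing", "severity": "medium"}
    print(handle_push(sign_alarm(alarm)))
    forged = sign_alarm(alarm)
    forged["body"] = forged["body"].replace('"medium"', '"high"')  # tampered in transit
    print(handle_push(forged))
```

Running the block prints the packaged detection data, then the audio alarm operation chosen for a medium-severity password-guessing alarm, then the rejection of the same message after its severity was raised to "high" in transit, since the tag no longer matches. The device check is the one the description calls for; the tag check and the rejection of alarms lacking a type or severity are the additions a client that can be told to shut itself down should have.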
The embodiment of the invention firstly collects the running data corresponding to the application service on the client and the behavior data generated by the user operation at regular time, generates the detection data and sends the detection data to the malicious behavior detection server, then receives the alarm information sent by the information pushing end, and finally analyzes the alarm information and executes the corresponding alarm operation according to the analysis result. According to the malicious behavior warning method provided by the embodiment of the invention, the detection data is provided for the malicious behavior detection server side for malicious behavior detection, and when the warning information is received, the corresponding warning operation is executed according to the content in the warning information, so that the warning of the malicious behavior is realized, the malicious behavior can be timely stopped through remote control, and the information security is ensured.
EXAMPLE III
Fig. 5 is a schematic structural diagram of a malicious behavior detection apparatus according to a third embodiment of the present invention. As shown in fig. 5, the apparatus includes: a detection data acquisition module 310, a detection data analysis module 320, and an alarm information sending module 330.
And a detection data obtaining module 310, configured to obtain detection data sent by the client.
And the detection data analysis module 320 is configured to analyze the detection data according to a pre-trained malicious behavior detection model.
Optionally, the detection data analysis module 320 is further configured to:
determining a characteristic value corresponding to the detection data according to the malicious behavior detection model; and if the characteristic value is larger than the set threshold value, the corresponding analysis result is that the malicious behavior exists.
And the alarm information sending module 330 is configured to send alarm information to the information pushing end when the analysis result indicates that a malicious behavior exists, so that the information pushing end performs a malicious behavior alarm.
The device can execute the method provided by the first embodiment of the disclosure, and has corresponding functional modules and beneficial effects for executing the method. For technical details that are not described in detail in this embodiment, reference may be made to the method provided in the first embodiment of the present disclosure.
Example four
Fig. 6 is a schematic structural diagram of a malicious behavior warning device according to a fourth embodiment of the present invention. As shown in fig. 6, the apparatus includes: a detection data sending module 410, an alarm information receiving module 420 and an alarm operation executing module 430.
And the detection data sending module 410 is configured to collect, at regular time, the running data corresponding to the application service on the client and the behavior data generated by the user operation, generate detection data, and send the detection data to the malicious behavior detection server.
An alarm information receiving module 420, configured to receive alarm information sent by the information pushing end, where the alarm information is determined by the method according to any one of claims 1 to 4.
And an alarm operation executing module 430, configured to analyze the alarm information and execute a corresponding alarm operation according to an analysis result.
The device can execute the method provided by the second embodiment of the disclosure, and has corresponding functional modules and beneficial effects for executing the method. For details of the technology not described in detail in this embodiment, reference may be made to the method provided in the second embodiment of the present disclosure.
EXAMPLE five
Fig. 7 is a schematic structural diagram of a computer device according to a fifth embodiment of the present invention. FIG. 7 illustrates a block diagram of a computer device 512 suitable for use in implementing embodiments of the present invention. The computer device 512 shown in FIG. 7 is only an example and should not bring any limitations to the functionality or scope of use of embodiments of the present invention. Device 512 is a typical malicious behavior detection and/or alert computing device.
As shown in FIG. 7, computer device 512 is in the form of a general purpose computing device. Components of computer device 512 may include, but are not limited to: one or more processors 516, a storage device 528, and a bus 518 that couples the various system components including the storage device 528 and the processors 516.
The processor 516 executes programs stored in the storage device 528 to perform various functional applications and data processing, such as malicious behavior detection and/or warning methods provided by the above-described embodiments of the present invention.
EXAMPLE six
Embodiments of the present invention provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processing device, implements a malicious behavior detection and/or warning method as in embodiments of the present invention. The computer readable medium of the present invention described above may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. 
A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients and servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to, when performing the malicious behavior detection method: acquiring detection data sent by a client; analyzing the detection data according to a pre-trained malicious behavior detection model; when the analysis result shows that the malicious behavior exists, sending alarm information to the information pushing end so that the information pushing end carries out malicious behavior alarm; when the malicious behavior warning method is executed: the method comprises the steps that running data corresponding to application services on a client and behavior data generated by user operation are collected regularly, detection data are generated and sent to a malicious behavior detection server side; receiving alarm information sent by an information pushing end, wherein the alarm information is determined by the method of any one of claims 1-4; and analyzing the alarm information, and executing corresponding alarm operation according to the analysis result.
Computer program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present disclosure may be implemented by software or hardware. In some cases the name of a unit does not constitute a limitation on the unit itself.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
Claims (10)
1. A malicious behavior detection method, comprising:
acquiring detection data sent by a client;
analyzing the detection data according to a pre-trained malicious behavior detection model;
and when the analysis result shows that the malicious behavior exists, sending alarm information to an information pushing end so as to enable the information pushing end to alarm the malicious behavior.
2. The method of claim 1, wherein the step of training the malicious behavior detection model comprises:
acquiring training data, wherein the training data comprises application running data and user behavior data;
and adjusting parameters of the malicious behavior detection model according to the training data until the output of the malicious behavior detection model meets the set precision.
3. The method of claim 1, wherein analyzing the detection data according to a pre-trained malicious behavior detection model comprises:
determining a characteristic value corresponding to the detection data according to the malicious behavior detection model;
and if the characteristic value is larger than a set threshold value, the corresponding analysis result is that the malicious behavior exists.
4. The method of claim 1, wherein the alarm information comprises device information, alarm type, and severity.
5. A malicious behavior warning method, comprising the following steps:
regularly collecting running data corresponding to application services on a client and behavior data generated by user operation, generating detection data, and sending the detection data to a malicious behavior detection server;
receiving alarm information sent by an information pushing end, wherein the alarm information is determined by the method of any one of claims 1-4;
and analyzing the alarm information, and executing corresponding alarm operation according to the analysis result.
6. The method of claim 5, wherein the alarm operation comprises a text prompt, an audio play, and a forced shutdown of the application.
7. A malicious activity detection apparatus, comprising:
the detection data acquisition module is used for acquiring detection data sent by the client;
the detection data analysis module is used for analyzing the detection data according to a pre-trained malicious behavior detection model;
and the warning information sending module is used for sending warning information to the information pushing end when the analysis result shows that the malicious behavior exists, so that the information pushing end carries out malicious behavior warning.
8. A malicious behavior alert device, comprising:
the detection data sending module is used for regularly collecting operation data corresponding to the application service on the client and behavior data generated by user operation, generating detection data and sending the detection data to the malicious behavior detection server;
the alarm information receiving module is used for receiving alarm information sent by an information pushing end, and the alarm information is determined by the method of any one of claims 1 to 4;
and the alarm operation execution module is used for analyzing the alarm information and executing corresponding alarm operation according to the analysis result.
9. A computer device, comprising: memory, processor and computer program stored on the memory and executable on the processor, which when executed by the processor implements the method of any of claims 1-6.
10. A computer-readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processing means, carries out the method according to any one of claims 1-6.
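The server-side pipeline of claims 1 to 4 (characteristic value against a set threshold, alarm information carrying device information, alarm type and severity) and the client-side handling of claims 5 and 6, as an added illustration that is not code from the patent. The feature names, model weights, threshold, severity mapping and sample records are all assumptions constructed for this example; the model parameters are fixed rather than trained as in claim 2.

```python
# Added illustration of claims 1-6, not code from the patent. Feature names, weights,
# the threshold and the sample records at the bottom are assumptions constructed here.
from dataclasses import dataclass
import math

THRESHOLD = 0.5  # the "set threshold value" of claim 3 (assumed)

@dataclass
class DetectionData:
    """Claim 5: running data of application services plus user behaviour data."""
    device_id: str
    running: dict    # e.g. outbound_conns, files_written per collection interval
    behavior: dict   # e.g. failed_logins, clicks_per_min

class DetectionModel:
    """Stand-in for the pre-trained model: a logistic score over named features."""
    def __init__(self, weights: dict, bias: float):
        self.weights, self.bias = weights, bias

    def characteristic_value(self, data: DetectionData) -> float:
        feats = {**data.running, **data.behavior}
        z = self.bias + sum(w * feats.get(k, 0.0) for k, w in self.weights.items())
        return 1.0 / (1.0 + math.exp(-z))

def analyze(model: DetectionModel, data: DetectionData, threshold=THRESHOLD) -> dict:
    # Claim 3: malicious behaviour exists if the characteristic value exceeds the threshold.
    value = model.characteristic_value(data)
    return {"malicious": value > threshold, "value": value}

def build_alarm(data: DetectionData, result: dict):
    """Claim 4: alarm information carries device information, alarm type, severity."""
    if not result["malicious"]:
        return None
    severity = "high" if result["value"] > 0.9 else "medium"
    return {"device": data.device_id, "type": "malicious_behavior", "severity": severity}

# Client side (claims 5-6): which alarm operations each severity triggers (assumed).
OPERATIONS = {"medium": ["text_prompt"],
              "high": ["text_prompt", "audio_play", "force_close_app"]}

def handle_alarm(alarm: dict) -> list:
    # Parse the alarm information and return the alarm operations to execute.
    if {"device", "type", "severity"} - set(alarm):
        raise ValueError("malformed alarm information")
    if alarm["severity"] not in OPERATIONS:
        raise ValueError(f"unknown severity {alarm['severity']!r}")
    return OPERATIONS[alarm["severity"]]

MODEL = DetectionModel({"outbound_conns": 0.05, "files_written": 0.02,
                        "failed_logins": 0.8, "clicks_per_min": -0.01}, bias=-4.0)
BENIGN = DetectionData("host-01", {"outbound_conns": 5, "files_written": 10},
                       {"failed_logins": 0, "clicks_per_min": 30})
SUSPECT = DetectionData("host-02", {"outbound_conns": 120, "files_written": 300},
                        {"failed_logins": 6, "clicks_per_min": 0})
```

`build_alarm(SUSPECT, analyze(MODEL, SUSPECT))` yields a high-severity alarm for host-02, while the benign record stays below the threshold and produces none.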
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210010093.0A CN114386028A (en) | 2022-01-06 | 2022-01-06 | Malicious behavior detection and alarm method, device, equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210010093.0A CN114386028A (en) | 2022-01-06 | 2022-01-06 | Malicious behavior detection and alarm method, device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114386028A (en) | 2022-04-22 |
Family
ID=81199237
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210010093.0A Pending CN114386028A (en) | 2022-01-06 | 2022-01-06 | Malicious behavior detection and alarm method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114386028A (en) |
- 2022-01-06: CN application CN202210010093.0A (publication CN114386028A), status Pending
Similar Documents
Publication | Title |
---|---|
CN107294808B (en) | Interface test method, device and system |
CN105956474B (en) | Android platform software unusual checking system |
US8805995B1 (en) | Capturing data relating to a threat |
CN111064745B (en) | Self-adaptive back-climbing method and system based on abnormal behavior detection |
US10958657B2 (en) | Utilizing transport layer security (TLS) fingerprints to determine agents and operating systems |
CN108134816B (en) | Access to data on remote device |
KR101496632B1 (en) | System for safe contents service for youths and method therefor |
CN113114680B (en) | Detection method and detection device for file uploading vulnerability |
CN112953971A (en) | Network security traffic intrusion detection method and system |
CN113225339B (en) | Network security monitoring method and device, computer equipment and storage medium |
CN111865987B (en) | Cheating flow processing method, device, equipment and storage medium |
CN116707965A (en) | Threat detection method and device, storage medium and electronic equipment |
CN116305290A (en) | System log security detection method and device, electronic equipment and storage medium |
CN110955890B (en) | Method and device for detecting malicious batch access behaviors and computer storage medium |
KR20150064331A (en) | Device for monitoring web server and analysing malicious code |
US10015181B2 (en) | Using natural language processing for detection of intended or unexpected application behavior |
CN113132393A (en) | Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium |
CN115361450B (en) | Request information processing method, apparatus, electronic device, medium, and program product |
CN112507265A (en) | Method and device for anomaly detection based on tree structure and related products |
CN112306826A (en) | Method and apparatus for processing information for terminal |
CN114386028A (en) | Malicious behavior detection and alarm method, device, equipment and storage medium |
CN114443480A (en) | Test method, test system, readable medium and electronic device |
CN112003833A (en) | Abnormal behavior detection method and device |
CN112565271B (en) | Web attack detection method and device |
CN111611585A (en) | Terminal device monitoring method and device, electronic device and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |