WO2020232685A1 - Malicious quickapp detection method and terminal - Google Patents


Info

Publication number
WO2020232685A1
WO2020232685A1 (application PCT/CN2019/088038)
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
detection model
instrumentation code
unit
cloud server
Prior art date
Application number
PCT/CN2019/088038
Other languages
French (fr)
Chinese (zh)
Inventor
郭子亮
Original Assignee
深圳市欢太科技有限公司
Oppo广东移动通信有限公司
Priority date
Filing date
Publication date
Application filed by 深圳市欢太科技有限公司 and Oppo广东移动通信有限公司
Priority to CN201980090970.6A (CN113366477A)
Priority to PCT/CN2019/088038 (WO2020232685A1)
Publication of WO2020232685A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • The invention relates to the field of terminals, in particular to a method and terminal for detecting malicious quick applications.
  • A quick application (快应用; the translation below also renders it as "fast application") is a new application form built on the mobile phone hardware platform: the user does not download or install anything, taps to use it, and gets the performance experience of a native application. As quick apps have developed, more and more of them appear in everyday life, for example QR-code and ride-hailing quick apps and WeChat ordering quick apps.
  • Quick apps developed for terminals are reviewed before release (by running them manually or machine-scanning the rpk file); those that pass the review are put on the shelf, and those that fail are not.
  • A review that happens only before release is easily bypassed by the evasion techniques ("anti-kill", 免杀) of malicious developers, and users are harmed as a result.
  • The embodiments of the present invention provide a method and terminal for detecting malicious quick applications that collect application logs in real time and judge from them whether a quick application is malicious; this is highly resistant to evasion and improves user experience.
  • The first aspect of the embodiments of the present invention discloses a method for detecting malicious quick applications, the method including:
  • when it is detected that instrumentation code has been triggered, determining according to the trigger strategy whether the application programming interface (API) corresponding to the instrumentation code is the target API;
  • if the API corresponding to the instrumentation code is the target API, obtaining the log of the quick application that called the target API;
  • judging, according to the log of the quick application and the detection model, whether the operation that triggered the instrumentation code is a risk operation;
  • if the operation that triggered the instrumentation code is a risk operation, sending the identification of the quick application and the judgment result to the cloud server.
  • The second aspect of the present invention discloses a method for acquiring a detection model, the method including: acquiring historical operating data of quick applications; training the historical operating data with a machine learning algorithm to obtain a detection model; and sending the detection model to the terminal.
  • A third aspect of the present invention discloses a terminal, the terminal including:
  • a determining unit configured to determine, when it is detected that the instrumentation code is triggered, whether the API corresponding to the instrumentation code is the target API according to the trigger strategy;
  • an obtaining unit configured to obtain the log of the quick application that called the target API if the API corresponding to the instrumentation code is the target API;
  • a judging unit configured to judge, according to the log of the quick application and the detection model, whether the operation that triggered the instrumentation code is a risk operation;
  • a sending unit configured to send the identification of the quick application and the judgment result to the cloud server if the operation that triggered the instrumentation code is a risk operation.
  • the fourth aspect of the present invention discloses a cloud server, which includes:
  • the acquisition unit is used to acquire historical operating data of fast applications
  • a training unit configured to train the historical operating data using a machine learning algorithm to obtain a detection model
  • the sending unit is used to send the detection model to the terminal.
  • the fifth aspect of the present invention discloses a storage medium in which a program is stored; when the program is executed, the processor executes the method described in the first aspect or the second aspect.
  • a sixth aspect of the present invention discloses a terminal.
  • the terminal includes a processor and a memory; a program is stored in the memory; when the program is run, the processor executes the method described in the first aspect.
  • FIG. 1 is a schematic diagram of the architecture of a malicious fast application detection system provided by an embodiment of the present invention
  • FIG. 2 is a schematic diagram of a process of training a detection model for malicious fast applications according to an embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a method for detecting malicious fast applications according to an embodiment of the present invention
  • FIG. 4 is a schematic flowchart of another method for detecting malicious fast applications according to an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of another method for detecting malicious fast applications according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a terminal provided by an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of a cloud server provided by an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of a physical structure of a terminal according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of the physical structure of a mobile phone according to an embodiment of the present invention.
  • the embodiment of the present invention provides a method and terminal for detecting malicious quick applications, which can quickly identify malicious quick applications, and promote the cloud server to process the malicious quick applications to prevent the malicious quick applications from harming users.
  • Quick application: a new application form built on the mobile phone hardware platform; the user does not download or install it, taps to use it, and gets the performance experience of a native application.
  • Quick application framework: deeply integrated into the phone systems of the various manufacturers; it connects user needs with application services at the operating-system level, improves user experience and service conversion efficiency, and supports retention features such as generating desktop icons.
  • rpk file: the file produced when the quick application's source code and resources are compiled and packaged. It is the final output of packing and compressing the resources the quick application needs at run time into one file and signing that compressed file, analogous to an Android APK (Android Package) installation file.
  • Quick application engine: provides the run-time environment for rpk files; it is itself essentially an APK, and it exposes a set of interfaces (APIs) to the rpk.
  • Quick application API (application programming interface): the interface the quick application engine provides to developers.
  • Anti-anti-virus (免杀, "anti-kill"): the counterpart of anti-virus and anti-spyware; techniques that let a virus or trojan avoid being detected and removed by anti-virus software.
  • An "anti-killed" file is a virus file that has been processed with such evasion techniques.
  • In the present invention, "anti-kill" mainly refers to the techniques malicious quick application developers use to evade or bypass the review mechanism of the quick application platform.
  • Monkey: a stress-testing tool Google provides to Android application developers. It tests an application's robustness under load by generating random user touches and key presses; here it is used to simulate ordinary user input.
  • Instrumentation: inserting a piece of custom code into program code so that the custom code executes while the program runs.
  • A malicious quick application detection system deployed in a terminal, which can respond to detection in real time and is highly resistant to evasion, so that malicious quick applications are discovered and dealt with promptly before they harm users.
  • The system consists of a part deployed in the cloud (the cloud server) and a part deployed in the terminal.
  • The model training module is responsible for training a detection model (or virus library) from massive data and sending it to the terminal;
  • the result processing module receives the detection results reported by terminals and removes malicious quick applications.
  • The event monitor is embedded in the quick application engine in advance, with instrumentation stubs inserted at each API of the engine.
  • When a quick application calls an API, the instrumentation code buried in that API is triggered and the API call is recorded as a log entry;
  • the vector generator cleans the log and produces the vectors needed for detection;
  • the analysis determiner classifies the vector with the model issued by the cloud to decide whether the quick application is malicious, and reports the result to the cloud for disposal.
  • The scheme consists of a model training process and a detection process:
  • the analysis and judgment module takes the received behavior vector and the pre-loaded model file, and calls the model's prediction routine to classify the behavior vector.
  • A batch of detection points can be preset in the quick application engine of the terminal to collect run-time logs of quick applications; the quick application is then judged from the generated log and the detection model to decide whether it is malicious, and the identification and detection result of a malicious quick application are sent to the cloud for disposal (for example, the cloud can remove it from the shelf).
  • the cloud uses the collected massive samples and behavioral data to train the detection model and send it to the terminal.
  • the terminal can continuously receive the updated model issued by the cloud, thereby having the ability to continuously detect malicious fast applications.
  • FIG. 4 is a schematic flowchart of a method for detecting malicious fast applications according to an embodiment of the present invention.
  • a method for detecting malicious fast applications provided by an embodiment of the present invention includes the following content:
  • the cloud server obtains historical operation data of the fast application; uses a machine learning algorithm to train the historical operation data to obtain a detection model; and sends the detection model to a terminal;
  • the cloud server can be deployed in a centralized manner or in a distributed manner.
  • the deployment method of the cloud server is not limited here.
  • the method for obtaining the detection model by the cloud server can refer to the method described in FIG. 2, which will not be repeated here.
  • the terminal receives the detection model sent by the cloud server and stores the detection model.
  • the terminal may be an electronic device such as a smart phone, a tablet computer, a smart wearable device, and a computer.
  • APIs can be instrumented selectively according to requirements, or all APIs can be instrumented.
  • For targeted detection, the set of target APIs is configured.
  • A target API can be, for example, a payment API or an API that extracts private information.
  • If a detection were run every time any instrumented API fired, the impact on performance would be large;
  • the trigger strategy can therefore be customized to the actual situation. For example, if malicious fee deduction is the main concern, a detection can be defined to trigger every time the SMS API is called.
  • The method further includes: when it is detected that the instrumentation code is triggered, generating a log of the target application from the call record of the target API.
  • When the instrumentation code is triggered, the instrumentation code of the target API executes first; it generates a log of the target application from the call record of the target API, then returns to the call address of the target API so that the API call completes.
  • The log includes the quick application identification, behavior identification, behavior parameters, and trigger time.
  • If the API corresponding to the instrumentation code is the target API, that is, the trigger strategy determines that this behavior needs to be detected, all logs of this quick application are retrieved from the log store.
  • S105 Determine whether the operation that triggers the instrumentation code is a risk operation according to the log of the quick application and the detection model;
  • Judging whether the operation that triggered the instrumentation code is a risk operation according to the log of the quick application and the detection model includes: generating a behavior vector from the log of the quick application; matching the behavior vector against the detection model; and deciding from the matching result whether the operation that triggered the instrumentation code is a risk operation.
  • the terminal may send a vector generation method acquisition request to the cloud server, and receive the vector generation method fed back by the cloud server.
  • the method for generating the behavior vector may also be pre-installed on the terminal.
  • The judgment result may be indication information that indicates the classification of the quick application,
  • for example low-risk malicious application or high-risk malicious application.
  • The cloud server stores a processing strategy for each class of quick application. For example, a high-risk malicious application is removed from the shelf directly, while a low-risk malicious application has its service suspended and its risk is re-confirmed.
  • The quick application corresponding to the quick application identifier is then processed according to the preset strategy.
  • The method further includes: receiving operating data fed back by the terminal; updating the detection model with the operating data fed back by the terminal; and feeding the updated detection model back to the terminal.
  • the terminal uses the target detection model in the received update message to update the previously stored detection model.
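The terminal-side pipeline described in the steps above (instrumentation stub at an engine API, a trigger strategy that selects target APIs, a per-app log with identification, behavior, parameters and trigger time, a behavior vector, matching against the model issued by the cloud, and a report to the cloud on a risky verdict), as an added Python example. It is not code from the patent or from any quick application engine: the engine API names, the linear scoring model with its weights and thresholds, and the two quick apps driven through the engine are all constructed for illustration.

```python
"""Terminal side: instrumented engine API -> log -> behavior vector -> model match -> report."""
from collections import Counter
import functools
import itertools

# Trigger strategy (constructed): only these target APIs cause a detection to run.
# The patent names SMS and payment / private-data APIs as examples; the names are assumptions.
TARGET_APIS = {"system.sms.send", "service.pay.pay"}

# Behavior identifiers that form the dimensions of the behavior vector (assumed API names).
BEHAVIORS = ("system.sms.send", "service.pay.pay", "system.contact.list",
             "system.device.getId", "system.clipboard.get", "system.fetch.fetch")

# Detection model as a terminal would receive it from the cloud: a linear scorer over the
# behavior vector. Weights and thresholds are invented for the example.
MODEL = {
    "weights": {"system.sms.send": 1.0, "service.pay.pay": 1.5, "system.contact.list": 1.5,
                "system.device.getId": 0.5, "system.clipboard.get": 1.0, "system.fetch.fetch": 0.2},
    "bias": -2.5,
    "low_risk": 0.0,   # score above this: low-risk malicious
    "high_risk": 2.0,  # score above this: high-risk malicious
}

LOG = []      # engine-wide log: app id, behavior id, parameters, trigger time
REPORTS = []  # (app id, verdict) pairs that would be sent to the cloud
_clock = itertools.count(1)  # deterministic trigger time instead of wall-clock time


def behavior_vector(app_id, log=LOG):
    """Vector generator: clean the log down to one app and count calls per behavior id."""
    counts = Counter(e["behavior_id"] for e in log if e["app_id"] == app_id)
    return [counts.get(b, 0) for b in BEHAVIORS]


def match(vector, model=MODEL):
    """Analysis determiner: score the vector; return None, 'low-risk' or 'high-risk'."""
    score = model["bias"] + sum(model["weights"][b] * x for b, x in zip(BEHAVIORS, vector))
    if score > model["high_risk"]:
        return "high-risk"
    if score > model["low_risk"]:
        return "low-risk"
    return None


def instrumented(behavior_id):
    """Instrumentation stub for one engine API. Every call is recorded as a log entry; if the
    trigger strategy marks this API as a target API, a detection runs over all logs of the
    calling app and a risky verdict is reported. Control then returns to the real API."""
    def deco(api):
        @functools.wraps(api)
        def wrapper(app_id, *args, **kwargs):
            LOG.append({"app_id": app_id, "behavior_id": behavior_id,
                        "params": (args, kwargs), "time": next(_clock)})
            if behavior_id in TARGET_APIS:
                verdict = match(behavior_vector(app_id))
                if verdict:
                    REPORTS.append((app_id, verdict))
            return api(app_id, *args, **kwargs)
        return wrapper
    return deco


# A toy quick application engine exposing instrumented APIs (constructed).
@instrumented("system.sms.send")
def sms_send(app_id, number, body): return "sent"
@instrumented("service.pay.pay")
def pay(app_id, order_id): return "paid"
@instrumented("system.contact.list")
def contact_list(app_id): return ["alice", "bob"]
@instrumented("system.device.getId")
def device_id(app_id): return "IMEI-0000"
@instrumented("system.clipboard.get")
def clipboard_get(app_id): return "clip"
@instrumented("system.fetch.fetch")
def fetch(app_id, url): return 200


def run_scenarios():
    """Drive two constructed quick apps through the engine; return what was reported."""
    LOG.clear(); REPORTS.clear()
    # Benign ride-hailing style app: one network call, one SMS. Never crosses the threshold.
    fetch("com.example.ride", "https://example.invalid/order")
    sms_send("com.example.ride", "+10000", "your ride is here")
    # Malicious app: harvests contacts, device id and clipboard, then sends premium SMS.
    # Harvesting calls are logged but not target APIs; the first SMS triggers detection.
    device_id("com.example.evil")
    contact_list("com.example.evil")
    clipboard_get("com.example.evil")
    for _ in range(3):
        sms_send("com.example.evil", "+1900", "premium")
    return list(REPORTS)


if __name__ == "__main__":
    print(run_scenarios())
```

Only calls to target APIs pay the cost of a detection, which is the performance point the trigger strategy addresses; the harvesting calls still land in the log, so by the time the SMS API fires the vector already carries them and the verdict escalates from low-risk to high-risk as the SMS count grows.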
  • FIG. 5 is a schematic flowchart of a method for detecting malicious fast applications according to an embodiment of the present invention.
  • a method for detecting malicious fast applications provided by an embodiment of the present invention includes the following contents:
  • the cloud server receives the behavior log fed back by the fast application engine; performs model training according to the behavior log to obtain a detection model; and sends the detection model to the terminal;
  • The cloud server can be deployed in a centralized or distributed manner; its deployment mode is not limited here.
  • the method for obtaining the detection model by the cloud server can refer to the method described in FIG. 2, which will not be repeated here.
  • the cloud server may convert the behavior log into a behavior vector according to a preset method, and use a preset machine learning algorithm to train the behavior vector to obtain a detection model.
  • the preset machine learning algorithm may be a supervised learning algorithm, a Bayesian learning algorithm, a classification learning algorithm, etc., which are not listed here.
  • the cloud server may send the detection model to multiple terminals. It is understandable that, for example, if the terminal is registered on the cloud server, the cloud server will send the detection model to the registered terminal.
  • the terminal may be an electronic device such as a smart phone, a tablet computer, a smart wearable device, and a computer.
  • the cloud server receives the operating data fed back by the terminal; uses the operating data fed back by the terminal to update the detection model; and feeds back the updated detection model to the terminal;
  • the cloud server will receive the feedback results from each terminal in real time. Then, at each preset time period, the detection model is updated according to the received result, and the updated model is pushed to the terminal.
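The cloud-side process described above (convert behavior logs into behavior vectors by a preset method, train a supervised or Bayesian classifier on historical operating data, fold in the operating data fed back by terminals each period, and push the updated model), as an added Python example that is not the patent's own code. A Bernoulli naive Bayes classifier is used here as one instance of the supervised and Bayesian algorithms the text mentions; the API names, the historical samples and the terminal feedback are constructed.

```python
"""Cloud side: behavior log -> labelled vectors -> trained model -> periodic update from feedback."""
import math

# Behavior identifiers forming the vector dimensions (constructed API names).
BEHAVIORS = ("system.sms.send", "service.pay.pay", "system.contact.list",
             "system.device.getId", "system.clipboard.get", "system.fetch.fetch")
LABELS = ("benign", "malicious")


def behavior_vector(log, app_id):
    """Preset vectorization: 0/1 presence of each behavior in one app's log entries."""
    seen = {e["behavior_id"] for e in log if e["app_id"] == app_id}
    return [int(b in seen) for b in BEHAVIORS]


def new_model():
    """Sufficient statistics of a Bernoulli naive Bayes classifier. Keeping counts instead of
    probabilities lets terminal feedback be folded in without retraining from scratch."""
    return {"n": {lab: 0 for lab in LABELS},
            "ones": {lab: [0] * len(BEHAVIORS) for lab in LABELS}}


def update(model, samples):
    """Add labelled (vector, label) pairs to the counts. Used for the initial training on
    historical operating data and for each periodic update from terminal feedback."""
    for vec, label in samples:
        model["n"][label] += 1
        for i, x in enumerate(vec):
            model["ones"][label][i] += x
    return model


def train(samples):
    return update(new_model(), samples)


def predict(model, vec, alpha=1.0):
    """Classify a behavior vector. Laplace smoothing (alpha) stops a behavior never seen for a
    class from zeroing that class out, so a new app is not misjudged on one unseen API."""
    total = sum(model["n"].values())
    best_label, best_logp = None, -math.inf
    for label in LABELS:
        n = model["n"][label]
        logp = math.log((n + alpha) / (total + alpha * len(LABELS)))
        for i, x in enumerate(vec):
            p1 = (model["ones"][label][i] + alpha) / (n + 2 * alpha)
            logp += math.log(p1 if x else 1.0 - p1)
        if logp > best_logp:
            best_label, best_logp = label, logp
    return best_label


# Constructed historical operating data: (app id, label, behaviors seen in its log).
HISTORY = [
    ("ride.app", "benign", ["system.fetch.fetch"]),
    ("shop.app", "benign", ["system.fetch.fetch", "service.pay.pay"]),
    ("news.app", "benign", ["system.fetch.fetch", "system.device.getId"]),
    ("auth.app", "benign", ["system.sms.send"]),
    ("evil1.app", "malicious", ["system.contact.list", "system.sms.send"]),
    ("evil2.app", "malicious", ["system.contact.list", "system.device.getId", "system.sms.send"]),
    ("evil3.app", "malicious", ["system.clipboard.get", "system.sms.send", "system.fetch.fetch"]),
]


def samples_from(records):
    """Turn (app id, label, behaviors) records into a flat log, then into labelled vectors."""
    log = [{"app_id": a, "behavior_id": b} for a, _, bs in records for b in bs]
    return [(behavior_vector(log, a), label) for a, label, _ in records]


def probe(*behaviors):
    """Vector for a single app that exhibits exactly the given behaviors."""
    return behavior_vector([{"app_id": "probe", "behavior_id": b} for b in behaviors], "probe")


def demo():
    """Train on history, classify a pay+clipboard pattern, fold in one period of terminal
    feedback that flags that pattern, and classify again. Returns (before, after)."""
    model = train(samples_from(HISTORY))
    vec = probe("service.pay.pay", "system.clipboard.get")
    before = predict(model, vec)
    # Operating data fed back by terminals in one period: two apps pairing payment with
    # clipboard and device-id reads, confirmed malicious after review (constructed).
    feedback = [(f"fb{i}.app", "malicious",
                 ["service.pay.pay", "system.clipboard.get", "system.device.getId"]) for i in (1, 2)]
    update(model, samples_from(feedback))  # the updated counts are what gets pushed to terminals
    after = predict(model, vec)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The model that goes to terminals is the count table itself, which is small and serializable; a terminal that already holds the previous table can replace it with the updated one in a single step, matching the update message in the text.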
  • APIs can be instrumented selectively according to requirements, or all APIs can be instrumented.
  • For targeted detection, the set of target APIs is configured.
  • A target API can be, for example, a payment API or an API that extracts private information.
  • If a detection were run every time any instrumented API fired, the impact on performance would be large;
  • the trigger strategy can therefore be customized to the actual situation. For example, if malicious fee deduction is the main concern, a detection can be defined to trigger every time the SMS API is called.
  • The method further includes: when it is detected that the instrumentation code is triggered, generating a log of the target application from the call record of the target API.
  • The log includes the quick application identification, behavior identification, behavior parameters, and trigger time.
  • If the API corresponding to the instrumentation code is the target API, that is, the trigger strategy determines that this behavior needs to be detected, all logs of this quick application are retrieved from the log store.
  • the terminal generates a behavior vector according to the log of the fast application; matches the behavior vector with the detection model; and determines whether the operation that triggers the instrumentation code is a risk operation according to the matching result.
  • the terminal may send a vector generation method acquisition request to the cloud server, and receive the vector generation method fed back by the cloud server.
  • the method for generating the behavior vector may also be pre-installed on the terminal.
  • The judgment result may be indication information that indicates the classification of the quick application,
  • for example low-risk malicious application or high-risk malicious application.
  • The cloud server stores a processing strategy for each class of quick application. For example, a high-risk malicious application is removed from the shelf directly, while a low-risk malicious application has its service suspended and its risk is re-confirmed.
  • The cloud server processes the quick application corresponding to the quick application identifier according to the preset strategy.
  • The cloud server trains the detection model on massive data,
  • subsequently updates the detection model with the operating data fed back by each terminal, and the terminal detects malicious quick applications with the updated detection model;
  • the cloud server is then prompted to process the malicious quick application.
  • FIG. 6 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
  • the terminal may be a device such as a smart phone, a tablet computer, or a smart wearable device.
  • the terminal 300 includes:
  • the determining unit 301 is configured to determine whether the application programming interface API corresponding to the instrumentation code is the target API according to the trigger strategy when it is detected that the instrumentation code is triggered;
  • the acquiring unit 302 is configured to, if the API corresponding to the instrumentation code is the target API, acquire the log of the quick application that calls the target API;
  • the judging unit 303 is configured to judge whether the operation that triggers the instrumentation code is a risk operation according to the log of the quick application and the detection model;
  • the sending unit 304 is configured to send the identification of the fast application and the judgment result to the cloud server if the operation that triggers the instrumentation code is a risk operation.
  • The judging unit 303 is specifically configured to: generate a behavior vector from the log of the quick application; match the behavior vector against the detection model; and decide from the matching result whether the operation that triggered the instrumentation code is a risk operation.
  • the terminal 300 further includes a receiving unit and a storage unit;
  • the receiving unit is configured to receive the detection model sent by the cloud server
  • the storage unit is used to store the detection model.
  • the terminal 300 further includes an update unit
  • the update unit is configured to use the target detection model in the received update message to update the previously stored detection model when an update message sent by the cloud server is received.
  • the terminal 300 further includes a generating unit
  • the generating unit is configured to generate a log of the target application program according to the call record of the target API when it is detected that the instrumentation code is triggered.
  • the log includes quick application identification, behavior identification, behavior parameters, and trigger time.
  • The above logic units may execute the steps corresponding to the terminal in FIG. 4 or FIG. 5; for the specific description, see the description of the method in FIG. 4 or FIG. 5, which is not repeated here.
  • FIG. 7 is a schematic structural diagram of a cloud server provided by an embodiment of the present invention.
  • An embodiment of the present invention provides a cloud server 400, which includes:
  • the acquiring unit 401 is configured to acquire historical operating data of the fast application
  • the training unit 402 is configured to use a machine learning algorithm to train the historical operating data to obtain a detection model
  • the sending unit 403 is configured to send the detection model to the terminal.
  • the cloud server 400 further includes a first receiving unit and a processing unit:
  • the first receiving unit is configured to receive a detection message fed back by the terminal, and the detection message includes a quick application identifier and a detection result;
  • the processing unit is configured to, if the detection result indicates that the fast application corresponding to the fast application identifier has risky operations, process the fast application corresponding to the fast application identifier according to a preset strategy.
  • the cloud server 400 further includes a second receiving unit and an updating unit;
  • the second receiving unit is configured to receive operating data fed back by the terminal
  • the update unit is configured to update the detection model by using the operating data fed back by the terminal;
  • the sending unit is further configured to feed back the updated detection model to the terminal.
  • The above logic units may execute the steps corresponding to the cloud server in FIG. 4 or FIG. 5; for the specific description, see the description of the method in FIG. 4 or FIG. 5, which is not repeated here.
  • a terminal in another embodiment of the present invention, includes hardware such as a CPU 501, a memory 502, a bus 503, and a display screen 504.
  • the terminal 500 may be a device such as a smart phone, a tablet computer, or a smart wearable device.
  • The CPU 501 executes a program pre-stored in the memory 502; the execution process specifically includes:
  • when it is detected that the instrumentation code is triggered, determining according to the trigger strategy whether the API corresponding to the instrumentation code is the target API;
  • if the API corresponding to the instrumentation code is the target API, obtaining the log of the quick application that called the target API;
  • judging, according to the log of the quick application and the detection model, whether the operation that triggered the instrumentation code is a risk operation;
  • if the operation that triggered the instrumentation code is a risk operation, sending the identification of the quick application and the judgment result to the cloud server.
  • Judging whether the operation that triggered the instrumentation code is a risk operation according to the log of the quick application and the detection model includes: generating a behavior vector from the log of the quick application; matching the behavior vector against the detection model; and deciding from the matching result whether the operation that triggered the instrumentation code is a risk operation.
  • The execution process further includes: receiving the detection model sent by the cloud server and storing the detection model.
  • The execution process further includes: when an update message sent by the cloud server is received, updating the previously stored detection model with the target detection model carried in the update message.
  • The execution process further includes: when it is detected that the instrumentation code is triggered, generating the log of the target application from the call record of the target API.
  • The log includes the quick application identification, behavior identification, behavior parameters, and trigger time.
  • the physical structure of the cloud server is also shown in Figure 8.
  • the physical structure provided in FIG. 8 can also perform the steps corresponding to the cloud server in FIG. 4 or FIG. 5.
  • FIG. 9 is a block diagram of a part of the structure of a mobile phone related to a terminal according to an embodiment of the present invention.
  • The mobile phone includes a radio frequency (RF) circuit 610, a memory 620, an input unit 630, a display unit 640, a sensor 650, an audio circuit 660, a wireless fidelity (WiFi) module 670, a processor 680, a power supply 690, and other components.
  • FIG. 9 does not constitute a limitation on the mobile phone, and may include more or less components than those shown in the figure, or a combination of certain components, or different component arrangements.
  • the RF circuit 610 can be used for receiving and transmitting information.
  • the RF circuit 610 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like.
  • the RF circuit 610 can also communicate with the network and other devices through wireless communication.
  • The above wireless communication can use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), and so on.
  • The memory 620 may be used to store software programs and modules; the processor 680 executes the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 620.
  • The memory 620 may mainly include a program storage area and a data storage area. The program storage area may store an operating system and at least one application program required by a function (such as a Wi-Fi connection function, a positioning function, or a polling-strategy formulation function); the data storage area may store data created through use of the mobile phone (such as the user's Wi-Fi usage records).
  • The memory 620 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
  • the input unit 630 may be used to receive inputted digital or character information, and generate key signal input related to user settings and function control of the mobile phone.
  • The input unit 630 may include a fingerprint identification module 631 and other input devices 632.
  • The fingerprint identification module 631 can collect fingerprint data from the user's finger placed on it.
  • The fingerprint identification module 631 may be an optical fingerprint module, a capacitive fingerprint module, or a radio frequency fingerprint module.
  • Taking a capacitive fingerprint identification module 631 as an example, it specifically includes sensing electrodes (n1 abnormal sensing electrodes and n2 normal sensing electrodes) and a signal processing circuit connected to the sensing electrodes (such as an amplifying circuit, a noise suppression circuit, and an analog-to-digital conversion circuit).
  • The input unit 630 may also include other input devices 632.
  • other input devices 632 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control buttons, switch buttons, etc.), trackball, mouse, joystick, and the like.
  • the display unit 640 may be used to display information input by the user or information provided to the user and various menus of the mobile phone.
  • the display unit 640 may include a display screen 641.
  • the display screen 641 may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED), etc.
  • Although in FIG. 9 the fingerprint identification module 631 and the display screen 641 are shown as two independent components realizing the input and output functions of the mobile phone, in some embodiments the fingerprint identification module 631 and the display screen 641 may be integrated to realize the input and output functions of the mobile phone.
  • the mobile phone may also include at least one sensor 650, such as a light sensor, a motion sensor, and other sensors.
  • the light sensor may include an ambient light sensor and a proximity sensor.
  • the ambient light sensor can adjust the brightness of the display 641 according to the brightness of the ambient light.
  • The proximity sensor can turn off the display 641 and/or its backlight when the mobile phone is moved to the ear.
  • The accelerometer sensor can detect the magnitude of acceleration in each direction (usually three axes) and, when stationary, the magnitude and direction of gravity; it can be used for applications that recognize the phone's posture (such as switching between landscape and portrait, related games, and magnetometer posture calibration) and for vibration-recognition functions (such as a pedometer or tap detection). Other sensors that may be configured in the mobile phone, such as a gyroscope, barometer, hygrometer, thermometer, and infrared sensor, are not described here.
  • the audio circuit 660, the speaker 661, and the microphone 662 can provide an audio interface between the user and the mobile phone.
  • the audio circuit 660 can convert received audio data into an electric signal and transmit it to the speaker 661, which converts it into a sound signal for output; conversely, the microphone 662 converts a collected sound signal into an electric signal, which the audio circuit 990 receives and converts into audio data. The audio data is then output to the processor 680 for processing and sent, for example, to another mobile phone via the RF circuit 610, or written to the memory 620 for further processing.
  • WiFi is a short-distance wireless transmission technology.
  • the mobile phone can help users send and receive emails, browse web pages, and access streaming media through the WiFi module 670. It provides users with wireless broadband Internet access.
  • although FIG. 9 shows the WiFi module 670, it is understood that it is not a necessary component of the mobile phone and can be omitted as needed without changing the essence of the invention.
  • the processor 680 is the control center of the mobile phone. It uses various interfaces and lines to connect the parts of the entire mobile phone, and, by running or executing software programs and/or modules stored in the memory 620 and calling data stored in the memory 620, it executes the various functions of the mobile phone and processes data, thereby monitoring the mobile phone as a whole.
  • the processor 680 may include one or more processing units; preferably, the processor 980 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and application programs, and the modem processor mainly handles wireless communication. It can be understood that the modem processor may also not be integrated into the processor 680.
  • the mobile phone also includes a power source 690 (such as a battery) for supplying power to various components.
  • the power source may be logically connected to the processor 680 through a power management system, so that functions such as charging, discharging, and power management are realized through the power management system.
  • the mobile phone may also include a camera, a Bluetooth module, etc., which will not be repeated here.
  • the method flow of each step corresponding to the terminal can be implemented based on the structure of the mobile phone.
  • the disclosed device may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division into units is only a logical functional division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product stored in a storage medium, including several instructions that cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present invention.
  • the aforementioned storage media include: a USB flash drive, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The present invention provides a malicious quickapp detection method and a terminal. The method comprises: if it is detected that an instrumentation code is triggered, determining whether the application programming interface (API) corresponding to the instrumentation code is a target API according to a trigger policy; if the API corresponding to the instrumentation code is the target API, obtaining the log of a quickapp calling the target API; determining, according to the log of the quickapp and a detection model, whether the operation of triggering the instrumentation code is a risky operation; if the operation of triggering the instrumentation code is the risky operation, sending the identifier of the quickapp and the determination result to a cloud server. Therefore, by collecting logs during running in real time to study and determine the maliciousness of quickapps, a malicious quickapp can be quickly determined, thereby promoting the cloud server to handle the malicious quickapp to prevent the malicious quickapp from harming users.

Description

Method and terminal for detecting malicious quick applications
Technical field
The present invention relates to the field of terminals, and in particular to a method and terminal for detecting malicious quick applications.
Background
A quick application (quickapp) is a new form of application built on the mobile phone hardware platform. Users do not need to download or install anything; the application is used on tap and delivers the performance experience of a native application. As quick applications develop, more and more of them appear in daily life, for example scan-to-ride quick applications and WeChat food-ordering quick applications.
At present, quick applications developed for terminals are reviewed before release (by running them manually or by machine-scanning the rpk file); those that pass the review are listed in the store, and those that fail are not. A review performed only before release, however, is easily bypassed by the evasion techniques of malicious developers, and users are harmed as a result.
Summary of the invention
Embodiments of the present invention provide a method and terminal for detecting malicious quick applications. The maliciousness of a quick application is assessed by collecting the application's logs in real time at run time, which gives the scheme strong resistance to evasion and improves the user experience.
A first aspect of the embodiments of the present invention discloses a method for detecting malicious quick applications, the method comprising:
when it is detected that instrumentation code has been triggered, determining, according to a trigger policy, whether the application programming interface (API) corresponding to the instrumentation code is a target API;
if the API corresponding to the instrumentation code is the target API, obtaining the log of the quick application that called the target API;
determining, according to the log of the quick application and a detection model, whether the operation that triggered the instrumentation code is a risky operation;
if the operation that triggered the instrumentation code is a risky operation, sending the identifier of the quick application and the determination result to a cloud server.
A second aspect of the present invention discloses a method for obtaining a detection model, the method comprising:
obtaining historical running data of quick applications;
training on the historical running data with a machine learning algorithm to obtain a detection model;
sending the detection model to a terminal.
A third aspect of the present invention discloses a terminal, the terminal comprising:
a determining unit, configured to determine, when it is detected that instrumentation code has been triggered, whether the API corresponding to the instrumentation code is a target API according to a trigger policy;
an obtaining unit, configured to obtain the log of the quick application that called the target API if the API corresponding to the instrumentation code is the target API;
a judging unit, configured to determine, according to the log of the quick application and a detection model, whether the operation that triggered the instrumentation code is a risky operation;
a sending unit, configured to send the identifier of the quick application and the determination result to a cloud server if the operation that triggered the instrumentation code is a risky operation.
A fourth aspect of the present invention discloses a cloud server, the cloud server comprising:
an obtaining unit, configured to obtain historical running data of quick applications;
a training unit, configured to train on the historical running data with a machine learning algorithm to obtain a detection model;
a sending unit, configured to send the detection model to a terminal.
A fifth aspect of the present invention discloses a storage medium storing a program; when the program is run, a processor executes the method of the first aspect or the second aspect.
A sixth aspect of the present invention discloses a terminal comprising a processor and a memory; the memory stores a program, and when the program is run the processor executes the method of the first aspect.
It can be seen that in the solution of the embodiments of the present invention, when it is detected that instrumentation code has been triggered, it is determined according to a trigger policy whether the API corresponding to the instrumentation code is a target API; if it is, the log of the quick application that called the target API is obtained; it is determined from the log of the quick application and a detection model whether the operation that triggered the instrumentation code is a risky operation; and if it is, the identifier of the quick application and the determination result are sent to the cloud server. Thus, by collecting run-time logs in real time to assess the maliciousness of quick applications, a malicious quick application can be identified quickly, and the cloud server can be prompted to take action against it, preventing it from harming users.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required by the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art could derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of the architecture of a malicious quick application detection system according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of the training of a detection model for malicious quick applications according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a method for detecting malicious quick applications according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of another method for detecting malicious quick applications according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of another method for detecting malicious quick applications according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a cloud server according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of the physical structure of a terminal according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the physical structure of a mobile phone according to an embodiment of the present invention.
Detailed description
Embodiments of the present invention provide a method and terminal for detecting malicious quick applications, which can quickly identify a malicious quick application and prompt the cloud server to handle it, preventing the malicious quick application from harming users.
To help those skilled in the art better understand the solutions of the present invention, the technical solutions in the embodiments are described clearly below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
The terms "first", "second" and "third" in the specification, claims and drawings of the present invention are used to distinguish different objects, not to describe a particular order. The terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not limited to the listed steps or units, but may optionally include steps or units that are not listed or that are inherent to the process, method, product or device.
In addition, the following terms may be used in the embodiments below and are explained here.
Quick application (quickapp): a new form of application built on the mobile phone hardware platform. Users do not need to download or install anything; the application is used on tap and delivers the performance experience of a native application. The quick application framework is deeply integrated into the phone systems of the various manufacturers, connecting user needs and application services seamlessly at the operating system level, improving the user experience and the conversion efficiency of application services, and supporting retention features such as generating a desktop icon.
rpk file: the file produced by compiling and packaging the source code and resources of a quick application. It is the final output obtained by packing and compressing the resources the quick application needs at run time into one file and signing that compressed file, similar to an Android APK (Android Package) file.
Malicious quick application: a quick application that causes loss to the user's interests, usually without the user's knowledge.
Quick application engine: provides the run-time environment for rpk files; it is essentially an APK and exposes a set of interfaces (APIs) to the rpk.
Quick application API (Application Programming Interface): the interfaces the quick application engine provides to developers.
Evasion (免杀): the counterpart of anti-virus and anti-spyware, rendered in English as anti-antivirus, that is, "anti-virus evasion technique". It is a set of techniques that allow viruses and Trojans to avoid detection and removal by anti-virus software; an evasive virus is a virus file that has been processed with such techniques. In the present invention, evasion mainly refers to the techniques used by developers of malicious quick applications to evade or bypass the review mechanism of the quick application platform.
Monkey: a stress-testing tool that Google provides to Android application developers. It tests how well an application holds up under heavy use by randomly generating user touches and keyboard operations; this document uses it to simulate ordinary user input.
Instrumentation: inserting a piece of custom code into a program so that the custom code is executed while the program runs.
One embodiment of the present invention discloses a malicious quick application detection system deployed in a terminal. It responds to detection promptly and has strong resistance to evasion, so that malicious quick applications can be discovered and handled in time and harm to users avoided.
Specifically, as shown in Figure 1, the system mainly comprises a part deployed in the cloud (also called the cloud server) and a part deployed in the terminal.
In the cloud, a model training module trains and generates a detection model or virus library from massive data and delivers it to the terminal for use; a result handling module receives the detection results reported by the terminal and handles malicious quick applications, for example by removing them from the store.
In the terminal, an event monitor is pre-embedded in the quick application engine, with instrumentation at each API of the engine. When an application runs on the terminal, the instrumentation code at each API is triggered and records the API call as a log entry; a vector generator cleans the logs and generates the vectors needed for detection; and an analysis and judgement module classifies the vector with the model delivered by the cloud to decide whether the quick application is malicious, reporting the result to the cloud for handling.
In terms of process, the scheme mainly comprises a model training flow and a detection flow:
The training flow shown in Figure 2 is performed in the cloud, and its workflow is as follows:
1) Select a batch of labelled training samples (RPK files); each label states what kind of risky behaviour the sample carries.
2) Push the samples one by one into a quick application engine that has been instrumented in advance at each API.
3) Use a tool such as Monkey to simulate user operations randomly.
4) The quick application's APIs are necessarily triggered, and our instrumentation code runs at that moment. The instrumentation code only needs to record the API call as one log entry and then return to the original API's call address so that the API call completes. The log entry contains at least four fields: the quick application identifier (which quick application triggered this entry), the behaviour id (the ID of the API the quick application triggered), the behaviour parameters (the parameters of the triggered API) and the trigger time (when the API was triggered).
5) After the program has run for a while we have a behaviour sequence, which we convert into a behaviour vector. There are many ways to do this; for example, sort by increasing trigger time and concatenate all the (numeric) behaviour ids into one string of digits, or match the behaviour parameters against a preset keyword library and build the vector from the number of keyword hits.
6) Repeat the above process until the behaviour vectors of all samples in the training set have been obtained. Feed each behaviour vector together with the label of its sample (the kind of risky behaviour it contains) into the training program, which finally produces a model file. There are many choices for the training algorithm, such as LSTM (long short-term memory network).
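The training flow above, and the vector generation that the terminal must reproduce identically at detection time, as an added Python simulation that is not the patent's or the applicant's code: it constructs a few labelled behaviour logs with the four fields named in step 4, converts them to behaviour vectors by the two methods named in step 5 (time-ordered behaviour ids, and hit counts against a preset keyword library), and trains a nearest-centroid classifier as a deliberately simple stand-in for the LSTM mentioned in step 6. The behaviour ids, the keyword library, the sample logs and the label names are constructed assumptions.

```python
"""Training-side simulation: behaviour logs -> behaviour vectors -> detection model.
Added illustration, not the applicant's code; all ids, keywords and logs are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiLog:
    """One instrumentation log entry with the four fields the text requires."""
    app_id: str          # quick application identifier
    behavior_id: int     # id of the triggered API
    params: str          # parameters passed to the API
    trigger_time: float  # time the API was triggered


# Hypothetical behaviour ids for a few engine APIs (assumption, not the engine's real ids).
API_IDS = {"getLocation": 1, "readContacts": 2, "sendSms": 3, "request": 4, "showToast": 5}

# Preset keyword library matched against behaviour parameters (constructed).
KEYWORDS = ["106", "premium", "contacts", "http://"]


def sequence_vector(logs):
    """Method 1 from the text: order entries by trigger time and string the behaviour ids together."""
    return [log.behavior_id for log in sorted(logs, key=lambda log: log.trigger_time)]


def keyword_vector(logs):
    """Method 2 from the text: count how often each preset keyword hits the behaviour parameters."""
    hits = Counter()
    for log in logs:
        for keyword in KEYWORDS:
            if keyword in log.params:
                hits[keyword] += 1
    return [hits[keyword] for keyword in KEYWORDS]


def feature_vector(logs):
    """Fixed-length vector: per-API counts taken from the ordered sequence, then keyword hits.
    Training and terminal-side detection must both use exactly this function."""
    seq = sequence_vector(logs)
    return [seq.count(api_id) for api_id in sorted(API_IDS.values())] + keyword_vector(logs)


def train_model(samples):
    """Nearest-centroid stand-in for the LSTM the text names: one centroid per label.
    samples: iterable of (label, logs), label naming the risky behaviour or 'benign'."""
    vectors_by_label = {}
    for label, logs in samples:
        vectors_by_label.setdefault(label, []).append(feature_vector(logs))
    return {label: [sum(column) / len(vectors) for column in zip(*vectors)]
            for label, vectors in vectors_by_label.items()}


def predict(model, logs):
    """Prediction routine used by the analysis/judgement module: closest centroid wins."""
    vec = feature_vector(logs)

    def distance(centroid):
        return sum((a - b) ** 2 for a, b in zip(centroid, vec)) ** 0.5

    return min(model, key=lambda label: distance(model[label]))


def build_training_set():
    """Constructed labelled samples standing in for instrumented runs of RPK files under Monkey."""
    benign_a = [ApiLog("app.menu", 4, "http://example.com/menu", 1.0),
                ApiLog("app.menu", 5, "ok", 2.0),
                ApiLog("app.menu", 4, "http://example.com/order", 3.0)]
    benign_b = [ApiLog("app.ride", 4, "http://example.com/ride", 1.0),
                ApiLog("app.ride", 1, "", 2.0),
                ApiLog("app.ride", 5, "ride ready", 3.0)]
    sms_c = [ApiLog("app.bad1", 2, "all contacts", 1.0),
             ApiLog("app.bad1", 3, "to=10690001;body=premium subscribe", 2.0),
             ApiLog("app.bad1", 3, "to=10690001;body=premium confirm", 3.0)]
    sms_d = [ApiLog("app.bad2", 3, "to=10650002;body=premium", 1.0),
             ApiLog("app.bad2", 3, "to=10650002;body=premium", 2.0),
             ApiLog("app.bad2", 3, "to=10650002;body=premium", 3.0),
             ApiLog("app.bad2", 4, "http://report.example/collect", 4.0)]
    return [("benign", benign_a), ("benign", benign_b),
            ("premium_sms", sms_c), ("premium_sms", sms_d)]


if __name__ == "__main__":
    model = train_model(build_training_set())
    unseen = [ApiLog("app.x", 2, "contacts dump", 10.0),
              ApiLog("app.x", 3, "to=10690009;body=premium sub", 11.0)]
    print(predict(model, unseen))  # prints "premium_sms"
```

The point the text stresses in step 5 of the detection flow is visible in `feature_vector`: it is the single function both sides call, so a mismatch between the cloud's vectoriser and the terminal's would silently break classification.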
The detection flow shown in Figure 3 is carried out on the terminal, and its workflow is as follows:
1) When the instrumentation code is triggered, first record the API call as a log entry containing at least four fields: quick application identifier, behaviour id, behaviour parameters and trigger time (with the same meaning as in the training flow). Then return to the original API's call address to complete the API call. All of the following steps run asynchronously and do not block the API call.
2) Match the preset trigger policy to decide whether a detection is needed. This is because there are many instrumentation points, and running a detection every time any API is triggered would cost too much performance. The trigger policy can be customised to the actual situation; for example, if malicious charging is the main concern, a detection can be defined to run every time the SMS-sending API is triggered.
3) If the trigger policy decides that this behaviour needs detection, fetch all log entries of this quick application from the log and generate a behaviour vector (the generation method must be the same as the vector generation method used in the training phase). Call the analysis and judgement module with the behaviour vector.
4) The analysis and judgement module uses the received behaviour vector and the pre-loaded model file, invoking the model's prediction routine to judge the behaviour vector.
5) If the judgement result indicates that the behaviour is risky, report the quick application identifier and the detection result to the cloud, which handles it.
With the methods of Figures 2 and 3, a set of detection points can be preset in the terminal's quick application engine to collect the running logs of quick applications; a quick application is assessed on the basis of the generated logs and the detection model to determine whether it is malicious, and the identifier and detection result of a malicious quick application are sent to the cloud for handling (for example, the cloud may remove the malicious quick application from the store). The cloud uses the massive samples and behaviour data it collects to train the detection model and delivers it to the terminal. In addition, the terminal can keep receiving updated models from the cloud and so retains the ability to detect malicious quick applications continuously.
请参阅图4,图4是本发明一个实施例提供的一种恶意快应用的检测方法的流程示意图。其中,如图4所示,本发明的一个实施例提供的一种恶意快应用的检测方法包括以下内容:Please refer to FIG. 4, which is a schematic flowchart of a method for detecting malicious fast applications according to an embodiment of the present invention. Wherein, as shown in FIG. 4, a method for detecting malicious fast applications provided by an embodiment of the present invention includes the following content:
S101、云服务器获取快应用的历史运行数据;利用机器学习算法对所述历史运行数据进行训练以获取检测模型;以及向终端发送所述检测模型;S101. The cloud server obtains historical operation data of the fast application; uses a machine learning algorithm to train the historical operation data to obtain a detection model; and sends the detection model to a terminal;
其中,需要指出的时,该云服务器可以集中部署,也可以是分布式部署,在此不对云服务器的部署方式做限定。另外,云服务器获取检测模型的方法可参考图2所述的方法,在此不再赘述。Among them, when it needs to be pointed out, the cloud server can be deployed in a centralized manner or in a distributed manner. The deployment method of the cloud server is not limited here. In addition, the method for obtaining the detection model by the cloud server can refer to the method described in FIG. 2, which will not be repeated here.
S102、终端接收所述云服务器发送的检测模型并存储所述检测模型;S102. The terminal receives the detection model sent by the cloud server and stores the detection model.
举例来说,终端可以为智能手机、平板电脑、智能穿戴式设备、计算机等电子设备。For example, the terminal may be an electronic device such as a smart phone, a tablet computer, a smart wearable device, and a computer.
S103、当检测到插桩代码被触发时,根据触发策略确定所述插桩代码对应的应用程序编程接口API是否为目标API;S103: When it is detected that the instrumentation code is triggered, determine whether the application programming interface API corresponding to the instrumentation code is the target API according to the trigger strategy;
其中,需要指出的是,可以根据需求将API进行插桩;也可以对所有的API进行插桩。Among them, what needs to be pointed out is that API can be instrumented according to requirements; all APIs can also be instrumented.
另外,可以理解的是,如果插桩的API较多,但是为了针对性的检测,需要设定目标API,比如目标API可以是进行付款的API,比如对隐私信息进行提取的API等。In addition, it is understandable that if there are many APIs for instrumentation, the target API needs to be set for targeted detection. For example, the target API can be an API for payment, such as an API for extracting private information.
另外,还需要指出的是,在的情况下插桩点比较多,如果每个API被触发都做一次检测,对性能影响较大。可选的,触发策略可以根据实际情况自定义,例如,如果我们比较关注恶意扣费行为,那我们可以定义在每次触发发送短信API的时候就触发一次检测。In addition, it needs to be pointed out that there are more instrumentation points in the case. If each API is triggered, it will be tested once, which will have a greater impact on performance. Optionally, the trigger strategy can be customized according to the actual situation. For example, if we are more concerned about malicious deductions, then we can define a detection to be triggered every time the SMS API is triggered.
另外,可选的,所述方法还包括:当检测到插桩代码被触发时,根据所述目标API的调用记录生成所述目标应用程序的日志。In addition, optionally, the method further includes: when it is detected that the instrumentation code is triggered, generating a log of the target application according to the call record of the target API.
其中,可以理解的是,所述插桩代码被触发即快应用运行了目标API的插桩代码,则插桩代码根据目标API的调用记录生成目标应用程序的日志,然后返回到目标API的调用地址,完成目标API调用。其中,所述日志包括快应用标识、行为标识、行为参数以及触发时间。Among them, it is understandable that the instrumentation code is triggered, and the instrumentation code of the target API is executed soon, and the instrumentation code generates a log of the target application according to the call record of the target API, and then returns to the call of the target API Address, complete the target API call. Wherein, the log includes quick application identification, behavior identification, behavior parameter, and trigger time.
S104. If the API corresponding to the instrumentation code is the target API, obtain the log of the quick app that calls the target API;
For example, if the API corresponding to the instrumentation code is the target API, that is, it is determined according to the trigger strategy that this behavior needs to be detected, then all logs of this quick app are retrieved from the log store.
S105. Determine, according to the log of the quick app and the detection model, whether the operation that triggered the instrumentation code is a risky operation;
Optionally, determining according to the log of the quick app and the detection model whether the operation that triggered the instrumentation code is a risky operation includes: generating a behavior vector according to the log of the quick app; matching the behavior vector against the detection model; and determining, according to the matching result, whether the operation that triggered the instrumentation code is a risky operation.
It should be noted that the method used to generate the behavior vector must be consistent with the vector generation method used in the training phase. The terminal may therefore send a vector generation method acquisition request to the cloud server and receive the vector generation method returned by the cloud server. Optionally, the behavior vector generation method may also be pre-installed on the terminal.
S106. If the operation that triggered the instrumentation code is a risky operation, send the identifier of the quick app and the judgment result to the cloud server;
The judgment result may be indication information used to indicate the classification of the quick app, for example a low-risk malicious application or a high-risk malicious application. Correspondingly, the cloud server stores a handling policy for each class of quick app: for example, a high-risk malicious application is removed from the store directly, while a low-risk malicious application has its service suspended and its risk must be re-confirmed.
S107. Receive the detection message fed back by the terminal, the detection message including the quick app identifier and the detection result;
S108. If the detection result indicates that the quick app corresponding to the quick app identifier has performed a risky operation, process the quick app corresponding to the quick app identifier according to a preset policy.
Optionally, after sending the detection model to the terminal, the method further includes: receiving the operating data fed back by the terminal; updating the detection model using the operating data fed back by the terminal; and feeding back the updated detection model to the terminal. Correspondingly, when receiving the update message sent by the cloud server, the terminal uses the target detection model in the received update message to update the previously stored detection model.
It can be seen that in the solution of this embodiment of the invention, when it is detected that the instrumentation code is triggered, it is determined according to the trigger strategy whether the application programming interface (API) corresponding to the instrumentation code is the target API; if the API corresponding to the instrumentation code is the target API, the log of the quick app that calls the target API is obtained; it is determined according to the log of the quick app and the detection model whether the operation that triggered the instrumentation code is a risky operation; and if the operation that triggered the instrumentation code is a risky operation, the identifier of the quick app and the judgment result are sent to the cloud server. Thus, by collecting runtime logs in real time to perform malicious-behavior analysis of quick apps, a malicious quick app can be identified quickly, and the cloud server is then prompted to handle it, preventing the malicious quick app from harming users.
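The terminal-side steps just described (instrumentation code that logs the call, the trigger strategy selecting target APIs, retrieval of the quick app's log, behavior vector generation and matching against the detection model, and reporting a risky verdict) as an added Python example. This is not code from the patent or from its assignee: the behavior identifiers, the linear scoring model with its weights and thresholds, and the target API set are constructed stand-ins for the trained model and policy that the patent leaves to the cloud server.

```python
"""Terminal-side detection loop: instrumentation hook, trigger strategy,
per-app log, behavior vector and matching against the detection model."""
import time
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Fixed behavior order shared with the training side. The patent requires the
# terminal's vector generation to match the cloud's, so this order is part of
# the vector generation method (constructed example set).
BEHAVIOURS = ["send_sms", "read_contacts", "pay", "get_location", "http_request"]


@dataclass
class LogEntry:
    """One log record: quick app id, behavior id, behavior parameters, trigger time."""
    app_id: str
    behavior_id: str
    params: Dict[str, Any]
    trigger_time: float


class DetectionModel:
    """Linear scoring model standing in for the trained model pushed by the cloud.
    Weights are per behavior in BEHAVIOURS order (constructed values)."""

    def __init__(self, weights: List[float], low: float, high: float):
        self.weights, self.low, self.high = weights, low, high

    def match(self, vector: List[int]) -> str:
        score = sum(w * x for w, x in zip(self.weights, vector))
        if score >= self.high:
            return "high_risk"
        if score >= self.low:
            return "low_risk"
        return "safe"


class Terminal:
    def __init__(self, model: DetectionModel, target_apis):
        self.model = model
        self.target_apis = set(target_apis)      # trigger strategy: APIs that trigger a check
        self.logs: Dict[str, List[LogEntry]] = defaultdict(list)
        self.reports: List[Dict[str, str]] = []  # messages destined for the cloud server

    def make_vector(self, app_id: str) -> List[int]:
        """Behavior vector = call count per behavior id over this app's whole log."""
        counts = Counter(e.behavior_id for e in self.logs[app_id])
        return [counts.get(b, 0) for b in BEHAVIOURS]

    def on_trigger(self, app_id: str, api_name: str, params: Dict[str, Any],
                   now: float) -> Optional[str]:
        """Entered from the instrumentation code. Returns the verdict, or None
        when the trigger strategy says this API does not warrant a check."""
        # Every instrumented call is logged, whether or not it is a target API.
        self.logs[app_id].append(LogEntry(app_id, api_name, dict(params), now))
        if api_name not in self.target_apis:
            return None                                   # not a target API
        verdict = self.model.match(self.make_vector(app_id))   # S104 + S105
        if verdict != "safe":                             # S106: report risky operations
            self.reports.append({"app_id": app_id, "result": verdict})
        return verdict

    def instrument(self, api_name: str, api: Callable[..., Any]) -> Callable[..., Any]:
        """Wrap an engine API: run the check, then return to the original call."""
        def wrapper(app_id: str, **params):
            self.on_trigger(app_id, api_name, params, time.time())
            return api(**params)
        return wrapper
```

With the constructed weights, a single SMS call from an app that has already read contacts scores as low risk and a second one as high risk, while a payment preceded only by a location read stays below the low threshold; the trigger strategy means the contact read itself is logged but never triggers a check.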
Referring to FIG. 5, FIG. 5 is a schematic flowchart of a method for detecting malicious quick apps according to an embodiment of the invention. As shown in FIG. 5, the method for detecting malicious quick apps provided by an embodiment of the invention includes the following:
S201. The cloud server receives the behavior logs fed back by the quick app engine, performs model training according to the behavior logs to obtain a detection model, and sends the detection model to the terminal;
It should be noted that the cloud server may be deployed centrally or in a distributed manner; the deployment mode of the cloud server is not limited here. In addition, the method by which the cloud server obtains the detection model may refer to the method described with reference to FIG. 2, which is not repeated here.
Specifically, the cloud server may convert the behavior logs into behavior vectors according to a preset method and train on the behavior vectors using a preset machine learning algorithm to obtain the detection model. The preset machine learning algorithm may be a supervised learning algorithm, a Bayesian learning algorithm, a classification learning algorithm and so on; these are not enumerated one by one here.
It can be understood that the cloud server may send the detection model to multiple terminals. For example, if a terminal has registered with the cloud server, the cloud server sends the detection model to that registered terminal.
For example, the terminal may be an electronic device such as a smartphone, a tablet computer, a smart wearable device or a computer.
S202. The cloud server receives the operating data fed back by the terminal, updates the detection model using the operating data fed back by the terminal, and feeds back the updated detection model to the terminal;
It can be understood that the cloud server receives the results fed back by each terminal in real time. Then, in each preset time period, it updates the detection model according to the received results and pushes the updated model to the terminals.
S203. When receiving the update message sent by the cloud server, the terminal uses the target detection model in the received update message to update the previously stored detection model;
S204. When it is detected that the instrumentation code is triggered, the terminal determines, according to the trigger strategy, whether the application programming interface (API) corresponding to the instrumentation code is the target API;
It should be noted that APIs may be instrumented selectively according to requirements, or all APIs may be instrumented.
In addition, it can be understood that when many APIs are instrumented, a target API needs to be set so that detection is targeted; for example, the target API may be an API that makes payments or an API that extracts private information.
It should also be noted that in this case there are many instrumentation points; if a detection were run every time any API is triggered, the impact on performance would be considerable. Optionally, the trigger strategy can be customized according to the actual situation: for example, if malicious charging behavior is the main concern, a detection can be defined to be triggered each time the SMS-sending API is invoked.
In addition, optionally, the method further includes: when it is detected that the instrumentation code is triggered, generating a log of the target application according to the call record of the target API. The log includes the quick app identifier, the behavior identifier, the behavior parameters and the trigger time.
S205. If the API corresponding to the instrumentation code is the target API, the terminal obtains the log of the quick app that calls the target API;
For example, if the API corresponding to the instrumentation code is the target API, that is, it is determined according to the trigger strategy that this behavior needs to be detected, then all logs of this quick app are retrieved from the log store.
S206. The terminal generates a behavior vector according to the log of the quick app, matches the behavior vector against the detection model, and determines, according to the matching result, whether the operation that triggered the instrumentation code is a risky operation.
It should be noted that the method used to generate the behavior vector must be consistent with the vector generation method used in the training phase. The terminal may therefore send a vector generation method acquisition request to the cloud server and receive the vector generation method returned by the cloud server. Optionally, the behavior vector generation method may also be pre-installed on the terminal.
S207. If the operation that triggered the instrumentation code is a risky operation, the terminal sends the identifier of the quick app and the judgment result to the cloud server;
The judgment result may be indication information used to indicate the classification of the quick app, for example a low-risk malicious application or a high-risk malicious application. Correspondingly, the cloud server stores a handling policy for each class of quick app: for example, a high-risk malicious application is removed from the store directly, while a low-risk malicious application has its service suspended and its risk must be re-confirmed.
S208. If the detection result indicates that the quick app corresponding to the quick app identifier has performed a risky operation, the cloud server processes the quick app corresponding to the quick app identifier according to a preset policy.
It can be seen that in the solution of this embodiment of the invention, after the cloud server has trained the detection model on a large volume of data, it subsequently updates the detection model according to the operating data fed back by each terminal, and the terminal identifies malicious quick apps according to the updated detection model, which in turn prompts the cloud server to handle the malicious quick app, preventing it from harming users.
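The cloud-server side of FIG. 5 (S201 training from engine behavior logs and pushing the model to registered terminals, S202 folding terminal feedback into the model once per preset period and pushing the update, and S208 applying the preset handling policy to a reported quick app) as an added Python example; it is not the patent's or the assignee's code. It uses a multinomial naive Bayes classifier with Laplace smoothing as the "preset machine learning algorithm" (Bayesian learning is one of the options the text names) and a fixed behavior order as the "preset method" for turning a log into a vector. The training logs, the feedback labels, the handling actions and the existence of a scheduler that calls the per-period update are all constructed assumptions.

```python
"""Cloud-side model training, per-period update and handling for the quick-app detector."""
import math
from collections import Counter
from typing import Dict, List, Tuple

# Preset vector generation method: count of each behavior id in this fixed order.
# The terminal must use the same order for its vectors to match the model.
BEHAVIOURS = ["send_sms", "read_contacts", "pay", "get_location", "http_request"]
LABELS = ["benign", "malicious"]
# Preset handling policy per detection result (constructed example actions).
STRATEGY = {"high_risk": "remove", "low_risk": "suspend_pending_review"}

# Constructed behavior logs fed back by the quick app engine, each a list of
# behavior ids plus the label assigned during labelling (assumed manual review).
TRAINING_LOGS: List[Tuple[List[str], str]] = [
    (["get_location", "http_request", "http_request", "pay"], "benign"),
    (["get_location", "http_request"], "benign"),
    (["http_request", "pay"], "benign"),
    (["read_contacts", "send_sms", "send_sms", "http_request"], "malicious"),
    (["send_sms", "send_sms", "send_sms"], "malicious"),
    (["read_contacts", "http_request", "send_sms"], "malicious"),
]


def vectorize(behaviour_log: List[str]) -> List[int]:
    """Behavior log -> behavior vector in BEHAVIOURS order."""
    counts = Counter(behaviour_log)
    return [counts.get(b, 0) for b in BEHAVIOURS]


class BayesModel:
    """Multinomial naive Bayes with Laplace smoothing; supports incremental updates
    because the model is just per-label sample and behavior counts."""

    def __init__(self):
        self.docs: Counter = Counter()                         # samples per label
        self.counts: Dict[str, List[int]] = {l: [0] * len(BEHAVIOURS) for l in LABELS}
        self.version = 0

    def add(self, vector: List[int], label: str) -> None:
        self.docs[label] += 1
        for i, x in enumerate(vector):
            self.counts[label][i] += x

    def log_prob(self, vector: List[int], label: str) -> float:
        n = sum(self.docs.values())
        lp = math.log((self.docs[label] + 1) / (n + len(LABELS)))   # smoothed prior
        fc = self.counts[label]
        denom = sum(fc) + len(BEHAVIOURS)                            # Laplace denominator
        for i, x in enumerate(vector):
            if x:
                lp += x * math.log((fc[i] + 1) / denom)
        return lp

    def classify(self, vector: List[int]) -> str:
        return max(LABELS, key=lambda l: self.log_prob(vector, l))


class CloudServer:
    def __init__(self):
        self.model = BayesModel()
        self.terminals = set()          # registered terminals that receive pushes
        self.pushed: Dict[str, int] = {}  # terminal id -> model version it holds
        self.pending: List[Tuple[List[int], str]] = []  # feedback for the next period
        self.actions: Dict[str, str] = {}  # quick app id -> action taken

    def register(self, terminal_id: str) -> None:
        self.terminals.add(terminal_id)
        self.pushed[terminal_id] = self.model.version

    def train(self, labelled_logs) -> int:
        """S201: train on engine behavior logs, then push to registered terminals."""
        for log, label in labelled_logs:
            self.model.add(vectorize(log), label)
        return self._push()

    def _push(self) -> int:
        self.model.version += 1
        for t in self.terminals:
            self.pushed[t] = self.model.version
        return self.model.version

    def receive_feedback(self, terminal_id: str, log: List[str], label: str) -> None:
        """S202: operating data fed back by a terminal, queued until the next period."""
        self.pending.append((vectorize(log), label))

    def periodic_update(self) -> int:
        """Called once per preset period (scheduler assumed): fold feedback in, push."""
        if not self.pending:
            return self.model.version
        for vec, label in self.pending:
            self.model.add(vec, label)
        self.pending.clear()
        return self._push()

    def receive_detection(self, app_id: str, result: str) -> str:
        """S208: apply the preset handling policy to the reported classification."""
        action = STRATEGY.get(result, "none")
        self.actions[app_id] = action
        return action
```

The update path is what distinguishes this from a one-shot classifier: with the constructed training data a lone SMS call is classified malicious, and four benign feedback samples from terminals (for instance a legitimate verification-code app) shift the smoothed counts enough that the next pushed version classifies it benign, while the registered terminal's recorded version advances with each push.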
Referring to FIG. 6, FIG. 6 is a schematic structural diagram of a terminal according to an embodiment of the invention. As shown in FIG. 6, an embodiment of the invention provides a terminal 300, which may be a device such as a smartphone, a tablet computer or a smart wearable device. The terminal 300 includes:
a determining unit 301, configured to determine, when it is detected that the instrumentation code is triggered, whether the application programming interface (API) corresponding to the instrumentation code is the target API according to the trigger strategy;
an acquiring unit 302, configured to acquire, if the API corresponding to the instrumentation code is the target API, the log of the quick app that calls the target API;
a judging unit 303, configured to judge, according to the log of the quick app and the detection model, whether the operation that triggered the instrumentation code is a risky operation; and
a sending unit 304, configured to send the identifier of the quick app and the judgment result to the cloud server if the operation that triggered the instrumentation code is a risky operation.
Optionally, the judging unit 303 is specifically configured to: generate a behavior vector according to the log of the quick app; match the behavior vector against the detection model; and judge, according to the matching result, whether the operation that triggered the instrumentation code is a risky operation.
Optionally, the terminal 300 further includes a receiving unit and a storage unit;
the receiving unit is configured to receive the detection model sent by the cloud server;
the storage unit is configured to store the detection model.
Optionally, the terminal 300 further includes an updating unit;
the updating unit is configured to, when an update message sent by the cloud server is received, update the previously stored detection model using the target detection model in the received update message.
Optionally, the terminal 300 further includes a generating unit;
the generating unit is configured to generate the log of the target application according to the call record of the target API when it is detected that the instrumentation code is triggered.
It should also be noted that the log includes the quick app identifier, the behavior identifier, the behavior parameters and the trigger time.
The above logic units may be used to perform the steps corresponding to the terminal in FIG. 4 or FIG. 5; for details see the description of the method with reference to FIG. 4 or FIG. 5, which is not repeated here.
Referring to FIG. 7, FIG. 7 is a schematic structural diagram of a cloud server according to an embodiment of the invention. As shown in FIG. 7, an embodiment of the invention provides a cloud server 400. The cloud server 400 includes:
an acquiring unit 401, configured to acquire historical operating data of quick apps;
a training unit 402, configured to train on the historical operating data using a machine learning algorithm to obtain a detection model; and
a sending unit 403, configured to send the detection model to the terminal.
Optionally, the cloud server 400 further includes a first receiving unit and a processing unit:
the first receiving unit is configured to receive the detection message fed back by the terminal, the detection message including the quick app identifier and the detection result;
the processing unit is configured to, if the detection result indicates that the quick app corresponding to the quick app identifier has performed a risky operation, process the quick app corresponding to the quick app identifier according to a preset policy.
Optionally, the cloud server 400 further includes a second receiving unit and an updating unit;
the second receiving unit is configured to receive the operating data fed back by the terminal;
the updating unit is configured to update the detection model using the operating data fed back by the terminal;
the sending unit is further configured to feed back the updated detection model to the terminal.
The above logic units may be used to perform the steps corresponding to the cloud server in FIG. 4 or FIG. 5; for details see the description of the method with reference to FIG. 4 or FIG. 5, which is not repeated here.
Referring to FIG. 8, in another embodiment of the invention a terminal is provided. The terminal 500 includes hardware such as a CPU 501, a memory 502, a bus 503 and a display screen 504. The terminal 500 may be a device such as a smartphone, a tablet computer or a smart wearable device.
The CPU 501 executes a program pre-stored in the memory 502, and the execution process specifically includes:
when it is detected that the instrumentation code is triggered, determining, according to the trigger strategy, whether the application programming interface (API) corresponding to the instrumentation code is the target API;
if the API corresponding to the instrumentation code is the target API, obtaining the log of the quick app that calls the target API;
determining, according to the log of the quick app and the detection model, whether the operation that triggered the instrumentation code is a risky operation; and
if the operation that triggered the instrumentation code is a risky operation, sending the identifier of the quick app and the judgment result to the cloud server.
Optionally, determining according to the log of the quick app and the detection model whether the operation that triggered the instrumentation code is a risky operation includes:
generating a behavior vector according to the log of the quick app;
matching the behavior vector against the detection model; and
determining, according to the matching result, whether the operation that triggered the instrumentation code is a risky operation.
Optionally, before determining according to the log of the quick app and the detection model whether the operation that triggered the instrumentation code is a risky operation, the execution process further includes:
receiving the detection model sent by the cloud server;
and storing the detection model.
Optionally, the execution process further includes:
when an update message sent by the cloud server is received, updating the previously stored detection model using the target detection model in the received update message.
Optionally, the execution process further includes:
when it is detected that the instrumentation code is triggered, generating the log of the target application according to the call record of the target API.
Optionally, the log includes the quick app identifier, the behavior identifier, the behavior parameters and the trigger time.
It can be seen that in the solution of this embodiment of the invention, when it is detected that the instrumentation code is triggered, it is determined according to the trigger strategy whether the application programming interface (API) corresponding to the instrumentation code is the target API; if the API corresponding to the instrumentation code is the target API, the log of the quick app that calls the target API is obtained; it is determined according to the log of the quick app and the detection model whether the operation that triggered the instrumentation code is a risky operation; and if the operation that triggered the instrumentation code is a risky operation, the identifier of the quick app and the judgment result are sent to the cloud server. Thus, by collecting runtime logs in real time to perform malicious-behavior analysis of quick apps, a malicious quick app can be identified quickly, and the cloud server is then prompted to handle it, preventing the malicious quick app from harming users.
It should also be noted that the physical structure of the cloud server is likewise as shown in FIG. 8. In other words, the physical structure provided in FIG. 8 can also perform the steps corresponding to the cloud server in FIG. 4 or FIG. 5.
Referring to FIG. 9, FIG. 9 is a block diagram of part of the structure of a mobile phone related to the terminal according to an embodiment of the invention. Referring to FIG. 9, the mobile phone includes components such as a radio frequency (RF) circuit 610, a memory 620, an input unit 630, a display unit 640, a sensor 650, an audio circuit 660, a wireless fidelity (WiFi) module 670, a processor 680 and a power supply 690. Those skilled in the art will understand that the mobile phone structure shown in FIG. 9 does not constitute a limitation on the mobile phone; it may include more or fewer components than shown, combine certain components, or arrange the components differently.
Each component of the mobile phone is described in detail below with reference to FIG. 9:
The RF circuit 610 can be used to receive and send information. Generally, the RF circuit 610 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer and so on. In addition, the RF circuit 610 can also communicate with the network and other devices via wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS) and so on.
The memory 620 can be used to store software programs and modules; the processor 610 executes the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 620. The memory 620 may mainly include a program storage area and a data storage area, where the program storage area can store an operating system and application programs required by at least one function (such as a Wi-Fi network connection function, a positioning function, a polling policy formulation function and so on), and the data storage area can store data created through use of the mobile phone (such as the user's Wi-Fi usage records). In addition, the memory 620 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage devices.
The input unit 630 can be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the mobile phone. Specifically, the input unit 630 may include a fingerprint recognition module 931 and other input devices 632. The fingerprint recognition module 631 can collect the fingerprint data of a user placed on it. Optionally, the fingerprint recognition module 631 may include an optical fingerprint module, a capacitive fingerprint module or a radio-frequency fingerprint module. Taking the case where the fingerprint recognition module 631 is a capacitive fingerprint recognition module as an example, it specifically includes sensing electrodes (n1 abnormal sensing electrodes and n2 normal sensing electrodes) and a signal processing circuit connected to the sensing electrodes (such as an amplification circuit, a noise suppression circuit, an analog-to-digital conversion circuit and so on). Besides the fingerprint recognition module 631, the input unit 630 may also include other input devices 932. Specifically, the other input devices 632 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and on/off keys), a trackball, a mouse, a joystick and the like.
The display unit 640 can be used to display information input by the user or provided to the user, as well as the various menus of the mobile phone. The display unit 640 may include a display screen 641; optionally, the display screen 641 may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display and so on. Although in FIG. 9 the fingerprint recognition module 631 and the display screen 641 are two independent components implementing the input and output functions of the mobile phone, in some embodiments the fingerprint recognition module 631 and the display screen 641 may be integrated to implement the input and output functions of the mobile phone.
The mobile phone may also include at least one sensor 650, such as a light sensor, a motion sensor and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, where the ambient light sensor can adjust the brightness of the display screen 641 according to the brightness of the ambient light, and the proximity sensor can turn off the display screen 641 and/or the backlight when the mobile phone is moved to the ear. As one kind of motion sensor, an accelerometer sensor can detect the magnitude of acceleration in each direction (generally three axes) and, when stationary, the magnitude and direction of gravity; it can be used for applications that recognize the posture of the mobile phone (such as switching between landscape and portrait, related games and magnetometer posture calibration), vibration recognition functions (such as a pedometer or tap detection) and so on. Other sensors that may also be configured on the mobile phone, such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, are not described further here.
The audio circuit 660, the speaker 661 and the microphone 662 can provide an audio interface between the user and the mobile phone. The audio circuit 660 can transmit the electrical signal converted from the received audio data to the speaker 661, which converts it into a sound signal for output; conversely, the microphone 662 converts the collected sound signal into an electrical signal, which the audio circuit 990 receives and converts into audio data; the audio data is then output to the processor 680 for processing and sent via the RF circuit 610 to, for example, another mobile phone, or the audio data is output to the memory 620 for further processing.
WiFi属于短距离无线传输技术,手机通过WiFi模块670可以帮助用户收发电子邮件、浏览网页和访问流式媒体等,它为用户提供了无线的宽带互联网访问。虽然图9示出了WiFi模块670,但是可以理解的是,其并不属于手机的必须构成,完全可以根据需要在不改变发明的本质的范围内而省略。WiFi is a short-distance wireless transmission technology. The mobile phone can help users send and receive emails, browse web pages, and access streaming media through the WiFi module 670. It provides users with wireless broadband Internet access. Although FIG. 9 shows the WiFi module 670, it is understandable that it is not a necessary component of the mobile phone and can be omitted as needed without changing the essence of the invention.
处理器680是手机的控制中心,利用各种接口和线路连接整个手机的各个部分,通过运行或执行存储在存储器620内的软件程序和/或模块,以及调用存储在存储器620内的数据,执行手机的各种功能和处理数据,从而对手机进行整体监控。可选的,处理器680可包括一个或多个处理单元;优选的,处理器980可集成应用处理器和调制解调处理器,其中,应用处理器主要处理操作系统、用户界面和应用程序等,调制解调处理器主要处理无线通信。可以理解的是,上述调制解调处理器也可以不集成到处理器680中。The processor 680 is the control center of the mobile phone. It uses various interfaces and lines to connect various parts of the entire mobile phone. It executes by running or executing software programs and/or modules stored in the memory 620, and calling data stored in the memory 620. Various functions and processing data of the mobile phone can be used to monitor the mobile phone as a whole. Optionally, the processor 680 may include one or more processing units; preferably, the processor 980 may integrate an application processor and a modem processor, where the application processor mainly processes the operating system, user interface, and application programs, etc. , The modem processor mainly deals with wireless communication. It can be understood that the foregoing modem processor may not be integrated into the processor 680.
手机还包括给各个部件供电的电源690(比如电池),优选的,电源可以通过电源管理系统与处理器680逻辑相连,从而通过电源管理系统实现管理充电、放电、以及功耗管理等功能。The mobile phone also includes a power source 690 (such as a battery) for supplying power to various components. Preferably, the power source may be logically connected to the processor 680 through a power management system, so that functions such as charging, discharging, and power management are realized through the power management system.
尽管未示出,手机还可以包括摄像头、蓝牙模块等,在此不再赘述。Although not shown, the mobile phone may also include a camera, a Bluetooth module, etc., which will not be repeated here.
前述图4或图5所示的实施例中,终端对应的各步骤方法流程可以基于该手机的结构实现。In the foregoing embodiment shown in FIG. 4 or FIG. 5, the method flow of each step corresponding to the terminal can be implemented based on the structure of the mobile phone.
In the embodiments above, each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in practice; for instance, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatus or units, and may be electrical or take other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual need to achieve the purpose of the embodiments.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, may each exist physically on their own, or two or more of them may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention, in essence or in the part that contributes over the prior art, or all or part of it, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the invention. The storage medium includes a USB flash drive, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk, optical disc or any other medium capable of storing program code.
The embodiments above serve only to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions recorded in those embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solution outside the scope of the embodiments of the invention.

Claims (18)

  1. A method for detecting a malicious quick app, characterized in that the method comprises:
    when it is detected that instrumentation code has been triggered, determining, according to a trigger policy, whether the quick-app application programming interface (API) corresponding to the instrumentation code is a target API;
    if the API corresponding to the instrumentation code is a target API, obtaining the log of the quick app that called the target API;
    judging, according to the log of the quick app and a detection model, whether the operation that triggered the instrumentation code is a risky operation; and
    if the operation that triggered the instrumentation code is a risky operation, sending the identifier of the quick app and the judgment result to a cloud server.
  2. The method according to claim 1, characterized in that judging, according to the log of the quick app and the detection model, whether the operation that triggered the instrumentation code is a risky operation comprises:
    generating a behavior vector from the log of the quick app;
    matching the behavior vector against the detection model; and
    judging, according to the matching result, whether the operation that triggered the instrumentation code is a risky operation.
  3. The method according to claim 2, characterized in that, before judging, according to the log of the quick app and the detection model, whether the operation that triggered the instrumentation code is a risky operation, the method further comprises:
    receiving the detection model sent by the cloud server; and
    storing the detection model.
  4. The method according to claim 3, characterized in that the method further comprises:
    when an update message sent by the cloud server is received, replacing the previously stored detection model with the target detection model carried in the received update message.
  5. The method according to claim 4, characterized in that the method further comprises:
    when it is detected that the instrumentation code has been triggered, generating the log of the target application from the call record of the target API.
  6. The method according to claim 5, characterized in that the log comprises a quick-app identifier, a behavior identifier, behavior parameters and a trigger time.
  7. A method for obtaining a detection model, characterized in that the method comprises:
    obtaining historical run data of quick apps;
    training on the historical run data with a machine-learning algorithm to obtain a detection model; and
    sending the detection model to a terminal.
  8. The method according to claim 7, characterized in that, after sending the detection model to the terminal, the method further comprises:
    receiving a detection message fed back by the terminal, the detection message comprising a quick-app identifier and a detection result; and
    if the detection result indicates that the quick app corresponding to the quick-app identifier performs a risky operation, processing that quick app according to a preset policy.
  9. The method according to claim 7 or 8, characterized in that, after sending the detection model to the terminal, the method further comprises:
    receiving run data fed back by the terminal;
    updating the detection model using the run data fed back by the terminal; and
    feeding the updated detection model back to the terminal.
  10. A terminal, characterized in that the terminal comprises:
    a determining unit, configured to determine, when it is detected that instrumentation code has been triggered, whether the application programming interface (API) corresponding to the instrumentation code is a target API according to a trigger policy;
    an obtaining unit, configured to obtain, if the API corresponding to the instrumentation code is a target API, the log of the quick app that called the target API;
    a judging unit, configured to judge, according to the log of the quick app and a detection model, whether the operation that triggered the instrumentation code is a risky operation; and
    a sending unit, configured to send the identifier of the quick app and the judgment result to a cloud server if the operation that triggered the instrumentation code is a risky operation.
  11. The terminal according to claim 10, characterized in that the judging unit is specifically configured to:
    generate a behavior vector from the log of the quick app;
    match the behavior vector against the detection model; and
    judge, according to the matching result, whether the operation that triggered the instrumentation code is a risky operation.
  12. The terminal according to claim 11, characterized in that the terminal further comprises a receiving unit and a storage unit;
    the receiving unit is configured to receive the detection model sent by the cloud server; and
    the storage unit is configured to store the detection model.
  13. The terminal according to claim 12, characterized in that the terminal further comprises an updating unit;
    the updating unit is configured to, when an update message sent by the cloud server is received, replace the previously stored detection model with the target detection model carried in the received update message.
  14. The terminal according to claim 13, characterized in that the terminal further comprises a generating unit;
    the generating unit is configured to, when it is detected that the instrumentation code has been triggered, generate the log of the target application from the call record of the target API.
  15. The terminal according to claim 14, characterized in that the log comprises a quick-app identifier, a behavior identifier, behavior parameters and a trigger time.
  16. A cloud server, characterized in that the cloud server comprises:
    an obtaining unit, configured to obtain historical run data of quick apps;
    a training unit, configured to train on the historical run data with a machine-learning algorithm to obtain a detection model; and
    a sending unit, configured to send the detection model to a terminal.
  17. The cloud server according to claim 16, characterized in that the cloud server further comprises a first receiving unit and a processing unit:
    the first receiving unit is configured to receive a detection message fed back by the terminal, the detection message comprising a quick-app identifier and a detection result; and
    the processing unit is configured to, if the detection result indicates that the quick app corresponding to the quick-app identifier performs a risky operation, process that quick app according to a preset policy.
  18. The cloud server according to claim 16 or 17, characterized in that the cloud server further comprises a second receiving unit and an updating unit;
    the second receiving unit is configured to receive run data fed back by the terminal;
    the updating unit is configured to update the detection model using the run data fed back by the terminal; and
    the sending unit is further configured to feed the updated detection model back to the terminal.
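Claims 1 to 9 together describe one loop: the terminal hooks quick-app APIs with instrumentation code, consults a trigger policy, logs calls to target APIs, turns the log into a behavior vector, matches it against a model trained in the cloud and reports risky apps; the cloud trains the model from historical run data, acts on reports under a preset policy and retrains on feedback. The Python below is an added model of that loop, not code from the patent or its applicants. The API names (`system.contact.list`, `system.fetch`, `system.sms.send`, `system.vibrate`), the trigger policy, the training counts and the block-list policy are constructed placeholders, and a nearest-centroid classifier over call-frequency vectors stands in for the unspecified machine-learning algorithm of claim 7.

```python
"""Added example (not the patent's code): the terminal/cloud loop of claims 1-9 in
runnable Python. API names, trigger policy and training data are constructed
placeholders; a nearest-centroid classifier stands in for claim 7's unspecified
machine-learning algorithm."""
from __future__ import annotations

import math
from collections import Counter, namedtuple

FEATURES = ("system.contact.list", "system.fetch", "system.sms.send")  # hypothetical API names
# Claim 6: log entry = quick-app id, behavior id, behavior parameters, trigger time.
LogEntry = namedtuple("LogEntry", "app_id behavior_id params trigger_time")


def normalize(counts) -> tuple[float, ...]:
    """Call counts -> call frequencies, so an app's vector does not grow with its uptime."""
    total = sum(counts) or 1.0
    return tuple(c / total for c in counts)


def behavior_vector(log: list[LogEntry]) -> tuple[float, ...]:
    """Claim 2: the behavior vector is the per-target-API call frequency over the app's log."""
    counts = Counter(e.behavior_id for e in log)
    return normalize([counts[f] for f in FEATURES])


class DetectionModel:
    """Nearest-centroid classifier over frequency vectors (stand-in for claim 7's model)."""
    def __init__(self, centroids: dict[str, tuple[float, ...]]):
        self.centroids = centroids

    @classmethod
    def train(cls, history) -> DetectionModel:
        """history: [(per-API call counts, label), ...]; centroid = mean frequency vector per label."""
        acc: dict[str, list[float]] = {}
        n: Counter = Counter()
        for counts, label in history:
            vec = acc.setdefault(label, [0.0] * len(FEATURES))
            for i, v in enumerate(normalize(counts)):
                vec[i] += v
            n[label] += 1
        return cls({lab: tuple(v / n[lab] for v in vec) for lab, vec in acc.items()})

    def match(self, vec) -> str:
        """Claim 2: matching = nearest centroid by Euclidean distance."""
        return min(self.centroids, key=lambda lab: math.dist(vec, self.centroids[lab]))


class CloudServer:
    """Claims 7-9: train on historical run data, act on reports, retrain on terminal feedback."""
    def __init__(self, history):
        self.history, self.blocked = list(history), set()   # preset policy: block-list (hypothetical)
        self.model = DetectionModel.train(self.history)

    def report(self, app_id: str, result: str) -> None:
        if result == "risk":
            self.blocked.add(app_id)

    def feedback(self, run_data) -> DetectionModel:
        self.history += run_data
        self.model = DetectionModel.train(self.history)
        return self.model                                    # claim 9: updated model back to terminal


class Terminal:
    """Claims 1-6: instrumentation code, trigger policy, per-app log, judgment, report."""
    def __init__(self, cloud: CloudServer, trigger_policy: set[str]):
        self.cloud, self.trigger_policy = cloud, trigger_policy
        self.model = cloud.model                 # claim 3: model received from the cloud and stored
        self.logs: dict[str, list[LogEntry]] = {}
        self.clock = 0                           # monotonic stand-in for trigger time

    def instrument(self, api_name: str, api):
        """Wrap a quick-app API so the instrumentation code runs on every call."""
        def hooked(app_id: str, *args, **kwargs):
            if api_name in self.trigger_policy:              # claim 1: target API per trigger policy?
                self.clock += 1
                self.logs.setdefault(app_id, []).append(
                    LogEntry(app_id, api_name, {"args": args, **kwargs}, self.clock))
                if self.judge(app_id) == "risk":             # claim 1: risky -> send id + result
                    self.cloud.report(app_id, "risk")
            return api(*args, **kwargs)
        return hooked

    def judge(self, app_id: str) -> str:
        log = self.logs.get(app_id, [])
        return self.model.match(behavior_vector(log)) if log else "unobserved"


def demo() -> dict:
    """Constructed scenario: a news app that only fetches, and one that dumps contacts then spams SMS."""
    history = [((0, 5, 0), "benign"), ((1, 8, 0), "benign"),  # counts in FEATURES order
               ((3, 1, 4), "risk"), ((2, 0, 3), "risk")]
    cloud = CloudServer(history)
    term = Terminal(cloud, trigger_policy=set(FEATURES))
    fetch = term.instrument("system.fetch", lambda url: f"GET {url}")
    contacts = term.instrument("system.contact.list", lambda: ["alice", "bob"])
    sms = term.instrument("system.sms.send", lambda to, body: True)
    vibrate = term.instrument("system.vibrate", lambda: None)  # not a target API: never logged
    for _ in range(4):
        fetch("news", "https://example.invalid/feed")
    vibrate("news")
    for name in contacts("stealer"):
        sms("stealer", name, "click here")
    term.model = cloud.feedback([(behavior_vector(term.logs["stealer"]), "risk")])  # claims 4 and 9
    return {"news": term.judge("news"), "stealer": term.judge("stealer"),
            "news_log_len": len(term.logs["news"]), "blocked": sorted(cloud.blocked)}


if __name__ == "__main__":
    print(demo())
```

Two design points the claims leave open are fixed here deliberately: the vector is a call frequency rather than a raw count, so a long-running benign app is not pushed towards the risky centroid simply by making many calls, and an app with no instrumented calls is reported as unobserved rather than matched, because a zero vector is closest to whichever centroid happens to lie nearest the origin. Judgment runs on every target-API call, so the contact-dumping app is reported on its first `system.contact.list` call, before any SMS goes out.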
PCT/CN2019/088038 2019-05-22 2019-05-22 Malicious quickapp detection method and terminal WO2020232685A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980090970.6A CN113366477A (en) 2019-05-22 2019-05-22 Malicious fast application detection method and terminal
PCT/CN2019/088038 WO2020232685A1 (en) 2019-05-22 2019-05-22 Malicious quickapp detection method and terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/088038 WO2020232685A1 (en) 2019-05-22 2019-05-22 Malicious quickapp detection method and terminal

Publications (1)

Publication Number Publication Date
WO2020232685A1 true WO2020232685A1 (en) 2020-11-26

Family

ID=73459023

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/088038 WO2020232685A1 (en) 2019-05-22 2019-05-22 Malicious quickapp detection method and terminal

Country Status (2)

Country Link
CN (1) CN113366477A (en)
WO (1) WO2020232685A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113238801A (en) * 2021-05-17 2021-08-10 上海中通吉网络技术有限公司 Express scanning information acquisition method, device and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103186740A (en) * 2011-12-27 2013-07-03 北京大学 Automatic detection method for Android malicious software
WO2015108516A1 (en) * 2014-01-14 2015-07-23 Citrix Systems, Inc. Evaluating application integrity
CN104834859A (en) * 2015-04-24 2015-08-12 南京邮电大学 Method for dynamically detecting malicious behavior in Android App (Application)
CN105893848A (en) * 2016-04-27 2016-08-24 南京邮电大学 Precaution method for Android malicious application program based on code behavior similarity matching
CN107622200A (en) * 2016-07-14 2018-01-23 腾讯科技(深圳)有限公司 The safety detecting method and device of application program

Also Published As

Publication number Publication date
CN113366477A (en) 2021-09-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19929852

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19929852

Country of ref document: EP

Kind code of ref document: A1