CN104091118B - Legal power safety risk determines method and determining device - Google Patents

Legal power safety risk determines method and determining device Download PDF

Info

Publication number
CN104091118B
CN104091118B CN201410326154.XA CN201410326154A CN104091118B CN 104091118 B CN104091118 B CN 104091118B CN 201410326154 A CN201410326154 A CN 201410326154A CN 104091118 B CN104091118 B CN 104091118B
Authority
CN
China
Prior art keywords
application
security risk
authority
constraint
weight
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410326154.XA
Other languages
Chinese (zh)
Other versions
CN104091118A (en
Inventor
祝恒书
于魁飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhigu Ruituo Technology Services Co Ltd
Original Assignee
Beijing Zhigu Ruituo Technology Services Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zhigu Ruituo Technology Services Co Ltd filed Critical Beijing Zhigu Ruituo Technology Services Co Ltd
Priority to CN201410326154.XA priority Critical patent/CN104091118B/en
Publication of CN104091118A publication Critical patent/CN104091118A/en
Application granted granted Critical
Publication of CN104091118B publication Critical patent/CN104091118B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the present application discloses a kind of legal power safety risk and determines method and determining device, and methods described includes:It is determined that at least one application relation between an at least application program and multiple authorities;Wherein, each the application relation in an at least application relation corresponds to the authority in the multiple authority of an application program in an at least application program;It is determined that each applies for the weights of relation in an at least application relation;The legal power safety value-at-risk of each authority in the multiple authority is determined according at least to the corresponding weights of described each application relation.The embodiment of the embodiment of the present application sets up the bigraph (bipartite graph) model of application program and authority by determining the weights of the application relation between application program and authority and the application relation, and the legal power safety value-at-risk of authority is obtained by the application relation and weights, and then the security risk that can more accurately define the competence is just.

Description

Permission security risk determination method and device
Technical Field
The present application relates to a data processing method, and in particular, to a technical scheme for determining an authority security risk.
Background
With the rapid development of mobile devices and mobile internet in recent years, the number of mobile applications has increased explosively. At the same time, the functionality of mobile applications is greatly expanded to enrich and meet users' diverse needs, such as: location Based Services (LBS), Social platform Based Services (SNS), and so forth. In fact, these rich functions depend on various user data and usage rights of the device, such as location access rights, address book access rights, short message access rights, etc. The use of these access rights raises concerns about privacy and security for the user, and thus more and more users desire to know the security of access rights.
Disclosure of Invention
The purpose of this application is: a technical scheme for determining security risk of a right is provided.
In a first aspect, an embodiment of the present application provides a method for determining an authority security risk, including:
determining at least one application relationship between at least one application program and a plurality of authorities; wherein each application relationship in the at least one application relationship corresponds to an application program in the at least one application program applying for a right in the plurality of rights;
determining a weight value of each application relation in the at least one application relation;
and determining the authority security risk value of each authority in the plurality of authorities at least according to the weight value corresponding to each application relation.
In a second aspect, an embodiment of the present application provides an authority security risk determination apparatus, including:
the application relation determining module is used for determining at least one application relation between at least one application program and a plurality of authorities; wherein each application relationship in the at least one application relationship corresponds to an application program in the at least one application program applying for a right in the plurality of rights;
a weight determination module, configured to determine a weight of each application relationship in the at least one application relationship;
and the risk value determining module is used for determining the authority security risk value of each authority in the plurality of authorities at least according to the weight value corresponding to each application relation.
According to at least one implementation scheme of the embodiment of the application, a bipartite graph model of the application and the authority is established by determining the application relation between the application and the authority and the weight of the application relation, and the authority security risk value of the authority is obtained through the application relation and the weight, so that the security risk level of the authority can be determined more accurately.
Drawings
Fig. 1 is a flowchart of a method for determining an authority security risk according to an embodiment of the present application;
fig. 2 is a schematic diagram of a bipartite graph of an application and an authority in an authority security risk determination method according to an embodiment of the present application;
FIG. 3 is a flowchart of another method for determining a security risk of a right according to an embodiment of the present application;
fig. 4 is a block diagram schematically illustrating a structure of an authority security risk determining apparatus according to an embodiment of the present application;
FIG. 5a is a block diagram schematically illustrating another rights security risk determining apparatus according to an embodiment of the present application;
fig. 5b is a schematic block diagram of a structure of a weight determination unit of an authority security risk determination device according to an embodiment of the present application;
fig. 6a and fig. 6b are schematic block diagrams of structures of another two rights security risk determining devices according to the embodiment of the present application, respectively;
fig. 7 is a block diagram schematically illustrating a structure of an electronic device according to an embodiment of the present application;
fig. 8 is a block diagram illustrating a structure of another apparatus for determining a security risk of a right according to an embodiment of the present application.
Detailed Description
The following detailed description of the present application will be made in conjunction with the accompanying drawings (like numerals represent like elements throughout the several figures) and examples. The following examples are intended to illustrate the present application but are not intended to limit the scope of the present application.
It will be understood by those within the art that the terms "first", "second", etc. in this application are used only to distinguish one step, device or module from another, and do not denote any particular technical meaning or necessarily logical order therebetween.
For an application applied to a user device, it may apply for at least one data usage right of the user device, for example, a desktop application applies for a usage right of photo data stored in the user device. The inventor of the application finds that when the security risk of the authority is evaluated, the evaluation accuracy can be improved by considering the potential relation between the application program and the authority.
As shown in fig. 1, an embodiment of the present application provides an authority security risk assessment method, including:
s110, determining at least one application relation between at least one application program and a plurality of authorities; wherein each application relationship in the at least one application relationship corresponds to an application program in the at least one application program applying for a right in the plurality of rights;
s120, determining a weight value of each application relation in the at least one application relation;
s130, determining an authority security risk value of each authority in the plurality of authorities at least according to the weight corresponding to each application relation.
The at least one application program in this embodiment of the present application may be one application program or multiple application programs, and the following embodiments in this embodiment of the present application describe the at least one application program as multiple application programs. The plurality of application programs and the plurality of authorities have a plurality of application relationships.
As shown in fig. 2, in the embodiment of the present application, the inventor proposes a bipartite graph-based model to determine the relationship between an application and a right, taking into account the characteristics of the application and the right. The method comprises the steps that a plurality of application programs are used as a first group of nodes in a bipartite graph, a plurality of authorities are used as a second group of nodes in the bipartite graph, and connection between the two groups of nodes is determined by application relation between the application programs and the authorities, namely, when and only when an application program applies for a right, the application program and the authorities have application relation and connection is established.
For example, the apparatus for determining the security risk of authority provided by the present invention, as the execution subject of the present embodiment, executes steps S110 to S130. In particular, the determining means may be provided in the user equipment or the server device in software, hardware or a combination of software and hardware.
According to the implementation scheme of the embodiment of the application, a bipartite graph model of the application and the authority is established by determining the application relation between the application and the authority and the weight of the application relation, and the authority security risk value of the authority is obtained through the application relation and the weight, so that the security risk level of the authority can be determined.
The steps of the method of the embodiment of the present application are further described below with reference to the bipartite graph shown in fig. 2:
in the embodiment of the present application, a bipartite graph shown in fig. 2 represents relationships between multiple applications and multiple rights in the embodiment of the present application, where the bipartite graph G may be represented as: g ═ V, E, W, where,
v is a node set, and has V ═ Va,Vp},
VaIs an application program set comprising the plurality of application programs a1~aMI.e. Va={a1,···,aMM is the number of the plurality of application programs and is a positive integer;
Vpis a set of rights comprising the plurality of rights p1~pNI.e. Vp={p1,···,pN}; n is the number of the plurality of authorities and is a positive integer;
e is a set of application relationships, wherein if and only if an application a in the plurality of applications is presentiApplying for a permission p of the plurality of permissionsjWhen there is an application relationship eij∈E;
W is a weight set, a weight Wij∈ W denotes said application relation eijThe weight of (2).
In the embodiment shown in FIG. 2, the bipartite graph includes 4 applications a1~a43 rights p1~p3(in the embodiment shown in FIG. 2, the application a1~a4Respectively as follows: angry birds (games), cut fruit (games), faceplates (socializing), and mascaras (games); the permission p1 is to read the state of the mobile phone, the permission p2 is to access the precise position, and the permission p3 represents to read the contact person); the application relationship set contains 8 application relationships (represented in fig. 2 by the connecting lines between the application and the rights): e.g. of the type11,e12,e21,e22,e32,e33,e42And e43They correspond to weights of 0.3, 0.7, 0.2, 0.8, 0.5, 0.5, 0.4 and 0.6, respectively.
In the embodiment of the present application, the weight wijRepresenting said application aiAnd the authority pjThe correlation of (c). In a possible implementation, the weight wijRepresenting said application aiApply for the permission pjThe probability of (c). Here application aiApplication authority pjMeans that in determining the application aiBefore applying which authorities it applies for authority pjThe possibility of (a). For example, for application relation e in FIG. 211In other words, 0.3 denotes the application program a1Application authority p1The probability of (2) is 0.3.
Of course, in other possible embodiments, the weight value may also be determined according to other criteria to indicate the degree of correlation between the application program and the right, and in particular, in one possible embodiment, the weight value may be determined according to a setting instruction of a user.
As described above, in a possible implementation manner of the embodiment of the present application, when determining the weight, the step S120 may determine the weight of each application relationship according to a probability that the application program corresponding to each application relationship applies for the authority.
In the embodiment of the present application, the probability may be obtained according to historical data. Optionally, in a possible implementation manner, the corresponding weight may be determined according to authority application history data of all application programs in an application category to which the application program belongs, where the application program corresponds to each application relationship. In the present embodiment, the application classification may be a classification according to a functional division of the application program, such as a game, an office, a map, or the like; but also a classification according to the developer of the application, or also a cluster classification according to the similarity of other aspects of the application, etc. Of course, one skilled in the art will recognize that the application classification may be a classification based on other classification criteria.
Optionally, in a possible implementation manner of the embodiment of the present application, the weight may be obtained according to a ratio of a frequency at which all applications apply for the permission in the application classification to which the applications belong to and a sum of a plurality of frequencies at which all applications apply for the plurality of permissions, respectively. Can be expressed by the following formula:
wherein f isijRepresenting said application aiApplication program application permission p in the application classificationjOf (c) is detected.
In a possible implementation manner of the embodiment of the present application, in order to obtain the normalized frequency, the frequency corresponding to the authority may be obtained by using a ratio of the number of the application programs applying for an authority in the application classification to all the application programs in the application classification. Of course, in other possible implementations of the embodiments of the present application, the frequency may also be determined in other ways.
In other possible implementation manners of the embodiment of the present application, in addition to determining the weight of each application relationship according to the application frequency of the authority, the weight may also be determined according to other parameters, such as external prior knowledge, which may calculate a correlation value between the application program and the authority for the opinion of experts in the field, other methods, and the like.
In a possible implementation manner of the embodiment of the present application, optionally, in step S130, the obtained rights security risk value of the right may be made more accurate through at least one constraint.
In one possible embodiment, the at least one constraint includes a first constraint that includes:
the higher the weight value corresponding to one application relation in the plurality of application relations is, the closer the application security risk value of an application program corresponding to the application relation is to the authority security risk value of an authority corresponding to the application relation.
In the embodiment of the application, the application security risk value represents the security risk of the corresponding application program, and the permission security risk value represents the security risk of the corresponding permission.
As will be appreciated by those skilled in the art, the first constraint takes into account the dominant relationship between the application and the rights. The higher the weight of an application and a right is, the stronger the correlation between the application and the right is, and when the risk of one is high, the other is bound to be high, and vice versa. Taking the embodiment shown in FIG. 2 as an example, for the authority p2In other words, the corresponding 4 application relations e12,e22,e32And e42The weights are 0.7, 0.8, 0.5 and 0.4, respectively, so that the authority p can be known according to the first constraint2Should be associated with application a2The application security risk values of (1) are closest.
Optionally, in a possible implementation, the at least one constraint further includes a second constraint, where the second constraint includes:
the more similar the authority application conditions of two applications in the plurality of applications are, the more similar the application security risk values of the two applications are.
In this embodiment, the right application status includes: and the application relation between the application authority of the application program and the application authority of the application program corresponds to the weight. When the permissions applied by the two application programs are more similar, and the weights applied for the same permission are more similar, the application security risk values of the two application programs should be more similar. Application a as shown in FIG. 21And application program a1All apply for permission p1And authority p2And application a3Or application a4In contrast, at this time, the application security of the two applicationsThe risk values should be closer; in addition, the two application programs not only apply for the same authority, but also respectively apply for the authority p1And authority p2Are also similar, so it is envisioned that application a1And application program a2Should be more similar. Likewise, application a3And application program a4Should also be more similar. Of course, application a1Or application a2And application program a3Or application a4Should be relatively dissimilar.
Optionally, in a possible implementation manner, the application program may be vector-represented by the weight values of all application relations corresponding to the application program, for example, the application program aiIs shown asWherein the vectorThe application program comprises N elements which sequentially correspond to N authorities, wherein when the application program applies for a authority, the corresponding element is a corresponding weight; when the application program aiIn the absence of a claim, this element is replaced by 0 (in this case the application a can be considered asiThe weight value of the right is applied to be 0); application program ajIs shown asFor example, in the embodiment shown in FIG. 2, application a1Corresponding vectorHere, 0 denotes the application program a1Without application of authority p3. The similarity of the two applications can be determined by the cosine distance of the vectors corresponding to the two applications:
of course, those skilled in the art will recognize that other methods for representing the similarity between two vectors may be used in the embodiments of the present application to determine the similarity between two applications, for example, the similarity between two vectors may be determined by the euclidean distance or the KL distance (Kullback-Leibler Divergence) between the two vectors.
Optionally, in a possible implementation, the at least one constraint further includes a third constraint, where the third constraint includes:
for two authorities in the plurality of authorities, the more similar the applied conditions of the two authorities are, the more similar the authority security risk values of the two authorities are.
In the embodiment of the present application, the applied status of the authority includes an application program applying the authority and a weight value of an application relationship corresponding to the authority applied by the application program. The more similar the application programs applying for the two authorities are, the more similar the application programs applying for the two authorities simultaneously are, the more similar the application relationship weights of the two authorities are, and the more similar the authority security risk values corresponding to the two authorities are. Still taking the embodiment shown in FIG. 2 as an example, it can be seen that the authority p1And authority p2Is simultaneously applied to program a1And application program a2Applied for, and at the same time, the two are respectively applied to the program a1And application program a2The applied weights are similar, and the authority p2And authority p3And is simultaneously applied to the program a3And application program a4Application, and authority p1And authority p3Is not applied by the same application, so it can be seen that at privilege p2And authority p3In, authority p1Is closer to the authority p2The rights security risk value of. Those skilled in the art will appreciate that if the right p3Only by application a1And application program a2Application, then permission p1And authority p3The rights security risk values of (a) are closer.
Optionally, in a possible implementation manner, the authority may be represented by a vector through the weights of all application relations corresponding to the authority, for example, the authority piIs shown as Wherein the vectorContains M elements, which are sequentially and respectively corresponding to M application programs, wherein, when an application program applies for the authority piWhen the weight value is greater than the threshold value, the corresponding element is the corresponding weight value; when an application program does not apply for the permission piWhen the element is replaced by 0 (at this time, the weight of the application program applying for the right is considered to be 0); permission pjIs shown asFor example, in the embodiment shown in FIG. 2, the privilege p1Corresponding vectorTwo 0 s here denote the application a respectively3And a4Without application of authority p1. The similarity of the two authorities can be determined by the cosine distance of the vectors corresponding to the two authorities:
similarly, those skilled in the art will recognize that other methods for representing the similarity between two vectors may be used in the embodiments of the present application to determine the similarity between two rights, such as the euclidean distance described above.
In order to make the obtained rights security risk value more accurate, external a priori knowledge may also be introduced into the calculation of the rights security risk value, and therefore, optionally, in one possible embodiment, the at least one constraint further includes a fourth constraint, and the fourth constraint includes:
the application security risk values of the plurality of application programs are respectively consistent with the prior application security risk values of the plurality of application programs;
and the permission security risk values of the plurality of permissions are respectively consistent with the prior permission security risk values of the plurality of permissions.
In this embodiment of the present application, the fact that the application security risk values of the plurality of application programs and the permission security risk values of the plurality of permissions are respectively consistent with the prior application security risk value and the prior permission security risk value means that the application and the permission security risk values should satisfy prior knowledge, for example: the a priori app security risk value of a first application is greater than the a priori app security risk value of a second application, and the app security risk value of the first application should also be generally greater than the app security risk value of the second application. In the embodiment of the present application, the fourth constraint is introduced, so that the acquired authority security risk value can be converged to a suitable range as soon as possible. In one possible embodiment, for a right, there may be multiple right security risk values that satisfy the above first, second, and third constraints, and then the fourth constraint may help determine which of the multiple right security risk values corresponding to the right is the right security risk value for which the right is more appropriate.
In one possible implementation manner of the embodiment of the present application, the method may further include:
obtaining the prior application security risk value of the at least one application and the prior permission security risk values of the plurality of permissions.
In this embodiment of the present application, the apriori application security risk value and the apriori authority security risk value may be obtained in various ways, for example, in some possible implementations, a security risk value set by a domain expert may be used, a security classification may be constructed according to an external risk report to obtain a corresponding security risk value, or a security mode that is most advanced in a related domain may be used to obtain a corresponding security risk value. In particular, in one possible implementation, the a priori application security risk value and the a priori permission security risk value may be obtained through user presetting.
In a possible implementation manner of the embodiment of the present application, in order to enable the obtaining efficiency of the corresponding application and permission security risk values to be higher, Naive Bayes (PNB) with information prior may be used to obtain the prior application security risk value and the prior permission security risk value.
In a possible implementation manner of the embodiment of the present application, the security risk value of each of the plurality of permissions may be determined according to the weight corresponding to each application relationship and the first to fourth constraints.
For example, in one possible implementation, a cost function is defined that combines the above four constraints, expressed for example as:
wherein,representing application aiIs applied to the security risk value of (a),representing application aiIs applied a priori with a security risk value,representing a right pjThe value of the security risk of the right of,representing a right pjThe first part above (the part in the first parenthesis) represents the fourth constraint mentioned above, the second part (the part in the second parenthesis) represents the second and third constraints, and the third part represents the first constraint. The parameters λ and μ are the parameters of the fourth constraint and the parameters of the second and third constraints, respectively, for controlling the first and second parts described above, which the user can set as desired. It can be seen that the cost function of the embodiments of the present application is not constrained by the second, third and fourth constraints when λ and μ are zero, but only needs to consider the first constraint.
It can be seen that in order to satisfy the constraints described above, suitable ones must be obtainedAndso that the cost function is as small as possible. Thus, in one possible embodiment, the feed may be given firstAndto assign an initial value, for example a value between 0 and 1, in one possible embodiment, for example:and continuously and iteratively updating the two values by a gradient descent method until the cost function is smaller than a set threshold value, for example, the cost function is minimized.
Of course, those skilled in the art will appreciate that the above cost function is only one possible way for the embodiments of the present application to find the rights security risk value, and the rights security risk value of the embodiments of the present application may also be obtained by other methods.
In the embodiment of the present application, after the authority security risk value of each of the plurality of authorities is obtained, further operations may be performed according to the security risks of the plurality of authorities.
Optionally, as shown in fig. 3, in one possible implementation, the method may further include:
s140, the plurality of authorities are sorted according to the authority security risk value of each authority. For example, a security risk based privilege usage recommendation may be made to a developer of an application according to the ranking of the plurality of privileges.
Optionally, in another possible implementation, the method may further include:
for each of the plurality of rights:
determining whether the corresponding authority security risk value is within a set threshold range;
and obtaining an instruction aiming at the authority corresponding to the authority security risk value which is not in the threshold range.
For example, in a possible implementation, when the security risk value of the right of a right exceeds the threshold range, the security risk of the right is considered to be high, which may pose a threat to the security privacy of the user, and at this time, for example, a right closing instruction may be obtained to close the authorization of the right.
The threshold range may be a fixed value or may be dynamically adjusted.
It is understood by those skilled in the art that, in the method according to the embodiments of the present application, the sequence numbers of the steps do not mean the execution sequence, and the execution sequence of the steps should be determined by their functions and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
As shown in fig. 4, one possible implementation manner of the embodiment of the present application provides an authority security risk determining apparatus 400, including:
an application relation determining module 410, configured to determine at least one application relation between at least one application program and a plurality of permissions; wherein each application relationship in the at least one application relationship corresponds to an application program in the at least one application program applying for a right in the plurality of rights;
a weight determination module 420, configured to determine a weight of each application relationship in the at least one application relationship;
a risk value determining module 430, configured to determine, according to at least the weight corresponding to each application relationship, an authority security risk value of each authority in the multiple authorities.
Similar to the method embodiments described above, the following embodiments of the present application further describe the at least one application as a plurality of applications. At this time, the application relation determining module 410 is configured to determine a plurality of application relations between the plurality of applications and the plurality of rights.
The apparatus 400 of the embodiment of the present application determines the relationship between the plurality of applications and the plurality of rights through a bipartite graph-based model. Reference is made in particular to the corresponding description of the embodiment shown in fig. 1.
According to the implementation scheme of the embodiment of the application, a bipartite graph model of the application and the authority is established by determining the application relation between the application and the authority and the weight of the application relation, and the authority security risk value of the authority is obtained through the application relation and the weight, so that the security risk level of the authority can be determined.
The present application example further illustrates each module of the present application example by the following embodiments.
In a possible implementation manner of the embodiment of the present application, for further description of the multiple application relationships between the multiple application programs and the multiple permissions and the weight corresponding to each application relationship, refer to the description of the implementation manner shown in fig. 2 in the foregoing method embodiment, and details are not repeated here.
In the embodiment of the present application, the weight of the application relationship corresponds to a correlation between the application program corresponding to the application relationship and the authority, and generally, the stronger the correlation, the larger the size of the weight. Therefore, the weight determination module 420 can determine the size of the weight according to the correlation between the application and the weight. In one possible embodiment, the relevance may be represented by the size of the probability that the application applies for the right. Of course, one skilled in the art will recognize that in other possible embodiments, the correlation between the application and the rights may be determined in other ways than by the probabilities. For example, in one possible embodiment, the correlation may be determined based on a user-experienced setting instruction.
Therefore, optionally, as shown in fig. 5a, in a possible implementation manner of this embodiment of the application, the weight determining module 420 may include:
the weight determination submodule 421 is configured to determine a weight of each application relationship according to the probability that the application program applies for the permission corresponding to each application relationship.
In a possible implementation manner of the embodiment of the present application, the probability may be obtained according to historical data. Further, in this embodiment, the weight determining submodule 421 may include:
a weight determining unit 4211, configured to determine the corresponding weight according to the permission application history data of all the applications in an application category to which the application belongs, where the application corresponds to each application relationship.
In the present embodiment, the application classification may be a classification according to functional division of an application, such as games, offices, maps, and the like; but also a classification according to the developer of the application, or also a cluster classification according to the similarity of other aspects of the application, etc. Of course, one skilled in the art will recognize that the application classification may also be a classification based on other classification criteria.
Optionally, as shown in fig. 5b, in a possible implementation, the weight determining unit 4211 includes:
a weight determination subunit 4211a, configured to obtain the weight according to a ratio of the frequency of applying for the permission by all the application programs in the application classification to a sum of multiple frequencies of respectively applying for the multiple permissions by all the application programs. Reference is made in particular to the corresponding description of the embodiment of the method shown in fig. 2.
In a possible implementation manner of the embodiment of the present application, in order to obtain the normalized frequency, the frequency corresponding to the authority may be obtained by using a ratio of the number of the application programs applying for an authority in the application classification to all the application programs in the application classification. Of course, in other possible implementations of the embodiments of the present application, the frequency may also be determined in other ways.
In order to determine the application security risk value of each application program more quickly and accurately, optionally, in a possible embodiment, the risk value determining module 430 includes:
a risk value determining submodule 431, configured to determine the permission security risk value of each permission according to the weight corresponding to each application relationship and at least one constraint;
wherein the at least one constraint comprises a first constraint comprising:
the higher the weight value corresponding to one application relation in the application relations is, the closer the application security risk value of the application program corresponding to the application relation is to the permission security risk value of the permission corresponding to the application relation.
In the embodiment of the application, the application security risk value represents the security risk of the corresponding application program, and the permission security risk value represents the security risk of the corresponding permission.
As will be appreciated by those skilled in the art, the first constraint takes into account the dominant relationship between the application and the rights. The higher the weight of an application and a right is, the stronger the correlation between the application and the right is, and when the risk of one is high, the other is bound to be high, and vice versa. Reference is made in particular to the corresponding description in the above-mentioned method embodiments.
Optionally, in a possible implementation, the at least one constraint further includes a second constraint, where the second constraint includes:
the more similar the authority application conditions of two applications in the plurality of applications are, the more similar the application security risk values of the two applications are.
In this embodiment, the right application status includes: and the application relation between the application authority of the application program and the application authority of the application program corresponds to the weight. When the permissions applied by the two application programs are more similar, and the weights applied for the same permission are more similar, the application security risk values of the two application programs should be more similar. Reference is made in particular to the corresponding description in the above-mentioned method embodiments.
Optionally, in a possible implementation manner, the application program may be represented by a vector through a weight of all application relationships corresponding to the application program, and at this time, the similarity between the two application programs may be determined through a cosine distance between the two application programs. Reference is made in particular to the corresponding description in the above-mentioned method embodiments.
Of course, those skilled in the art will recognize that other methods for representing the similarity between two vectors may be used in the embodiments of the present application to determine the similarity between two applications.
Optionally, in a possible implementation, the at least one constraint further includes a third constraint, where the third constraint includes:
for two authorities in the plurality of authorities, the more similar the applied conditions of the two authorities are, the more similar the authority security risk values of the two authorities are.
In the embodiment of the present application, the applied status of the authority includes an application program applying the authority and a weight value of an application relationship corresponding to the authority applied by the application program. The more similar the application programs applying for the two authorities are, the more similar the application programs applying for the two authorities simultaneously are, the more similar the application relationship weights of the two authorities are, and the more similar the authority security risk values corresponding to the two authorities are.
Optionally, in a possible implementation manner, the authority may be represented by a vector through the weights of all application relationships corresponding to one authority, and at this time, the similarity between two authorities may be determined through the cosine distance between the two authorities. Reference is made in particular to the corresponding description in the above-mentioned method embodiments.
Similarly, those skilled in the art will recognize that other methods for representing the similarity between two vectors may be used in the embodiments of the present application to determine the similarity between two rights.
In order to make the obtained rights security risk value more accurate, external a priori knowledge may also be introduced into the calculation of the rights security risk value, and therefore, optionally, in one possible embodiment, the at least one constraint further includes a fourth constraint, and the fourth constraint includes:
the application security risk values of the plurality of application programs are respectively consistent with the prior application security risk values of the plurality of application programs;
and the permission security risk values of the plurality of permissions are respectively consistent with the prior permission security risk values of the plurality of permissions.
In the embodiment of the present application, the application security risk values of the plurality of application programs and the permission security risk values of the plurality of permissions are respectively consistent with the prior application security risk value and the prior permission security risk value, which means that the application and the permission security risk values should satisfy the prior knowledge. For example, the application security risk value should be as close as possible to the a priori application security risk value and the rights security risk value should be as close as possible to the a priori rights security risk value, provided that other constraints are simultaneously satisfied. In the embodiment of the present application, the fourth constraint is introduced, so that the obtained right security risk value can be converged to a suitable range as soon as possible, specifically refer to the corresponding description in the above method embodiment.
Optionally, in a possible implementation, the apparatus 400 further includes:
a priori risk value obtaining module 460, configured to obtain the priori application security risk value of the at least one application and the priori permission security risk values of the plurality of permissions.
In this embodiment of the present application, the apriori application security risk value and the apriori authority security risk value may be obtained in various ways, for example, in some possible implementations, a security risk value set by a domain expert may be used, a security classification may be constructed according to an external risk report to obtain a corresponding security risk value, or a security mode that is most advanced in a related domain may be used to obtain a corresponding security risk value. In particular, in one possible implementation, the a priori application security risk value and the a priori permission security risk value may be obtained through user presetting.
In a possible implementation manner of the embodiment of the present application, in order to make the obtaining efficiency of the corresponding application and permission security risk values higher, a PNB may be used to obtain the prior application security risk value and the prior permission security risk value.
In a possible implementation manner of the embodiment of the present application, the authority security risk value of each of the plurality of authorities may be determined according to the weight corresponding to each application relationship and the first to fourth constraints.
For example, in one possible implementation, the authority security risk value of each authority may be obtained by the cost function in the above method embodiment. Reference is made in particular to the corresponding description in the above-mentioned method embodiments.
Of course, those skilled in the art can appreciate that the above cost function is only one possible way for the embodiment of the present application to find the application security risk value and the rights security risk value, and the application security risk value and the rights security risk value of the embodiment of the present application can also be obtained by other formulas or functions.
In this embodiment of the present application, after obtaining the security risk value of each right in the plurality of rights, the device may further perform a further operation according to the security risks of the plurality of rights.
Optionally, as shown in fig. 6a, in one possible implementation, the apparatus 400 may further include:
a permission ordering module 440, configured to order the plurality of permissions according to the permission security risk value of each permission. For example, a security risk based privilege usage recommendation may be made to a developer of an application according to the ranking of the plurality of privileges.
Optionally, as shown in fig. 6b, in another possible implementation, the apparatus 400 may further include:
an instruction fetch module 450 for, for each of the plurality of permissions:
determining whether the corresponding authority security risk value is within a set threshold range;
and obtaining an instruction aiming at the authority corresponding to the authority security risk value which is not in the threshold range.
For example, in a possible implementation, when the security risk value of the right of a right exceeds the threshold range, the security risk of the right is considered to be high, which may pose a threat to the security privacy of the user, and at this time, the instruction obtaining module 450 may obtain, for example, a right closing instruction for closing the authorization of the right.
The threshold range may be a fixed value or may be dynamically adjusted.
As shown in fig. 7, in one possible implementation manner of the embodiment of the present application, an electronic device 700 is provided, which includes the rights security risk determining apparatus 710 described above.
In one possible implementation, the electronic device 700 may be a user equipment, and optionally, may be a mobile user equipment. In another possible implementation, the electronic device 700 may also be a server.
Fig. 8 is a schematic structural diagram of another permission security risk determining apparatus 800 according to an embodiment of the present application, and a specific implementation of the permission security risk determining apparatus 800 is not limited in the specific embodiment of the present application. As shown in fig. 8, the rights security risk determining apparatus 800 may include:
a processor (processor)810, a communication Interface 820, a memory 830, and a communication bus 840. Wherein:
processor 810, communication interface 820, and memory 830 communicate with one another via a communication bus 840.
A communication interface 820 for communicating with a network element, such as a client.
The processor 810 is configured to execute the program 832, and may specifically perform the relevant steps in the above method embodiments.
In particular, the program 832 may include program code comprising computer operational instructions.
The processor 810 may be a central processing unit CPU, or an application specific Integrated circuit asic, or one or more Integrated circuits configured to implement embodiments of the present application.
The memory 830 stores a program 832. Memory 830 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory. The program 832 may specifically be used to cause the rights security risk determining device 800 to perform the following steps:
determining at least one application relationship between at least one application program and a plurality of authorities; wherein each application relationship in the at least one application relationship corresponds to an application program in the at least one application program applying for a right in the plurality of rights;
determining a weight value of each application relation in the at least one application relation;
and determining the authority security risk value of each authority in the plurality of authorities at least according to the weight value corresponding to each application relation.
For specific implementation of each step in the program 832, reference may be made to corresponding steps and corresponding descriptions in units in the foregoing embodiments, which are not described herein again. It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described devices and modules may refer to the corresponding process descriptions in the foregoing method embodiments, and are not described herein again.
Those of ordinary skill in the art will appreciate that the various illustrative elements and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above embodiments are merely illustrative, and not restrictive, and those skilled in the relevant art can make various changes and modifications without departing from the spirit and scope of the present application, and therefore all equivalent technical solutions also fall within the scope of the present application, and the scope of the present application is defined by the appended claims.

Claims (21)

1. An authority security risk determination method, comprising:
determining at least one application relationship between at least one application program and a plurality of authorities; wherein each application relationship in the at least one application relationship corresponds to an application program in the at least one application program applying for a right in the plurality of rights;
determining a weight value of each application relation in the at least one application relation;
determining an authority security risk value of each authority in the plurality of authorities at least according to the weight corresponding to each application relation;
wherein the determining the authority security risk value of each authority in the plurality of authorities at least according to the weight corresponding to each application relationship comprises:
determining the authority security risk value of each authority according to the weight corresponding to each application relation and at least one constraint;
wherein the at least one constraint comprises a first constraint comprising:
the higher the weight value corresponding to one application relation in the at least one application relation is, the closer the application security risk value of an application program corresponding to the application relation is to the authority security risk value of an authority corresponding to the application relation.
2. The method of claim 1, wherein the method further comprises:
and sequencing the plurality of authorities according to the authority security risk value of each authority.
3. The method of claim 1, wherein the method further comprises:
for each of the plurality of rights:
determining whether the corresponding authority security risk value is within a set threshold range;
and obtaining an instruction aiming at the authority corresponding to the authority security risk value which is not in the threshold range.
4. The method of claim 1, wherein the weight of each application relationship is determined according to a probability that the application program corresponding to each application relationship applies for the permission.
5. The method according to claim 1, wherein the corresponding weight value is determined according to the permission application history data of all the applications in an application classification to which the application belongs corresponding to each application relationship.
6. The method of claim 5, wherein the weight is obtained according to a ratio of a frequency of applying for the permission by all the applications in the application classification to a sum of a plurality of frequencies of respectively applying for the plurality of permissions by all the applications.
7. The method of claim 1, wherein the at least one application is a plurality of applications, the at least one constraint further comprising a second constraint comprising:
the more similar the authority application conditions of two applications in the plurality of applications are, the more similar the application security risk values of the two applications are.
8. The method of claim 1, wherein the at least one constraint further comprises a third constraint, the third constraint comprising:
for two authorities in the plurality of authorities, the more similar the applied conditions of the two authorities are, the more similar the authority security risk values of the two authorities are.
9. The method of claim 1, wherein the at least one constraint further comprises a fourth constraint, the fourth constraint comprising:
the application security risk values of the at least one application are respectively consistent with the prior application security risk values of the at least one application;
and the permission security risk values of the plurality of permissions are respectively consistent with the prior permission security risk values of the plurality of permissions.
10. The method of claim 9, wherein the method further comprises:
obtaining the prior application security risk value of the at least one application and the prior permission security risk values of the plurality of permissions.
11. An authority security risk determination apparatus, comprising:
the application relation determining module is used for determining at least one application relation between at least one application program and a plurality of authorities; wherein each application relationship in the at least one application relationship corresponds to an application program in the at least one application program applying for a right in the plurality of rights;
a weight determination module, configured to determine a weight of each application relationship in the at least one application relationship;
a risk value determining module, configured to determine, according to at least the weight corresponding to each application relationship, an authority security risk value of each authority in the plurality of authorities;
wherein the risk value determination module comprises:
a risk value determining submodule, configured to determine the permission security risk value of each permission according to the weight corresponding to each application relationship and at least one constraint;
wherein the at least one constraint comprises a first constraint comprising:
the higher the weight value corresponding to one application relation in the at least one application relation is, the closer the application security risk value of the application program corresponding to the application relation is to the authority security risk value of an authority corresponding to the application relation.
12. The apparatus of claim 11, wherein the apparatus further comprises:
and the permission ordering module is used for ordering the plurality of permissions according to the permission security risk value of each permission.
13. The apparatus of claim 11, wherein the apparatus further comprises:
an instruction acquisition module to, for each of the plurality of permissions:
determining whether the corresponding authority security risk value is within a set threshold range;
and obtaining an instruction aiming at the authority corresponding to the authority security risk value which is not in the threshold range.
14. The apparatus of claim 11, wherein the weight determination module comprises:
and the weight determination submodule is used for determining the weight of each application relation according to the probability of the application program corresponding to each application relation applying for the permission.
15. The apparatus of claim 14, wherein the weight determination submodule comprises:
and the weight value determining unit is used for determining the corresponding weight value according to the permission application historical data of all the application programs in an application classification to which the application program belongs, which corresponds to each application relation.
16. The apparatus of claim 15, wherein the weight determination unit comprises:
and the weight determining subunit is configured to obtain the weight according to a ratio of the frequency at which the all application programs apply for the permission in the application classification to a sum of the frequencies at which the all application programs respectively apply for the plurality of permissions.
17. The apparatus of claim 11, wherein the at least one application is a plurality of applications, the at least one constraint further comprising a second constraint, the second constraint comprising:
the more similar the authority application conditions of two applications in the plurality of applications are, the more similar the application security risk values of the two applications are.
18. The apparatus of claim 11, wherein the at least one constraint further comprises a third constraint, the third constraint comprising:
for two authorities in the plurality of authorities, the more similar the applied conditions of the two authorities are, the more similar the authority security risk values of the two authorities are.
19. The apparatus of claim 11, wherein the at least one constraint further comprises a fourth constraint, the fourth constraint comprising:
the application security risk values of the at least one application are respectively consistent with the prior application security risk values of the at least one application;
and the permission security risk values of the plurality of permissions are respectively consistent with the prior permission security risk values of the plurality of permissions.
20. The apparatus of claim 19, wherein the apparatus further comprises:
a priori risk value obtaining module, configured to obtain the priori application security risk value of the at least one application and the priori permission security risk values of the plurality of permissions.
21. An electronic device, characterized in that it comprises an authorization security risk determining means according to any of claims 11-20.
CN201410326154.XA 2014-07-09 2014-07-09 Legal power safety risk determines method and determining device Active CN104091118B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410326154.XA CN104091118B (en) 2014-07-09 2014-07-09 Legal power safety risk determines method and determining device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410326154.XA CN104091118B (en) 2014-07-09 2014-07-09 Legal power safety risk determines method and determining device

Publications (2)

Publication Number Publication Date
CN104091118A CN104091118A (en) 2014-10-08
CN104091118B true CN104091118B (en) 2017-07-04

Family

ID=51638833

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410326154.XA Active CN104091118B (en) 2014-07-09 2014-07-09 Legal power safety risk determines method and determining device

Country Status (1)

Country Link
CN (1) CN104091118B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103473504A (en) * 2013-09-25 2013-12-25 西安交通大学 Android malicious code detection method based on class analysis
CN103593238A (en) * 2012-08-16 2014-02-19 腾讯科技(深圳)有限公司 Method and device for controlling invocation of application programming interfaces

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20100005935A (en) * 2008-07-08 2010-01-18 주식회사 비즈모델라인 Method for identifying own program usage permission jointly and terminal device, recording medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103593238A (en) * 2012-08-16 2014-02-19 腾讯科技(深圳)有限公司 Method and device for controlling invocation of application programming interfaces
CN103473504A (en) * 2013-09-25 2013-12-25 西安交通大学 Android malicious code detection method based on class analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于类别以及权限的Android恶意程序检测;张叶慧等;《计算机工程与设计》;20140531;第35卷(第5期);第1568-1571页,图2、3 *

Also Published As

Publication number Publication date
CN104091118A (en) 2014-10-08

Similar Documents

Publication Publication Date Title
CN104091071B (en) The risk of application program determines method and determining device
US10474827B2 (en) Application recommendation method and application recommendation apparatus
US11836643B2 (en) System for secure federated learning
WO2018149292A1 (en) Object clustering method and apparatus
US20210110013A1 (en) Systems and methods for user-authentication despite error-containing password
JP5755822B1 (en) Similarity calculation system, similarity calculation method, and program
WO2018170454A2 (en) Using different data sources for a predictive model
US9697381B2 (en) Computing system with identity protection mechanism and method of operation thereof
CN104156467B (en) API recommends method and API recommendation apparatus
CN106650828B (en) Intelligent terminal security level classification method based on support vector machine
CN104091131B (en) The relation of application program and authority determines method and determining device
CN111400504A (en) Method and device for identifying enterprise key people
US9245149B1 (en) System and method for controling privileges of consumers of personal data
US10749910B1 (en) Multidimensional vectors for analyzing and visually displaying identity permissions
Zheng et al. Incorporating Context Correlation into Context-aware Matrix Factorization.
CN104348624B (en) A kind of method and apparatus of Hash authentication trustworthiness
CN109165354A (en) Blind date friend-making matching process and device based on block chain
US11907401B2 (en) Systems and methods to maintain user privacy whtle providing recommendations
WO2017092581A1 (en) User data sharing method and device
CN109816543A (en) A kind of image lookup method and device
US20120106853A1 (en) Image search
CN107679053B (en) Site recommendation method and device, computer equipment and storage medium
Chu et al. Variational cross-network embedding for anonymized user identity linkage
CN104156468B (en) API recommends method and API recommendation apparatus
CN104091117B (en) Clustering method based on security risk and clustering apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant