CN105050091B - Eavesdropping behavior detection method and device - Google Patents

Publication number
CN105050091B
Authority
CN
China
Prior art keywords
state
characteristic value
call
incoming call
current incoming
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510279225.XA
Other languages
Chinese (zh)
Other versions
CN105050091A (en)
Inventor
朱大立
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS filed Critical Institute of Information Engineering of CAS
Priority to CN201510279225.XA priority Critical patent/CN105050091B/en
Publication of CN105050091A publication Critical patent/CN105050091A/en
Application granted granted Critical
Publication of CN105050091B publication Critical patent/CN105050091B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W24/00 Supervisory, monitoring or testing arrangements
    • H04W24/04 Arrangements for maintaining operational condition

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Telephonic Communication Services (AREA)
  • Telephone Function (AREA)

Abstract

The invention discloses a method and a device for detecting eavesdropping behavior, relating to the technical field of mobile communication. The method comprises the following steps: S1, acquiring a first state parameter of the current incoming call, establishing a first state matrix according to the acquired first state parameter, and calculating a first characteristic value of the first state matrix; S2, comparing the first characteristic value with a preset blacklist and a preset white list, blocking the current incoming call when the first characteristic value exists in the blacklist, and continuing to answer the current incoming call when the first characteristic value exists in the white list. By acquiring the first state parameter of the current incoming call, establishing the first state matrix from it, comparing the first characteristic value of that matrix with the preset blacklist and white list, and deciding how to handle the current incoming call according to the comparison result, the method and device prevent the call from being eavesdropped without affecting the normal function of the terminal.

Description

Eavesdropping behavior detection method and device
Technical Field
The present invention relates to the field of mobile communications technologies, and in particular, to a method and an apparatus for detecting an eavesdropping behavior.
Background
With the popularization of smart terminals, eavesdropping and anti-eavesdropping technologies on these terminals are receiving more and more attention. Existing eavesdropping techniques fall into two functional types: environment eavesdropping and environment recording. In the former, malicious software installed on a target terminal makes the terminal automatically set up a call with a remote device without the user noticing, so that criminals can listen to the sound around the user's terminal. In the latter, after a malicious program is implanted into the terminal, the sound around the terminal is recorded through the microphone and uploaded to a remote device when conditions allow, leaking user information.
Eavesdropping and anti-eavesdropping technologies complement each other and evolve in opposition. As prevention techniques develop, eavesdropping methods and malicious software are continuously upgraded, and many trojans and viruses are implanted into the system framework layer or even the operating system kernel through vulnerabilities. At present, there are three main ways of preventing eavesdropping on a smart terminal: antivirus software, external equipment, and customized systems.
Existing antivirus anti-eavesdropping technology for mobile terminals mainly covers three aspects: application scanning, process monitoring, and suspicious call interception. Application scanning scans and analyzes the software installed on the mobile terminal, matches it against an existing malware library, and prompts for and deletes software that matches. Process monitoring watches processes in the terminal that can record or access the microphone; these processes are monitored during a call, and processes that meet the monitoring conditions are identified, reported, and terminated. For example, a process that reads the microphone during a call and reads and writes a large number of files is treated as suspicious. Suspicious incoming and outgoing call interception matches the number of the other party against a database, intercepts calls whose numbers are on the database blacklist, and reminds the user about suspicious incoming or outgoing calls.
Because the antivirus anti-eavesdropping function depends on a feature library, scanning for malware and detecting processes both require matching against feature codes, which must be provided by a background server. Feature codes are generated from trojans or malware that have already been identified, often after they have spread widely. Although cloud-based scanning can shorten the identification time to some extent, it cannot solve the real-time problem. In addition, antivirus software usually provides eavesdropping protection at the application layer, that is, it only scans and judges applications, and is usually ineffective against injection attacks on the framework layer and the operating system layer.
External-equipment eavesdropping protection adds a portable external device without changing the original structure of the mobile terminal. Such devices fall into two types: signal flow monitoring and voice signal reprocessing. Some external devices monitor the signal flow, for example by converting the signal acquisition source and providing a voice acquisition indication signal to identify the communication state, thereby determining whether the microphone of the mobile terminal is in use or collecting voice. Other devices provide a dedicated voice privacy device for the mobile terminal that re-acquires and processes the voice signal, adds noise and so on, raising the barrier to eavesdropping. However, external equipment increases the cost of protection, is inconvenient to carry, and is difficult to popularize in practical use.
Some customized-system protections involve hardware re-customization and others involve operating system customization. They mainly redesign the voice stream processing, microphone, telephony subsystem modules and the like of the smart terminal operating system, monitor hardware calls related to terminal calls, and provide protection against call eavesdropping. This design destroys the integrity of the native operating system and is not conducive to the healthy development of a unified smart terminal ecosystem; new defects may be introduced along with the protection mechanism; moreover, such eavesdropping protection is highly customized, can only target specific models, and cannot be deployed on a large scale.
Disclosure of Invention
In order to prevent the call from being eavesdropped and ensure that the normal function of the terminal is not influenced, the invention provides an eavesdropping behavior detection method, which comprises the following steps:
S1, acquiring a first state parameter of the current incoming call, establishing a first state matrix according to the acquired first state parameter, and calculating a first characteristic value of the first state matrix;
S2, comparing the first characteristic value with a preset blacklist and a preset white list, and blocking the current incoming call when the first characteristic value exists in the blacklist; and when the first characteristic value exists in the white list, continuing to answer the current incoming call.
In step S2, when the first characteristic value is in neither the blacklist nor the white list, step S3 is executed;
S3, judging whether the first characteristic value exists in a state model, if so, comparing the weight corresponding to the first characteristic value with a preset range, and if the first characteristic value is larger than or equal to the upper limit value of the preset range, continuing to answer the current incoming call and ending the process; when the first characteristic value is smaller than or equal to the lower limit value of the preset range, blocking the current incoming call and ending the process; when the first characteristic value meets the preset range, executing step S4; if the first characteristic value does not exist in the state model, adding the first characteristic value to the state model, setting the weight corresponding to the first characteristic value as an initial value, and performing step S4;
S4, prompting the user whether to continue answering the current call and receiving the user's selection; if the user selects to continue answering, continuing to answer the current call and increasing the weight corresponding to the first characteristic value; if the user selects not to continue answering, blocking the current call and decreasing the weight corresponding to the first characteristic value.
Wherein the first state parameter comprises: at least one of a screen state, a screen interface, a gravitational acceleration, a network connection state, an uplink volume state, a memory state, and a data traffic state.
In step S1, the acquiring the first state parameter of the current incoming call specifically includes:
the method comprises the steps of obtaining first state parameters before answering a current incoming call, when answering the current incoming call and after answering the current incoming call.
Before step S1, the method further includes:
acquiring a second state parameter of a normal call, establishing a second state matrix according to the second state parameter, calculating a second characteristic value of the second state matrix, and adding the second characteristic value to the white list;
acquiring a third state parameter of the wiretap call, establishing a third state matrix according to the third state parameter, calculating a third characteristic value of the third state matrix, and adding the third characteristic value to the blacklist.
The invention also discloses a device for detecting the eavesdropping behavior, which comprises:
the characteristic calculation unit is used for acquiring a first state parameter of the current incoming call, establishing a first state matrix according to the acquired first state parameter, and calculating a first characteristic value of the first state matrix;
the characteristic comparison unit is used for comparing the first characteristic value with a preset blacklist and a preset white list and blocking the current incoming call when the first characteristic value exists in the blacklist; and when the first characteristic value exists in the white list, continuously answering the current incoming call.
The characteristic comparison unit is further configured to call a model judgment unit when the first characteristic value does not exist in the blacklist and the whitelist;
the model judging unit is used for judging whether the first characteristic value exists in a state model or not, comparing the weight corresponding to the first characteristic value with a preset range if the first characteristic value exists in the state model, and continuously answering the current incoming call when the first characteristic value is larger than or equal to the upper limit value of the preset range; when the first characteristic value is smaller than or equal to the lower limit value of the preset range, the current incoming call is blocked; when the first characteristic value meets the preset range, calling a user selection unit; if the first characteristic value does not exist in the state model, adding the first characteristic value into the state model, setting the weight corresponding to the first characteristic value as an initial value, and calling a user selection unit;
and the user selection unit is used for prompting the user whether to continuously answer the current call or not, receiving a selection instruction of the user, continuously answering the current call and increasing the weight corresponding to the first characteristic value if the user selects to continuously answer, and blocking the current call and reducing the weight corresponding to the first characteristic value if the user selects not to continuously answer.
Wherein the first state parameter comprises: at least one of a screen state, a screen interface, a gravitational acceleration, a network connection state, an uplink volume state, a memory state, and a data traffic state.
The feature calculating unit is further configured to obtain first state parameters before answering the current incoming call, when answering the current incoming call, and after answering the current incoming call, respectively.
Wherein the apparatus further comprises:
the white list establishing unit is used for acquiring a second state parameter of the normal call, establishing a second state matrix according to the second state parameter, calculating a second characteristic value of the second state matrix, and adding the second characteristic value to the white list;
and the blacklist establishing unit is used for acquiring a third state parameter of the wiretap call, establishing a third state matrix according to the third state parameter, calculating a third characteristic value of the third state matrix, and adding the third characteristic value to the blacklist.
The invention does not depend on a remote feature library, does not change the original structures of the terminal and the system, does not need to increase external equipment, and only needs to acquire the first state parameter of the current incoming call, establish a first state matrix according to the first state parameter, compare the first characteristic value of the first state matrix with a preset blacklist and a preset white list, and determine the processing of the current incoming call according to the comparison result, thereby preventing the call from being intercepted and simultaneously ensuring that the normal function of the terminal is not influenced.
Drawings
Fig. 1 is a flowchart of an eavesdropping detection method according to an embodiment of the present invention;
Fig. 2 is a flowchart of an eavesdropping detection method according to an embodiment of the present invention;
Fig. 3 is a block diagram of an eavesdropping detecting device according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
Fig. 1 is a flowchart of an eavesdropping detection method according to an embodiment of the present invention; referring to fig. 1, the method includes:
S1, acquiring a first state parameter of the current incoming call, establishing a first state matrix according to the acquired first state parameter, and calculating a first characteristic value of the first state matrix;
In a specific implementation, the state of the terminal can be divided into a "dumb state" and an "on state" according to whether there is an incoming call; the "dumb state" is the parameter state when no incoming call is received, and the "on state" is the parameter state when the incoming call is connected.
The state parameters may include:
(a) Screen state. The screen state can be acquired by registering PowerManager and calling its isScreenOn() function;
(b) Screen interface. Because Android manages application processes by pushing Activity objects onto a task stack, the top element of the stack is the currently running process, so the screen interface can be obtained by reading the top element of the task stack when a call comes in;
(c) Gravitational acceleration. When the mobile terminal changes from the "dumb state" to the "on state", a SensorManager is registered; the acceleration sensor senses the acceleration of the mobile terminal along the x, y and z directions. A threshold of 15, set through testing, is applied to the readings, and the terminal is judged to be moving when the acceleration along any one of the three directions exceeds the threshold;
(d) Network connection state. A TelephonyManager is registered and the network connection state of the terminal is monitored by creating a PhoneStateListener; in the result it returns, DATA_DISCONNECTED means the network is disconnected, DATA_CONNECTING means the network is connecting, and DATA_CONNECTED means the network is connected;
(e) Uplink volume state. AudioRecord can be used to analyze the uplink volume VOICE_UPLINK during the call, and the signal can be processed with techniques such as background sound filtering;
(f) Memory state. By registering an ActivityManager, the data in the file "/proc/meminfo" can be read to obtain information about the memory;
(g) Data traffic state. Traffic statistics can be obtained through the TrafficStats class; the getTotalTxBytes() function obtains the total sent traffic, and a traffic.
Of course, other parameters may be included similarly, and this embodiment is not limited thereto.
It should be noted that the first state parameter of the current incoming call includes: the first state parameter before answering the current call, the first state parameter when answering the current call, and the first state parameter after answering the current call, therefore, in step S1, the obtaining the first state parameter of the current call specifically includes:
first state parameters before answering a current incoming call, when answering the current incoming call and after answering the current incoming call are respectively obtained.
It is understood that the first state parameters include: at least one of a screen status, a screen interface, a gravitational acceleration, a network connection status, an uplink volume status, a memory status, and a data traffic status, but of course, other similar parameters may also be included.
S2, comparing the first characteristic value with a preset blacklist and a preset white list, and blocking the current incoming call when the first characteristic value exists in the blacklist; and when the first characteristic value exists in the white list, continuously answering the current incoming call.
According to the method, a remote feature library is not relied on, the original structures of the terminal and the system are not changed, external equipment is not required to be added, only the first state parameter of the current incoming call is obtained, the first state matrix is established according to the first state parameter, the first feature value of the first state matrix is compared with the preset blacklist and the preset white list, and the current incoming call is determined to be processed according to the comparison result, so that the call is prevented from being intercepted, and meanwhile, the normal function of the terminal is not influenced.
Because different call scenarios produce different state parameters, a pre-established white list and blacklist can hardly cover all call scenarios, and a call whose state parameters appear in neither list cannot be decided. To solve this problem, optionally, in step S2, when the first characteristic value exists in neither the blacklist nor the white list, step S3 is executed;
S3, judging whether the first characteristic value exists in a state model, if so, comparing the weight corresponding to the first characteristic value with a preset range, and if the first characteristic value is larger than or equal to the upper limit value of the preset range, continuing to answer the current incoming call and ending the process; when the first characteristic value is smaller than or equal to the lower limit value of the preset range, blocking the current incoming call and ending the process; when the first characteristic value satisfies the preset range (it should be noted that the preset range does not include the upper limit value and the lower limit value), step S4 is executed; if the first characteristic value does not exist in the state model, adding the first characteristic value to the state model, setting the weight corresponding to the first characteristic value as an initial value, and performing step S4;
S4, prompting the user whether to continue answering the current call and receiving the user's selection; if the user selects to continue answering, continuing to answer the current call and increasing the weight corresponding to the first characteristic value; if the user selects not to continue answering, blocking the current call and decreasing the weight corresponding to the first characteristic value.
In the above process, the risk that a call is being eavesdropped can be classified into three levels, high, medium, and low, according to how likely eavesdropping is. High indicates that the call is likely being used for environment eavesdropping and should be blocked as soon as possible; medium indicates that the possibility of eavesdropping is high, but the system cannot decide and needs the user to participate in the determination; low indicates a lower threat level that requires no blocking. The three levels correspond to three record tables, can be converted into one another, and are exposed through a user interaction interface.
Danger levels are classified according to the characteristic values and the judgment rules, and the call is blocked or an alarm is raised according to the result. For example, when the characteristic value is in the blacklist or the corresponding weight is less than or equal to -10, the danger level can be considered high; when the characteristic value is in neither the blacklist nor the white list and the corresponding weight is between -10 and 10, the danger level is medium.
In a specific implementation, the user is alerted for the medium danger level: the alert uses vibration and ringing and pops up an alarm box, the user makes the judgment and selection, and the user is also warned about suspicious processes. For the high danger level, the call is blocked directly, and application and process behavior monitoring is used to investigate suspicious programs and processes and remind the user to stop and uninstall the application. An interface for interacting with the user can be provided so that the user can take part in the anti-eavesdropping judgment, manually modify the blacklist, and feed back to the eavesdropping judgment module, making eavesdropping prevention more accurate.
The process of establishing the state model in steps S3 to S4 is described below with a specific example:
First, a state model is established, in which a model M = (fv, w) is created for each incoming call state, where fv denotes the characteristic value and w denotes the weight of that characteristic value.
When the user chooses to continue answering, the characteristic value λ is added to the model M and its weight is set to 1, that is, M = (λ, 1). Because the user's judgment may have been due to some accidental factor, when the characteristic value λ appears the next time and the user again chooses to answer, the corresponding weight is increased by a further 1, that is, M = (λ, 2), and so on.
When the user chooses not to continue answering, the characteristic value μ is added to the model M and its weight is set to -1, that is, M = (μ, -1). Because the user's judgment may likewise have been due to some accidental factor, when the characteristic value μ appears the next time and the user again chooses to hang up, the corresponding weight is decreased by a further 1, that is, M = (μ, -2), and so on.
Through self-learning, the model M = (fv, w) is continuously refined. Once the weight corresponding to some characteristic value α is greater than or equal to 10, a later incoming call whose characteristic value is α can continue to be answered; likewise, once the weight corresponding to some characteristic value β is less than or equal to -10, a later incoming call whose characteristic value is β is blocked.
In a specific implementation, since the black list and the white list are preset, before step S1, the method may further include a process of establishing the black list and the white list:
S001: acquiring a second state parameter of a normal call (correspondingly, the first state parameter of the normal call comprises the second state parameter before answering the normal call, the second state parameter when answering the normal call and the second state parameter after answering the normal call), establishing a second state matrix according to the second state parameter, calculating a second characteristic value of the second state matrix, and adding the second characteristic value into the white list;
The list creation process is illustrated below with a specific example:
When the user answers a normal call, the state parameters from two seconds before CALL_STATE_RINGING is observed (before answering the normal call) to five seconds after CALL_STATE_OFFHOOK is observed (after answering the normal call) may be as follows.
(a) Screen state: lock screen (represented by 0) -> unlock (represented by 1) -> lock screen;
(b) Screen interface: other interface (represented by 0) -> call interface (represented by 1) -> call interface;
(c) Gravitational acceleration: no gravitational acceleration (represented by 0) -> gravitational acceleration produced (represented by 1) -> no gravitational acceleration;
(d) Network connection state: no network connection (represented by 0) -> no network connection (represented by 0);
(e) Uplink volume state: no sound (represented by 0) -> volume present (represented by 1);
(f) Memory state: memory size a -> memory size a;
(g) Data traffic state: data traffic size b -> data traffic size b.
From the above variations, the following state matrix can be established:
Figure BDA0000725313420000101
The rows of the matrix represent parameters a to g, and the columns represent the values of the corresponding parameters in three conditions: 2 s before the incoming call state, 2 s after the incoming call state, and 5 s after the incoming call state.
The characteristic value λ1 of the state matrix can be obtained by calculation. Because a call is judged to be normal when this state matrix appears, λ1 can be added to the white list; on the next incoming call the characteristic value of the state matrix is obtained, and if it is λ1 the call can continue to be answered.
S002: acquiring a third state parameter of the wiretap call (correspondingly, the first state parameter of the wiretap call comprises the third state parameter before wiretap call answering, the third state parameter when wiretap call answering and the third state parameter after wiretap call answering), establishing a third state matrix according to the third state parameter, calculating a third characteristic value of the third state matrix, and adding the third characteristic value into the blacklist.
The process of establishing the blacklist is described below with a specific example. As in the white list example above, the following describes a case in which the call is highly likely to be eavesdropped.
(a) Screen state: lock screen -> lock screen; to achieve silent answering, the malicious code installed in the phone does not unlock the screen when the eavesdropping call is connected;
(b) Screen interface: other interface -> other interface; so as not to be noticed by the user, the call interface does not appear during the eavesdropping call;
(c) Gravitational acceleration: no gravitational acceleration -> no gravitational acceleration; because the user is unaware of the call, there is no motion of answering it;
(d) Network connection state: no network connection -> network connection present; the network connection may be opened during the call in order to upload the call recording;
(e) Uplink volume state: no sound -> no sound; so as not to be noticed by the user, the receiver is generally turned off when the eavesdropping call is connected;
(f) Memory state: memory size a -> memory size a + inc1; during an eavesdropping call the call may be covertly recorded and temporarily stored;
(g) Data traffic state: data traffic size b -> data traffic size b + inc2.
The following user state matrix may be established:
Figure BDA0000725313420000121
The rows of the matrix represent parameters a to g, and the columns represent the values of the corresponding parameters in three conditions: 2 s before the incoming call state, from 2 s after the incoming call state to the answering state, and 5 s after the answering state.
The characteristic value λ2 of the state matrix can be obtained by calculation. Because a call is judged to be eavesdropped when such a state matrix occurs, λ2 can be added to the blacklist; on the next incoming call the characteristic value of the state matrix is obtained, and if it is λ2 the call is blocked automatically.
In the above manner, a black list and a white list of feature values can be established by analysis.
Fig. 3 is a block diagram of an eavesdropping detection device according to an embodiment of the present invention. Referring to Fig. 3, the device includes:
a characteristic calculation unit, configured to acquire a first state parameter of the current incoming call, establish a first state matrix according to the acquired first state parameter, and calculate a first characteristic value of the first state matrix;
a characteristic comparison unit, configured to compare the first characteristic value with a preset blacklist and a preset white list, to block the current incoming call when the first characteristic value exists in the blacklist, and to continue answering the current incoming call when the first characteristic value exists in the white list.
Optionally, the characteristic comparison unit is further configured to call a model judgment unit when the first characteristic value exists in neither the blacklist nor the white list;
the model judgment unit is configured to judge whether the first characteristic value exists in a state model; if the first characteristic value exists in the state model, to compare the weight corresponding to the first characteristic value with a preset range, to continue answering the current incoming call when the first characteristic value is greater than or equal to the upper limit of the preset range, to block the current incoming call when the first characteristic value is less than or equal to the lower limit of the preset range, and to call a user selection unit when the first characteristic value falls within the preset range; and, if the first characteristic value does not exist in the state model, to add the first characteristic value to the state model, set the weight corresponding to the first characteristic value to an initial value, and call the user selection unit;
the user selection unit is configured to prompt the user whether to continue answering the current call and to receive the user's selection instruction; if the user chooses to continue answering, to continue answering the current call and increase the weight corresponding to the first characteristic value; and if the user chooses not to continue answering, to block the current call and decrease the weight corresponding to the first characteristic value.
Optionally, the first state parameter includes: at least one of a screen state, a screen interface, a gravitational acceleration, a network connection state, an uplink volume state, a memory state, and a data traffic state.
Optionally, the feature calculating unit is further configured to obtain first state parameters before answering the current incoming call, when answering the current incoming call, and after answering the current incoming call, respectively.
Optionally, the apparatus further comprises:
a white list establishing unit, configured to acquire a second state parameter of a normal call, establish a second state matrix according to the second state parameter, calculate a second characteristic value of the second state matrix, and add the second characteristic value to the white list;
a blacklist establishing unit, configured to acquire a third state parameter of the wiretap call, establish a third state matrix according to the third state parameter, calculate a third characteristic value of the third state matrix, and add the third characteristic value to the blacklist.
The above embodiments only illustrate the invention and are not to be construed as limiting it. Those skilled in the art can make various changes and modifications without departing from the spirit and scope of the invention; all equivalent technical solutions therefore also fall within the scope of the invention, which is defined by the claims.
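The list-building steps and the blacklist / white list / state-model / user-prompt decision flow described above, as an added example that is not part of the patent text. Assumptions: the 0/1 matrix encodings are constructed, a SHA-256 fingerprint stands in for the "characteristic value" (the page does not show how it is computed), the weight rather than the characteristic value is what is compared with the preset range, the range is -2 to 2 with initial weight 0, and all names are hypothetical.

```python
import hashlib

# Rows follow items (a)-(g); columns are before / during / after answering.
PARAMS = ("screen", "interface", "gravity", "network", "uplink", "memory", "traffic")

# Constructed encodings (0/1 flags; memory and traffic rows flag an increase).
EAVESDROP = [[0, 0, 0],   # (a) screen stays locked
             [0, 0, 0],   # (b) call interface never shown
             [0, 0, 0],   # (c) no pick-up motion
             [0, 0, 1],   # (d) network connection appears
             [0, 0, 0],   # (e) no sound
             [0, 0, 1],   # (f) memory grows by inc1
             [0, 0, 1]]   # (g) traffic grows by inc2
NORMAL = [[0, 1, 1], [0, 1, 1], [0, 1, 0], [0, 0, 0], [0, 1, 1], [0, 0, 0], [0, 0, 0]]


def feature_value(matrix):
    """Assumed stand-in for the 'characteristic value': a matrix fingerprint."""
    if len(matrix) != len(PARAMS) or any(len(row) != 3 for row in matrix):
        raise ValueError("state matrix must be 7 rows x 3 columns")
    flat = ",".join(str(int(v)) for row in matrix for v in row)
    return hashlib.sha256(flat.encode()).hexdigest()[:16]


class Detector:
    def __init__(self, lower=-2, upper=2, initial=0):  # assumed range and initial weight
        self.blacklist, self.whitelist = set(), set()
        self.model = {}  # state model: feature value -> weight
        self.lower, self.upper, self.initial = lower, upper, initial

    def decide(self, matrix, ask_user):
        """Return 'answer' or 'block'; ask_user(fv) -> bool is called only at the prompt step."""
        fv = feature_value(matrix)
        if fv in self.blacklist:            # known eavesdropping pattern
            return "block"
        if fv in self.whitelist:            # known normal pattern
            return "answer"
        if fv in self.model:                # seen before: consult its weight
            weight = self.model[fv]
            if weight >= self.upper:
                return "answer"
            if weight <= self.lower:
                return "block"
        else:                               # first sighting: start at the initial weight
            self.model[fv] = self.initial
        keep = bool(ask_user(fv))           # user decides and the weight is adjusted
        self.model[fv] += 1 if keep else -1
        return "answer" if keep else "block"


def build_detector():
    """Seed the lists from one normal and one eavesdropped sample call."""
    det = Detector()
    det.whitelist.add(feature_value(NORMAL))
    det.blacklist.add(feature_value(EAVESDROP))
    return det
```

With these assumed bounds, a pattern the user rejects twice reaches the lower limit and is blocked on the third call without a prompt.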

Claims (8)

1. An eavesdropping detection method, comprising:
S1, acquiring a first state parameter of the current incoming call, establishing a first state matrix according to the acquired first state parameter, and calculating a first characteristic value of the first state matrix;
S2, comparing the first characteristic value with a preset blacklist and a preset white list, and blocking the current incoming call when the first characteristic value exists in the blacklist; when the first characteristic value exists in the white list, continuing to answer the current incoming call;
in step S2, if the first characteristic value is in neither the blacklist nor the white list, performing step S3;
S3, judging whether the first characteristic value exists in a state model; if so, comparing the weight corresponding to the first characteristic value with a preset range, and when the first characteristic value is greater than or equal to the upper limit of the preset range, continuing to answer the current incoming call and ending the process; when the first characteristic value is less than or equal to the lower limit of the preset range, blocking the current incoming call and ending the process; when the first characteristic value falls within the preset range, executing step S4; if the first characteristic value does not exist in the state model, adding the first characteristic value to the state model, setting the weight corresponding to the first characteristic value to an initial value, and performing step S4;
S4, prompting the user whether to continue answering the current call and receiving the user's selection instruction; if the user chooses to continue answering, continuing to answer the current call and increasing the weight corresponding to the first characteristic value; and if the user chooses not to continue answering, blocking the current call and decreasing the weight corresponding to the first characteristic value.
2. The method of claim 1, wherein the first state parameter comprises: at least one of a screen state, a screen interface, a gravitational acceleration, a network connection state, an uplink volume state, a memory state, and a data traffic state.
3. The method according to claim 1, wherein in step S1, the acquiring the first state parameter of the current incoming call specifically includes:
obtaining the first state parameters before answering the current incoming call, when answering the current incoming call, and after answering the current incoming call.
4. The method according to claim 1, wherein before step S1, the method further comprises:
acquiring a second state parameter of a normal call, establishing a second state matrix according to the second state parameter, calculating a second characteristic value of the second state matrix, and adding the second characteristic value to the white list;
acquiring a third state parameter of the wiretap call, establishing a third state matrix according to the third state parameter, calculating a third characteristic value of the third state matrix, and adding the third characteristic value to the blacklist.
5. An eavesdropping behavior detection apparatus, comprising:
a characteristic calculation unit, configured to acquire a first state parameter of the current incoming call, establish a first state matrix according to the acquired first state parameter, and calculate a first characteristic value of the first state matrix;
a characteristic comparison unit, configured to compare the first characteristic value with a preset blacklist and a preset white list, to block the current incoming call when the first characteristic value exists in the blacklist, and to continue answering the current incoming call when the first characteristic value exists in the white list;
the characteristic comparison unit is further configured to call a model judgment unit when the first characteristic value exists in neither the blacklist nor the white list;
the model judgment unit is configured to judge whether the first characteristic value exists in a state model; if the first characteristic value exists in the state model, to compare the weight corresponding to the first characteristic value with a preset range, to continue answering the current incoming call when the first characteristic value is greater than or equal to the upper limit of the preset range, to block the current incoming call when the first characteristic value is less than or equal to the lower limit of the preset range, and to call a user selection unit when the first characteristic value falls within the preset range; and, if the first characteristic value does not exist in the state model, to add the first characteristic value to the state model, set the weight corresponding to the first characteristic value to an initial value, and call the user selection unit;
the user selection unit is configured to prompt the user whether to continue answering the current call and to receive the user's selection instruction; if the user chooses to continue answering, to continue answering the current call and increase the weight corresponding to the first characteristic value; and if the user chooses not to continue answering, to block the current call and decrease the weight corresponding to the first characteristic value.
6. The apparatus of claim 5, wherein the first state parameter comprises: at least one of a screen state, a screen interface, a gravitational acceleration, a network connection state, an uplink volume state, a memory state, and a data traffic state.
7. The apparatus of claim 5, wherein the feature calculating unit is further configured to obtain the first status parameters before answering the current incoming call, when answering the current incoming call, and after answering the current incoming call, respectively.
8. The apparatus of claim 5, further comprising:
a white list establishing unit, configured to acquire a second state parameter of a normal call, establish a second state matrix according to the second state parameter, calculate a second characteristic value of the second state matrix, and add the second characteristic value to the white list;
a blacklist establishing unit, configured to acquire a third state parameter of the wiretap call, establish a third state matrix according to the third state parameter, calculate a third characteristic value of the third state matrix, and add the third characteristic value to the blacklist.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510279225.XA CN105050091B (en) 2015-05-27 2015-05-27 Eavesdropping behavior detection method and device

Publications (2)

Publication Number Publication Date
CN105050091A CN105050091A (en) 2015-11-11
CN105050091B true CN105050091B (en) 2020-04-10
