CN108415815A - A method for judging abnormal APP software running data - Google Patents

Info

Publication number: CN108415815A
Authority: CN (China)
Legal status: Granted
Application number: CN201810077200.5A
Other languages: Chinese (zh)
Other versions: CN108415815B (en)
Inventors: 姜瑛, 徐玉强, 李凌宇, 刘英莉, 丁家满, 汪海涛
Current assignee: Kunming University of Science and Technology
Original assignee: Kunming University of Science and Technology
Application filed by Kunming University of Science and Technology

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3452 Performance evaluation by statistical analysis
    • G06F11/3466 Performance evaluation by tracing or monitoring
    • G06F11/3476 Data logging
    • G06F2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/865 Monitoring of software

Abstract

The invention relates to a method for judging abnormal APP software running data and belongs to the field of APP software running detection. The method takes an APP software running data set as input, labels the data set based on the system log, judges data anomalies in the data set with an SVM, and outputs the judgment result. The invention combines mobile phone log information with the SVM algorithm, which helps judge more accurately whether APP application data is abnormal; it optimizes the relevant SVM parameters, which helps improve judgment accuracy; and it expands the SVM training data set, which also helps improve judgment accuracy.

Description

A method for judging abnormal APP software running data
Technical field
The invention relates to a method for judging abnormal APP software running data and belongs to the field of APP software running detection.
Background
On the Android platform, methods for judging APP software anomalies mainly use machine learning to build a model from training data and then use that model to judge whether the software is abnormal. For example, Sun Min et al. used a feature-weighted K-nearest-neighbor method to reduce the SVM training set and build the classifier. Liu Xiaoming et al. proposed using only benign samples as the training set and then building a benign-application behavior model with the nearest-neighbor (KNN) machine learning algorithm to judge whether APP software is abnormal.
Current methods for judging APP software anomalies mainly aim at lightweight judgment over large numbers of samples: they build a trained data model with machine learning and then judge the APP software running data. They do not combine system log information, the system's resource consumption state and the APP software's resource consumption state, and the training samples are not updated promptly, which lowers the recognition accuracy of the judgment method.
Summary of the invention
To address these problems, the invention provides a method for judging abnormal APP software running data, which helps users find out whether APP software behaves abnormally during use.
The technical solution of the invention is a method for judging abnormal APP software running data, with the following specific steps:
S1. Take the APP software running data set as input. The data set is U = {u_1, u_2, ..., u_n}, where u_x = (UTime_x, UPid_x, Rcpu_x, Rmem_x, ProNum_x, SerNum_x, Smem_x, Scpu_x, U_flag_x) is the x-th APP software data record; UTime_x is the current system time in the x-th record; UPid_x is the process ID of the running APP software; Rcpu_x is the amount of CPU occupied by the APP software; Rmem_x is the amount of memory occupied by the APP software; ProNum_x is the number of system processes; SerNum_x is the number of system services; Smem_x is the amount of memory the system has used; Scpu_x is the amount of CPU the system has used; U_flag_x is the label of the x-th record; x = 1, 2, ..., n;
S2. Label the APP software running data set based on the system log:
S2.1. Initialize i = 1, j = 1, and execute step S2.2;
S2.2. If i ≤ n, traverse log file D and execute step S2.3 to judge whether j ≤ m; otherwise save the labelled data set U and end;
S2.3. If j ≤ m, execute step S2.4 to judge whether i = 1 holds; otherwise mark U_flag_i = 1, set i = i + 1, and execute step S2.2;
S2.4. If i = 1 holds, execute step S2.6 to judge whether DTime_j < UTime_i holds; otherwise execute step S2.5 to judge whether DTime_j > UTime_{i-1} holds;
S2.5. If DTime_j > UTime_{i-1} holds, execute step S2.6 to judge whether DTime_j < UTime_i holds; otherwise set j = j + 1 and execute step S2.3;
S2.6. If DTime_j < UTime_i holds, execute step S2.7 to judge whether DPid_j = UPid_i holds; otherwise mark U_flag_i = 1, set i = i + 1, and execute step S2.2;
S2.7. If DPid_j = UPid_i holds, execute step S2.8 to judge whether Type_j = "E" holds; otherwise set j = j + 1 and execute step S2.3;
S2.8. If Type_j = "E" holds, mark U_flag_i = -1, set i = i + 1, and execute step S2.2; otherwise execute step S2.9 to judge whether Message_j contains an application programming interface string, where an application programming interface string is the name of a function that the APP software must call to perform a certain operation;
S2.9. If Message_j contains an application programming interface string, mark U_flag_i = -1, set i = i + 1, and execute step S2.2; otherwise execute step S2.10 to judge whether Message_j contains "Start" or "delete";
S2.10. If Message_j contains "Start" or "delete", execute step S2.11 to judge whether Message_j contains the application package name; otherwise set j = j + 1 and execute step S2.3; here the application package name is a unique string generated for each APP software in the system;
S2.11. If Message_j contains the application package name, mark U_flag_i = -1, set i = i + 1, and execute step S2.2; otherwise set j = j + 1 and execute step S2.3;
Here the system log file is D = {d_1, d_2, ..., d_m}, where d_y = (DTime_y, Type_y, DPid_y, Tag_y, Message_y) is the y-th row of system log information; DTime_y is the time at which the y-th row was generated; Type_y is the type of the y-th row; DPid_y is the process ID of the APP software running in the y-th row; Tag_y is the name or class name of the Activity of the APP software running in the y-th row; Message_y is the detailed information related to the running APP software in the y-th row; y = 1, 2, ..., m;
S3. Judge data anomalies in the APP software running data set based on SVM:
S3.1. Initialize the data: c = 2^-8, g = 2^-8, g_cur = 0, c_max = 2^3, g_max = 2^3, v = 0, acc_max = 0, great_c = 0, great_g = 0, k = 10, b = 0, Lagrange is empty; execute step S3.2. Here c is the penalty factor, g is the radial basis kernel function parameter, g_cur is a temporary variable, c_max is the maximum value of c, g_max is the maximum value of g, v is the number of iterations, v_max is the maximum number of iterations, acc_max is the maximum accuracy of the SVM algorithm on the App software running training data set T, acc is the accuracy of the SVM algorithm on T, k is the increment of c and g in each iteration, b is a constant of the SVM classification-surface function, and Lagrange is the set of Lagrange multipliers of the records in T;
S3.2. If v < v_max, execute step S3.6 to judge whether c < c_max + k holds; otherwise set c = great_c, g = great_g, compute the Lagrange multipliers and the parameter b for training data set T with the SVM algorithm, store the Lagrange multipliers in Lagrange, initialize the data by obtaining the labelled data set U = {u_1, u_2, ..., u_n} and setting i = 1, and execute step S3.3 to judge whether i ≤ n holds;
S3.3. If i ≤ n holds, execute step S3.4 to judge whether U_flag_i = 1 holds; otherwise end;
S3.4. If U_flag_i = 1 holds, execute step S3.5 to judge whether the result of the SVM classification-surface function > 0 holds; otherwise output that u_i is abnormal, set i = i + 1, and execute step S3.3;
S3.5. If the result of the SVM classification-surface function > 0 holds, output that u_i is normal, add u_i to training data set T, set i = i + 1, and execute step S3.3; otherwise update the label to U_flag_i = -1, output that u_i is abnormal, add u_i to training data set T, set i = i + 1, and execute step S3.3;
S3.6. If c < c_max + k holds, execute step S3.7 to judge whether g < g_max + k holds; otherwise set g_cur = great_g - k, c_max = great_c + k, g_max = great_g + k, g = g_cur, c = great_c - k, k = k/10, v = v + 1, acc_max = 0, and execute step S3.2;
S3.7. If g < g_max + k holds, compute the classification accuracy acc of training data set T with the SVM algorithm and execute step S3.8 to judge whether acc > acc_max holds; otherwise execute step S3.10 to judge whether v = 0 holds;
S3.8. If acc > acc_max holds, execute step S3.9 to judge whether acc = 1 holds; otherwise set g = g + k and execute step S3.7;
S3.9. If acc = 1 holds, set great_c = c, great_g = g, g_cur = great_g - k, c_max = great_c + k, g_max = great_g + k, g = g_cur, c = great_c - k, k = k/10, v = v + 1, acc_max = 0, and execute step S3.2; otherwise set acc_max = acc, great_c = c, great_g = g, g = g + k, and execute step S3.7;
S3.10. If v = 0 holds, set c = c + k, g = 2^-8, and execute step S3.6; otherwise set c = c + k, g = g_cur, and execute step S3.6;
Here the App software running training data set is denoted T, T = {t_1, t_2, …, t_p}, t_p = (Rcpu_p, Rmem_p, ProNum_p, SerNum_p, Smem_p, Scpu_p, T_flag_p), where Rcpu_p is the amount of CPU occupied by the APP software in the p-th training record, Rmem_p is the amount of memory occupied by the APP software, ProNum_p is the number of system processes, SerNum_p is the number of system services, Smem_p is the amount of memory the system has used, Scpu_p is the amount of CPU the system has used, and T_flag_p indicates whether the p-th training record is normal or abnormal data;
S4. Output the judgment result: according to the result of step S3, output the APP software data records u_x with U_flag_x = -1 as abnormal data and the records u_x with U_flag_x = 1 as normal data, where x = 1, 2, ..., n.
The training data set T, including the APP software running data added to it, is used as the new data set for the next SVM-based judgment of anomalies in APP software running data.
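The (c, g) search of steps S3.1 to S3.10, written as nested loops; this is an added example, not code from the patent. `accuracy` is a caller-supplied callback that trains and scores the SVM on T, and `replay_accuracy` is a constructed stand-in that replays the accuracy values reported for the first search round in Embodiment 1 instead of training an SVM.

```python
def coarse_to_fine_search(accuracy, v_max=3, start=2 ** -8, upper=2 ** 3, k=10.0):
    """Steps S3.1-S3.10: sweep c and g on a grid of step k, then shrink the
    grid around the best point and divide k by 10, for v_max rounds.

    accuracy(c, g) -> float in [0, 1] is supplied by the caller.
    Returns (great_c, great_g, history); history holds one tuple
    (great_c, great_g, c_max, g_max, next_k) per round.
    """
    c = g = start                                  # S3.1
    c_max = g_max = upper
    great_c = great_g = g_cur = 0.0
    history = []
    for v in range(v_max):                         # S3.2: v < v_max
        acc_max = 0.0
        g_restart = start if v == 0 else g_cur     # S3.10: where g restarts
        perfect = False
        while c < c_max + k and not perfect:       # S3.6
            while g < g_max + k:                   # S3.7
                acc = accuracy(c, g)
                if acc > acc_max:                  # S3.8
                    great_c, great_g = c, g        # S3.9
                    if acc == 1:
                        perfect = True             # stop this round early
                        break
                    acc_max = acc
                g += k
            if not perfect:
                c, g = c + k, g_restart            # S3.10
        # Refinement: "otherwise" branch of S3.6, and S3.9 when acc = 1.
        g_cur = great_g - k
        c_max, g_max = great_c + k, great_g + k
        c, g = great_c - k, g_cur
        k /= 10
        history.append((great_c, great_g, c_max, g_max, k))
    return great_c, great_g, history


TARGET = 10 + 2 ** -8   # 10.00390625, the grid point where the trace reaches acc = 1


def replay_accuracy(c, g):
    """Constructed stand-in for SVM training: at c = 10.00390625 it returns
    0.800000011920929 for g = 2^-8 and 1 for g = 10.00390625 (the values in
    the embodiment's trace), and 0 everywhere else."""
    if abs(c - TARGET) > 1e-6:
        return 0.0
    if abs(g - TARGET) < 1e-6:
        return 1.0
    return 0.800000011920929 if abs(g - 2 ** -8) < 1e-6 else 0.0


if __name__ == "__main__":
    best_c, best_g, rounds = coarse_to_fine_search(replay_accuracy)
    for great_c, great_g, c_max, g_max, next_k in rounds:
        print(great_c, great_g, c_max, g_max, next_k)
    print("selected:", best_c, best_g)
```

The refinement sets c and g to great − k, which can be zero or negative when the best point lies near the lower edge of the grid; SVM libraries reject a non-positive penalty factor, so a real `accuracy` callback should clamp or skip such points.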
The beneficial effects of the invention are:
(1) The invention combines mobile phone log information with the SVM algorithm, which helps judge more accurately whether APP application data is abnormal.
(2) The invention optimizes the relevant SVM parameters, which helps improve judgment accuracy.
(3) The invention expands the SVM training data set, which helps improve judgment accuracy.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a flow chart of the data anomaly judgment method based on the mobile phone system log;
Fig. 3 is a flow chart of the SVM-based method for judging data anomalies in the APP software running data set.
Detailed description
Embodiment 1: As shown in Figs. 1-3, a method for judging abnormal APP software running data, with the following specific steps:
In this embodiment the APP software running data set U consists of 7 records, as shown in Table 1. U = {u_1, u_2, ..., u_n}, where u_i = (UTime_i, UPid_i, Rcpu_i, Rmem_i, ProNum_i, SerNum_i, Smem_i, Scpu_i, U_flag_i) (i = 1, 2, ..., n) is the i-th APP software data record; UTime_i is the current system time in the i-th record; UPid_i is the process ID of the running APP software; Rcpu_i is the amount of CPU occupied by the APP software; Rmem_i is the amount of memory occupied by the APP software; ProNum_i is the number of system processes; SerNum_i is the number of system services; Smem_i is the amount of memory the system has used; Scpu_i is the amount of CPU the system has used; U_flag_i is the label of the i-th record.
Table 1: APP software running data set U
In this example the APP software running training data set T consists of 10 records, as shown in Table 2. T = {t_1, t_2, …, t_p}, where t_p = (Rcpu_p, Rmem_p, ProNum_p, SerNum_p, Smem_p, Scpu_p, T_flag_p) (i = 1, 2, ..., p); Rcpu_p is the amount of CPU occupied by the APP software in the p-th training record; Rmem_p is the amount of memory occupied by the APP software; ProNum_p is the number of system processes; SerNum_p is the number of system services; Smem_p is the amount of memory the system has used; Scpu_p is the amount of CPU the system has used; T_flag_p indicates whether the p-th training record is normal or abnormal data (-1 means abnormal, 1 means normal).
Table 2: APP software running training data set T
In this example the system log file D consists of 6 records, as shown in Table 3. D = {d_1, d_2, ..., d_m}, where d_j = (DTime_j, Type_j, DPid_j, Tag_j, Message_j) (j = 1, 2, ..., m) is the j-th row of system log information; DTime_j is the time at which the j-th row was generated; Type_j is the type of the j-th row; DPid_j is the process ID of the APP software running in the j-th row; Tag_j is the name or class name of the Activity of the APP software running in the j-th row; Message_j is the detailed information related to the running APP software in the j-th row.
Table 3: System log file D
The method for judging abnormal APP software running data proceeds as follows:
Step 1: Input the APP software running data set U. There are 7 APP software running data records in this example, U = {u_1, u_2, u_3, u_4, u_5, u_6, u_7}:
u_1 = [UTime_1, UPid_1, Rcpu_1, Rmem_1, ProNum_1, SerNum_1, Smem_1, Scpu_1, U_flag_1] = [20170921113814, 7691, 12.84, 0.26, 29, 41, 409, 21.76, NULL],
u_2 = [UTime_2, UPid_2, Rcpu_2, Rmem_2, ProNum_2, SerNum_2, Smem_2, Scpu_2, U_flag_2] = [20170921114115, 7691, 13.77, 0.49, 28, 38, 413, 22.69, NULL],
u_3 = [UTime_3, UPid_3, Rcpu_3, Rmem_3, ProNum_3, SerNum_3, Smem_3, Scpu_3, U_flag_3] = [20170921114549, 7691, 12.99, 0.32, 30, 41, 412, 21.15, NULL],
u_4 = [UTime_4, UPid_4, Rcpu_4, Rmem_4, ProNum_4, SerNum_4, Smem_4, Scpu_4, U_flag_4] = [20170921115052, 7691, 13.21, 0.27, 29, 41, 425, 14.91, NULL],
u_5 = [UTime_5, UPid_5, Rcpu_5, Rmem_5, ProNum_5, SerNum_5, Smem_5, Scpu_5, U_flag_5] = [20170921115224, 7691, 12.93, 0.00, 28, 40, 409, 12.20, NULL],
u_6 = [UTime_6, UPid_6, Rcpu_6, Rmem_6, ProNum_6, SerNum_6, Smem_6, Scpu_6, U_flag_6] = [20170921115346, 7691, 12.77, 0.31, 29, 41, 422, 35.13, NULL],
u_7 = [UTime_7, UPid_7, Rcpu_7, Rmem_7, ProNum_7, SerNum_7, Smem_7, Scpu_7, U_flag_7] = [20170921115457, 7691, 12.93, 0.00, 28, 40, 409, 13.19, NULL];
Step 2: Label the APP software running data set based on the system log. The system log file D has 6 records in this example, D = {d_1, d_2, d_3, d_4, d_5, d_6}:
d_1 = [DTime_1, Type_1, DPid_1, Tag_1, Message_1] = [20170921113714, E, 7691, qjqx, java.lang.NullPointerException],
d_2 = [DTime_2, Type_2, DPid_2, Tag_2, Message_2] = [20170921113818, D, 24379, Trace, java.net.InetAddress.lookupHostByName],
d_3 = [DTime_3, Type_3, DPid_3, Tag_3, Message_3] = [20170921113954, D, 7691, qjqx, Unexpected value from nativeGetEnabledTags:0],
d_4 = [DTime_4, Type_4, DPid_4, Tag_4, Message_4] = [20170921114024, D, 7691, qjqx, Start proc com.hzl.flashlight6 for Activity],
d_5 = [DTime_5, Type_5, DPid_5, Tag_5, Message_5] = [20170921114345, D, 7691, qjqx, action:ACTION_MAIN_CIRCLESERVICE],
d_6 = [DTime_6, Type_6, DPid_6, Tag_6, Message_6] = [20170921114555, D, 7691, qjqx, query () begin uri=content://sms];
Specific method:
1) Initialize: i = 1, j = 1;
2) Judge whether i ≤ n: 1 < 7; traverse the log file, execute 3);
3) Judge whether j ≤ m: 1 < 6; judge whether i = 1: 1 == 1, execute 4);
4) Judge whether DTime_1 < UTime_1: 20170921113714 < 20170921113814, execute 5);
5) Judge whether DPid_1 = UPid_1: 7691 == 7691, execute 6);
6) Judge whether Type_1 = "E": "E" == "E"; mark U_flag_1 = -1, i++, execute 2);
2) Judge whether i ≤ n: 2 < 7; traverse the log file, execute 3);
3) Judge whether j ≤ m: 1 < 6; judge whether i = 1: 2 != 1, execute 7);
7) Judge whether DTime_1 > UTime_{2-1}: 20170921113714 < 20170921113814; j++, execute 3);
3) Judge whether j ≤ m: 2 < 6; judge whether i = 1: 2 != 1, execute 7);
7) Judge whether DTime_2 > UTime_{2-1}: 20170921113818 > 20170921113814, execute 4);
4) Judge whether DTime_2 < UTime_2: 20170921113818 < 20170921114115, execute 5);
5) Judge whether DPid_2 = UPid_2: 24379 != 7691; j++, execute 3);
3) Judge whether j ≤ m: 3 < 6; judge whether i = 1: 3 != 1, execute 7);
7) Judge whether DTime_3 > UTime_{2-1}: 20170921113954 > 20170921113814, execute 4);
4) Judge whether DTime_3 < UTime_2: 20170921113954 < 20170921114115, execute 5);
5) Judge whether DPid_3 = UPid_2: 7691 == 7691, execute 6);
6) Judge whether Type_3 = "E": "D" != "E", execute 8);
8) Judge whether Message_3 contains an application programming interface string: "Unexpected value from nativeGetEnabledTags:0" does not contain an application programming interface string, execute 9);
9) Judge whether Message_3 contains "Start" or "delete": "Unexpected value from nativeGetEnabledTags:0" contains neither "Start" nor "delete"; j++, execute 3);
3) Judge whether j ≤ m: 4 < 6; judge whether i = 1: 2 != 1, execute 7);
7) Judge whether DTime_4 > UTime_{2-1}: 20170921114024 > 20170921113814, execute 4);
4) Judge whether DTime_4 < UTime_2: 20170921114024 < 20170921114115, execute 5);
5) Judge whether DPid_4 = UPid_2: 7691 == 7691, execute 6);
6) Judge whether Type_4 = "E": "D" != "E", execute 8);
8) Judge whether Message_4 contains an application programming interface string: "Start proc com.hzl.flashlight6 for activity" does not contain an application programming interface string, execute 9);
9) Judge whether Message_4 contains "Start" or "delete": "Start proc com.hzl.flashlight6 for activity" contains "Start", execute 10);
10) Judge whether Message_4 contains the application package name: "Start proc com.hzl.flashlight6 for activity" contains "com.hzl.flashlight6"; mark U_flag_2 = -1, i++, execute 2);
2) Judge whether i ≤ n: 3 < 7; traverse the log file, execute 3);
3) Judge whether j ≤ m: 4 < 6; judge whether i = 1: 3 != 1, execute 7);
7) Judge whether DTime_4 > UTime_{3-1}: 20170921114024 < 20170921114115; j++, execute 3);
3) Judge whether j ≤ m: 5 < 6; judge whether i = 1: 3 != 1, execute 7);
7) Judge whether DTime_5 > UTime_{3-1}: 20170921114345 > 20170921114115, execute 4);
4) Judge whether DTime_5 < UTime_3: 20170921114345 < 20170921114549, execute 5);
5) Judge whether DPid_5 = UPid_3: 7691 == 7691, execute 6);
6) Judge whether Type_5 = "E": "D" != "E", execute 8);
8) Judge whether Message_4 contains an application programming interface string: "action:ACTION_MAIN_CIRCLESERVICE" does not contain an application programming interface string, execute 9);
9) Judge whether Message_4 contains "Start" or "delete": "action:ACTION_MAIN_CIRCLESERVICE" contains neither "Start" nor "delete"; j++, execute 3);
3) Judge whether j ≤ m: 6 == 6; judge whether i = 1: 3 != 1, execute 7);
7) Judge whether DTime_6 > UTime_{3-1}: 20170921114555 > 20170921114115, execute 4);
4) Judge whether DTime_6 < UTime_3: 20170921114555 > 20170921114549, execute 11);
11) Mark U_flag_3 = 1, i++, execute 2);
2) Judge whether i ≤ n: 4 < 7; traverse the log file, execute 3);
3) Judge whether j ≤ m: 6 == 6; judge whether i = 1: 4 != 1, execute 7);
7) Judge whether DTime_6 > UTime_{4-1}: 20170921114555 > 20170921114549, execute 4);
4) Judge whether DTime_6 < UTime_4: 20170921114555 < 20170921115052, execute 5);
5) Judge whether DPid_6 = UPid_4: 7691 == 7691, execute 6);
6) Judge whether Type_6 = "E": "D" != "E", execute 8);
8) Judge whether Message_6 contains an application programming interface string: "query () begin uri=content://sms" contains an application programming interface string; mark U_flag_4 = -1, i++, execute 2);
2) Judge whether i ≤ n: 5 < 7; traverse the log file, execute 3);
3) Judge whether j ≤ m: 6 == 6; judge whether i = 1: 5 != 1, execute 7);
7) Judge whether DTime_6 > UTime_{5-1}: 20170921114555 < 20170921115052; j++, execute 3);
3) Judge whether j ≤ m: 7 > 6; mark U_flag_5 = 1, i++, execute 2);
2) Judge whether i ≤ n: 6 < 7; traverse the log file, execute 3);
3) Judge whether j ≤ m: 7 > 6; mark U_flag_6 = 1, i++, execute 2);
2) Judge whether i ≤ n: 7 == 7; traverse the log file, execute 3);
3) Judge whether j ≤ m: 7 > 6; mark U_flag_7 = 1, i++, execute 2);
2) Judge whether i ≤ n: 8 > 7; save the labelled data set U and end;
Data set U={ u after wherein marking1,u2,u3,u4,u5,u6,u7,
u1=[UTime1,UPid1,Rcpu1,Rmem1,ProNum1,SerNum1,Smem1,Scpu1,U_flag1]= [20170921113814,7691,12.84,0.26,29,41,409,21.76, -1],
u2=[UTime2,UPid2,Rcpu2,Rmem2,ProNum2,SerNum2,Smem2,Scpu2,U_flag2]= [20170921114115,7691,13.77,0.49,28,38,413,22.69, -1],
u3=[UTime3,UPid3,Rcpu3,Rmem3,ProNum3,SerNum3,Smem3,Scpu3,U_flag3]= [20170921114549,7691,12.99,0.32,30 41,412,21.15,1],
u4=[UTime4,UPid4,Rcpu4,Rmem4,ProNum4,SerNum4,Smem4,Scpu4,U_flag4]= [20170921115052,7691,13.21,0.27,29,41,425,14.91, -1],
u5=[UTime5,UPid5,Rcpu5,Rmem5,ProNum5,SerNum5,Smem5,Scpu5,U_flag5]= [20170921115224,7691,12.93,0.00,28,40,409,12.20,1],
u6=[UTime6,UPid6,Rcpu6,Rmem6,ProNum6,SerNum6,Smem6,Scpu6,U_flag6]= [20170921115346,7691,12.77,0.31,29 41,422,35.13,1],
u7=[UTime7,UPid7,Rcpu7,Rmem7,ProNum7,SerNum7,Smem7,Scpu7,U_flag7]= [20170921115457,7691,12.93,0.00,28,40,409,13.19,1];
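The log-based labelling pass of steps S2.1 to S2.11, run on this embodiment's own U and D; this is an added example, not code from the patent. The watchlist `API_STRINGS` is an assumption, because the page does not list its application programming interface strings, and the resource fields of each u_i are left out because labelling does not read them.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: hypothetical one-entry watchlist; the page does not say which
# function names count as "application programming interface strings".
API_STRINGS = ("query",)
PACKAGE_NAME = "com.hzl.flashlight6"   # package name taken from the page's log row d_4


@dataclass
class Sample:                 # record u_i of data set U (resource fields omitted)
    utime: int
    upid: int
    flag: Optional[int] = None


@dataclass
class LogLine:                # row d_j of system log D
    dtime: int
    type: str
    dpid: int
    tag: str
    message: str


def is_suspicious(line, api_strings, package_name):
    """S2.8-S2.11: does a log row of the sample's own process mark it abnormal?"""
    if line.type == "E":                                          # S2.8
        return True
    if any(s in line.message for s in api_strings):               # S2.9
        return True
    if "Start" in line.message or "delete" in line.message:       # S2.10
        return package_name in line.message                       # S2.11
    return False


def label_samples(samples, log, api_strings=API_STRINGS, package_name=PACKAGE_NAME):
    """S2.1-S2.11: one forward pass over the log; j is never rewound."""
    j = 0
    for i, u in enumerate(samples):
        u.flag = 1                        # label when no evidence is found (S2.3, S2.6)
        while j < len(log):
            d = log[j]
            if i > 0 and d.dtime <= samples[i - 1].utime:   # S2.5: row predates the window
                j += 1
                continue
            if d.dtime >= u.utime:                          # S2.6: row is past the window
                break
            if d.dpid == u.upid and is_suspicious(d, api_strings, package_name):
                u.flag = -1               # j stays on this row, as in the page's trace
                break
            j += 1                        # S2.7 / S2.10 / S2.11: move to the next row
    return [u.flag for u in samples]


# UTime, UPid of u_1..u_7 and rows d_1..d_6, copied from the embodiment above.
DAY = 20170921000000
U = [Sample(DAY + t, 7691)
     for t in (113814, 114115, 114549, 115052, 115224, 115346, 115457)]
D = [
    LogLine(DAY + 113714, "E", 7691, "qjqx", "java.lang.NullPointerException"),
    LogLine(DAY + 113818, "D", 24379, "Trace", "java.net.InetAddress.lookupHostByName"),
    LogLine(DAY + 113954, "D", 7691, "qjqx", "Unexpected value from nativeGetEnabledTags:0"),
    LogLine(DAY + 114024, "D", 7691, "qjqx", "Start proc com.hzl.flashlight6 for Activity"),
    LogLine(DAY + 114345, "D", 7691, "qjqx", "action:ACTION_MAIN_CIRCLESERVICE"),
    LogLine(DAY + 114555, "D", 7691, "qjqx", "query () begin uri=content://sms"),
]

if __name__ == "__main__":
    print(label_samples(U, D))
```

Because j only moves forward, both the samples and the log rows must be sorted by time; an out-of-order log row is skipped for good and can no longer mark any sample abnormal.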
Step 3: Judge data anomalies in the APP software running data set based on SVM:
Initialize the data: c = 2^-8, g = 2^-8, g_cur = 0, c_max = 2^3, g_max = 2^3, v = 0, acc_max = 0, great_c = 0, great_g = 0, k = 10, b = 0, Lagrange is empty; execute step S3.2. Here c is the penalty factor, g is the radial basis kernel function parameter, g_cur is a temporary variable, c_max is the maximum value of c, g_max is the maximum value of g, v is the number of iterations, v_max is the maximum number of iterations, acc_max is the maximum accuracy of the SVM algorithm on the App software running training data set T, acc is the accuracy of the SVM algorithm on T, k is the increment of c and g in each iteration, and Lagrange is the set of Lagrange multipliers of the records in T. b is a constant of the SVM classification-surface function, i.e., [formula not present in this text], where L_z is the Lagrange multiplier of the z-th data item in Lagrange, y_z is the T_flag_z of the z-th training record in training data set T, t_z is the z-th training record in T, u_i is the i-th record in the software running data set U, and K is the radial basis kernel function, i.e., [formula not present in this text], where g is the kernel function parameter and x1, x2 are the variables of the kernel function.
Obtain the APP software training data set T = {t_1, t_2, t_3, t_4, t_5, t_6, t_7, t_8, t_9, t_10}:
t_1 = [Rcpu_1, Rmem_1, ProNum_1, SerNum_1, Smem_1, Scpu_1, T_flag_1] = [13.25, 0.01, 28, 38, 407, 14.14, 1],
t_2 = [Rcpu_2, Rmem_2, ProNum_2, SerNum_2, Smem_2, Scpu_2, T_flag_2] = [12.68, 0.03, 28, 37, 408, 11.55, 1],
t_3 = [Rcpu_3, Rmem_3, ProNum_3, SerNum_3, Smem_3, Scpu_3, T_flag_3] = [12.7, 0.03, 28, 40, 412, 12.74, 1],
t_4 = [Rcpu_4, Rmem_4, ProNum_4, SerNum_4, Smem_4, Scpu_4, T_flag_4] = [12.66, 0.06, 29, 39, 409, 13.26, 1],
t_5 = [Rcpu_5, Rmem_5, ProNum_5, SerNum_5, Smem_5, Scpu_5, T_flag_5] = [13.77, 0.00, 28, 38, 405, 11.92, 1],
t_6 = [Rcpu_6, Rmem_6, ProNum_6, SerNum_6, Smem_6, Scpu_6, T_flag_6] = [16.93, 1.70, 28, 40, 424, 33.44, -1],
t_7 = [Rcpu_7, Rmem_7, ProNum_7, SerNum_7, Smem_7, Scpu_7, T_flag_7] = [12.93, 1.06, 29, 40, 418, 15.75, -1],
t_8 = [Rcpu_8, Rmem_8, ProNum_8, SerNum_8, Smem_8, Scpu_8, T_flag_8] = [15.39, 1.46, 30, 41, 416, 21.91, -1],
t_9 = [Rcpu_9, Rmem_9, ProNum_9, SerNum_9, Smem_9, Scpu_9, T_flag_9] = [17.46, 1.09, 31, 42, 419, 26.01, -1],
t_10 = [Rcpu_10, Rmem_10, ProNum_10, SerNum_10, Smem_10, Scpu_10, T_flag_10] = [12.9, 0.71, 30, 41, 417, 24.96, -1];
Specific method:
1) Judge whether v < 3: 0 < 3, execute 2);
2) Judge whether c < c_max + k: 2^-8 < 2^3 + 10, execute 3);
3) Judge whether g < g_max + k: 2^-8 < 2^3 + 10, execute 4);
4) Compute the classification accuracy acc of data set T with the SVM algorithm: acc = 0, execute 5);
5) Judge whether acc > acc_max: 0 = 0; g = g + k: g = 10.00390625; execute 3);
3) Judge whether g < g_max + k: 10.00390625 < 2^3 + 10, execute 4);
4) Compute the classification accuracy acc of data set T with the SVM algorithm: acc = 0, execute 5);
5) Judge whether acc > acc_max: 0>0; g = g + k: g = 20.00390625; execute 3);
3) Judge whether g < g_max + k: 20.00390625<2^3 + 10, execute 6);
6) Judge whether v = 0: 0 == 0; c = c + k: c = 10.00390625, g = 2^-8, execute 2);
2) Judge whether c < c_max + k: 10.00390625 < 18, execute 3);
3) Judge whether g < g_max + k: 2^-8 < 2^3 + 10, execute 4);
4) Compute the classification accuracy acc of data set T with the SVM algorithm: acc = 0.800000011920929, execute 5);
5) Judge whether acc > acc_max: 0.800000011920929 > 0, execute 7);
7) Judge whether acc = 1: 0.800000011920929==1; acc_max = acc = 0.800000011920929, great_c = c = 10.00390625, great_g = g = 0.00390625, g = g + k = 10.00390625, execute 3);
3) Judge whether g < g_max + k: 10.00390625 < 2^3 + 10: 10.00390625 < 18, execute 4);
4) Compute the classification accuracy acc of data set T with the SVM algorithm: acc = 1, execute 5);
5) Judge whether acc > acc_max: 1 > 0.800000011920929, execute 7);
7) Judge whether acc = 1: 1 == 1; great_c = c = 10.00390625, great_g = g = 10.00390625, g_cur = great_g - k = 0.00390625, c_max = great_c + k = 20.00390625, g_max = great_g + k = 20.00390625, g = g_cur = 0.00390625, c = great_c - k = 0.00390625, k = k/10 = 1, v = v + 1 = 1, acc_max = 0; execute 1);
1) judge whether v is less than 3:1<3, it executes 2);
2) judge whether c is less than c_max+k:0.00390625<21.00390625 executing 3);
3) judge whether g is less than g_max+k:0.00390625<21.00390625 executing 4);
4) the classification accuracy acc of data set T is calculated based on SVM algorithm:5) acc=0 is executed;
5) judge whether acc is more than acc_max:3) 0=0, g=g+k=1.00390625 are executed;
3) judge whether g is less than g_max+k:1.00390625<21.00390625 executing 4);
4) the classification accuracy acc of data set T is calculated based on SVM algorithm:5) acc=0 is executed;
5) judge whether acc is more than acc_max:3) 0=0, g=g+k=2.00390625 are executed;
3) judge whether g is less than g_max+k:2.00390625<21.00390625 executing 4);
4) the classification accuracy acc of data set T is calculated based on SVM algorithm:5) acc=0 is executed;
5) judge whether acc is more than acc_max:3) 0=0, g=g+k=3.00390625 are executed;
3) judge whether g is less than g_max+k:3.00390625<21.00390625 executing 4);
4) the classification accuracy acc of data set T is calculated based on SVM algorithm:5) acc=0 is executed;
5) judge whether acc is more than acc_max:3) 0=0, g=g+k=4.00390625 are executed;
3) judge whether g is less than g_max+k:4.00390625<21.00390625 executing 4);
4) the classification accuracy acc of data set T is calculated based on SVM algorithm:5) acc=0 is executed;
5) judge whether acc is more than acc_max:3) 0=0, g=g+k=5.00390625 are executed;
3) judge whether g is less than g_max+k:5.00390625<21.00390625 executing 4);
4) the classification accuracy acc of data set T is calculated based on SVM algorithm:5) acc=0 is executed;
5) judge whether acc is more than acc_max:3) 0=0, g=g+k=6.00390625 are executed;
3) judge whether g is less than g_max+k:6.00390625<21.00390625 executing 4);
4) the classification accuracy acc of data set T is calculated based on SVM algorithm:5) acc=0 is executed;
5) judge whether acc is more than acc_max:3) 0=0, g=g+k=7.00390625 are executed;
3) judge whether g is less than g_max+k:7.00390625<21.00390625 executing 4);
4) the classification accuracy acc of data set T is calculated based on SVM algorithm:5) acc=0 is executed;
5) judge whether acc is more than acc_max:3) 0=0, g=g+k=8.00390625 are executed;
3) judge whether g is less than g_max+k:8.00390625<21.00390625 executing 4);
4) the classification accuracy acc of data set T is calculated based on SVM algorithm:5) acc=0 is executed;
5) judge whether acc is more than acc_max:3) 0=0, g=g+k=9.00390625 are executed;
3) judge whether g is less than g_max+k:9.00390625<21.00390625 executing 4);
4) the classification accuracy acc of data set T is calculated based on SVM algorithm:5) acc=0 is executed;
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=10.00390625, execute 3);
3) Judge whether g is less than g_max+k: 10.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0, execute 5);
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=11.00390625, execute 3);
3) Judge whether g is less than g_max+k: 11.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0, execute 5);
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=12.00390625, execute 3);
3) Judge whether g is less than g_max+k: 12.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0, execute 5);
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=13.00390625, execute 3);
3) Judge whether g is less than g_max+k: 13.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0, execute 5);
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=14.00390625, execute 3);
3) Judge whether g is less than g_max+k: 14.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0, execute 5);
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=15.00390625, execute 3);
3) Judge whether g is less than g_max+k: 15.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0, execute 5);
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=16.00390625, execute 3);
3) Judge whether g is less than g_max+k: 16.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0, execute 5);
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=17.00390625, execute 3);
3) Judge whether g is less than g_max+k: 17.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0, execute 5);
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=18.00390625, execute 3);
3) Judge whether g is less than g_max+k: 19.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0, execute 5);
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=20.00390625, execute 3);
3) Judge whether g is less than g_max+k: 20.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0, execute 5);
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=21.00390625, execute 3);
3) Judge whether g is less than g_max+k: 21.00390625<21.00390625, execute 6);
6) Judge whether v is equal to 0: 1!=0, c=c+k: c=1.00390625, g=g_cur=0.00390625, execute 2);
2) Judge whether c is less than c_max+k: 1.00390625<21.00390625, execute 3);
3) Judge whether g is less than g_max+k: 0.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0.800000011920929, execute 5);
5) Judge whether acc is greater than acc_max: 0.800000011920929>0, execute 7);
7) Judge whether acc is equal to 1: 0.800000011920929==1, acc_max=acc=0.800000011920929, great_c=c=1.00390625, great_g=g=0.00390625, g=g+k=1.00390625, execute 3);
3) Judge whether g is less than g_max+k: 1.00390625<21.00390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=1, execute 5);
5) Judge whether acc is greater than acc_max: 1>0.800000011920929, great_c=c=1.00390625, great_g=g=1.00390625, g_cur=great_g-k=0.00390625, c_max=great_c+k=2.00390625, g_max=great_g+k=2.00390625, g=g_cur=0.00390625, c=great_c-k=0.00390625, k=k/10=0.1, v=v+1=2, acc_max=0; execute 1);
1) Judge whether v is less than 3: 2<3, execute 2);
2) Judge whether c is less than c_max+k: 0.00390625<2.10390625, execute 3);
3) Judge whether g is less than g_max+k: 0.00390625<2.10390625, execute 4);
4) Calculate the classification accuracy acc of data set T based on the SVM algorithm: acc=0, execute 5);
5) Judge whether acc is greater than acc_max: 0=0, g=g+k=0.10390625, execute 3);
Continue iterating 3), 4), 5) and 6) until great_c=0.50390625, great_g=0.40390625, acc=1, v=v+1=3, then execute 1);
1) Judge whether v is less than 3: 3=3, execute 8);
8) c=great_c=0.50390625, g=great_g=0.40390625; calculate the Lagrange multipliers and the constant value b of data set T based on the SVM algorithm, store the Lagrange multipliers in Lagrange, and execute 9); where Lagrange={L1,L2,L3,L4,L5,L6,L7,L8,L9,L10}, L1=0.50390625, L2=0.50390625, L3=0.50390625, L4=0.50390625, L5=0.50390625, L6=-0.50390625, L7=-0.50390625, L8=-0.50390625, L9=-0.50390625, L10=-0.50390625, b=0.019498957054381982;
9) Obtain the labelled data set U, where the labelled data set U={u1,u2,u3,u4,u5,u6,u7},
u1=[UTime1,UPid1,Rcpu1,Rmem1,ProNum1,SerNum1,Smem1,Scpu1,U_flag1]=[20170921113814,7691,12.84,0.26,29,41,409,21.76,-1],
u2=[UTime2,UPid2,Rcpu2,Rmem2,ProNum2,SerNum2,Smem2,Scpu2,U_flag2]=[20170921114115,7691,13.77,0.49,28,38,413,22.69,-1],
u3=[UTime3,UPid3,Rcpu3,Rmem3,ProNum3,SerNum3,Smem3,Scpu3,U_flag3]=[20170921114549,7691,12.99,0.32,30,41,412,21.15,1],
u4=[UTime4,UPid4,Rcpu4,Rmem4,ProNum4,SerNum4,Smem4,Scpu4,U_flag4]=[20170921115052,7691,13.21,0.27,29,41,425,14.91,-1],
u5=[UTime5,UPid5,Rcpu5,Rmem5,ProNum5,SerNum5,Smem5,Scpu5,U_flag5]=[20170921115224,7691,12.93,0.00,28,40,409,12.20,1],
u6=[UTime6,UPid6,Rcpu6,Rmem6,ProNum6,SerNum6,Smem6,Scpu6,U_flag6]=[20170921115346,7691,12.77,0.31,29,41,422,35.13,1],
u7=[UTime7,UPid7,Rcpu7,Rmem7,ProNum7,SerNum7,Smem7,Scpu7,U_flag7]=[20170921115457,7691,12.93,0.00,28,40,409,13.19,1]; initialize i=1, execute 10);
10) Judge whether i is less than or equal to n: 1<7, execute 11);
11) Judge whether U_flag1 is equal to 1: -1!=1, output that the u1 data is abnormal, i++, execute 10);
10) Judge whether i is less than or equal to n: 2<7, execute 11);
11) Judge whether U_flag2 is equal to 1: -1!=1, output that the u2 data is abnormal, i++, execute 10);
10) Judge whether i is less than or equal to n: 3<7, execute 11);
11) Judge whether U_flag3 is equal to 1: 1==1, execute 12);
12) Judge whether the result of the SVM classification surface function is greater than 0: -0.019534993059670814<0, update the label U_flag3=-1, output that the u3 data is abnormal, add u3 to training set T, i++, execute 10); where L_z denotes the Lagrange multiplier of the z-th record in Lagrange, y_z denotes the T_flag_z of the z-th training record in training data set T, t_z denotes the z-th training record in training data set T, u_i denotes the i-th record in the software running data set U, and K denotes the radial basis kernel function, in which g denotes the parameter of the kernel function and x1, x2 denote the variables of the kernel function;
10) Judge whether i is less than or equal to n: 4<7, execute 11);
11) Judge whether U_flag4 is equal to 1: -1!=1, output that the u4 data is abnormal, i++, execute 10);
10) Judge whether i is less than or equal to n: 5<7, execute 11);
11) Judge whether U_flag5 is equal to 1: 1==1, execute 12);
12) Judge whether the result of the SVM classification surface function is greater than 0: 0.21098085145849513>0, output that the u5 data is normal, add u5 to training set T, i++, execute 10);
10) Judge whether i is less than or equal to n: 6<7, execute 11);
11) Judge whether U_flag6 is equal to 1: 1==1, execute 12);
12) Judge whether the result of the SVM classification surface function is greater than 0: -0.019498957054381982<0, update the label U_flag6=-1, output that the u6 data is abnormal, add u6 to training set T, i++, execute 10);
10) Judge whether i is less than or equal to n: 7==7, execute 11);
11) Judge whether U_flag7 is equal to 1: 1==1, execute 12);
12) Judge whether the result of the SVM classification surface function is greater than 0: 0.14069106720247276>0, output that the u7 data is normal, add u7 to training set T, i++, execute 10);
10) Judge whether i is less than or equal to n: 8<7, end; all iterations are complete;
Step4, output the judgment result:
The final result for data set U:
u1=[UTime1,UPid1,Rcpu1,Rmem1,ProNum1,SerNum1,Smem1,Scpu1,U_flag1]=[20170921113814,7691,12.84,0.26,29,41,409,21.76,-1],
u2=[UTime2,UPid2,Rcpu2,Rmem2,ProNum2,SerNum2,Smem2,Scpu2,U_flag2]=[20170921114115,7691,13.77,0.49,28,38,413,22.69,-1],
u3=[UTime3,UPid3,Rcpu3,Rmem3,ProNum3,SerNum3,Smem3,Scpu3,U_flag3]=[20170921114549,7691,12.99,0.32,30,41,412,21.15,-1],
u4=[UTime4,UPid4,Rcpu4,Rmem4,ProNum4,SerNum4,Smem4,Scpu4,U_flag4]=[20170921115052,7691,13.21,0.27,29,41,425,14.91,-1],
u5=[UTime5,UPid5,Rcpu5,Rmem5,ProNum5,SerNum5,Smem5,Scpu5,U_flag5]=[20170921115224,7691,12.93,0.00,28,40,409,12.20,1],
u6=[UTime6,UPid6,Rcpu6,Rmem6,ProNum6,SerNum6,Smem6,Scpu6,U_flag6]=[20170921115346,7691,12.77,0.31,29,41,422,35.13,-1],
u7=[UTime7,UPid7,Rcpu7,Rmem7,ProNum7,SerNum7,Smem7,Scpu7,U_flag7]=[20170921115457,7691,12.93,0.00,28,40,409,13.19,1];
Output: u1, u2, u3, u4 and u6 are abnormal data; u5 and u7 are normal data.
The final result for training set T, where the 4 records u3, u5, u6 and u7 from data set U have been added to training set T: training data set T={t1,t2,t3,t4,t5,t6,t7,t8,t9,t10,t11,t12,t13,t14},
t1=[Rcpu1,Rmem1,ProNum1,SerNum1,Smem1,Scpu1,T_flag1]=[13.25,0.01,28, 38,407,14.14,1],
t2=[Rcpu2,Rmem2,ProNum2,SerNum2,Smem2,Scpu2,T_flag2]=[12.68,0.03,28, 37,408,11.55,1],
t3=[Rcpu3,Rmem3,ProNum3,SerNum3,Smem3,Scpu3,T_flag3]=[12.7,0.03,28,40, 412,12.74,1],
t4=[Rcpu4,Rmem4,ProNum4,SerNum4,Smem4,Scpu4,T_flag4]=[12.66,0.06,29, 39,409,13.26,1],
t5=[Rcpu5,Rmem5,ProNum5,SerNum5,Smem5,Scpu5,T_flag5]=[13.77,0.00,28, 38,405,11.92,1],
t6=[Rcpu6,Rmem6,ProNum6,SerNum6,Smem6,Scpu6,T_flag6]=[16.93,1.70,28, 40,424,33.44, -1],
t7=[Rcpu7,Rmem7,ProNum7,SerNum7,Smem7,Scpu7,T_flag7]=[12.93,1.06,29, 40,418,15.75, -1],
t8=[Rcpu8,Rmem8,ProNum8,SerNum8,Smem8,Scpu8,T_flag8]=[15.39,1.46,30, 41,416,21.91, -1],
t9=[Rcpu9,Rmem9,ProNum9,SerNum9,Smem9,Scpu9,T_flag9]=[17.46,1.09,31, 42,419,26.01, -1],
t10=[Rcpu10,Rmem10,ProNum10,SerNum10,Smem10,Scpu10,T_flag10]=[12.9,0.71, 30,41,417,24.96, -1],
t11=[Rcpu11,Rmem11,ProNum11,SerNum11,Smem11,Scpu11,T_flag11]=[12.99, 0.32,30,41,412,21.15, -1],
t12=[Rcpu12,Rmem12,ProNum12,SerNum12,Smem12,Scpu12,T_flag12]=[12.93, 0.00,28,40,409,12.20,1],
t13=[Rcpu13,Rmem13,ProNum13,SerNum13,Smem13,Scpu13,T_flag13]=[12.77, 0.31,29,41,422,35.13, -1],
t14=[Rcpu14,Rmem14,ProNum14,SerNum14,Smem14,Scpu14,T_flag14]=[12.93, 0.00,28,40,409,13.19,1];
The APP software running training data set T, together with the APP software running data added to it, serves as the new APP software running data set for the next SVM-based judgment of data anomalies in APP software running data.
The specific embodiments of the present invention have been explained in detail above with reference to the accompanying drawings, but the present invention is not limited to the above embodiments; within the knowledge of a person of ordinary skill in the art, various changes can also be made without departing from the concept of the present invention.
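The staged parameter search traced in steps 1) to 7) above (steps S3.1 to S3.10 of the claims) can be written as three nested loops. The following is an added example, not code from the patent: the `accuracy` callback stands in for "train the SVM on T with (c, g) and return acc", `constructed_accuracy` is a constructed stand-in chosen so the search follows the same path as the trace, and the check that skips non-positive c or g is an added guard the page does not describe.

```python
from typing import Callable, List, Tuple

def coarse_to_fine_search(accuracy: Callable[[float, float], float],
                          v_max: int = 3):
    """Return (great_c, great_g, per-pass history) for the staged search."""
    c = g = 2 ** -8                      # S3.1 initial values
    g_cur = 0.0
    c_max = g_max = 2 ** 3
    k = 10.0                             # step size, divided by 10 per pass
    v = 0
    acc_max = 0.0
    great_c = great_g = 0.0
    history: List[Tuple[float, float]] = []

    while v < v_max:                                   # S3.2
        perfect = False
        while c < c_max + k and not perfect:           # S3.6
            while g < g_max + k:                       # S3.7
                # Added guard: c = great_c - k can go non-positive, which
                # an SVM trainer would reject, so score such points as 0.
                acc = accuracy(c, g) if c > 0 and g > 0 else 0.0
                if acc > acc_max:                      # S3.8
                    great_c, great_g = c, g
                    if acc == 1:                       # S3.9: end this pass
                        perfect = True
                        break
                    acc_max = acc
                g += k
            if not perfect:                            # S3.10
                c += k
                g = 2 ** -8 if v == 0 else g_cur
        # Narrow the window around the best point (same assignments in the
        # "otherwise" branch of S3.6 and the acc = 1 branch of S3.9).
        g_cur = great_g - k
        c_max, g_max = great_c + k, great_g + k
        c, g = great_c - k, g_cur
        k /= 10
        v += 1
        acc_max = 0.0
        history.append((great_c, great_g))
    return great_c, great_g, history

def constructed_accuracy(c: float, g: float) -> float:
    """Constructed stand-in for SVM training accuracy (not real data)."""
    if c < 0.5:
        return 0.0
    return 1.0 if g >= 0.4 else 0.8

if __name__ == "__main__":
    best_c, best_g, passes = coarse_to_fine_search(constructed_accuracy)
    for number, (pc, pg) in enumerate(passes):
        print(f"pass {number}: great_c={pc:.8f} great_g={pg:.8f}")
```

Because each pass stops at the first point that scores acc = 1 in scan order, the result depends on the scan order as well as on the accuracy surface.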

Claims (2)

1. A method for judging abnormal APP software running data, characterized in that the method comprises the following steps:
S1, take the APP software running data set as input; where the APP software running data set U={u_1,u_2,...,u_n}, u_x=(UTime_x,UPid_x,Rcpu_x,Rmem_x,ProNum_x,SerNum_x,Smem_x,Scpu_x,U_flag_x) denotes the x-th APP software data record, UTime_x denotes the current system time in the x-th APP software data record; UPid_x denotes the process number of the running APP software in the x-th APP software data record; Rcpu_x denotes the amount of CPU occupied by the APP software in the x-th APP software data record; Rmem_x denotes the amount of memory occupied by the APP software in the x-th APP software data record; ProNum_x denotes the number of system processes in the x-th APP software data record; SerNum_x denotes the number of system services in the x-th APP software data record; Smem_x denotes the amount of memory already used by the system in the x-th APP software data record; Scpu_x denotes the amount of CPU already used by the system in the x-th APP software data record; U_flag_x denotes the label of the x-th APP software data record; x=1,2,...,n;
S2, label the APP software running data set based on the system log:
S2.1, initialize i=1, j=1, and execute step S2.2;
S2.2, if i≤n, traverse log file D and execute step S2.3 to judge j≤m; otherwise save the labelled data set U and end;
S2.3, if j≤m, execute step S2.4 to judge whether i=1 holds; otherwise mark U_flag_i=1, i=i+1, and execute step S2.2;
S2.4, if i=1 holds, execute step S2.6 to judge whether DTime_j<UTime_i holds; otherwise execute step S2.5 to judge whether DTime_j>UTime_{i-1} holds;
S2.5, if DTime_j>UTime_{i-1} holds, execute step S2.6 to judge whether DTime_j<UTime_i holds; otherwise j=j+1, and execute step S2.3;
S2.6, if DTime_j<UTime_i holds, execute step S2.7 to judge whether DPid_j=UPid_i holds; otherwise mark U_flag_i=1, i=i+1, and execute step S2.2;
S2.7, if DPid_j=UPid_i holds, execute step S2.8 to judge whether Type_j="E" holds; otherwise j=j+1, and execute step S2.3;
S2.8, if Type_j="E" holds, mark U_flag_i=-1, i=i+1, and execute step S2.2; otherwise execute step S2.9 to judge whether Message_j contains an application programming interface string; where an application programming interface string denotes the name of a function that the APP software must call when performing a certain operation;
S2.9, if Message_j contains an application programming interface string, mark U_flag_i=-1, i=i+1, and execute step S2.2; otherwise execute step S2.10 to judge whether Message_j contains "Start" or "delete";
S2.10, if Message_j contains "Start" or "delete", execute step S2.11 to judge whether Message_j contains the application package name; otherwise j=j+1, and execute step S2.3; where the application package name denotes the unique string generated for each APP software after it is installed on the system;
S2.11, if Message_j contains the application package name, mark U_flag_i=-1, i=i+1, and execute step S2.2; otherwise j=j+1, and execute step S2.3;
where the system log file D={d_1,d_2,...,d_m}, d_y=(DTime_y,Type_y,DPid_y,Tag_y,Message_y) denotes the y-th line of system log information, DTime_y denotes the time at which the y-th line of system log information was generated; Type_y denotes the type of the y-th line of system log information; DPid_y denotes the process number of the APP software running in the y-th line of system log information; Tag_y denotes the title or class name of the Activity of the APP software running in the y-th line of system log information; Message_y denotes the detailed information associated with the running of the APP software in the y-th line of system log information; y=1,2,...,m;
S3, judge data anomalies in the APP software running data set based on SVM:
S3.1, initialize the data: c=2^-8, g=2^-8, g_cur=0, c_max=2^3, g_max=2^3, v=0, acc_max=0, great_c=0, great_g=0, k=10, b=0, Lagrange is empty, and execute step S3.2; where c denotes the penalty factor, g denotes the radial basis kernel function parameter, g_cur denotes a temporary variable, c_max denotes the maximum value of c, g_max denotes the maximum value of g, v denotes the number of iterations, the maximum number of iterations is denoted v_max, acc_max denotes the maximum accuracy of the SVM algorithm on the APP software running training data set T, the accuracy of the SVM algorithm on the APP software running training data set T is denoted acc, k denotes the increment of c and g in each iteration, b denotes a constant value of the SVM classification surface function, and Lagrange denotes the set of Lagrange multipliers of each record in the APP software running training data set T;
S3.2, if v<v_max, execute step S3.6 to judge whether c<c_max+k holds; otherwise c=great_c, g=great_g, calculate the Lagrange multipliers and the parameter b of the APP software running training data set T based on the SVM algorithm, store the Lagrange multipliers in Lagrange, initialize the data, obtain the labelled data set U={u_1,u_2,...,u_n}, set i=1, and execute step S3.3 to judge whether i≤n holds;
S3.3, if i≤n holds, execute step S3.4 to judge whether U_flag_i=1 holds; otherwise end;
S3.4, if U_flag_i=1 holds, execute step S3.5 to judge whether the result of the SVM classification surface function >0 holds; otherwise output that the u_i data is abnormal, i=i+1, and execute step S3.3;
S3.5, if the result of the SVM classification surface function >0 holds, output that the u_i data is normal, add the u_i data to the APP software running training data set T, i=i+1, and execute step S3.3; otherwise update the label U_flag_i=-1, output that the u_i data is abnormal, add the u_i data to the APP software running training data set T, i=i+1, and execute step S3.3;
S3.6, if c<c_max+k holds, execute step S3.7 to judge whether g<g_max+k holds; otherwise g_cur=great_g-k, c_max=great_c+k, g_max=great_g+k, g=g_cur, c=great_c-k, k=k/10, v=v+1, acc_max=0, and execute step S3.2;
S3.7, if g<g_max+k holds, calculate the classification accuracy acc of the APP software running training data set T based on the SVM algorithm and execute step S3.8 to judge whether acc>acc_max holds; otherwise execute step S3.10 to judge whether v=0 holds;
S3.8, if acc>acc_max holds, execute step S3.9 to judge whether acc=1 holds; otherwise g=g+k, and execute step S3.7;
S3.9, if acc=1 holds, great_c=c, great_g=g, g_cur=great_g-k, c_max=great_c+k, g_max=great_g+k, g=g_cur, c=great_c-k, k=k/10, v=v+1, acc_max=0, and execute step S3.2; otherwise acc_max=acc, great_c=c, great_g=g, g=g+k, and execute step S3.7;
S3.10, if v=0 holds, c=c+k, g=2^-8, and execute step S3.6; otherwise c=c+k, g=g_cur, and execute step S3.6;
where the APP software running training data set is denoted T, T={t_1,t_2,…,t_p}, t_p=(Rcpu_p,Rmem_p,ProNum_p,SerNum_p,Smem_p,Scpu_p,T_flag_p), Rcpu_p denotes the amount of CPU occupied by the APP software in the p-th training record, Rmem_p denotes the amount of memory occupied by the APP software in the p-th training record, ProNum_p denotes the number of system processes in the p-th training record, SerNum_p denotes the number of system services in the p-th training record, Smem_p denotes the amount of memory already used by the system in the p-th training record, Scpu_p denotes the amount of CPU already used by the system in the p-th training record, and T_flag_p denotes whether the p-th training record is normal data or abnormal data;
S4, output the judgment result: according to the result of step S3, output the APP software data records u_x with U_flag_x=-1 as abnormal data, and output the APP software data records u_x with U_flag_x=1 as normal data; where x=1,2,...,n.
2. The method for judging abnormal APP software running data according to claim 1, characterized in that: the APP software running training data set T, together with the APP software running data added to the APP software running training data set T, serves as the new APP software running data set for the next SVM-based judgment of data anomalies in the APP software running data set.
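The log-based labelling of steps S2.1 to S2.11 in claim 1 amounts to a single forward pass over the log with two cursors. The following is an added example, not code from the patent: the record times and process number are the u1 to u7 values from the description, while every log line, the API string `openCamera` and the package name `com.example.app` are constructed, hypothetical values.

```python
from dataclasses import dataclass
from typing import List, Sequence

@dataclass
class LogLine:                 # d_y = (DTime, Type, DPid, Tag, Message)
    dtime: int
    type: str
    dpid: int
    tag: str
    message: str

@dataclass
class Record:                  # u_x, reduced to the fields labelling uses
    utime: int
    upid: int
    flag: int = 0              # U_flag: 1 normal, -1 abnormal

def label_records(records: List[Record], log: Sequence[LogLine],
                  api_strings: Sequence[str], package_name: str) -> List[int]:
    i = j = 0                                          # S2.1 (0-based here)
    while i < len(records):                            # S2.2
        u = records[i]
        if j >= len(log):                              # S2.3: log exhausted
            verdict = 1
        else:
            d = log[j]
            if i > 0 and d.dtime <= records[i - 1].utime:   # S2.4, S2.5
                j += 1
                continue
            if d.dtime >= u.utime:                     # S2.6: no line in window
                verdict = 1
            elif d.dpid != u.upid:                     # S2.7
                j += 1
                continue
            elif (d.type == "E"                                    # S2.8
                  or any(s in d.message for s in api_strings)      # S2.9
                  or (("Start" in d.message or "delete" in d.message)  # S2.10
                      and package_name in d.message)):             # S2.11
                verdict = -1
            else:
                j += 1
                continue
        u.flag = verdict
        i += 1
    return [r.flag for r in records]

def demo_flags() -> List[int]:
    pid = 7691                                   # UPid from the description
    times = [20170921113814, 20170921114115, 20170921114549, 20170921115052,
             20170921115224, 20170921115346, 20170921115457]
    records = [Record(t, pid) for t in times]
    log = [                                      # constructed log lines
        LogLine(20170921113700, "E", pid, "Main", "unhandled exception"),
        LogLine(20170921113900, "I", 1234, "Other", "unrelated process"),
        LogLine(20170921114000, "I", pid, "AM", "Start proc com.example.app"),
        LogLine(20170921114300, "D", pid, "Main", "onResume"),
        LogLine(20170921114800, "W", pid, "Cam", "openCamera called"),
    ]
    return label_records(records, log, ["openCamera"], "com.example.app")

if __name__ == "__main__":
    print(demo_flags())
```

Under S2.3 and S2.6 a record with no log line in its time window is labelled 1 (normal), so gaps in log collection appear as normal labels rather than as unknowns.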
CN201810077200.5A 2018-01-26 2018-01-26 APP software operation data abnormity judgment method Active CN108415815B (en)

Publications (2)

Publication Number Publication Date
CN108415815A true CN108415815A (en) 2018-08-17
CN108415815B CN108415815B (en) 2021-03-02


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant