CN108509796B - Method for detecting risk and server - Google Patents


Info

Publication number: CN108509796B
Authority: CN (China)
Prior art keywords: risk, application, data, preset, gray value
Legal status: Active
Application number: CN201710104591.0A
Other languages: Chinese (zh)
Other versions: CN108509796A (en)
Inventor: 邱勤, 张滨, 赵刚, 徐达, 袁捷
Current Assignee: China Mobile Communications Group Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the invention discloses a risk detection method and a server, wherein an application code corresponding to a first application on a terminal is obtained, and a risk characteristic vector set between different file types corresponding to the first application is established according to the application code and the file type of a preset application code; when the first application is in an operating state, acquiring operating data of the first application, and establishing a risk characteristic data set corresponding to the first application according to the operating data and a preset boundary strategy; the preset boundary strategy is used for judging risk characteristic data; acquiring current user behavior data acting on the first application, and establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model; the preset risk model is used for judging risk characteristic behaviors; and judging the risk of the first application based on the multi-dimensional polymorphism according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set.

Description

Method for detecting risk and server
Technical Field
The invention relates to the field of mobile application security, in particular to a risk detection method and a server.
Background
With the development of mobile communication technology and the continuous improvement of terminal software and hardware capabilities, the range of services carried by mobile applications has become increasingly broad and rich, and mobile applications have become the main entrance to mobile internet information, so terminal security is attracting more and more attention. According to statistics from security organizations, more than 90% of mobile applications have security vulnerabilities of different types and risk levels that can be exploited by attackers, which poses a significant threat to enterprise operations and to users' rights and interests. Mobile application vulnerability analysis capabilities and means are therefore urgently needed to guard against mobile application security risks and ensure the safe operation of enterprise mobile applications.
At present, existing techniques perform vulnerability analysis of mobile applications mainly by several methods, such as static feature code extraction, risk feature matching, or a combination of the two.
In the process of implementing the invention, the inventor finds that at least the following problems exist in the prior art:
When vulnerability analysis of a mobile application is carried out with static feature code extraction, a feature recognition model and a feature matching model must be established in advance from empirical data, so the risk identification range is limited to known fields. Moreover, both static feature code extraction and risk feature matching draw on the static code features of the mobile application and do not collect its dynamic behavior features or data flow features, so risk identification is limited to vulnerabilities visible in the static state. Risk detection for mobile applications is therefore limited and one-dimensional.
Disclosure of Invention
In order to solve the above technical problems, embodiments of the present invention aim to provide a risk detection method and a server that construct a risk feature identification path and a risk decision tree by defining the risk feature mapping relationship of a first application across multiple dimensions and multiple states, thereby overcoming the limited and one-dimensional nature of risk detection for mobile applications.
In order to achieve the above purpose, the technical solution of the embodiment of the present invention is realized as follows:
the embodiment of the invention provides a method for detecting risk, which comprises the following steps:
acquiring an application code corresponding to a first application on a terminal, and establishing a risk characteristic vector set between different file types corresponding to the first application according to the application code and a file type of a preset application code;
when the first application is in a running state, obtaining running data of the first application, and establishing a risk characteristic data set corresponding to the first application according to the running data and a preset boundary strategy; the preset boundary strategy is used for judging risk characteristic data;
acquiring current user behavior data acting on the first application, and establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model; the preset risk model is used for judging risk characteristic behaviors;
and judging the risk of the first application based on the multi-dimensional polymorphism according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set.
In the foregoing solution, the establishing a risk feature vector set between different file types corresponding to the first application according to the application code and a file type of a preset application code includes:
extracting an application sample of the first application, and acquiring the application code of the application sample;
extracting each risk characteristic vector from application codes corresponding to different file types;
and establishing the risk characteristic vector set corresponding to the first application according to the risk characteristic vectors.
In the foregoing scheme, the establishing a risk feature data set corresponding to the first application according to the operating data and a preset boundary policy includes:
monitoring the operating data, and acquiring a calling parameter corresponding to the operating data;
when the calling parameter does not belong to a preset calling parameter range, determining the running data corresponding to the calling parameter as risk data;
and establishing the risk characteristic data set corresponding to the first application according to the risk data.
In the above scheme, the establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model includes:
obtaining a current gray value corresponding to the current user behavior data according to a preset multi-vector comprehensive algorithm;
determining a behavior risk result of the current user behavior data according to the current gray value and the preset risk model;
and establishing the risk characteristic behavior set corresponding to the first application according to the behavior risk result.
In the foregoing solution, before establishing the risk feature behavior set corresponding to the first application according to the user behavior data and a preset risk model, the method for establishing the preset risk model includes:
obtaining a first gray value interval corresponding to a positive sample and a second gray value interval corresponding to a negative sample according to existing historical behavior data, a preset training model and a preset multi-vector comprehensive algorithm; wherein the positive sample is a behavior data sample without risk in the historical behavior data, and the negative sample is a behavior data sample with risk in the historical behavior data;
determining the corresponding relation between the risk and the gray value according to the first gray value interval corresponding to the positive sample and the second gray value interval corresponding to the negative sample;
and establishing the preset risk model according to the corresponding relation between the risk and the gray value.
In the above scheme, the determining, according to the risk feature vector set, the risk feature data set, and the risk feature behavior set, the risk of the first application based on a multi-dimensional polymorphism includes:
determining a multi-dimensional polymorphic risk characteristic mapping relation corresponding to the first application according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set;
establishing a risk judgment rule corresponding to the first application according to the multi-dimensional polymorphic risk feature mapping relation;
and judging the risk of the first application based on the multi-dimensional polymorphism according to the risk judgment rule.
In the above scheme, the file type of the preset application code includes: configuration files, code files, resource files.
The embodiment of the invention provides a server, which comprises an establishing unit and a judging unit,
the establishing unit is used for acquiring an application code corresponding to a first application on a terminal, and establishing a risk characteristic vector set between different file types corresponding to the first application according to the application code and a file type of a preset application code; when the first application is in a running state, obtaining running data of the first application, and establishing a risk characteristic data set corresponding to the first application according to the running data and a preset boundary strategy; the preset boundary strategy is used for judging risk characteristic data; acquiring current user behavior data acting on the first application, and establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model; wherein the preset risk model is used for determining the risk characteristic behavior;
the judging unit is used for judging the risk of the first application based on the multi-dimensional polymorphism according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set.
In the foregoing solution, the establishing unit is specifically configured to extract an application sample of the first application, and obtain the application code of the application sample; extracting each risk characteristic vector from application codes corresponding to different file types; and establishing the risk characteristic vector set according to the risk characteristic vectors.
In the above scheme, the establishing unit is further specifically configured to monitor the operation data and obtain a call parameter corresponding to the operation data; when the calling parameter does not belong to a preset calling parameter range, determining the running data corresponding to the calling parameter as the risk characteristic data; and establishing the risk characteristic data set corresponding to the first application according to the risk data.
In the above scheme, the establishing unit specifically obtains a current gray value corresponding to the current user behavior data according to a preset multi-vector comprehensive algorithm; determining a behavior risk result of the current user behavior data according to the current gray value and the preset risk model; and establishing the risk characteristic behavior set corresponding to the first application according to the behavior risk result.
In the above scheme, the server further comprises an obtaining unit and a determining unit,
the acquisition unit is used for acquiring a first gray value interval corresponding to the positive sample and a second gray value interval corresponding to the negative sample according to the existing historical behavior data, a preset training model and a preset multi-vector comprehensive algorithm; wherein the positive sample is a behavior data sample without risk in the historical behavior data, and the negative sample is a behavior data sample with risk in the historical behavior data;
the determining unit is used for determining the corresponding relation between the risk and the gray value according to the first gray value interval corresponding to the positive sample and the second gray value interval corresponding to the negative sample;
the establishing unit is further configured to establish the preset risk model according to the corresponding relationship between the risk and the gray value.
In the foregoing solution, the determining unit is specifically configured to determine a multi-dimensional polymorphic risk feature mapping relationship corresponding to the first application according to the risk feature vector set, the risk feature data set, and the risk feature behavior set; establishing a risk judgment rule corresponding to the first application according to the multi-dimensional polymorphic risk feature mapping relation; and judging the risk of the first application based on the multi-dimensional polymorphism according to the risk judgment rule.
In the above scheme, the file type of the preset application code includes: configuration files, code files, resource files.
Therefore, in the technical scheme of the embodiment of the invention, the application code corresponding to the first application on the terminal is obtained, and the risk characteristic vector set between different file types corresponding to the first application is established according to the application code and the file type of the preset application code; when the first application is in an operating state, acquiring operating data of the first application, and establishing a risk characteristic data set corresponding to the first application according to the operating data and a preset boundary strategy; the preset boundary strategy is used for judging risk characteristic data; acquiring current user behavior data acting on the first application, and establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model; the preset risk model is used for judging risk characteristic behaviors; and judging the risk of the first application based on the multi-dimensional polymorphism according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set. Therefore, the risk detection method and the server provided by the embodiment of the invention can construct the risk feature identification path and the risk decision tree by defining the risk feature mapping relation under the multi-dimensional state of the mobile application, thereby overcoming the defects of limitation and singleness when the risk detection is carried out on the mobile application; moreover, the method is simple and convenient to realize, convenient to popularize and wide in application range.
Drawings
Fig. 1 is a schematic flow chart of an implementation of a risk detection method according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart illustrating an implementation process of a risk detection method according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart illustrating an implementation of a risk detection method according to an embodiment of the present invention;
Fig. 4 is a schematic flow chart illustrating an implementation of a risk detection method according to an embodiment of the present invention;
Fig. 5 is a schematic flow chart illustrating an implementation of a risk detection method according to an embodiment of the present invention;
Fig. 6 is a schematic flow chart illustrating a sixth implementation process of a risk detection method according to an embodiment of the present invention;
Fig. 7 is a first schematic structural diagram of a server according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of a composition structure of a server according to an embodiment of the present invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
Example one
Fig. 1 is a schematic flow chart illustrating an implementation process of a risk detection method according to an embodiment of the present invention. As shown in Fig. 1, in an embodiment of the present invention, the method by which a server detects the risk of a first application on a terminal mainly includes the following steps:
Step 101: acquiring an application code corresponding to a first application on a terminal, and establishing a risk characteristic vector set between different file types corresponding to the first application according to the application code and a file type of a preset application code.
In a specific embodiment of the present invention, a server obtains an application code corresponding to a first application on a terminal, and then establishes a risk feature vector set between application codes of different file types corresponding to the first application according to the application code and a file type of a preset application code, where the first application may be a mobile application installed on the terminal; the server may be a detection device, such as a computer, capable of performing risk detection on the first application on the terminal.
Further, in a specific embodiment of the present invention, before the server acquires the application code corresponding to the first application on the terminal, the server needs to be connected to the terminal to be detected. The connection can be made in several ways, for example through a standard USB data cable, Wi-Fi or other means.
Further, in the specific embodiment of the present invention, after the server is connected to the terminal to be detected, the server may extract an installation file of the application to be detected in the terminal to be detected, that is, an installation file of the first application, and then obtain the application code corresponding to the first application by multiple means.
It should be noted that, in an embodiment of the present invention, the server may use reverse-engineering techniques to decompile and disassemble the installation file and obtain the application code corresponding to the first application.
It should be noted that, in the specific embodiment of the present invention, the application code may be a high-level language code or an assembly code.
In an embodiment of the present invention, further, the file types of the preset application code include, but are not limited to: configuration files, code files, resource files, and the like.
It should be noted that, in an embodiment of the present invention, the server obtains the application code corresponding to the first application on the terminal and establishes the set of risk feature vectors between application codes of different file types on the precondition that the first application is in a static state.
Step 102: when the first application is in an operating state, acquiring operating data of the first application, and establishing a risk characteristic data set corresponding to the first application according to the operating data and a preset boundary strategy; the preset boundary strategy is used for judging the risk characteristic data.
In a specific embodiment of the present invention, when the first application is in an operating state, the server obtains operating data of the first application, and then may establish a risk feature data set corresponding to the first application according to the operating data and a preset boundary policy; the preset boundary strategy is used for judging risk characteristic data.
Further, in the specific embodiment of the present invention, after the server obtains the running data of the first application, it may mark the running data implicitly, so that the marking is completely transparent to the first application and does not affect its normal operation; a risk feature data set corresponding to the first application may then be established from the running data and a preset boundary policy.
It should be noted that, in an embodiment of the present invention, the operation data may include operation data in the terminal and operation data in the server-side system.
Step 103: acquiring current user behavior data acting on the first application, and establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model; the preset risk model is used for judging the risk characteristic behaviors.
In a specific embodiment of the invention, when a user performs behavior operation on the first application, the server acquires current user behavior data acting on the first application, and then establishes a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model; and the preset risk model is used for judging the risk characteristic behaviors.
Step 104: judging the risk of the first application based on the multi-dimensional polymorphism according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set.
In an embodiment of the present invention, after the risk feature vector set, the risk feature data set, and the risk feature behavior set of the first application are respectively established, the server may determine, according to the risk feature vector set, the risk feature data set, and the risk feature behavior set, a risk of the first application based on the multi-dimensional polymorphism.
Further, in an embodiment of the present invention, the server establishes the risk feature vector set, which characterizes the first application in the code dimension, while the first application is in a static state, and establishes the risk feature data set, which characterizes it in the data dimension, and the risk feature behavior set, which characterizes it in the behavior dimension, while the first application is in the running state. The server can therefore use the three sets to define the mapping relationship among risk features across the code, data and behavior dimensions in both the static state and the running state. For example, for the privacy disclosure security risk, the code dimension contains the configuration of the access permission for private data, the behavior dimension contains the behavior feature data of accessing private data, and the data dimension contains the feature data of the mobile application transferring private data across the application boundary; the three jointly establish the relationship with the privacy disclosure security risk.
The method for detecting the risk, provided by the embodiment of the invention, comprises the steps of acquiring an application code corresponding to a first application on a terminal, and establishing a risk characteristic vector set between different file types corresponding to the first application according to the application code and a file type of a preset application code; when the first application is in an operating state, acquiring operating data of the first application, and establishing a risk characteristic data set corresponding to the first application according to the operating data and a preset boundary strategy; the preset boundary strategy is used for judging risk characteristic data; acquiring current user behavior data acting on the first application, and establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model; the preset risk model is used for judging risk characteristic behaviors; and judging the risk of the first application based on the multi-dimensional polymorphism according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set. Therefore, the risk detection method provided by the embodiment of the invention can construct the risk feature identification path and the risk decision tree by defining the risk feature mapping relation under the multi-dimensional state of the mobile application, thereby overcoming the defects of limitation and singleness when the risk detection is carried out on the mobile application; moreover, the method is simple and convenient to realize, convenient to popularize and wide in application range.
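The privacy disclosure mapping described above can be sketched as follows. This is an added example, not code from the patent: the record shapes, the `BOUNDARY_POLICY` table, the category tags (standing in for the implicit marks on running data), the all-three-dimensions rule and every function name are assumptions, and the sample records are constructed.

```python
import posixpath
from collections import defaultdict

# Assumed preset boundary policy: for each I/O capability, the range of call
# parameters the application is expected to use (hosts or path prefixes).
BOUNDARY_POLICY = {
    "network.send": {"hosts": {"api.example.com"}},
    "file.write": {"prefixes": ("/data/data/com.example.demo/",)},
}

# Constructed sample inputs, one list per dimension.
CODE_FEATURES = [      # static state: access permissions found in the config file
    ("access_permission", "contacts"),
    ("access_permission", "location"),
]
BEHAVIOR_EVENTS = [    # running state: user-driven accesses to private data
    {"action": "read", "category": "contacts"},
    {"action": "read", "category": "photos"},
]
RUNTIME_CALLS = [      # running state: I/O calls, tagged by the implicit mark
    {"capability": "network.send", "param": "api.example.com", "category": "contacts"},
    {"capability": "network.send", "param": "tracker.example.net", "category": "contacts"},
    {"capability": "file.write", "param": "/sdcard/export.csv", "category": "location"},
]


def within_boundary(capability, param, policy=BOUNDARY_POLICY):
    """True if the call parameter lies inside the preset range for the capability."""
    rule = policy.get(capability)
    if rule is None:
        return False  # capability missing from the policy: fail closed
    if "hosts" in rule:
        return param.lower() in rule["hosts"]
    # Normalise before the prefix test so "../" cannot step outside the range.
    path = posixpath.normpath(param)
    return any(path.startswith(prefix) for prefix in rule["prefixes"])


def risk_feature_data(calls, policy=BOUNDARY_POLICY):
    """Data dimension: running data whose call parameter is outside the range."""
    return [c for c in calls
            if not within_boundary(c["capability"], c["param"], policy)]


def map_dimensions(code_features, behavior_events, risk_data):
    """Map each private-data category to the dimensions holding evidence for it."""
    mapping = defaultdict(set)
    for item, category in code_features:
        if item == "access_permission":
            mapping[category].add("code")
    for event in behavior_events:
        mapping[event["category"]].add("behavior")
    for call in risk_data:
        mapping[call["category"]].add("data")
    return dict(mapping)


def judge_privacy_disclosure(mapping):
    """Assumed judgment rule: flag a category only when all three dimensions agree."""
    required = {"code", "behavior", "data"}
    return {category: dims >= required for category, dims in mapping.items()}


def detect(code_features=CODE_FEATURES, behavior_events=BEHAVIOR_EVENTS,
           runtime_calls=RUNTIME_CALLS):
    """Run the three dimensions through the mapping and the judgment rule."""
    risk_data = risk_feature_data(runtime_calls)
    mapping = map_dimensions(code_features, behavior_events, risk_data)
    return judge_privacy_disclosure(mapping)


if __name__ == "__main__":
    for category, risky in sorted(detect().items()):
        print(category, "privacy disclosure risk" if risky else "no joint evidence")
```

Only `contacts` is flagged: `location` has a permission and an out-of-range write but no access behavior, and `photos` has behavior evidence alone.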
Example two
Based on the first embodiment, Fig. 2 is a schematic flow chart illustrating an implementation process of a risk detection method according to an embodiment of the present invention. As shown in Fig. 2, in a specific embodiment of the present invention, the method by which a server establishes a risk feature vector set between different file types corresponding to a first application on a terminal mainly includes the following steps:
Step 101a: extracting an application sample of the first application, and obtaining an application code of the application sample.
In a specific embodiment of the present invention, the server may extract an application sample of the first application and then obtain the application code of the application sample.
Further, in the specific embodiment of the present invention, after the server is connected to the terminal to be detected, the server may extract an installation file of the application to be detected in the terminal to be detected, that is, an installation file of the first application, and then, by using a reverse technique, perform decompiling and disassembling to obtain a high-level language code or an assembly code corresponding to the first application, that is, an application code corresponding to the first application.
Step 101b: extracting each risk characteristic vector from the application codes corresponding to different file types.
In a specific embodiment of the present invention, after extracting the application sample of the first application and obtaining the application code of the application sample, the server may extract each risk feature vector from the application codes corresponding to different file types. The file types of the application code include, but are not limited to: configuration files, code files, resource files, and the like.
Further, in embodiments of the present invention, the server may audit the configuration file to identify and extract the feature vectors of known risks. Specifically, the server performs a configuration rationality audit on the configuration items in the configuration file, checking the security configuration items of each component, the data backup switch, the debug switch, each sensitive permission and the like, and determines whether a security risk exists.
Further, in the specific embodiment of the present invention, the server may further audit the resource file, identify and extract various feature vectors of known risks; the server may also review the code files, identify and extract various types of feature vectors for known risks.
Step 101c: establishing a risk characteristic vector set corresponding to the first application according to each risk characteristic vector.
In an embodiment of the present invention, after extracting each risk feature vector from the application codes corresponding to different file types, the server may establish a risk feature vector set corresponding to the first application according to each risk feature vector.
Further, in an embodiment of the present invention, the server may construct the vector relationships among the risk feature vectors and form the risk feature vector set that characterizes the first application in the code dimension. Specifically, for the intrinsic association relationships among the different feature indicators in each inspected area of the code dimension (configuration files, resource files and code files), a vector representation consisting of feature items and feature values is established, forming a vector relationship that describes the feature data, that is, the vector relationship among the feature indicators of the different dimensions within the mobile application code.
In summary, in the embodiment of the present invention, through the above steps 101a to 101c, the server may extract the application sample of the first application, obtain the application code of the application sample, extract each risk feature vector from the application codes corresponding to different file types, and finally establish the risk feature vector set corresponding to the first application according to each risk feature vector.
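The configuration rationality audit described above, as an added example that is not part of the patent: it assumes the first application is an Android app whose AndroidManifest.xml has already been decoded to text, and it emits each finding as a (feature item, feature value) pair. The feature item names, the list of sensitive permissions and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Assumed (illustrative) list of permissions treated as sensitive.
SENSITIVE_PERMISSIONS = frozenset({
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
})

# Constructed sample: a decoded (text) AndroidManifest.xml.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService">
      <intent-filter>
        <action android:name="com.example.demo.SYNC"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".DataProvider" android:exported="true"
              android:permission="com.example.demo.READ_DATA"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(component):
    """A launcher entry point has to be exported, so it is not reported."""
    return any(_attr(action, "name") == "android.intent.action.MAIN"
               for action in component.iter("action"))


def _is_exported(tag, component):
    exported = _attr(component, "exported")
    if exported is not None:
        return exported == "true"
    # Attribute absent: before Android 12, an activity, service or receiver
    # that declares an intent-filter was exported by default.
    return tag != "provider" and component.find("intent-filter") is not None


def extract_config_features(manifest_xml):
    """Return risk feature vectors as (feature item, feature value) pairs."""
    root = ET.fromstring(manifest_xml.strip())
    features = []
    app = root.find("application")
    if app is not None:
        if _attr(app, "debuggable") == "true":
            features.append(("debug_switch", "on"))
        # android:allowBackup defaults to true when it is not declared.
        if _attr(app, "allowBackup") != "false":
            features.append(("backup_switch", "on"))
        for tag in COMPONENT_TAGS:
            for comp in app.findall(tag):
                if _is_launcher(comp) or not _is_exported(tag, comp):
                    continue
                if _attr(comp, "permission") is None:
                    features.append(("unprotected_exported_component",
                                     f"{tag}:{_attr(comp, 'name')}"))
    for perm in root.findall("uses-permission"):
        name = _attr(perm, "name")
        if name in SENSITIVE_PERMISSIONS:
            features.append(("sensitive_permission", name))
    return features


if __name__ == "__main__":
    for item, value in extract_config_features(SAMPLE_MANIFEST):
        print(f"{item:32} {value}")
```

The backup switch is reported even though the sample never declares it, because an undeclared `android:allowBackup` is treated as enabled.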
Example three
Based on the first embodiment, Fig. 3 is a schematic flow chart of an implementation of a risk detection method according to an embodiment of the present invention. As shown in Fig. 3, in a specific embodiment of the present invention, the method by which the server establishes the risk feature data set corresponding to the first application on the terminal mainly includes the following steps:
Step 102a, monitoring the operation data, and obtaining a calling parameter corresponding to the operation data.
In a specific embodiment of the present invention, after the operation data of the first application is acquired, the server monitors the operation data and obtains the call parameter corresponding to the operation data. The call parameters may cover all I/O capabilities of the running environment that the first application can call while it is in the running state.
It should be noted that, in the embodiment of the present invention, the various behaviors of the mobile application in the running state are in essence I/O calls to the capabilities of its running environment. By managing and controlling these I/O capabilities, the data exchange of the mobile application can be managed and controlled, which forms a data boundary barrier. When the mobile application attempts to transfer data out of the application, the attempt can be monitored by the hypervisor.
Step 102b, when the calling parameter does not belong to the preset calling parameter range, determining the running data corresponding to the calling parameter as risk data.
In a specific embodiment of the present invention, after obtaining the call parameter corresponding to the running data, the server may determine the running data according to the call parameter, and specifically, when the call parameter does not belong to a preset call parameter range, the server determines the running data corresponding to the call parameter as risk data.
Further, in particular embodiments of the present invention, the server may establish management and control over all I/O calls through which the first application attempts to pass data outside the application boundary; for example, the server monitors file writes, short message sending, and data sent to a remote end over the network.
Further, in particular embodiments of the present invention, when implicitly marked operation data attempts to leak outside the first application boundary by invoking a managed I/O capability across that boundary, the server triggers a boundary violation event and identifies the operation data as risk data of the first application.
Step 102c, establishing a risk characteristic data set corresponding to the first application according to the risk data.
In an embodiment of the present invention, after determining the risk data of the first application, the server may establish a risk feature data set corresponding to the first application according to the risk data.
In summary, in the specific embodiment of the present invention, through the steps 102a to 102c, the server may obtain the call parameter corresponding to the operation data by monitoring the operation data, and if the call parameter does not belong to the preset call parameter range, the server determines the operation data corresponding to the call parameter as the risk data, and then establishes the risk feature data set corresponding to the first application according to the risk data.
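Steps 102a to 102c as an added example, not code from the patent: monitored I/O calls are checked against a preset call parameter range, anything outside it becomes risk data, and implicitly marked data that leaves through a managed call is recorded as a boundary violation event. The policy values, capability names and sample calls are constructed assumptions.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class IOCall:
    capability: str       # managed I/O capability that was invoked
    parameter: str        # call parameter: path, phone number or host
    data_id: str          # label of the running data passed to the call
    marked: bool = False  # True if the data carries the implicit mark


# Constructed preset boundary policy (assumed values).
APP_PRIVATE_DIR = "/data/data/com.example.demo"
ALLOWED_HOSTS = frozenset({"api.example.com"})


def _file_in_range(path):
    # Normalise first so "../" sequences cannot walk out of the private dir.
    norm = posixpath.normpath(path)
    return norm == APP_PRIVATE_DIR or norm.startswith(APP_PRIVATE_DIR + "/")


def _host_in_range(host):
    return host.lower().rstrip(".") in ALLOWED_HOSTS


PRESET_RANGE = {
    "file_write": _file_in_range,
    "net_send": _host_in_range,
    "sms_send": lambda number: False,  # no SMS destination is in range
}


def in_preset_range(call):
    """Default deny: a capability without a policy entry is out of range."""
    check = PRESET_RANGE.get(call.capability)
    return check is not None and check(call.parameter)


def build_risk_feature_data_set(calls):
    """Collect the running data whose call parameter is out of range."""
    risk_set = []
    for call in calls:
        if in_preset_range(call):
            continue
        risk_set.append({
            "data_id": call.data_id,
            "capability": call.capability,
            "parameter": call.parameter,
            # Marked data leaving through a managed call is a violation event.
            "boundary_violation": call.marked,
        })
    return risk_set


# Constructed sample of monitored I/O calls.
SAMPLE_CALLS = [
    IOCall("file_write", "/data/data/com.example.demo/files/cache.db", "cache"),
    IOCall("file_write",
           "/data/data/com.example.demo/../../../sdcard/contacts.csv",
           "contacts", marked=True),
    IOCall("net_send", "API.example.com", "telemetry"),
    IOCall("net_send", "collector.example.net", "device_id", marked=True),
    IOCall("sms_send", "+10000000000", "otp"),
    IOCall("clipboard_write", "text/plain", "note"),
]

if __name__ == "__main__":
    for entry in build_risk_feature_data_set(SAMPLE_CALLS):
        print(entry)
```

The second sample call starts inside the private directory but resolves to `/sdcard/contacts.csv`, which is why the path is normalised before the range check.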
Example four
Based on the first embodiment, Fig. 4 is a schematic flow chart of an implementation process of a risk detection method provided by the embodiment of the present invention. As shown in Fig. 4, in a specific embodiment of the present invention, the method by which the server establishes the risk feature behavior set corresponding to the first application on the terminal mainly includes the following steps:
Step 103a, obtaining a current gray value corresponding to the current user behavior data according to a preset multi-vector comprehensive algorithm.
In a specific embodiment of the present invention, after obtaining the current user behavior data acting on the first application, the server may obtain a current gray value corresponding to the current user behavior data according to a preset multi-vector comprehensive algorithm.
Further, in an embodiment of the present invention, when the server calculates the current gray value corresponding to the current user behavior data according to the multi-vector comprehensive algorithm, the server calculates the current gray value by a multi-vector weighted average method.
It should be noted that, in the specific embodiment of the present invention, when the server calculates the current gray value by the multi-vector weighted average method, the multiple vectors may be the vectors of the different user behavior data of the behavior dimension; the weight of each vector is determined by the risk impact of the behavior data that the vector represents: high-risk behavior data corresponds to a larger weight, and otherwise the weight is smaller.
Step 103b, determining a behavior risk result of the current user behavior data according to the current gray value and a preset risk model.
In a specific embodiment of the present invention, after obtaining the current gray value corresponding to the current user behavior data, the server may determine the behavior risk result of the current user behavior data according to the current gray value and the preset risk model.
Further, in an embodiment of the present invention, the preset risk model may be a model with high accuracy obtained by calculating a gray value of data generated by historical behaviors, performing machine learning, and then training with a positive sample (no risk) or a negative sample (at risk). Specifically, the model may be a mapping relationship between a risk feature and a behavior feature, or a mapping relationship between a gray value interval and a risk feature, where the gray value interval corresponding to the positive sample is a first gray value interval, and the gray value interval corresponding to the negative sample is a second gray value interval.
Further, in a specific embodiment of the present invention, if the current gray value is within the first gray value interval, the behavior risk result of the current user behavior data is judged to be low; if the current gray value is within the second gray value interval, the behavior risk result of the current user behavior data is judged to be high; otherwise, the current gray value is in neither the first gray value interval nor the second gray value interval, and the server needs to use the feature data of other dimensions to assist in further judgment.
Step 103c, establishing a risk characteristic behavior set corresponding to the first application according to the behavior risk result.
In a specific embodiment of the present invention, after determining a behavior risk result of current user behavior data according to a current gray value and a preset risk model, a server may establish a risk feature behavior set corresponding to a first application according to the behavior risk result.
In summary, in the specific embodiment of the present invention, through the steps 103a to 103c, the server may obtain the current gray value corresponding to the current user behavior data according to the preset multi-vector comprehensive algorithm, then determine the behavior risk result of the current user behavior data according to the current gray value and the preset risk model, and establish the risk characteristic behavior set corresponding to the first application.
Example five
Based on the first embodiment, Fig. 5 is a schematic flow chart of an implementation process of the risk detection method provided by the embodiment of the present invention. As shown in Fig. 5, in a specific embodiment of the present invention, the method by which the server establishes the preset risk model mainly includes the following steps:
Step 201, obtaining a first gray value interval corresponding to a positive sample and a second gray value interval corresponding to a negative sample according to existing historical behavior data, a preset training model and a preset multi-vector comprehensive algorithm.
In a specific embodiment of the present invention, the server may obtain a first gray value interval corresponding to the positive sample and a second gray value interval corresponding to the negative sample according to the existing historical behavior data, the preset training model and the preset multi-vector comprehensive algorithm. The positive samples are behavior data samples without risks in historical behavior data, and the negative samples are behavior data samples with risks in the historical behavior data.
Step 202, determining a corresponding relation between the risk and the gray value according to the positive sample and the first gray value interval corresponding to the positive sample, and the negative sample and the second gray value interval corresponding to the negative sample.
In a specific embodiment of the present invention, after obtaining the first gray value interval corresponding to the positive sample and the second gray value interval corresponding to the negative sample, the server may determine the correspondence between the risk and the gray value according to the positive sample and its first gray value interval, and the negative sample and its second gray value interval.
Further, in a specific embodiment of the present invention, the gray values corresponding to the risk-free behavior data in the historical behavior data may be assigned to the first gray value interval, and the gray values corresponding to the behavior data with risk in the historical behavior data may be assigned to the second gray value interval, so as to determine the correspondence between the risk and the gray value.
Step 203, establishing a preset risk model according to the corresponding relation between the risk and the gray value.
In a specific embodiment of the present invention, after determining the corresponding relationship between the risk and the gray scale value, the server may establish a preset risk model according to the corresponding relationship between the risk and the gray scale value.
Further, in an embodiment of the present invention, when the gray value corresponding to a piece of behavior data in the historical behavior data belongs to neither the first gray value interval nor the second gray value interval, that gray value may be assigned to a third gray value interval.
Further, in an embodiment of the present invention, the server may establish the preset risk model according to the first gray scale interval and the behavior data corresponding to the first gray scale interval, the second gray scale interval and the behavior data corresponding to the second gray scale interval, and the third gray scale interval and the behavior data corresponding to the third gray scale interval.
Therefore, the risk detection method provided by the embodiment of the invention can construct the risk feature identification path and the risk decision tree by defining the risk feature mapping relation under the multi-dimensional state of the mobile application, thereby overcoming the defects of limitation and singleness when the risk detection is carried out on the mobile application; moreover, the method is simple and convenient to realize, convenient to popularize and wide in application range.
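Steps 103a to 103c and 201 to 203 together, as an added example that is not the patent's own implementation: a weighted-average gray value, two intervals derived from labelled history, and a three-way decision. The weights, vector names and sample data are constructed; taking the minimum and maximum gray value of each class stands in for the unspecified preset training model, and a gray value that falls in both intervals is treated like the third interval.

```python
from dataclasses import dataclass

# Assumed weights: vectors with higher risk impact get larger weights.
WEIGHTS = {"privacy_reads": 0.5, "failed_auth": 0.3, "off_hours_use": 0.2}


def gray_value(behavior):
    """Multi-vector weighted average; each score is assumed to lie in [0, 1]."""
    total = sum(WEIGHTS.values())
    return sum(w * behavior.get(name, 0.0) for name, w in WEIGHTS.items()) / total


@dataclass(frozen=True)
class RiskModel:
    first: tuple   # (low, high) gray values of positive (risk-free) samples
    second: tuple  # (low, high) gray values of negative (risky) samples

    def classify(self, gray):
        in_first = self.first[0] <= gray <= self.first[1]
        in_second = self.second[0] <= gray <= self.second[1]
        if in_first and not in_second:
            return "low"
        if in_second and not in_first:
            return "high"
        # Neither interval (third interval) or an overlap of both:
        # the other dimensions have to assist the judgment.
        return "undetermined"


def build_model(history):
    """history: iterable of (behavior dict, is_risky) pairs."""
    positive = [gray_value(b) for b, risky in history if not risky]
    negative = [gray_value(b) for b, risky in history if risky]
    if not positive or not negative:
        raise ValueError("need at least one positive and one negative sample")
    return RiskModel((min(positive), max(positive)),
                     (min(negative), max(negative)))


def build_risk_feature_behavior_set(model, current):
    """Keep every current behavior whose result is not 'low'."""
    results = ((name, model.classify(gray_value(b))) for name, b in current.items())
    return [(name, result) for name, result in results if result != "low"]


# Constructed historical behavior data: (vector scores, is_risky).
HISTORY = [
    ({"privacy_reads": 0.0, "failed_auth": 0.1, "off_hours_use": 0.0}, False),
    ({"privacy_reads": 0.2, "failed_auth": 0.0, "off_hours_use": 0.5}, False),
    ({"privacy_reads": 0.3, "failed_auth": 0.2, "off_hours_use": 0.0}, False),
    ({"privacy_reads": 0.9, "failed_auth": 0.8, "off_hours_use": 1.0}, True),
    ({"privacy_reads": 0.8, "failed_auth": 0.5, "off_hours_use": 0.0}, True),
    ({"privacy_reads": 1.0, "failed_auth": 1.0, "off_hours_use": 0.5}, True),
]

# Constructed current user behavior data, keyed by a session label.
CURRENT_BEHAVIOR = {
    "session_x": {"privacy_reads": 0.1, "failed_auth": 0.0, "off_hours_use": 0.2},
    "session_y": {"privacy_reads": 0.9, "failed_auth": 0.9, "off_hours_use": 0.0},
    "session_z": {"privacy_reads": 0.5, "failed_auth": 0.3, "off_hours_use": 0.5},
}

if __name__ == "__main__":
    model = build_model(HISTORY)
    print(model)
    print(build_risk_feature_behavior_set(model, CURRENT_BEHAVIOR))
```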
Example six
Based on the first embodiment, Fig. 6 is a sixth schematic flow chart illustrating an implementation process of a risk detection method according to an embodiment of the present invention. As shown in Fig. 6, in a specific embodiment of the present invention, the method by which the server judges the risk of the first application on the terminal based on the multi-dimensional polymorphism mainly includes the following steps:
Step 104a, determining a multi-dimensional polymorphic risk characteristic mapping relation corresponding to the first application according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set.
In a specific embodiment of the present invention, after the risk feature vector set, the risk feature data set, and the risk feature behavior set of the first application are respectively established, the server may determine the multi-dimensional polymorphic risk feature mapping relationship corresponding to the first application according to the risk feature vector set, the risk feature data set, and the risk feature behavior set.
Further, in an embodiment of the present invention, the server may establish, according to the risk feature vector set, the risk feature data set, and the risk feature behavior set, a mapping relationship of the risk features among the code dimension, the data dimension, and the behavior dimension in the static state and the running state. For example, for the privacy disclosure security risk, the code dimension has the configuration of the privacy data access permission, the behavior dimension has the behavior feature data of accessing the privacy data, and the data dimension has the feature data of the mobile application transferring the privacy data across the application boundary; the three jointly establish the mapping relationship with the privacy disclosure security risk.
Step 104b, establishing a risk judgment rule corresponding to the first application according to the multi-dimensional multi-state risk characteristic mapping relation.
In a specific embodiment of the present invention, after determining the multi-dimensional polymorphic risk feature mapping relationship corresponding to the first application, the server may establish a risk judgment rule corresponding to the first application according to the multi-dimensional polymorphic risk feature mapping relationship, where the risk judgment rule corresponding to the first application may be an identification path and a corresponding decision tree for performing risk judgment on each risk feature.
Step 104c, judging the risk of the first application based on the multi-dimensional polymorphism according to the risk judgment rule.
In a specific embodiment of the present invention, after establishing the risk judgment rule corresponding to the first application according to the multi-dimensional polymorphic risk feature mapping relationship, the server may judge the risk of the first application based on the multi-dimensional polymorphism according to the risk judgment rule.
Further, in the specific embodiment of the present invention, when the risk determination is performed on the first application, the risk characteristics of each dimension corresponding to the first application may be comprehensively analyzed according to the risk determination rule.
In summary, in the embodiment of the present invention, through the above steps 104a to 104c, the server may determine the multi-dimensional polymorphic risk feature mapping relationship corresponding to the first application according to the risk feature vector set, the risk feature data set, and the risk feature behavior set, then establish the risk judgment rule corresponding to the first application according to the multi-dimensional polymorphic risk feature mapping relationship, and finally judge the risk of the first application based on the multi-dimensional polymorphism according to the risk judgment rule.
Example seven
Fig. 7 is a schematic diagram of a composition structure of a server according to an embodiment of the present invention. As shown in Fig. 7, in an embodiment of the present invention, a server 1 for performing risk detection on a first application on a terminal includes an establishing unit 11 and a judging unit 12, wherein,
the establishing unit 11 is configured to acquire an application code corresponding to a first application on a terminal, and establish a risk feature vector set between different file types corresponding to the first application according to the application code and a file type of a preset application code; when the first application is in an operating state, acquiring operating data of the first application, and establishing a risk characteristic data set corresponding to the first application according to the operating data and a preset boundary strategy; the preset boundary strategy is used for judging risk characteristic data; acquiring current user behavior data acting on the first application, and establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model; and the preset risk model is used for judging the risk characteristic behaviors.
And the judging unit 12 is used for judging the risk of the first application based on the multi-dimensional polymorphism according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set.
In an embodiment of the present invention, further, the establishing unit 11 is specifically configured to extract an application sample of the first application, and obtain an application code of the application sample; extracting each risk characteristic vector from application codes corresponding to different file types; and establishing a risk characteristic vector set according to the risk characteristic vectors.
In a specific embodiment of the present invention, further, the establishing unit 11 is further specifically configured to monitor the operation data, and obtain a call parameter corresponding to the operation data; when the calling parameter does not belong to the preset calling parameter range, determining the running data corresponding to the calling parameter as risk characteristic data; and establishing a risk characteristic data set corresponding to the first application according to the risk data.
In a specific embodiment of the present invention, further, the establishing unit 11 is specifically further configured to obtain a current gray value corresponding to current user behavior data according to a preset multi-vector comprehensive algorithm; determining a behavior risk result of the current user behavior data according to the current gray value and a preset risk model; and establishing a risk characteristic behavior set corresponding to the first application according to the behavior risk result.
Based on Fig. 7, Fig. 8 is a schematic diagram of a second configuration of the server according to the embodiment of the present invention. As shown in Fig. 8, in the embodiment of the present invention, the server 1 further includes an acquiring unit 13 and a determining unit 14, wherein,
the acquiring unit 13 is configured to acquire a first gray value interval corresponding to the positive sample and a second gray value interval corresponding to the negative sample according to existing historical behavior data, a preset training model and a preset multi-vector comprehensive algorithm; wherein, the positive sample is the behavior data sample without risk in the historical behavior data, and the negative sample is the behavior data sample with risk in the historical behavior data.
The determining unit 14 is configured to determine a corresponding relationship between the risk and the gray value according to the first gray value interval corresponding to the positive sample and the positive sample, and the second gray value interval corresponding to the negative sample and the negative sample.
The establishing unit 11 is further configured to establish a preset risk model according to the corresponding relationship between the risk and the gray value.
In a specific embodiment of the present invention, further, the judging unit is specifically configured to determine a multi-dimensional polymorphic risk feature mapping relationship corresponding to the first application according to the risk feature vector set, the risk feature data set, and the risk feature behavior set; establish a risk judgment rule corresponding to the first application according to the multi-dimensional polymorphic risk feature mapping relationship; and judge the risk of the first application based on the multi-dimensional polymorphism according to the risk judgment rule.
The establishing unit 11, the judging unit 12, the acquiring unit 13 and the determining unit 14 provided by the embodiment of the present invention may be implemented as program code executed by a processor in the mobile terminal to perform the corresponding functions; of course, they may also be implemented by specific logic circuits. In a particular embodiment, the processor may be a Central Processing Unit (CPU), a Microprocessor (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or the like. The server further includes a memory, which may be a memory device with a physical form, such as a memory bank or a TF card, or a circuit with a memory function, such as a Random Access Memory (RAM), a FIFO memory and the like.
The server provided by the embodiment of the invention acquires an application code corresponding to a first application on a terminal, and establishes a risk characteristic vector set between different file types corresponding to the first application according to the application code and a file type of a preset application code; when the first application is in an operating state, acquiring operating data of the first application, and establishing a risk characteristic data set corresponding to the first application according to the operating data and a preset boundary strategy; the preset boundary strategy is used for judging risk characteristic data; acquiring current user behavior data acting on the first application, and establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model; the preset risk model is used for judging risk characteristic behaviors; and judging the risk of the first application based on the multi-dimensional polymorphism according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set. Therefore, the server provided by the embodiment of the invention can construct the risk feature identification path and the risk decision tree by defining the risk feature mapping relation of the mobile application in a multi-dimensional state, so that the defects of limitation and singleness when the risk detection is carried out on the mobile application are overcome; moreover, the method is simple and convenient to realize, convenient to popularize and wide in application range.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (13)

1. A method of risk detection, the method comprising:
acquiring an application code corresponding to a first application on a terminal, and extracting each risk characteristic vector from the application codes corresponding to different file types;
establishing a risk characteristic vector set corresponding to the first application according to the risk characteristic vectors;
when the first application is in a running state, obtaining running data of the first application, monitoring the running data, and obtaining a calling parameter corresponding to the running data;
when the calling parameter does not belong to a preset calling parameter range, determining the running data corresponding to the calling parameter as risk data;
establishing the risk characteristic data set corresponding to the first application according to the risk data;
acquiring current user behavior data acting on the first application, and establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model; the preset risk model is used for judging risk characteristic behaviors;
and judging the risk of the first application based on the multi-dimensional polymorphism according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set.
2. The method of claim 1, wherein the obtaining an application code corresponding to a first application on a terminal comprises:
extracting an application sample of the first application, and obtaining the application code of the application sample.
3. The method according to claim 1, wherein the establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model comprises:
obtaining a current gray value corresponding to the current user behavior data according to a preset multi-vector comprehensive algorithm;
determining a behavior risk result of the current user behavior data according to the current gray value and the preset risk model;
and establishing the risk characteristic behavior set corresponding to the first application according to the behavior risk result.
4. The method according to claim 1, wherein before establishing the risk feature behavior set corresponding to the first application according to the current user behavior data and a preset risk model, the method for establishing the preset risk model comprises:
obtaining a first gray value interval corresponding to a positive sample and a second gray value interval corresponding to a negative sample according to existing historical behavior data, a preset training model and a preset multi-vector comprehensive algorithm; wherein the positive sample is a behavior data sample without risk in the historical behavior data, and the negative sample is a behavior data sample with risk in the historical behavior data;
determining the corresponding relation between the risk and the gray value according to the positive sample and the first gray value interval corresponding to the positive sample, and the negative sample and the second gray value interval corresponding to the negative sample;
and establishing a preset risk model according to the first gray value interval and the behavior data corresponding to the first gray value interval, the second gray value interval and the behavior data corresponding to the second gray value interval, and the third gray value interval and the behavior data corresponding to the third gray value interval.
5. The method of claim 1, wherein the judging the risk of the first application based on the multi-dimensional polymorphism according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set comprises:
determining a multi-dimensional polymorphic risk characteristic mapping relation corresponding to the first application according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set;
establishing a risk judgment rule corresponding to the first application according to the multi-dimensional polymorphic risk feature mapping relation;
and judging the risk of the first application based on the multi-dimensional polymorphism according to the risk judgment rule.
6. The method of claim 1, wherein the file type comprises: configuration files, code files, resource files.
7. A server, characterized in that the server comprises an establishing unit and a judging unit,
the establishing unit is used for acquiring an application code corresponding to a first application on the terminal and extracting each risk characteristic vector from the application codes corresponding to different file types; establishing a risk characteristic vector set corresponding to the first application according to the risk characteristic vectors; when the first application is in a running state, obtaining running data of the first application, monitoring the running data, and obtaining a calling parameter corresponding to the running data; when the calling parameter does not belong to a preset calling parameter range, determining the running data corresponding to the calling parameter as risk data; establishing the risk characteristic data set corresponding to the first application according to the risk data; acquiring current user behavior data acting on the first application, and establishing a risk characteristic behavior set corresponding to the first application according to the current user behavior data and a preset risk model; wherein the preset risk model is used for determining the risk characteristic behavior;
the judging unit is used for judging the risk of the first application based on the multi-dimensional polymorphism according to the risk characteristic vector set, the risk characteristic data set and the risk characteristic behavior set.
8. The server according to claim 7, wherein the establishing unit is specifically configured to extract an application sample of the first application and obtain the application code of the application sample; extracting each risk characteristic vector from application codes corresponding to different file types; and establishing the risk characteristic vector set according to the risk characteristic vectors.
9. The server according to claim 7, wherein the establishing unit is further configured to monitor the operation data, and obtain a call parameter corresponding to the operation data; when the calling parameter does not belong to a preset calling parameter range, determining the running data corresponding to the calling parameter as the risk characteristic data; and establishing the risk characteristic data set corresponding to the first application according to the risk data.
10. The server according to claim 7, wherein the establishing unit is further configured to obtain a current gray value corresponding to the current user behavior data according to a preset multi-vector comprehensive algorithm; determining a behavior risk result of the current user behavior data according to the current gray value and the preset risk model; and establishing the risk characteristic behavior set corresponding to the first application according to the behavior risk result.
11. The server according to claim 7, wherein the server further comprises an acquisition unit and a determination unit,
the acquisition unit is used for acquiring a first gray value interval corresponding to the positive sample and a second gray value interval corresponding to the negative sample according to the existing historical behavior data, a preset training model and a preset multi-vector comprehensive algorithm; wherein the positive sample is a behavior data sample without risk in the historical behavior data, and the negative sample is a behavior data sample with risk in the historical behavior data;
the determination unit is used for determining the corresponding relation between the risk and the gray value according to the first gray value interval corresponding to the positive sample and the second gray value interval corresponding to the negative sample;
the establishing unit is further configured to establish a preset risk model according to the first gray value interval and the behavior data corresponding to the first gray value interval, the second gray value interval and the behavior data corresponding to the second gray value interval, and the third gray value interval and the behavior data corresponding to the third gray value interval.
12. The server according to claim 7, wherein the determining unit is specifically configured to determine a multi-dimensional polymorphic risk feature mapping relationship corresponding to the first application according to the risk feature vector set, the risk feature data set, and the risk feature behavior set; establishing a risk judgment rule corresponding to the first application according to the multi-dimensional polymorphic risk feature mapping relation; and judging the risk of the first application based on the multi-dimensional polymorphism according to the risk judgment rule.
13. The server according to claim 7, wherein the file types include: configuration files, code files, resource files.
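The run-time and behaviour dimensions of claims 9 to 12, sketched in Python as an added example that is not part of the patent text. The parameter ranges, the weighted-mean gray value (standing in for the unspecified multi-vector comprehensive algorithm), the "undetermined" label for gray values outside both learned intervals, and the any-dimension judgment rule are all assumptions; the static risk feature vector set is taken as an input.

```python
from dataclasses import dataclass

# Constructed preset calling-parameter ranges and behaviour weights (assumed names and values).
PRESET_RANGES = {"send_sms.count": (0, 5), "net_upload.bytes": (0, 1_000_000)}
WEIGHTS = {"night": 1.0, "pay_rate": 2.0, "new_dev": 1.0}

@dataclass(frozen=True)
class CallRecord:
    api: str      # monitored call and parameter
    value: float  # observed calling parameter

def risk_data_set(records):
    """Running data whose calling parameter falls outside its preset range."""
    out = []
    for r in records:
        lo, hi = PRESET_RANGES.get(r.api, (1, 0))  # unknown call: empty range, always flagged
        if not lo <= r.value <= hi:
            out.append(r)
    return out

def gray_value(features, weights=WEIGHTS):
    """Assumed stand-in for the multi-vector algorithm: weighted mean mapped to 0..255."""
    clipped = (weights[k] * min(max(features.get(k, 0.0), 0.0), 1.0) for k in weights)
    return round(255 * sum(clipped) / sum(weights.values()))

def _span(samples):
    grays = [gray_value(s) for s in samples]
    return min(grays), max(grays)

def build_risk_model(positive, negative):
    """Gray value intervals learned from no-risk (positive) and risky (negative) history."""
    return {"no_risk": _span(positive), "risk": _span(negative)}

def behaviour_risk(model, gray):
    if model["risk"][0] <= gray <= model["risk"][1]:
        return "risk"  # checked first so overlapping intervals fail closed
    if model["no_risk"][0] <= gray <= model["no_risk"][1]:
        return "no_risk"
    return "undetermined"

def judge(vector_set, data_set, behaviour_set):
    """Assumed judgment rule: the application is risky if any dimension's risk set is non-empty."""
    dims = {"code": vector_set, "runtime": data_set, "behaviour": behaviour_set}
    hits = sorted(name for name, items in dims.items() if items)
    return {"risky": bool(hits), "dimensions": hits}

# Constructed historical behaviour samples (positive = no risk, negative = risk).
POSITIVE = [{"night": 0.1, "pay_rate": 0.0, "new_dev": 0.0}, {"night": 0.3, "pay_rate": 0.1, "new_dev": 0.0}]
NEGATIVE = [{"night": 0.9, "pay_rate": 0.8, "new_dev": 1.0}, {"night": 0.6, "pay_rate": 0.9, "new_dev": 1.0}]
MODEL = build_risk_model(POSITIVE, NEGATIVE)
```

Checking the risk interval before the no-risk interval matters when the two learned intervals overlap: a behaviour that could be either is then reported as risky rather than cleared.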
CN201710104591.0A 2017-02-24 2017-02-24 Method for detecting risk and server Active CN108509796B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710104591.0A CN108509796B (en) 2017-02-24 2017-02-24 Method for detecting risk and server

Publications (2)

Publication Number Publication Date
CN108509796A (en) 2018-09-07
CN108509796B (en) 2022-02-11

Family

ID=63372755

Country Status (1)

Country Link
CN (1) CN108509796B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110390198B (en) * 2019-07-31 2023-09-29 创新先进技术有限公司 Risk inspection method and device for small program and electronic equipment
CN113254932B (en) * 2021-06-16 2024-02-27 百度在线网络技术(北京)有限公司 Application risk detection method and device, electronic equipment and medium
CN113934632A (en) * 2021-10-14 2022-01-14 上海哔哩哔哩科技有限公司 Code detection method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103927483A (en) * 2014-04-04 2014-07-16 西安电子科技大学 Decision model used for detecting malicious programs and detecting method of malicious programs
CN104376258A (en) * 2014-11-20 2015-02-25 工业和信息化部电信研究院 Safety risk detecting method and device for Android application program
CN104866763A (en) * 2015-05-28 2015-08-26 天津大学 Permission-based Android malicious software hybrid detection method
CN105205396A (en) * 2015-10-15 2015-12-30 上海交通大学 Detecting system for Android malicious code based on deep learning and method thereof
CN105893848A (en) * 2016-04-27 2016-08-24 南京邮电大学 Precaution method for Android malicious application program based on code behavior similarity matching

Also Published As

Publication number Publication date
CN108509796A (en) 2018-09-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant