CN109558304A - A kind of component liaison analysis method, device and electronic equipment - Google Patents

A kind of component liaison analysis method, device and electronic equipment Download PDF

Info

Publication number
CN109558304A
CN109558304A CN201710892309.XA CN201710892309A CN109558304A CN 109558304 A CN109558304 A CN 109558304A CN 201710892309 A CN201710892309 A CN 201710892309A CN 109558304 A CN109558304 A CN 109558304A
Authority
CN
China
Prior art keywords
related network
function
component
file
file destination
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710892309.XA
Other languages
Chinese (zh)
Other versions
CN109558304B (en
Inventor
郭燕慧
於剑波
徐国爱
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications filed Critical Beijing University of Posts and Telecommunications
Priority to CN201710892309.XA priority Critical patent/CN109558304B/en
Publication of CN109558304A publication Critical patent/CN109558304A/en
Application granted granted Critical
Publication of CN109558304B publication Critical patent/CN109558304B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3452Performance evaluation by statistical analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Evolutionary Biology (AREA)
  • Probability & Statistics with Applications (AREA)
  • Quality & Reliability (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the invention provides a kind of component liaison analysis method, device and electronic equipment, the above method includes: the Android installation kit APK file for obtaining destination application, carries out decompiling to APK file and obtains file destination;Static analysis is carried out to file destination, generates the first related network;According to the call relation of the function in file destination, the second related network is determined, obtain third related network in conjunction with the first related network and the second related network;During running the destination application, dynamic monitoring is carried out to user behavior based on third related network, obtains the 4th related network between the component of user behavior triggering.Using component liaison analysis method provided by the invention, the 4th related network between the component of user behavior triggering can be obtained, the 4th related network can reflect out the use habit of the user using application program.

Description

A kind of component liaison analysis method, device and electronic equipment
Technical field
The present invention relates to Internet technical fields, set more particularly to a kind of component liaison analysis method, device and electronics It is standby.
Background technique
Android application program is made of some scattered associated components, each component by the component function It constitutes, by function call between component, matches jointly and user's offer service is provided.With the perfect and peace of Android system mechanism Tall and erect function of application is enriched, and the demand of user also constantly complicates, and the single independent work of Android application program can not The certain demands for meeting user need the component of the Android application program and the component of other Android application programs to pass through function It calls mutually and (is alternatively referred to as associated with), the communication between realizing constitutes related network to meet the needs of users.To Android The component liaison of application program is analyzed, and the association of the association approach between the component for indicating Android application program can be obtained Network, this has the use habit for analyzing the permission of Android application program, ensureing the safety of Android system and understanding user Significance.
Existing Android component liaison analysis is usually static analysis method, in the APK (Android for obtaining application program Package, Android installation kit) after file, APK file is scanned using technological means such as morphological analysis, syntactic analyses, it is raw At the dis-assembling code of application program, the related network between the component of dis-assembling code acquisition application program is then analyzed.It is existing There is technology due to only being analyzed in code layer in face of application program itself, obtained related network can only be in objectively expression group Existing association between part, the related network can not reflect the use habit of the user using application program.
Summary of the invention
The embodiment of the present invention is designed to provide a kind of component liaison analysis method, device and electronic equipment, to obtain Related network between the component of user behavior triggering, the related network can reflect out the use of the user using application program Habit.Specific technical solution is as follows:
In a first aspect, in order to achieve the above object, it is described the embodiment of the invention discloses a kind of component liaison analysis method Method includes:
The Android installation kit APK file for obtaining destination application carries out decompiling to the APK file and obtains target text Part;
Static analysis is carried out to the file destination, generates the first related network, first related network includes described The incidence relation between each component that file destination is included;
According to the call relation of the function in the file destination, the second related network is determined, in conjunction with first association Network and second related network obtain third related network, and the third related network includes that the file destination is included Each component between incidence relation and the function in the file destination call relation;
During running the destination application, dynamic is carried out to user behavior based on the third related network Monitoring obtains the 4th related network between the component of the user behavior triggering.
Optionally, the Android installation kit APK file for obtaining destination application includes:
Obtain the APK file and all mounted third-party application journeys of all system applications in terminal to be analyzed The APK file of sequence.
Optionally, the call relation according to the function in the file destination, determines the second related network, comprising:
The corresponding file destination of APK file for parsing each third party application, obtains in the file destination Function;
For each function of acquisition, its cofunction in file destination belonging to the function and the function is determined Call relation;
Using the call relation of the function in each file destination determined as the second related network.
Optionally, described that dynamic monitoring is carried out to user behavior based on the third related network, obtain user's row The 4th related network between the component of triggering, comprising:
It is inserted into detection function in the objective function in the third related network, according to the output knot of the detection function Fruit determines the call relation of the incidence relation between the component of the user behavior triggering and the function of user behavior triggering; Wherein, the objective function includes: the life cycle function, the target element and the association of target element and associated component The function of component internal;The target element is the component of user behavior effect;The associated component be and the target The associated component of component;
The calling of the incidence relation between component that the user behavior is triggered and the function of user behavior triggering The 4th related network between the component that relationship is triggered as the user behavior.
Second aspect, in order to achieve the above object, the embodiment of the invention also discloses a kind of component liaison analytical equipment, institutes Stating device includes:
File destination obtains module, for obtaining the Android installation kit APK file of destination application, to the APK text Part carries out decompiling and obtains file destination;
First related network generation module, for generating the first related network to file destination progress static analysis, First related network includes the incidence relation between each component that the file destination is included;
Third related network obtains module and determines second for the call relation according to the function in the file destination Related network obtains third related network, the third association in conjunction with first related network and second related network Network includes the calling of the incidence relation between each component that the file destination is included and the function in the file destination Relationship;
4th related network obtains module, for being based on the third during running the destination application Related network carries out dynamic monitoring to user behavior, obtains the 4th related network between the component of the user behavior triggering.
Optionally, it includes: that APK acquisition submodule and file destination obtain submodule that the file destination, which obtains module,;
The APK acquisition submodule, for obtaining APK file and the institute of all system applications in terminal to be analyzed There is the APK file of mounted third party application;
The file destination obtains submodule, obtains file destination for carrying out decompiling to the APK file.
Optionally, it includes: that function obtains submodule, call relation determines submodule that the third related network, which obtains module, Block, the second related network determine that submodule and third related network obtain submodule;
The function obtains submodule, for parsing the corresponding target of APK file of each third party application File obtains the function in the file destination;
The call relation determines submodule, for determining the function and the function for each function obtained The call relation of its cofunction in affiliated file destination;
Second related network determines submodule, for by the call relation of the function in each file destination determined As the second related network;
The third related network obtains submodule, in conjunction with first related network and second related network Third related network is obtained, the third related network includes the incidence relation between each component that the file destination is included With the call relation of the function in the file destination.
Optionally, it includes: that relationship determines that submodule and the 4th related network obtain that the 4th related network, which obtains module, Submodule;
The relationship determines submodule, for being inserted into detection function in the objective function in the third related network, The incidence relation between the component of the user behavior triggering and the user are determined according to the output result of the detection function The call relation of the function of behavior triggering;Wherein, the objective function includes: the life cycle letter of target element and associated component Function inside several, the described target element and the associated component;The target element is the component of user behavior effect; The associated component is component associated with the target element;
4th related network obtains submodule, the incidence relation between component for triggering the user behavior The 4th between the component that trigger as the user behavior of the call relation of the function of user behavior triggering is associated with net Network.
The third aspect, in order to achieve the above object, the embodiment of the invention also discloses a kind of electronic equipment, the electronics is set Standby includes processor, communication interface, memory and communication bus, wherein processor, communication interface, memory are total by communication Line completes mutual communication;
Memory, for storing computer program;
Processor when for executing the program stored on memory, realizes any of the above-described component liaison analysis Method.
A kind of component liaison analysis method provided in an embodiment of the present invention and device, can be obtained in conjunction with static analysis the The call relation of one related network and the function of component internal obtains third related network, based on third related network to user's row To carry out dynamic monitoring, the 4th related network between the component of user behavior triggering can be obtained, the 4th related network can To reflect the use habit for the user for using application program.Certainly, it implements any of the products of the present invention or method must be not necessarily It needs to reach all the above advantage simultaneously.
Detailed description of the invention
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this Some embodiments of invention for those of ordinary skill in the art without creative efforts, can be with It obtains other drawings based on these drawings.
Fig. 1 is component liaison schematic diagram provided in an embodiment of the present invention;
Fig. 2 is a kind of flow diagram of component liaison analysis method provided in an embodiment of the present invention;
Fig. 3 is a kind of flow diagram provided in an embodiment of the present invention for obtaining file destination;
Fig. 4 is a kind of flow diagram provided in an embodiment of the present invention for obtaining third related network;
Fig. 5 is a kind of flow diagram provided in an embodiment of the present invention for obtaining the 4th related network;
Fig. 6 is a kind of structural schematic diagram of component liaison analytical equipment provided in an embodiment of the present invention;
Fig. 7 is a kind of structural schematic diagram that file destination provided in an embodiment of the present invention obtains module;
Fig. 8 is a kind of structural schematic diagram that third related network provided in an embodiment of the present invention obtains module;
Fig. 9 is a kind of structural schematic diagram that the 4th related network provided in an embodiment of the present invention obtains module;
Figure 10 is a kind of structural schematic diagram of electronic equipment provided in an embodiment of the present invention.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete Site preparation description, it is clear that described embodiments are only a part of the embodiments of the present invention, instead of all the embodiments.It is based on Embodiment in the present invention, it is obtained by those of ordinary skill in the art without making creative efforts every other Embodiment shall fall within the protection scope of the present invention.
Nowadays the life that Android mobile phone and application program are increasingly close to the users, become in people's life and work can not Or scarce a part.Android application program is mainly made of some scattered associated components, including display interface Activity, service Service, broadcast Broadcast Receive and the big component of data communication Content Provider tetra-. This four big component is each responsible for different work, is combined with and provides service for user.With function of application enrich constantly with And Android system mechanism constantly improve, the demand of user also constantly complicates, and single application program has been unable to satisfy certain of user A little demands, therefore single application program needs to rely on the component of other applications, passes through the function of component internal between component Calling work in coordination, to meet user demand.This dependence between component can indicate with related network, analysis group Related network between part is of great significance for understanding the use habit of user.
Currently, usually will be installed multiple application programs in terminal, each application program may include multiple components, each component Between can be realized and call by function, that is, component can be called separately by the calling of one or more functions One component, this call relation can be described as incidence relation.Referring to Fig. 1, Fig. 1 is that component liaison provided in an embodiment of the present invention shows It is intended to.Component A exists with component B and is associated in Fig. 1, and component B exists with component C to be associated with, wherein component A and component B can pass through Function 1 is called to realize association, it can also be by calling function 2 to be associated with the realization of function 3, component B and component C are by calling function 4 are associated with the realization of function 5.Existing Android application component related analysis technology obtains target text by decompiling application program Part parses file destination, can obtain the related network between component.However existing component liaison technology can only obtain component Between A and component B can by function 1 with can by function 3 realize be associated with, specific component A how to call function 1 and how Call function 3 that can not but obtain.The information content that the related network between component that the prior art obtains includes is few, can not be by this The use habit of related network acquisition user.
It is considered as desirable by the inventor to be based on existing component liaison analytical technology, pass through the abundant association net of the static analysis more refined Network, namely the call relation (i.e. component A- function 1 and component A- function 2- function 3) of the function of component internal is obtained, so that closing Network of networking is more detailed, then by dynamic analysis technology, is monitored to user behavior, between the component for obtaining user behavior triggering More detailed related network.
Based on above-mentioned consideration, the present invention provides a kind of component liaison analysis method, this method can be applied to terminal, should Terminal can be the terminal for being equipped with the application program for carrying out component liaison analysis, such as the movement such as mobile phone or tablet computer Terminal, or other smart machines equipped with Android simulator;Alternatively, this method also can be applied to some application in terminal In program (such as some plug-in unit).The present embodiment is applied to be illustrated for plug-in unit in this way, other situations are similar therewith. The plug-in unit can obtain third in conjunction with the call relation of the first obtained related network of static analysis and the function of component internal and close Networking network carries out dynamic monitoring to user behavior timing based on third related network, obtains between the component that user behavior triggers The 4th related network.After obtaining the 4th related network, associated data therein can be sent to plug-in unit backstage or other It can be analyzed according to the module that associated data analyzes user behavior, to obtain the use habit of user.
It is described in detail again by specific embodiment to the present invention below.
Fig. 2 is a kind of flow diagram for the component liaison analysis method that present invention implementation provides, comprising:
S201: obtaining the Android installation kit APK file of destination application, carries out decompiling to APK file and obtains target File.
Wherein, destination application can be system application, be also possible to third party application.
When obtaining APK file, the configuration based on technical staff can be, obtain preset application program to be analyzed APK file is also possible to obtain system application and installed whole third-party applications in the terminal that user uses The APK file of program.
APK (Android Package, Android installation kit) file is that one kind can be directly in Android simulator or Android The program file of installation is executed in mobile phone.
Decompiling is to carry out decompiling, available source file and resource to APK file by using APK decompiling instrument File.And then the source code in obtained source file and resource file can be analyzed and counted, can also to source file and It is compiled again after resource file processing, to reach the purpose of personalized customization APK file.Wherein, source file can be smali File.
User can download the application program of oneself needs, intelligence by the download platform of application program in an intelligent terminal Energy terminal can then obtain the APK file of the application program from download platform, and intelligent terminal can be created for each application program A file is built, by the APK file storage of the application program into this document folder, and then this is installed based on the APK file and is answered Use program.
In embodiments of the present invention, intelligent terminal can be installed to using the plug-in unit of invention components association analysis method On, plug-in unit in the process of running, can the user behavior periodically to the user for using the intelligent terminal be monitored, can also To be monitored according to the instruction of plug-in unit backstage instruction to user behavior.When being monitored to user behavior, plug-in unit can be read The file of above-mentioned storage application program APK file obtains APK file, carries out decompiling to APK file, obtains smali file (i.e. file destination) analyzes the source code in smali file, obtains the pass between the component and these components that file destination includes Connection relationship, i.e. a kind of related network between acquisition component.
Wherein, the third-party application journey of all system applications on the available intelligent terminal of plug-in unit and user installation The APK file of sequence.Optionally, referring to Fig. 3, the treatment process of S201 may include:
S2011: obtain all system applications in terminal to be analyzed APK file and all mounted third parties The APK file of application program.
In a kind of implementation, all system applications on intelligent terminal that the above-mentioned available user of plug-in unit uses APK file and the mounted third party application of all users APK file.
Specifically, plug-in unit can obtain the APK text of all system applications by reading system/app file Part reads data/app file, obtains the APK file of all mounted third party applications.
Plug-in unit obtains the APK file of all system applications on the intelligent terminal that uses of user and all mounted The APK file of third party application can obtain the related network for the maximum magnitude that user behavior can trigger.
S2012: decompiling is carried out to APK file and obtains file destination.
After above-mentioned plug-in unit obtains the APK file of destination application, the integrated decompiling instrument of therein can use Decompiling is carried out to APK file, obtains file destination.The process for carrying out decompiling to APK file is referred to above-mentioned steps The related description of S201, details are not described herein.
S202: static analysis is carried out to file destination, generates the first related network.
Wherein, first related network includes the incidence relation between each component that the file destination is included.
It in the present embodiment, can be for each function in file destination, building after above-mentioned plug-in unit obtains file destination Abstract syntax tree can obtain the controlling stream graph of each function by the abstract syntax tree of each function, can using controlling stream graph To obtain the crucial API (Application Programming Interface, application programming interface) of component liaison (such as start Activity (), bind Service ()), divides the parameter of the intent in the crucial API of acquisition Analysis, obtains inter-related component, namely obtain component A- function 1- component B and component A- as shown in Figure 1 for component A Function 3- component B.
Wherein, abstract syntax tree is omitted some thin according to the syntactic structure of each function source code in file destination Section (such as: bracket does not generate node), it is abstracted into a kind of structure of tree-like expression.Abstract syntax tree can make function source code Level is more clear.
Intent is the tie that is mutually related between different components, is Correlation Criteria between an in store different components Intent object, one purpose of an intent object representation or expectation have comprising its desired service or movement, with movement The data etc. of pass.Android system is then responsible for pairing according to the content that this intent object includes, and finds out associated component, then Intent object is passed to found component.
For example, being directed to component A, incidence relation (the component A- function between above-mentioned inter-related component and these components 1- component B and component A- function 3- component B) it that is to say the first related network.
S203: according to the call relation of the function in file destination, the second related network is determined, in conjunction with the first related network Third related network is obtained with the second related network.
Wherein, third related network includes in the incidence relation and file destination between each component that file destination is included Function call relation.
In the present embodiment, for component A, above-mentioned plug-in unit can obtain file destination by parsing to file destination In function call relation namely the second related network (component A- function 1 and component A- function 2- function 3).The first pass (component A- function 1- component B is associated with net with component A- function 3- component B) with second to incidence relation in networking network between component The call relation (component A- function 1 and component A- function 2- function 3) of function is combined in network, obtains third related network (component A- function 1- component B and component A- function 2- function 3- component B).Third related network can not only embody between component Association, and the call relation between component by function can be embodied.
Optionally, it can be analyzed for third party application, determine the second related network, referring to fig. 4, for the The number of tripartite's application program is multiple situation, and the treatment process of S203 may comprise steps of:
S2031: the corresponding file destination of APK file of each third party application is parsed, is obtained in the file destination Function.
In a kind of implementation, above-mentioned plug-in unit can be directed to the corresponding target of APK file of each third party application File, identification obtain all functions in these file destinations.
Specifically, above-mentioned function may include the member function and static function of inner classes in file destination.
S2032: for each function of acquisition, its cofunction in file destination belonging to the function and the function is determined Call relation.
In a kind of implementation, above-mentioned plug-in unit can divide for each function obtained what is instructed in the function Analysis, determines the call relation of function.
Specifically, due to being all to utilize unified API, and system API will not generate the pass of component when component is interrelated Connection, therefore it is directed to each function, it can be determined that whether the objective function of the invoke instruction of the function is system API, if should The objective function of the invoke instruction of function is not system API, it is determined that is application program between the function and its objective function The call relation of internal function.
Illustratively, for component A, which can determine that component A calls directly function 1 and component A passes through function 2 call function 3 in turn.
S2033: using the call relation of the function in each file destination determined as the second related network.
The call relation of function in each file destination includes the concrete ways that each component and function realizes calling, for example, For component A, available component A- function 1 and component A- function 2- function 3, for component B, available component B- function 4- function 5.The call relation namely the second related network of the above-mentioned function obtained for each component.
S2034: third related network is obtained in conjunction with the first related network and the second related network.
Wherein, third related network includes in the incidence relation and file destination between each component that file destination is included Function call relation.
Third related network process, which is obtained, here in connection with the first related network and the second related network is referred to above-mentioned step The related description of rapid S203, details are not described herein.
Will for the function that each function of file destination obtains call relation as the second related network, in combination with First related network obtains third related network, and obtained third related network can either embody the association between component, and energy Enough embody the call relation of the function between component.Therefore user behavior is analyzed based on third related network, can be obtained To more specific analysis result.
S204: during operational objective application program, dynamic prison is carried out to user behavior based on third related network Control obtains the 4th related network between the component of user behavior triggering.
Wherein, dynamic monitoring is a kind of real-time monitoring user behavior to realize the means of testing of component liaison analysis, this reality It applies in example, detection function can be added in source program, after target program operation, according to the output of detection function as a result, reality Now situations such as variation of the execution of source program sentence, variable, is checked.
It, can preset position insertion detection function (can be in third in third related network in a kind of implementation The inlet insertion of function in related network counts sentence), when user operates in certain application program, terminal can be with Corresponding operation instruction is received, and then corresponding application program is run according to the operational order and (calls the group of application program Part).During calling the component of application program, the calling of the function inside meeting trigger assembly, terminal be may be performed simultaneously Detection function.It, can be by checking the output result of detection function (according to the output knot for counting sentence after preset time Fruit), the call relation namely the 4th related network of the function between the component and component triggered by user behavior are obtained, is utilized 4th related network analyzes user behavior, can obtain the use habit of user.
Wherein it is possible in the function of component and associated component that the user behavior in third related network is acted on It is inserted into the monitoring that detection function carries out user behavior.Optionally, referring to Fig. 5, the treatment process of S204 may include:
S2041: being inserted into detection function in the objective function in third related network, according to the output result of detection function Determine the call relation of the incidence relation between the component of user behavior triggering and the function of user behavior triggering.
Wherein, objective function includes: life cycle function, target element and the associated component of target element and associated component Internal function;Target element is the component of user behavior effect;Associated component is component associated with target element.
In a kind of implementation, for user behavior, it is first determined the component namely target group that user behavior is acted on Part, while obtaining all components namely associated component with target element direct correlation and indirect association.When two components are direct It is associated by the call relation of function, then claim two components to be directly linked, when two components are associated by third component, Then claim two component indirect associations, referring to Fig. 1, in Fig. 1, component A and component B are directly linked, component A and component C indirect association.
Illustratively, when obtaining target element, it can be determined and be used by layout extensible markup language xml document first Activity component belonging to the control that family behavior is acted on.Then letter is adjusted back in the response of positioning user behavior in the application Number, such as the on Click () of the monitoring event of button, can usually be found on Create () function of Activity by Button clicks the setting of event, to position on Click () function and affiliated class.
User behavior is monitored, can be realized based on Xposed module.Specifically, user behavior is monitored Process can be with are as follows: during operational objective program, plug-in unit can be in the mesh in third related network using Xposed module It marks and is inserted into detection function (can be inserted into the inlet of function and count sentence) in component and the life cycle function of associated component, When user operates in certain application program, terminal can receive corresponding operation instruction, and then be referred to according to the operation It enables and runs corresponding application program (calling the component of application program).During calling the component of application program, it can touch The calling of the function of component internal is sent out, terminal may be performed simultaneously counting sentence.After preset time, plug-in unit is according to counting language The output of sentence is as a result, determine the component being called in target element and associated component, namely obtain in this time by user's row For the component (i.e. component A- component B) of triggering.Plug-in unit can be inserted into inspection in the function of the calling in third related network simultaneously Function (can be inserted into the inlet of function and count sentence) is surveyed, when user operates in certain application program, terminal can To receive corresponding operation instruction, and then corresponding application program is run according to the operational order and (calls application program Component).During calling the component of application program, the calling of the function inside meeting trigger assembly, terminal can be held simultaneously Row counts sentence.After preset time, plug-in unit is performed according to the output for counting sentence as a result, determining in third related network Function call relation (i.e. execution function 1 or executing function 2- function 3), namely obtain and touched by user behavior in this time The call relation of function between the component of hair.
S2042: the calling of the function of incidence relation and user behavior triggering between the component of user behavior triggering is closed It is the 4th related network between the component triggered as user behavior.
In a kind of implementation, for component A, it can be component A- component B between the component of user behavior triggering, use The call relation of the function of family behavior triggering can be function 2- function 3, therefore both comprehensive available user behavior triggering Related network be component A- function 2- function 3- component B namely the 4th related network.As can be seen that the 4th related network is The network portion of a part of third related network, the part namely user behavior triggering.
The 4th related network is obtained by being pointedly inserted into detection function in objective function.The result energy of detection function Clearly show that the call relation of the component triggered by user behavior and function, the 4th obtained related network being capable of comprehensive, tools Body accurately reflects that user uses the use habit of application program.
Corresponding with above method embodiment, referring to Fig. 6, Fig. 6 is the component liaison analytical equipment that present invention implementation provides A kind of structural schematic diagram, comprising: file destination obtain module 601, the first related network generation module 602, third be associated with net Network obtains module 603 and the 4th related network obtains module 604.
Wherein, the file destination obtains module 601, for obtaining the Android installation kit APK file of destination application, Decompiling is carried out to the APK file and obtains file destination;
The first related network generation module 602 generates first and closes for carrying out static analysis to the file destination Networking network, first related network includes the incidence relation between each component that the file destination is included;
The third related network obtains module 603, for the call relation according to the function in the file destination, really Fixed second related network obtains third related network in conjunction with first related network and second related network, and described the Three related networks include the function in incidence relation and the file destination between each component that the file destination is included Call relation;
4th related network obtains module 604, for being based on institute during running the destination application It states third related network and dynamic monitoring is carried out to user behavior, obtain the 4th association between the component of the user behavior triggering Network.
As seen from the above, in scheme provided in this embodiment, the first related network for being obtained in conjunction with static analysis and according to The second related network that the call relation of function in file destination obtains obtains third related network, is associated with net based on third Network carries out dynamic monitoring to user behavior, obtains the 4th related network between the component of user behavior triggering.4th association Network contains the call relation of the function between the component and component of user behavior triggering, analyzes the 4th related network The use habit of user can be obtained.
It in one particular embodiment of the present invention, is that the file destination that present invention implementation provides obtains referring to Fig. 7, Fig. 7 A kind of structural schematic diagram of module, wherein the file destination obtains module 601, comprising: APK acquisition submodule 6011 and mesh It marks file and obtains submodule 6012.
Wherein, the APK acquisition submodule 6011, for obtaining all system applications in terminal to be analyzed The APK file of APK file and all mounted third party applications;
The file destination obtains submodule 6012, obtains file destination for carrying out decompiling to the APK file.
As seen from the above, in scheme provided in this embodiment, the APK file of destination application uses terminal to be analyzed On all system applications APK file and all mounted third party applications APK file, therefore can obtain The related network for the maximum magnitude that user behavior can trigger is obtained, more fully to analyze the use habit of user.
It in one particular embodiment of the present invention, is that the present invention implements the third related network provided referring to Fig. 8, Fig. 8 Obtain a kind of structural schematic diagram of module;Wherein, the third related network obtains module 603, comprising: function obtains submodule 6031, call relation determines that submodule 6032, the second related network determine that submodule 6033 and third related network obtain submodule Block 6034.
Wherein, the function obtains submodule 6031, for parsing the APK file pair of each third party application The file destination answered obtains the function in the file destination;
The call relation determines submodule 6032, for determining the function and being somebody's turn to do for each function obtained The call relation of its cofunction in file destination belonging to function;
Second related network determines submodule 6033, for by the calling of the function in each file destination determined Relationship is as the second related network;
The third related network obtains submodule 6034, for being associated in conjunction with first related network with described second Network obtains third related network, and the third related network includes the association between each component that the file destination is included The call relation of relationship and the function in the file destination.
As seen from the above, in scheme provided in this embodiment, function that each function for file destination is obtained Call relation obtains third related network as the second related network, in conjunction with the first related network, obtained third related network The association between component can either be embodied, and the call relation of the function between component can be embodied.Based on third related network User behavior is analyzed, can obtain more specifically analyzing result.
It in one particular embodiment of the present invention, is that the present invention implements the 4th related network provided referring to Fig. 9, Fig. 9 Obtain a kind of structural schematic diagram of module;Wherein, the 4th related network obtains module 604, comprising: relationship determines submodule 6041 and the 4th related network obtain submodule 6042.
Wherein, the relationship determines submodule 6041, for being inserted into the objective function in the third related network Detection function, determined according to the output result of the detection function incidence relation between the component of user behavior triggering and The call relation of the function of the user behavior triggering;Wherein, the objective function includes: the life of target element and associated component Order the function inside periodic function, the target element and the associated component;The target element is user behavior work Component;The associated component is component associated with the target element.
4th related network obtains submodule 6042, the association between component for triggering the user behavior The 4th between component that the call relation of relationship and the function of user behavior triggering is triggered as the user behavior is closed Networking network.
As seen from the above, in scheme provided in this embodiment, by being pointedly inserted into detection function in objective function Obtain the 4th related network.The result of detection function can clearly show that the calling of the component triggered by user behavior and function is closed System, the 4th obtained related network can comprehensively, specifically reflect that user uses the use habit of application program.
The embodiment of the invention also provides a kind of electronic equipment, as shown in Figure 10, including processor 701, communication interface 702, memory 703 and communication bus 704, wherein processor 701, communication interface 702, memory 703 pass through communication bus 704 complete mutual communication,
Memory 703, for storing computer program;
Processor 701 when for executing the program stored on memory 703, realizes following steps:
The Android installation kit APK file for obtaining destination application carries out decompiling to the APK file and obtains target text Part;
Static analysis is carried out to the file destination, generates the first related network, first related network includes described The incidence relation between each component that file destination is included;
According to the call relation of the function in the file destination, the second related network is determined, in conjunction with first association Network and second related network obtain third related network, and the third related network includes that the file destination is included Each component between incidence relation and the function in the file destination call relation;
During running the destination application, dynamic is carried out to user behavior based on the third related network Monitoring obtains the 4th related network between the component of the user behavior triggering.
The communication bus that above-mentioned electronic equipment is mentioned can be Peripheral Component Interconnect standard (Peripheral Component Interconnect, abbreviation PCI) bus or expanding the industrial standard structure (Extended Industry Standard Architecture, abbreviation EISA) bus etc..The communication bus can be divided into address bus, data/address bus, control bus etc.. Only to be indicated with a thick line in figure, it is not intended that an only bus or a type of bus convenient for indicating.
Communication interface is for the communication between above-mentioned electronic equipment and other equipment.
Memory may include random access memory (Random Access Memory, abbreviation RAM), also may include Nonvolatile memory (non-volatile memory), for example, at least a magnetic disk storage.Optionally, memory may be used also To be storage device that at least one is located remotely from aforementioned processor.
Above-mentioned processor can be general processor, including central processing unit (Central Processing Unit, Abbreviation CPU), network processing unit (Network Processor, abbreviation NP) etc.;It can also be digital signal processor (Digital Signal Processing, abbreviation DSP), specific integrated circuit (Application Specific Integrated Circuit, abbreviation ASIC), field programmable gate array (Field-Programmable Gate Array, Abbreviation FPGA) either other programmable logic device, discrete gate or transistor logic, discrete hardware components.
It should be noted that, in this document, relational terms such as first and second and the like are used merely to a reality Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those Element, but also including other elements that are not explicitly listed, or further include for this process, method, article or equipment Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that There is also other identical elements in process, method, article or equipment including the element.
Each embodiment in this specification is all made of relevant mode and describes, same and similar portion between each embodiment Dividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for device/ For electronic equipment embodiment, since it is substantially similar to the method embodiment, so be described relatively simple, related place referring to The part of embodiment of the method illustrates.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the scope of the present invention.It is all Any modification, equivalent replacement, improvement and so within the spirit and principles in the present invention, are all contained in protection scope of the present invention It is interior.

Claims (9)

1. a kind of component liaison analysis method, which is characterized in that the described method includes:
The Android installation kit APK file for obtaining destination application carries out decompiling to the APK file and obtains file destination;
Static analysis is carried out to the file destination, generates the first related network, first related network includes the target The incidence relation between each component that file is included;
According to the call relation of the function in the file destination, the second related network is determined, in conjunction with first related network With second related network obtain third related network, the third related network include the file destination included it is each The call relation of incidence relation between component and the function in the file destination;
During running the destination application, dynamic prison is carried out to user behavior based on the third related network Control obtains the 4th related network between the component of the user behavior triggering.
2. the method according to claim 1, wherein the Android installation kit APK for obtaining destination application File includes:
Obtain all system applications in terminal to be analyzed APK file and all mounted third party applications APK file.
3. according to the method described in claim 2, it is characterized in that, described close according to the calling of the function in the file destination System, determines the second related network, comprising:
The corresponding file destination of APK file for parsing each third party application, obtains the function in the file destination;
For each function of acquisition, the calling of its cofunction in file destination belonging to the function and the function is determined Relationship;
Using the call relation of the function in each file destination determined as the second related network.
4. the method according to claim 1, wherein it is described based on the third related network to user behavior into Mobile state monitoring obtains the 4th related network between the component of the user behavior triggering, comprising:
It is inserted into detection function in the objective function in the third related network, it is true according to the output result of the detection function The call relation of the function of incidence relation and user behavior triggering between the component of the fixed user behavior triggering;Its In, the objective function includes: the life cycle function, the target element and the associated group of target element and associated component Function inside part;The target element is the component of user behavior effect;The associated component be and the target group The associated component of part;
The call relation of the incidence relation between component that the user behavior is triggered and the function of user behavior triggering As the 4th related network between the component of user behavior triggering.
5. a kind of component liaison analytical equipment, which is characterized in that described device includes:
File destination obtain module, for obtaining the Android installation kit APK file of destination application, to the APK file into Row decompiling obtains file destination;
First related network generation module, for carrying out static analysis to the file destination, the first related network of generation is described First related network includes the incidence relation between each component that the file destination is included;
Third related network obtains module and determines the second association for the call relation according to the function in the file destination Network obtains third related network, the third related network in conjunction with first related network and second related network The call relation for the function in the incidence relation and the file destination between each component for being included including the file destination;
4th related network obtains module, for being associated with during running the destination application based on the third Network carries out dynamic monitoring to user behavior, obtains the 4th related network between the component of the user behavior triggering.
6. device according to claim 5, which is characterized in that it includes: that APK obtains submodule that the file destination, which obtains module, Block and file destination obtain submodule;
The APK acquisition submodule, for obtain all system applications in terminal to be analyzed APK file and it is all The APK file of the third party application of installation;
The file destination obtains submodule, obtains file destination for carrying out decompiling to the APK file.
7. device according to claim 6, which is characterized in that it includes: that function obtains that the third related network, which obtains module, Obtain submodule, call relation determines that submodule, the second related network determine that submodule and third related network obtain submodule;
The function obtains submodule, for parsing the corresponding file destination of APK file of each third party application, Obtain the function in the file destination;
The call relation determines submodule, for determining belonging to the function and the function for each function obtained File destination in its cofunction call relation;
Second related network determines submodule, for using the call relation of the function in each file destination determined as Second related network;
The third related network obtains submodule, for obtaining in conjunction with first related network and second related network Third related network, the third related network include the incidence relation and institute between each component that the file destination is included State the call relation of the function in file destination.
8. device according to claim 5, which is characterized in that it includes: that relationship is true that the 4th related network, which obtains module, Stator modules and the 4th related network obtain submodule;
The relationship determines submodule, for being inserted into detection function in the objective function in the third related network, according to The output result of the detection function determines the incidence relation and the user behavior between the component of the user behavior triggering The call relation of the function of triggering;Wherein, the objective function include: target element and associated component life cycle function, Function inside the target element and the associated component;The target element is the component of user behavior effect;Institute Stating associated component is component associated with the target element;
4th related network obtains submodule, incidence relation between component and institute for triggering the user behavior State the 4th related network between the component that triggers as the user behavior of call relation of the function of user behavior triggering.
9. a kind of electronic equipment, which is characterized in that including processor, communication interface, memory and communication bus, wherein processing Device, communication interface, memory complete mutual communication by communication bus;
Memory, for storing computer program;
Processor when for executing the program stored on memory, realizes any method and step of claim 1-4.
CN201710892309.XA 2017-09-27 2017-09-27 Component association analysis method and device and electronic equipment Active CN109558304B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710892309.XA CN109558304B (en) 2017-09-27 2017-09-27 Component association analysis method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710892309.XA CN109558304B (en) 2017-09-27 2017-09-27 Component association analysis method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN109558304A true CN109558304A (en) 2019-04-02
CN109558304B CN109558304B (en) 2020-10-30

Family

ID=65864000

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710892309.XA Active CN109558304B (en) 2017-09-27 2017-09-27 Component association analysis method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN109558304B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110378126A (en) * 2019-07-26 2019-10-25 北京中科微澜科技有限公司 A kind of leak detection method and system
CN111400197A (en) * 2020-05-29 2020-07-10 支付宝(杭州)信息技术有限公司 Application package analysis method and device and computer readable storage medium
CN111966421A (en) * 2020-06-29 2020-11-20 北京百度网讯科技有限公司 Page component operation monitoring method, device, equipment and storage medium
CN112068871A (en) * 2020-08-12 2020-12-11 海信集团有限公司 Electronic device and application management method
CN112560035A (en) * 2020-12-15 2021-03-26 深圳市和讯华谷信息技术有限公司 Application detection method, device, equipment and storage medium
CN113051954A (en) * 2021-04-19 2021-06-29 杭州拼便宜网络科技有限公司 Code scanning login method and device, electronic equipment and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104217164B (en) * 2014-09-11 2018-02-02 工业和信息化部电子第五研究所 The detection method and device of intelligent mobile terminal Malware
CN104598809B (en) * 2015-02-13 2017-04-19 北京奇虎科技有限公司 Program monitoring method and defending method thereof, as well as relevant device
CN105335655A (en) * 2015-09-22 2016-02-17 南京大学 Android application safety analysis method based on sensitive behavior identification
CN106845234A (en) * 2017-01-05 2017-06-13 中国电子科技网络信息安全有限公司 A kind of Android malware detection method based on the monitoring of function flow key point
CN107180192B (en) * 2017-05-09 2020-05-29 北京理工大学 Android malicious application detection method and system based on multi-feature fusion

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110378126A (en) * 2019-07-26 2019-10-25 北京中科微澜科技有限公司 A kind of leak detection method and system
CN111400197A (en) * 2020-05-29 2020-07-10 支付宝(杭州)信息技术有限公司 Application package analysis method and device and computer readable storage medium
CN111966421A (en) * 2020-06-29 2020-11-20 北京百度网讯科技有限公司 Page component operation monitoring method, device, equipment and storage medium
CN111966421B (en) * 2020-06-29 2024-01-09 北京百度网讯科技有限公司 Page component operation monitoring method, device, equipment and storage medium
CN112068871A (en) * 2020-08-12 2020-12-11 海信集团有限公司 Electronic device and application management method
CN112560035A (en) * 2020-12-15 2021-03-26 深圳市和讯华谷信息技术有限公司 Application detection method, device, equipment and storage medium
CN112560035B (en) * 2020-12-15 2024-04-02 深圳市和讯华谷信息技术有限公司 Application detection method, device, equipment and storage medium
CN113051954A (en) * 2021-04-19 2021-06-29 杭州拼便宜网络科技有限公司 Code scanning login method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN109558304B (en) 2020-10-30

Similar Documents

Publication Publication Date Title
CN109558304A (en) A kind of component liaison analysis method, device and electronic equipment
Zaeem et al. Automated generation of oracles for testing user-interaction features of mobile apps
CN107870933B (en) Method, device and system for counting android application page browsing behaviors
US9503505B2 (en) Monadic evaluation of injected query compositions
CN106203113A (en) The privacy leakage monitoring method of Android application file
CN107133174A (en) Test case code automatically generating device and method
CN108108288A (en) A kind of daily record data analytic method, device and equipment
US20170124325A1 (en) Decision forest compilation
CN110007920A (en) A kind of method, apparatus and electronic equipment obtaining code dependence
CN101185116A (en) Using strong data types to express speech recognition grammars in software programs
CN110069259A (en) Analytic method, device, electronic equipment and storage medium based on idl file
CN110084042A (en) A kind of application heap Static Analysis Method and system
Miculan et al. GSOS for non-deterministic processes with quantitative aspects
CN109902487A (en) Android based on application behavior applies malicious detection method
van Glabbeek Justness: A completeness criterion for capturing liveness properties
CN106649110A (en) Software test method and system
Ciancia et al. Families of symmetries as efficient models of resource binding
CN105893462A (en) User network behavior analysis method and device
CN106383869A (en) User behavior information acquisition method and device
CN116069324A (en) Dynamic form construction method and device based on Vue
Ameur-Boulifa et al. Behavioural models for group communications
CN103399752A (en) Mobile phone application chain reaction system and method based on Internet service
Woodside et al. Capabilities of the uml profile for schedulability performance and time (spt)
Weijie et al. A context-aware services development model
Bhattacharjee et al. An efficient data compression hardware based on cellular automata

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant