CN110213200A - A kind of risk behavior hold-up interception method and relevant device - Google Patents
A kind of risk behavior hold-up interception method and relevant device Download PDFInfo
- Publication number
- CN110213200A CN110213200A CN201810169751.4A CN201810169751A CN110213200A CN 110213200 A CN110213200 A CN 110213200A CN 201810169751 A CN201810169751 A CN 201810169751A CN 110213200 A CN110213200 A CN 110213200A
- Authority
- CN
- China
- Prior art keywords
- behavior
- calling
- risk
- log information
- target application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/147—Network analysis or design for predicting network behaviour
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract
The embodiment of the invention discloses a kind of risk behavior hold-up interception method and relevant devices, comprising: extracts the log information of the calling behavior recorded when target application operation;Behavior vector is generated according to the log information of the calling behavior;Call instruction is issued to risk behavior prediction model, is handled with carrying out the prediction of risk behavior to the behavior vector;The behavior vector is transferred in the risk behavior prediction model, whether is risk behavior with the calling behavior of the determination target application;The prediction result for receiving the risk behavior prediction model feedback carries out intercept process to the calling behavior of the target application when the calling behavior is confirmed as the risk behavior.Using the embodiment of the present invention, the intercepting efficiency of accuracy and safety and risk behavior that risk behavior detects can be improved.
Description
Technical field
The present invention relates to information security field more particularly to a kind of risk behavior hold-up interception methods and relevant device.
Background technique
As the whole people of smart phone are universal, emerge one after another for the application program of smart phone, wherein being no lack of some answer
With program at runtime malice carry out allow to obtain privately without user user information, destroy custom system, privately installation answer
It is deducted fees the risk behaviors such as short message with transmission.Risk behavior will cause the privacy leakage and property loss of user.Currently, to risk
The detection of behavior and processing mode include: that all critical behaviors in the behavior called to application program detect, and are such as sent out
Short message and installation application are sent, then prompts user by playing frame, is decided whether to intercept the critical behavior detected by user.It is this
Mode needs the safety of user's manually identifying behavior, not only reduces the efficiency of interception, but also user is difficult to judge sometimes
Whether critical behavior is risk behavior.Another processing mode is further to detect the key row after detecting critical behavior
For entrained content, such as short message content, if it is determined that content entrained by the critical behavior is malice, then intercepts the key
Behavior.This mode needs the content according to entrained by single behavior to be detected, based on information be not enough to determine the row
Whether to be risk behavior, the accuracy of risk behavior detection is low, and when the content entrained by detection behavior, will be related to using
The privacy at family causes safety low.
Summary of the invention
The embodiment of the present invention provides a kind of risk behavior hold-up interception method and relevant device, improves the standard of risk behavior detection
The intercepting efficiency of true property and safety and risk behavior.
In a first aspect, the embodiment of the invention provides a kind of risk behavior hold-up interception methods, comprising:
Extract the log information of the calling behavior recorded when target application operation;
Behavior vector is generated according to the log information of the calling behavior;
Call instruction is issued to risk behavior prediction model, at the prediction to carry out risk behavior to the behavior vector
Reason;
The behavior vector is transferred in the risk behavior prediction model, with the tune of the determination target application
It whether is risk behavior with behavior;
The prediction result for receiving the risk behavior prediction model feedback, when the calling behavior is confirmed to be the risk
When behavior, intercept process is carried out to the calling behavior of the target application.
Second aspect, the embodiment of the invention provides a kind of risk behavior blocking apparatus, comprising:
Extraction module, for extracting the log information of the calling behavior recorded when target application operation;
Generation module, for generating behavior vector according to the log information of the calling behavior;
Calling module, for issuing call instruction to risk behavior prediction model, to carry out risk to the behavior vector
The prediction of behavior is handled;
Detection module, for the behavior vector to be transferred in the risk behavior prediction model, with the determination mesh
Whether the calling behavior of mark application is risk behavior;
Blocking module, for receiving the prediction result of the risk behavior prediction model feedback, when the calling behavior quilt
When being confirmed as the risk behavior, intercept process is carried out to the calling behavior of the target application.
The third aspect, the embodiment of the invention provides a kind of risk behavior intercept equipment, comprising: processor, memory and
Communication bus, wherein for realizing connection communication between processor and memory, processor executes to be deposited communication bus in memory
The step in a kind of risk behavior hold-up interception method that the program of storage provides for realizing above-mentioned first aspect.
In a possible design, risk behavior provided in an embodiment of the present invention intercepts equipment and may include for executing
The corresponding module of behavior in the above method.Module can be software and/or be hardware.
The another aspect of the embodiment of the present invention provides a kind of computer readable storage medium, the computer-readable storage medium
A plurality of instruction is stored in matter, described instruction is suitable for being loaded as processor and executing method described in above-mentioned various aspects.
The another aspect of the embodiment of the present invention provides a kind of computer program product comprising instruction, when its on computers
When operation, so that computer executes method described in above-mentioned various aspects.
Implement the embodiment of the present invention, behavior vector is generated according to the log information of the behavior of calling first, and by the behavior
Vector is transferred in risk behavior prediction model, to determine whether the calling behavior of the target application is risk row
It is pre- by risk behavior since risk behavior prediction model is formed according to the sample training of a large amount of known risk behavior
The further feature that model excavates calling behavior is surveyed, the calling behavior of which kind of unknown risk behavior is predicted, without very important person
To participate in, therefore improve the accuracy and efficiency of risk behavior prediction.Finally when intercepting to risk behavior, risk is improved
The accuracy and intercepting efficiency that behavior intercepts.
Detailed description of the invention
Technical solution in order to illustrate the embodiments of the present invention more clearly or in background technique below will be implemented the present invention
Attached drawing needed in example or background technique is illustrated.
Fig. 1 is a kind of structural schematic diagram of risk behavior intercepting system provided in an embodiment of the present invention;
Fig. 2 is a kind of flow diagram of risk behavior hold-up interception method provided in an embodiment of the present invention;
Fig. 3 be another embodiment of the present invention provides a kind of risk behavior hold-up interception method flow diagram;
Fig. 4 is a kind of flow diagram of the training method of risk behavior prediction model provided in an embodiment of the present invention;
Fig. 5 is a kind of schematic diagram of display reminding information in the display interface provided in an embodiment of the present invention;
Fig. 6 is that one kind provided in an embodiment of the present invention shows the schematic diagram for intercepting result in the display interface;
Fig. 7 is a kind of structural schematic diagram of risk behavior blocking apparatus provided in an embodiment of the present invention;
Fig. 8 is the structural schematic diagram that a kind of risk behavior that the embodiment of the present invention proposes intercepts equipment.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete
Site preparation description, it is clear that described embodiments are some of the embodiments of the present invention, instead of all the embodiments.Based on this hair
Embodiment in bright, every other implementation obtained by those of ordinary skill in the art without making creative efforts
Example, shall fall within the protection scope of the present invention.
Referring to Figure 1, Fig. 1 is a kind of structural schematic diagram of risk behavior intercepting system provided in an embodiment of the present invention, should
Risk behavior intercepting system includes cloud and user terminal.Wherein, cloud can be using the soft of application program virtualization technology
Part platform.User terminal can be mobile phone, be also possible to tablet computer or personal computer, including application layer, system layer and hard
Part layer.Wherein, application layer may include the application such as application program, user interface, and system layer may include event monitor, vector
The system softwares such as generator, hardware layer can provide hardware supported for system layer and application layer, and hardware layer may include centre
Manage device (Central Processing Unit, CPU) or artificial intelligence (Artificial Intelligence, AI) operation list
The integrated circuits such as member.Specifically, in the risk behavior intercepting system, cloud for training risk behavior prediction model, and to
User terminal issues trained risk behavior prediction model.Meanwhile the update to risk behavior prediction model is also supported in cloud.
User terminal receives the risk behavior prediction model that cloud issues, by risk behavior prediction model to the calling row of target application
To be predicted determine whether the calling behavior is risk behavior, if the calling behavior is confirmed to be risk behavior, to mesh
The calling behavior of mark application is intercepted.It should be noted that training risk behavior prediction model can also be by user's end
End is completed, and then locally completes prediction, both the above mode sheet by the risk behavior prediction model of training by user terminal
Inventive embodiments are without limitation.Based on above-mentioned risk behavior intercepting system, the embodiment of the invention provides following solutions.
Fig. 2 is referred to, Fig. 2 is a kind of flow diagram of risk behavior hold-up interception method provided in an embodiment of the present invention, should
Method includes but is not limited to following steps:
S201 extracts the log information of the calling behavior recorded when target application operation.
In the specific implementation, corresponding application programming interfaces (the Application Programmin-g of each calling behavior
Interface,API).When target application, which triggers some, calls behavior, need by triggering the corresponding API of the calling behavior
To execute the calling behavior.User terminal can pass through the mode of customized read-only memory (Read Only Memory, ROM)
One section of customized code is written in pitching pile at each API in an operating system that is, in the code of each API, which can
With referred to as pitching pile code.Wherein, when target application triggers some in the process of running calls behavior, the calling behavior can be triggered
The pitching pile code of corresponding API, pitching pile code can recorde the touching of behavior the mark ID, the API of the corresponding calling behavior of the API
It sends out the time and triggers the application identities UID of the application of the API, and generate a log information.Log information may include
At least one of UID, ID and triggered time.Wherein, UID and Apply Names, ID and calling behavior have corresponding relationship.It calls
Behavior may include sending short message, installation application and short message reading etc..
It should be noted that since the API in operating system is more, if corresponding to the API when each API is triggered
Calling behavior is detected, it will causes large effect to the performance of user terminal.Performance is influenced in order to reduce, Ke Yipei
Inspection policies are set, which may include following optional way:
The first optional way: the calling recorded when target application operation is extracted according to preset interval time
The log information of behavior.For example, starting timer immediately when application 1 brings into operation and carrying out timing.When timing duration arrives
When up to 30 seconds (s), if triggering some calling behavior using 1 at this time, the log information using 1 is extracted.If at this time simultaneously using 1
Do not trigger any calling behavior, then etc. 1 triggering to be applied some when calling behavior, extract apply 1 log information.
Second of optional way: determine whether the calling behavior triggered when target application operation is crucial row
To extract the target when calling behavior triggered when target application operation is confirmed to be the critical behavior
The log information of the calling behavior recorded when using operation.
Wherein, critical behavior can be the behavior that may cause the risk that user compares concern, such as: user compares concern
Short message of maliciously deducting fees is sent, then can will send short message and be set as critical behavior.Specifically, user can preset critical behavior ID
List matches the ID of the calling behavior with critical behavior ID list when target application, which triggers some, calls behavior, if
Critical behavior ID list includes the ID of the calling behavior, it is determined that the calling behavior is critical behavior, if critical behavior ID list
It does not include the ID of the calling behavior, it is determined that the calling behavior is not critical behavior.
Such as: as shown in table 1, critical behavior ID list includes " 1 ", " 4 ", " 5 " and " 7 " ID, when 1 triggering transmission of application is short
When the calling behavior of letter, getting from the log information that pitching pile code records and sending the ID of short message is 5, then will be shown in 5 and table 1
Critical behavior ID list matched, determine in critical behavior ID list include 5, it is determined that transmissions short message be critical behavior,
And extract log information using 1.
1. critical behavior ID list of table
| Critical behavior ID |
| 1 |
| 4 |
| 5 |
| 7 |
The third optional way: the accumulation of the log information of the calling behavior recorded when target application operation
When quantity reaches first threshold, the log information of the calling behavior recorded when target application operation is extracted.Its
In, first threshold can be 10.
Such as: the cumulative amount of the log information of current application 1 is 9, when 1 triggering of application sends the calling behavior of short message
When, corresponding pitching pile code records a log information, so that the cumulative amount of log information is added 1, cumulative amount etc. at this time
In 10, therefore extract the log information using 1.Meanwhile resetting the cumulative amount of the log information of application 1, so as to next time
Cumulative amount extracts log information when reaching first threshold.
S202 generates behavior vector according to the log information of the calling behavior.
In the specific implementation, the characteristic information of calling behavior can be extracted first from log information;Then to characteristic information
It is encoded;Then behavior sequence is constructed according to the characteristic information after coding;Behavior sequence is finally mapped to behavior vector.Tool
Body includes the optional implementation of following two:
The first optional implementation: when the log information includes the behavior mark and triggering of the calling behavior
Between.The behavior mark in the log information can be extracted, by the behavior according to the sequencing in the triggered time
Mark is arranged in a string of combination numbers as the behavior vector.Specifically, behavior mark is extracted first from log information;It connects
To behavior mark encode;Then all behavior marks are arranged according to the sequencing in triggered time, is obtained
Behavior sequence;Behavior sequence is finally mapped to behavior vector, wherein can be by the way that the row of i-th bit will be come in behavior sequence
It is mapped to identify as the mode of i-th of element of behavior vector.Wherein, behavior vector includes N number of element, and N is log
The number for the behavior mark that information includes.
Such as: as described in Table 2, a total of 4 log informations, every log information includes UID, ID and triggered time.Its
In, the UID for including in first log information is 1, ID 1, triggered time are 2017-12-27 20:10, Article 2 log letter
The UID for including in breath is 1, ID 2, triggered time are 2018-01-02 14:05, and the UID for including in Article 3 log information is
1, ID 4, triggered time be 2018-01-01 09:23 and Article 4 log information in include UID be 2, ID 3, touching
Send out time 2018-01-013 15:03.If the UID of target application is 1, the log that all UID are 1 in extraction table 2 first is believed
ID 1,2 and 4 in breath;Then ID1 is encoded to 1, ID 2 and is encoded to 2 and ID 4 and be encoded to 4;Then according to 1,2 and 4 pair
The sequencing in the triggered time for the calling behavior answered arranges them, obtains behavior sequence 1,2,4;Finally by 1 conduct
First element of behavior vector, by 2 second element as behavior vector, and by 4 third as behavior vector
Element, so that obtaining behavior vector is (Isosorbide-5-Nitrae, 2).
2. log information -1 of table
| UID | ID | Triggered time |
| 1 | 1 | 2017-12-27 20:10 |
| 1 | 2 | 2018-01-02 14:05 |
| 1 | 4 | 2018-01-01 09:23 |
| 2 | 3 | 2018-01-13 15:03 |
Second of optional implementation: the log information includes the behavior mark of the calling behavior.Distinguish first
Count the number of every kind of behavior mark in the log information;Then the number of every kind of behavior mark is arranged in one
String combination number is used as the behavior vector.Specifically, behavior mark is extracted first from log information;Then every kind of row is counted
For the number of mark;Then the number that obtained every kind of behavior identifies is arranged, obtains behavior sequence;Finally by behavior
Sequence is mapped to behavior vector, wherein can be by identifying the behavior for coming kth position in behavior sequence as behavior vector
The mode of k-th of element is mapped.Wherein, behavior vector includes M element, and M is every kind of behavior mark that log information includes
The quantity of knowledge.
Such as: as shown in table 3, a total of 5 log informations, every log information includes UID and ID.Wherein, first
The UID for including in log information is 1, ID 1, and the UID for including in Article 2 log information is 1, ID 2, Article 3 log letter
The UID for including in breath is 1, ID 2, and the UID for including in Article 4 log information is 1, ID 4 and Article 5 log information
In include UID be 2, ID 3.If the UID of target application is 1, the log information packet that all UID are 1 in table 3 is extracted first
The ID 1,2,2 and 4 included;Then the number for counting every kind of ID, the number for obtaining ID 1 is 1, the number of ID 2 is 2 and ID 4
Number be 1, then number 1,2 and 1 is arranged, obtains behavior sequence 1,2,1;Finally by 1 as behavior vector
One element, by 2 second element as behavior vector, and by the 1 third element as behavior vector, to obtain
Behavior vector is (1,2,1).
3. log information -2 of table
| UID | ID |
| 1 | 1 |
| 1 | 2 |
| 1 | 2 |
| 1 | 4 |
| 2 | 3 |
S203 issues call instruction to risk behavior prediction model, to carry out the pre- of risk behavior to the behavior vector
Survey processing.
In the specific implementation, user terminal can call directly local risk behavior prediction model or user terminal can
To receive the request instruction of user's input, service request is sent to cloud according to request instruction, cloud is according to the service request
Risk behavior prediction model is issued to user.
The behavior vector is transferred in the risk behavior prediction model by S204, with the determination target application
Whether the calling behavior is risk behavior.
In the specific implementation, the behavior vector can be transferred in risk behavior prediction model first, the tune is obtained
With the class probability of behavior.Wherein, risk behavior prediction model can be used for defeated according to the behavior vector of the calling behavior of input
The class probability of the calling behavior out.Wherein, class probability can indicate that calling behavior is the confidence level of risk behavior, call row
To be higher for the confidence level of risk behavior, class probability is bigger.Then it according to the class probability of the calling behavior, determines
Whether the calling behavior is the risk behavior.
Further, when the class probability of the calling behavior is greater than second threshold, the calling behavior is determined
The calling is determined when the class probability of the calling behavior is not more than the second threshold for the risk behavior
Behavior is not the risk behavior.Wherein, second threshold all can be 0.5.For example, row is called in the output of risk behavior prediction model
For class probability be 0.4, due to 0.4 be not more than 0.5, it is determined that the calling behavior is not risk behavior.
S205 receives the prediction result of the risk behavior prediction model feedback, when the calling behavior is confirmed to be institute
When stating risk behavior, intercept process is carried out to the calling behavior of the target application.
In the specific implementation, when determining calling behavior is risk behavior, from the pitching pile code of the corresponding API of the calling behavior
The call address of the API is returned, and terminates the code for executing the API, that is, terminates and executes the calling behavior.And row is called when determining
When or not risk behavior, the call address of the API is returned from the pitching pile code of the corresponding API of the calling behavior, executes the API
Code, that is, continue to execute calling behavior.
Such as: the calling behavior for detecting the transmission short message triggered in the process of running using 2 is risk behavior, and is sent
The entitled XXX of the corresponding API of short message, then return to the call address of XXX from the pitching pile code of XXX, and terminates the generation for executing XXX
Code does not continue to execute the calling behavior for sending short message.
In embodiments of the present invention, behavior vector is generated according to the log information of the behavior of calling first, and by the behavior
Vector is transferred in risk behavior prediction model, to determine whether the calling behavior of the target application is risk row
It is pre- by risk behavior since risk behavior prediction model is formed according to the sample training of a large amount of known risk behavior
The further feature that model excavates calling behavior is surveyed, the calling behavior of which kind of unknown risk behavior is predicted, without very important person
To participate in, therefore improve the accuracy and efficiency of risk behavior prediction.Finally when intercepting to risk behavior, risk is improved
The accuracy and intercepting efficiency that behavior intercepts.
Refer to Fig. 3, Fig. 3 be another embodiment of the present invention provides a kind of risk behavior hold-up interception method process signal
Figure, this method includes but is not limited to following steps:
S301, when detect need to predict the calling behavior of target application when, user terminal to cloud send take
Business request.
In the specific implementation, user terminal can receive the request instruction of user's input, root in target application operational process
Service request is sent to cloud according to request instruction.Alternatively, sending service when detecting that target application starts starting to cloud and asking
It asks.After cloud receives service request, trained risk behavior prediction model is handed down to user terminal.
As shown in figure 4, the process that Fig. 4 is a kind of risk behavior prediction model training method provided in an embodiment of the present invention is shown
It is intended to.It by running training sample in simulator to obtain log information, and extracts log information and generates behavior vector, then
Behavior vector is transferred to and is trained to training pattern, risk behavior prediction model is finally obtained.It specifically includes:
It is possible, firstly, to collect the application of multiple tape labels as training sample.Wherein, the label of each training sample is used for
Indicate which kind of risk behavior the training sample carries.Wherein, label can be the natural numbers such as 1,2 and 3.Risk behavior may include
Send short message of maliciously deducting fees, installation malicious application and the operating system for damaging user terminal.
Secondly, running training sample in simulator, log information is obtained.Specifically, training sample is mounted on first
In simulator (such as Android simulator), then by way of customized ROM at each API of simulator pitching pile, then
It is operated using pressure test software (such as Monkey) stochastic simulation user for the input and click of training sample.When training sample
When this triggers some calling behavior in the process of running, the pitching pile code of the corresponding API of the calling behavior, pitching pile generation are triggered immediately
Code can recorde the triggered time of the ID and the API of the corresponding calling behavior of the API, and generate a log information.Log letter
Breath may include at least one of ID and triggered time.Wherein, simulator is a kind of virtual unit that can run application.
Then, it for each training sample, extracts the log information that training sample records at runtime and generates the training
The corresponding behavior vector of sample.It include: that can extract the institute in the log information according to the sequencing in the triggered time
Behavior mark is stated, behavior mark is arranged in a string of combination numbers as the behavior vector.Alternatively, respectively described in statistics
The number of every kind of behavior mark in log information;Then the number of every kind of behavior mark is arranged in a string of number of combinations
Word is as the behavior vector.
Finally, being directed to each behavior vector, the label of behavior vector sum training sample is transferred to and is carried out to training pattern
Training obtains risk behavior prediction model.Wherein, it can be to training pattern based on shot and long term memory network (Long Short-
Term Memory, LSTM) algorithm AI model.
S302, user terminal receive the risk behavior prediction model that cloud issues.
S303, user terminal extract the log information of the calling behavior recorded when target application operation, and according to the day
Will information generates behavior vector.Wherein, extract target application operation when record calling behavior log information method with it is upper
The S201 of one embodiment is identical, and identical as the S202 of a upper embodiment according to the method that log information generates behavior vector,
This step repeats no more.
The behavior vector is transferred in risk behavior prediction model by S304, user terminal, is answered with the determination target
Whether the calling behavior is risk behavior.If so, S306 is executed, if it is not, then executing S305.
The specific implementation method of this step is identical as the S204 of a upper embodiment, this step repeats no more.
S305 returns to the call address of the calling behavior, executes the calling behavior.
In the specific implementation, the call address of the API can be returned from the pitching pile code of the corresponding API of the calling behavior,
And execute the corresponding code of the API, that is, continue to execute the calling behavior.
S306, user terminal display reminding information, the prompt information is for prompting the user whether to the target application
Calling behavior carry out intercept process.
Such as: it is short to detect that the calling behavior of the transmission short message triggered in the process of running using 2 is deducted fees for transmission malice
The risk behavior of letter.At this point, being got by the UID in log information using 2 Apply Names is ABC.As shown in figure 5, with
Family terminal can " ABC be attempt to send short message of maliciously deducting fees display reminding information, if intercepts this journey in the display interface
For? ", user can click " confirmation " or " abandoning " button and be instructed with input validation.
S307, user terminal receive user's input and instruct for the confirmation of the prompt information.
S308, user terminal are instructed according to the confirmation, are carried out at interception to the calling behavior of the target application
Reason.
In the specific implementation, when confirmation instruction is the calling behavior of determining interception target application, then it is corresponding from the calling behavior
The pitching pile code of API return to the call address of the API, terminate the code for executing the API, that is, terminate and execute callings and go
For.It is the calling behavior for abandoning interception target application when confirmation instructs, then is returned from the pitching pile code of the corresponding API of the calling behavior
The call address for returning the API, executes the code of the API, that is, continues to execute calling behavior.
Optionally, interception can be shown as a result, to mention in the display interface after intercepting to the risk behavior
Show whether user intercepts success.Such as: as shown in fig. 6, being used after being intercepted successfully to the risk behavior for sending short message of maliciously deducting fees
" short message of maliciously deducting fees sends behavior and intercepts successfully display reminding information family terminal in the display interface!"
In embodiments of the present invention, behavior vector is generated according to the log information of the behavior of calling first, and by the behavior
Vector is transferred in risk behavior prediction model, to determine whether the calling behavior of the target application is risk row
It is pre- by risk behavior since risk behavior prediction model is formed according to the sample training of a large amount of known risk behavior
The further feature that model excavates calling behavior is surveyed, the calling behavior of which kind of unknown risk behavior is predicted, without very important person
To participate in, therefore improve the accuracy and efficiency of risk behavior prediction.Finally when intercepting to risk behavior, risk is improved
The accuracy and intercepting efficiency that behavior intercepts.
It is above-mentioned to illustrate the method for the embodiment of the present invention, the device of the embodiment of the present invention is provided below.
Fig. 7 is referred to, Fig. 7 is a kind of structural schematic diagram of risk behavior blocking apparatus provided in an embodiment of the present invention, should
Risk behavior blocking apparatus may include:
Extraction module 701, for extracting the log information of the calling behavior recorded when target application operation.
In the specific implementation, the corresponding API of each calling behavior.When target application calls some to call behavior, need
The calling behavior is executed by triggering the corresponding API of the calling behavior.User terminal can be by way of customized ROM
One section of customized code, the generation is written in pitching pile at each API in an operating system that is, in the corresponding code of each API
Code is properly termed as pitching pile code.Wherein, when target application triggers some in the process of running calls behavior, the calling can be triggered
The pitching pile code of the corresponding API of behavior, pitching pile code can recorde behavior the mark ID, the API of the corresponding calling behavior of the API
Triggered time and trigger the API application application identities UID, and generate a log information.Log information can wrap
Include at least one of UID, ID and triggered time.Wherein, UID and Apply Names, ID and calling behavior have corresponding relationship.It adjusts
It may include sending short message, installation application and short message reading etc. with behavior.
It should be noted that since the API in operating system is more, if corresponding to the API when each API is triggered
Calling behavior is detected, it will causes large effect to the performance of user terminal.Performance is influenced in order to reduce, Ke Yipei
Inspection policies are set, which may include following optional way:
The first optional way: the calling recorded when target application operation is extracted according to preset interval time
The log information of behavior.For example, starting timer immediately when application 1 brings into operation and carrying out timing.When timing duration arrives
When up to 30s, if triggering some calling behavior using 1 at this time, the log information using 1 is extracted.If not touched using 1 at this time
Send out calling behavior any, then etc. 1 triggering to be applied some when calling behavior, extract apply 1 log information.
Second of optional way: determine whether the calling behavior triggered when target application operation is crucial row
To extract the target when calling behavior triggered when target application operation is confirmed to be the critical behavior
The log information of the calling behavior recorded when using operation.
Wherein, critical behavior can be the behavior that may cause the risk that user compares concern, such as: user compares concern
Short message of maliciously deducting fees is sent, then can will send short message and be set as critical behavior.Specifically, user can preset critical behavior ID
List matches the ID of the calling behavior with critical behavior ID list when target application, which triggers some, calls behavior, if
Critical behavior ID list includes the ID of the calling behavior, it is determined that the calling behavior is critical behavior, if critical behavior ID list
It does not include the ID of the calling behavior, it is determined that the calling behavior is not confirmed to be critical behavior.
The third optional way: the accumulation of the log information of the calling behavior recorded when target application operation
When quantity reaches first threshold, the log information of the calling behavior recorded when target application operation is extracted.Its
In, first threshold can be 10.
Generation module 702, for generating behavior vector according to the log information of the calling behavior.
In the specific implementation, the characteristic information of calling behavior can be extracted first from log information;Then to characteristic information
It is encoded;Then behavior sequence is constructed according to the characteristic information after coding;Behavior sequence is finally mapped to behavior vector.Tool
Body includes the optional implementation of following two:
The first optional implementation: when the log information includes the behavior mark and triggering of the calling behavior
Between.The behavior mark in the log information can be extracted, by the behavior according to the sequencing in the triggered time
Mark is arranged in a string of combination numbers as the behavior vector.Specifically, behavior mark is extracted first from log information;It connects
To behavior mark encode;Then all behavior marks are arranged according to the sequencing in triggered time, is obtained
Behavior sequence;Behavior sequence is finally mapped to behavior vector, wherein can be by the way that the row of i-th bit will be come in behavior sequence
It is mapped to identify as the mode of i-th of element of behavior vector.Wherein, behavior vector includes N number of element, and N is log
The number for the behavior mark that information includes.
Second of optional implementation: the log information includes the behavior mark of the calling behavior.Distinguish first
Count the number of every kind of behavior mark in the log information;Then the number of every kind of behavior mark is arranged in one
String combination number is used as the behavior vector.Specifically, behavior mark is extracted first from log information;Then every kind of row is counted
For the number of mark;Then the number that obtained every kind of behavior identifies is arranged, obtains behavior sequence;Finally by behavior
Sequence is mapped to behavior vector, wherein can be by identifying the behavior for coming kth position in behavior sequence as behavior vector
The mode of k-th of element is mapped.Wherein, behavior vector includes M element, and M is every kind of behavior mark that log information includes
The quantity of knowledge.
Calling module 703, for issuing call instruction to risk behavior prediction model, to carry out wind to the behavior vector
The prediction of dangerous behavior is handled.
In the specific implementation, user terminal can call directly local risk behavior prediction model or user terminal can
To receive the request instruction of user's input, service request is sent to cloud according to request instruction, cloud is according to the service request
Risk behavior prediction model is issued to user.
The behavior vector is transferred in the risk behavior prediction model by detection module 704, with the determination target
Whether the calling behavior of application is risk behavior.
In the specific implementation, the behavior vector can be transferred in risk behavior prediction model first, the tune is obtained
With the class probability of behavior.Wherein, risk behavior prediction model can be used for defeated according to the behavior vector of the calling behavior of input
The class probability of the calling behavior out.Wherein, class probability can indicate that calling behavior is the confidence level of risk behavior, call row
To be higher for the confidence level of risk behavior, class probability is bigger.Then it according to the class probability of the calling behavior, determines
Whether the calling behavior is the risk behavior.
Further, when the class probability of the calling behavior is greater than second threshold, the calling behavior is determined
For the risk behavior;When the class probability of the calling behavior is not more than the second threshold, the calling is determined
Behavior is not the risk behavior.Wherein, second threshold all can be 0.5.For example, row is called in the output of risk behavior prediction model
For class probability be 0.4, due to 0.4 be not more than 0.5, then can determine that the calling behavior is not risk behavior.
Blocking module 705, for receiving the prediction result of the risk behavior feedback, when the calling behavior is confirmed to be
When the risk behavior, intercept process is carried out to the calling behavior of the target application.
In the specific implementation, when determining calling behavior is risk behavior, from the pitching pile code of the corresponding API of the calling behavior
The call address of the API is returned, and terminates the code for executing the API, that is, terminates and executes the calling behavior.And row is called when determining
When or not risk behavior, the call address of the API is returned from the pitching pile code of the corresponding API of the calling behavior, executes the API
Code, that is, continue to execute calling behavior.
Optionally, when determining calling behavior is risk behavior, display reminding information, the prompt information are used to mention first
Show whether user carries out intercept process to the calling behavior of the target application;Then user's input is received to mention for described
Show the confirmation instruction of information;It is finally instructed according to the confirmation, the calling behavior of the target application is carried out at interception
Reason.When calling behavior of the confirmation instruction for determining interception target application, intercept process is carried out to the calling behavior, when confirmation refers to
When enabling to abandon the calling behavior of interception target application, the calling behavior is continued to execute.
Optionally, blocking module 705 can be also used for intercepting in the calling behavior to the target application
Afterwards, show interception as a result, to prompt the user whether to intercept successfully in the display interface.
In embodiments of the present invention, behavior vector is generated according to the log information of the behavior of calling first, and by the behavior
Vector is transferred in risk behavior prediction model, to determine whether the calling behavior of the target application is risk row
It is pre- by risk behavior since risk behavior prediction model is formed according to the sample training of a large amount of known risk behavior
The further feature that model excavates calling behavior is surveyed, the calling behavior of which kind of unknown risk behavior is predicted, without very important person
To participate in, therefore improve the accuracy and efficiency of risk behavior prediction.Finally when intercepting to risk behavior, risk is improved
The accuracy and intercepting efficiency that behavior intercepts.
With continued reference to FIG. 8, Fig. 8 is the structural representation that a kind of risk behavior that the embodiment of the present invention proposes intercepts equipment
Figure.The risk behavior, which intercepts equipment, to be above-mentioned user terminal or other calculating equipment, as shown, the risk behavior is blocked
Cutting equipment may include: at least one processor 801, at least one communication interface 802, at least one processor 803 and at least
One communication bus 804.
Wherein, processor 801 can be central processor unit, general processor, digital signal processor, dedicated integrated
Circuit, field programmable gate array or other programmable logic device, transistor logic, hardware component or it is any
Combination.It, which may be implemented or executes, combines various illustrative logic blocks, module and electricity described in the disclosure of invention
Road.The processor is also possible to realize the combination of computing function, such as combines comprising one or more microprocessors, number letter
Number processor and the combination of microprocessor etc..Communication bus 804 can be Peripheral Component Interconnect standard PCI bus or extension work
Industry normal structure eisa bus etc..The bus can be divided into address bus, data/address bus, control bus etc..For convenient for indicate,
It is only indicated with a thick line in Fig. 8, it is not intended that an only bus or a type of bus.Communication bus 804 is used for
Realize the connection communication between these components.Wherein, the communication interface 802 of equipment is used for and other nodes in the embodiment of the present invention
Equipment carries out the communication of signaling or data.Memory 803 may include volatile memory, such as non-volatile dynamic random is deposited
Take memory (Nonvolatile Random Access Memory, NVRAM), phase change random access memory (Phase
Change RAM, PRAM), magnetic-resistance random access memory (Magetoresistive RAM, MRAM) etc., can also include non-
Volatile memory, for example, at least a disk memory, Electrical Erasable programmable read only memory (Electrically
Erasable Programmable Read-Only Memory, EEPROM), flush memory device, such as anti-or flash memory (NOR
Flash memory) or anti-and flash memory (NAND flash memory), semiconductor devices, such as solid state hard disk (Solid
State Disk, SSD) etc..Memory 803 optionally can also be that at least one is located remotely from the storage of aforementioned processor 801
Device.Batch processing code is stored in memory 803, and processor 801 executes the program in memory 803.
Extract the log information of the calling behavior recorded when target application operation;
Behavior vector is generated according to the log information of the calling behavior;
Call instruction is issued to risk behavior prediction model, at the prediction to carry out risk behavior to the behavior vector
Reason;
The behavior vector is transferred in the risk behavior prediction model, with the tune of the determination target application
It whether is risk behavior with behavior;
The prediction result for receiving the risk behavior prediction model feedback, when the calling behavior is confirmed to be the risk
When behavior, intercept process is carried out to the calling behavior of the target application.
Optionally, processor 801 is also used to perform the following operations step:
According to the sequencing in the triggered time, the behavior mark in the log information is extracted;
Behavior mark is arranged in a string of combination numbers as the behavior vector.
Optionally, processor 801 is also used to perform the following operations step:
The number of every kind of behavior mark in the log information is counted respectively;
The number of every kind of behavior mark is arranged in a string of combination numbers as the behavior vector.
Optionally, processor 801 is also used to perform the following operations step:
The log of the calling behavior recorded when target application operation is extracted according to preset interval time
Information.
Optionally, processor 801 is also used to perform the following operations step:
Determine whether the calling behavior triggered when target application operation is critical behavior;
When the calling behavior triggered when target application operation is confirmed to be the critical behavior, described in extraction
The log information for the calling behavior that target application records when running.
Optionally, processor 801 is also used to perform the following operations step:
The cumulative amount of the log information of the calling behavior recorded when target application operation reaches the first threshold
When value, the log information of the calling behavior recorded when target application operation is extracted.
Optionally, processor 801 is also used to perform the following operations step:
The behavior vector is transferred in the risk behavior prediction model, the classification for obtaining the calling behavior is general
Rate;
According to the class probability of the calling behavior, determine whether the calling behavior is the risk behavior.
Optionally, processor 801 is also used to perform the following operations step:
When the class probability of the calling behavior is greater than second threshold, determine that the calling behavior is the risk
Behavior;Or
When the class probability of the calling behavior is not more than the second threshold, determine that the calling behavior is not
The risk behavior.
Optionally, processor 801 is also used to perform the following operations step:
When the calling behavior is confirmed to be the risk behavior, display reminding information, the prompt information is for mentioning
Show whether user carries out intercept process to the calling behavior of the target application;
User's input is received to instruct for the confirmation of the prompt information;
It is instructed according to the confirmation, intercept process is carried out to the calling behavior of the target application.
Optionally, processor 801 is also used to perform the following operations step:
The interception of the risk behavior is shown in the display interface as a result, the interception result is for prompting the user whether to block
It is cut into function.
Further, processor can also be matched with memory and communication interface, execute foregoing invention embodiment apoplexy
The operation of dangerous behavior blocking apparatus.
In the above-described embodiments, can come wholly or partly by software, hardware, firmware or any combination thereof real
It is existing.When implemented in software, it can entirely or partly realize in the form of a computer program product.The computer program
Product includes one or more computer instructions.When loading on computers and executing the computer program instructions, all or
It partly generates according to process or function described in the embodiment of the present invention.The computer can be general purpose computer, dedicated meter
Calculation machine, computer network or other programmable devices.The computer instruction can store in computer readable storage medium
In, or from a computer readable storage medium to the transmission of another computer readable storage medium, for example, the computer
Instruction can pass through wired (such as coaxial cable, optical fiber, number from a web-site, computer, server or data center
User's line (DSL)) or wireless (such as infrared, wireless, microwave etc.) mode to another web-site, computer, server or
Data center is transmitted.The computer readable storage medium can be any usable medium that computer can access or
It is comprising data storage devices such as one or more usable mediums integrated server, data centers.The usable medium can be with
It is magnetic medium, (for example, floppy disk, hard disk, tape), optical medium (for example, DVD) or semiconductor medium (such as solid state hard disk
Solid State Disk (SSD)) etc..
Above-described specific embodiment has carried out further the purpose of the present invention, technical scheme and beneficial effects
It is described in detail.All within the spirits and principles of the present invention, any modification, equivalent replacement, improvement and so on should be included in
Within protection scope of the present invention.
Claims (16)
1. a kind of risk behavior hold-up interception method, which is characterized in that the described method includes:
Extract the log information of the calling behavior recorded when target application operation;
Behavior vector is generated according to the log information of the calling behavior;
Call instruction is issued to risk behavior prediction model, is handled with carrying out the prediction of risk behavior to the behavior vector;
The behavior vector is transferred in the risk behavior prediction model, with the calling row of the determination target application
Whether to be risk behavior;
The prediction result for receiving the risk behavior prediction model feedback, when the calling behavior is confirmed as the risk behavior
When, intercept process is carried out to the calling behavior of the target application.
2. the method as described in claim 1, which is characterized in that the log information includes the behavior mark of the calling behavior
And the triggered time;It is described to include: according to the log information of calling behavior generation behavior vector
According to the sequencing in the triggered time, the behavior mark in the log information is extracted;
Behavior mark is arranged in a string of combination numbers as the behavior vector.
3. the method as described in claim 1, which is characterized in that the log information includes the behavior mark of the calling behavior
Know;It is described to include: according to the log information of calling behavior generation behavior vector
The number of every kind of behavior mark in the log information is counted respectively;
The number of every kind of behavior mark is arranged in a string of combination numbers as the behavior vector.
4. the method according to claim 1, which is characterized in that described to extract the tune recorded when target application operation
Include: with the log information of behavior
The log information of the calling behavior recorded when target application operation is extracted according to preset interval time.
5. the method according to claim 1, which is characterized in that described to extract the tune recorded when target application operation
Include: with the log information of behavior
Determine whether the calling behavior triggered when target application operation is critical behavior;
When the calling behavior triggered when target application operation is confirmed to be the critical behavior, the target is extracted
The log information of the calling behavior recorded when using operation.
6. the method according to claim 1, which is characterized in that described to extract the tune recorded when target application operation
Include: with the log information of behavior
When the cumulative amount of the log information of the calling behavior recorded when target application operation reaches first threshold,
Extract the log information of the calling behavior recorded when target application operation.
7. the method as described in claim 1, which is characterized in that described that the behavior vector is transferred to the risk behavior is pre-
It surveys in model, whether is that risk behavior includes: with the calling behavior of the determination target application
The behavior vector is transferred in the risk behavior prediction model, the class probability of the calling behavior is obtained;
According to the class probability of the calling behavior, determine whether the calling behavior is the risk behavior.
8. the method for claim 7, which is characterized in that the class probability according to the calling behavior, really
Whether the fixed calling behavior is that risk behavior includes:
When the class probability of the calling behavior is greater than second threshold, determine that the calling behavior is the risk row
For;Or
When the class probability of the calling behavior is not more than the second threshold, determine that the calling behavior is not described
Risk behavior.
9. the method as described in claim 1, which is characterized in that described when the calling behavior is confirmed to be the risk behavior
When, carrying out intercept process to the calling behavior of the target application includes:
When the calling behavior is confirmed to be the risk behavior, display reminding information, the prompt information is used for prompting
Whether family carries out intercept process to the calling behavior of the target application;
User's input is received to instruct for the confirmation of the prompt information;
It is instructed according to the confirmation, intercept process is carried out to the calling behavior of the target application.
10. such as the described in any item methods of claim 1-9, which is characterized in that the calling to the target application
After behavior carries out intercept process, further includes:
Show the interception of the risk behavior in the display interface as a result, the interception result for prompt the user whether intercept at
Function.
11. a kind of risk behavior blocking apparatus, which is characterized in that described device includes:
Extraction module, for extracting the log information of the calling behavior recorded when target application operation;
Generation module, for generating behavior vector according to the log information of the calling behavior;
Calling module, for issuing call instruction to risk behavior prediction model, to carry out risk behavior to the behavior vector
Prediction processing;
Detection module is answered for the behavior vector to be transferred in the risk behavior prediction model with the determination target
Whether the calling behavior is risk behavior;
Blocking module, for receiving the prediction result of the risk behavior prediction model feedback, when the calling behavior is identified
When for the risk behavior, intercept process is carried out to the calling behavior of the target application.
12. device as claimed in claim 11, which is characterized in that the log information includes the behavior mark of the calling behavior
Knowledge and triggered time;The generation module is specifically used for:
According to the sequencing in the triggered time, the behavior mark in the log information is extracted;
Behavior mark is arranged in a string of combination numbers as the behavior vector.
13. device as claimed in claim 11, which is characterized in that the log information includes the behavior mark of the calling behavior
Know;The generation module is specifically used for:
The number of every kind of behavior mark in the log information is counted respectively;
The number of every kind of behavior mark is arranged in a string of combination numbers as the behavior vector.
14. such as the described in any item devices of claim 11-13, which is characterized in that the extraction module is specifically used for:
The log information of the calling behavior recorded when target application operation is extracted according to preset interval time.
15. such as the described in any item devices of claim 11-13, which is characterized in that the extraction module is specifically used for:
Determine whether the calling behavior triggered when target application operation is critical behavior;
When the calling behavior triggered when target application operation is confirmed to be the critical behavior, the target is extracted
The log information of the calling behavior recorded when using operation.
16. a kind of computer readable storage medium, which is characterized in that the computer-readable recording medium storage has a plurality of finger
It enables, described instruction is suitable for being loaded by processor and being executed such as the described in any item methods of claim 1-10.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810169751.4A CN110213200B (en) | 2018-02-28 | 2018-02-28 | Risk behavior interception method and related equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810169751.4A CN110213200B (en) | 2018-02-28 | 2018-02-28 | Risk behavior interception method and related equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110213200A true CN110213200A (en) | 2019-09-06 |
| CN110213200B CN110213200B (en) | 2022-07-01 |
Family
ID=67778803
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810169751.4A Active CN110213200B (en) | 2018-02-28 | 2018-02-28 | Risk behavior interception method and related equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110213200B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113239065A (en) * | 2021-06-25 | 2021-08-10 | 深圳市合美鑫精密电子有限公司 | Big data based security interception rule updating method and artificial intelligence security system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104715195A (en) * | 2015-03-12 | 2015-06-17 | 广东电网有限责任公司信息中心 | Malicious code detecting system and method based on dynamic instrumentation |
| US20160210840A1 (en) * | 2008-05-14 | 2016-07-21 | International Business Machines Corporation | Comprehensive tsunami alert system via mobile devices |
| CN106874761A (en) * | 2016-12-30 | 2017-06-20 | 北京邮电大学 | A kind of Android system malicious application detection method and system |
| CN107045607A (en) * | 2016-12-13 | 2017-08-15 | 全球能源互联网研究院 | Using abnormal behaviour identification model method for building up and device, recognition methods and device |
| CN107566358A (en) * | 2017-08-25 | 2018-01-09 | 腾讯科技(深圳)有限公司 | A kind of Risk-warning reminding method, device, medium and equipment |
-
2018
- 2018-02-28 CN CN201810169751.4A patent/CN110213200B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160210840A1 (en) * | 2008-05-14 | 2016-07-21 | International Business Machines Corporation | Comprehensive tsunami alert system via mobile devices |
| CN104715195A (en) * | 2015-03-12 | 2015-06-17 | 广东电网有限责任公司信息中心 | Malicious code detecting system and method based on dynamic instrumentation |
| CN107045607A (en) * | 2016-12-13 | 2017-08-15 | 全球能源互联网研究院 | Using abnormal behaviour identification model method for building up and device, recognition methods and device |
| CN106874761A (en) * | 2016-12-30 | 2017-06-20 | 北京邮电大学 | A kind of Android system malicious application detection method and system |
| CN107566358A (en) * | 2017-08-25 | 2018-01-09 | 腾讯科技(深圳)有限公司 | A kind of Risk-warning reminding method, device, medium and equipment |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113239065A (en) * | 2021-06-25 | 2021-08-10 | 深圳市合美鑫精密电子有限公司 | Big data based security interception rule updating method and artificial intelligence security system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110213200B (en) | 2022-07-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109034660B (en) | Method and related device for determining risk control strategy based on prediction model | |
| CN112395159B (en) | Log detection method, system, device and medium | |
| WO2020019484A1 (en) | Simulator recognition method, recognition device, and computer readable medium | |
| CN107888554B (en) | Method and device for detecting server attack | |
| CN107391359B (en) | Service testing method and device | |
| CN109492378A (en) | A kind of auth method based on EIC equipment identification code, server and medium | |
| CN110263538B (en) | Malicious code detection method based on system behavior sequence | |
| CN107025165A (en) | Game automated testing method and relevant apparatus | |
| CN109062667B (en) | Simulator identification method, simulator identification equipment and computer readable medium | |
| CN106603327B (en) | Behavioral data analysis method and device | |
| CN104809397A (en) | Android malicious software detection method and system based on dynamic monitoring | |
| CN108322463A (en) | Ddos attack detection method, device, computer equipment and storage medium | |
| CN110933104A (en) | Malicious command detection method, device, equipment and medium | |
| CN107797868A (en) | resource adjusting method and device | |
| CN109224453A (en) | Game monitoring and managing method, system and computer equipment, computer readable storage medium | |
| CN109829300A (en) | APP dynamic depth malicious act detection device, method and system | |
| CN109727027A (en) | Account recognition methods, device, equipment and storage medium | |
| CN108984255A (en) | A kind of remote assistance method and relevant device | |
| CN107239387A (en) | A kind of data exception detection method and terminal | |
| CN110213200A (en) | A kind of risk behavior hold-up interception method and relevant device | |
| CN110443044A (en) | Block chain client bug excavation method, device, equipment and storage medium | |
| CN104200164B (en) | Loader virus searching and killing method, device and terminal | |
| CN107766068A (en) | Application system patch installation, device, computer equipment and storage medium | |
| CN109543409B (en) | Method, device and equipment for detecting malicious application and training detection model | |
| CN110209563A (en) | Examination question assessment monitoring and managing method, electronic equipment and computer storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |