CN110447215B - Dynamic warning method and terminal for malicious behavior of application software - Google Patents

Publication number: CN110447215B
Authority: CN (China)
Prior art keywords: terminal, information, application software, alarm, malicious
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201880019202.7A
Other languages: Chinese (zh)
Other versions: CN110447215A (en)
Inventors: 林子敏, 刘艺锋, 袁中举
Current Assignee: Huawei Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of CN110447215A
Application granted
Publication of CN110447215B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephone Function (AREA)

Abstract

The application discloses a dynamic warning method and a terminal for malicious behavior of application software. It relates to the field of terminal security and is used to dynamically adjust the warnings raised for malicious behavior of application software. The method comprises the following steps: the terminal monitors the behavior of application software calling key functions; the terminal generates a behavior vector according to the number of times the application software is observed calling the key functions within a preset time; the terminal inputs the behavior vector into a malicious behavior model based on a machine learning algorithm to obtain a result vector of the application software; the terminal generates alarm information for each malicious behavior type whose threat level is greater than or equal to the alarm threshold; the terminal prompts the alarm information; the terminal acquires first feedback information of a user on the alarm information; the terminal keeps the alarm threshold corresponding to the malicious behavior type according to the first feedback information; the terminal acquires second feedback information of the user on the alarm information; and the terminal raises the alarm threshold corresponding to the malicious behavior type according to the second feedback information. The embodiments of the application are used for raising alarms about malicious software.

Description

Dynamic warning method and terminal for malicious behavior of application software
The present application claims priority to the Chinese patent application No. 201711101431.7, entitled "method for determining and alarming malicious behavior of mobile device adapted to user", filed with the Chinese Patent Office on 10/11/2017, which is incorporated herein by reference in its entirety.
Technical Field
The application relates to the field of terminal security, in particular to a dynamic warning method and a terminal for malicious behaviors of application software.
Background
As terminal devices carry more and more important data such as user privacy and property, malicious application software has gradually become an important threat to terminal security, and malicious behavior analysis technology for application software continues to develop. In the prior art, the same model is used for all users when raising alarms about malicious behavior of terminal software. In practice, however, many behaviors of application software lie between normal and malicious, and different users judge the behavior of an application by different standards, so an alarm result may be inconsistent with the user's perception.
Disclosure of Invention
The embodiment of the application provides a dynamic warning method and a terminal for malicious behaviors of application software, which are used for dynamically adjusting warning for the malicious behaviors of the application software.
In order to achieve the above purpose, the embodiment of the present application adopts the following technical solutions:
In a first aspect, a method for dynamically warning about malicious behavior of application software is provided, comprising: the terminal monitors the behavior of running application software calling N key functions $F_1, F_2, \ldots, F_N$; the terminal generates an N-dimensional behavior vector $A = (A_1, A_2, \ldots, A_N)$ according to the number of times the application software is observed calling the N key functions within a preset time, wherein the i-th dimension $A_i$ of the behavior vector represents the number of times the application software calls key function $F_i$, $1 \le i \le N$; based on a machine learning algorithm, the terminal inputs the behavior vector $A = (A_1, A_2, \ldots, A_N)$ into a malicious behavior model to obtain an M-dimensional result vector $B = (B_1, B_2, \ldots, B_M)$ of the application software, where $M < N$ and each dimension of $B$ corresponds to a malicious behavior type and its threat level; the terminal generates alarm information for the malicious behavior types whose threat level is greater than or equal to an alarm threshold, wherein each malicious behavior type corresponds to one alarm threshold; the terminal prompts the alarm information; the terminal acquires first feedback information of a user on the alarm information, wherein the first feedback information indicates that the alarm information is approved; the terminal keeps the alarm threshold corresponding to the malicious behavior type in the alarm information according to the first feedback information; the terminal acquires second feedback information of the user on the alarm information, wherein the second feedback information indicates that the alarm information is not approved; and the terminal raises the alarm threshold corresponding to the malicious behavior type in the alarm information according to the second feedback information.
In the method and terminal, the terminal monitors the behavior of running application software calling N key functions $F_1, F_2, \ldots, F_N$ and, according to the number of times the application software calls the N key functions within a preset time, generates an N-dimensional behavior vector $A = (A_1, A_2, \ldots, A_N)$, wherein the i-th dimension $A_i$ of the behavior vector represents the number of times the application software calls key function $F_i$, $1 \le i \le N$; the terminal inputs the behavior vector into a malicious behavior model based on a machine learning algorithm to obtain an M-dimensional result vector $B = (B_1, B_2, \ldots, B_M)$ of the application software, where $M < N$ and each dimension of the result vector corresponds to a malicious behavior type and its threat level; the terminal generates alarm information for the malicious behavior types whose threat level is greater than or equal to an alarm threshold, wherein each malicious behavior type corresponds to one alarm threshold; the terminal prompts the alarm information; the terminal acquires first feedback information of a user on the alarm information, wherein the first feedback information indicates that the alarm information is approved; the terminal keeps the alarm threshold corresponding to the malicious behavior type in the alarm information according to the first feedback information; the terminal acquires second feedback information of the user on the alarm information, wherein the second feedback information indicates that the alarm information is not approved; and the terminal raises the alarm threshold corresponding to the malicious behavior type in the alarm information according to the second feedback information.
The terminal expresses the number of times the application software calls key functions mathematically as a behavior vector, inputs it into a malicious behavior model to obtain a result vector representing the malicious behavior types and their threat levels, then generates alarm information according to the threat level of each malicious behavior type and the alarm threshold, and then adjusts the alarm threshold according to the user's feedback on the alarm information so as to adapt to different users and terminals, thereby dynamically adjusting the alarms raised for malicious behavior of application software.
In one possible embodiment, the method further comprises: the terminal obtains security information of the terminal, wherein the security information comprises a security state and a security requirement; if the security state of the terminal is low or the security requirement is high, the alarm threshold for some or all malicious behavior types is lowered. This embodiment can adjust the alarm threshold according to the security information of the terminal.
In a second aspect, a terminal is provided, including: a monitoring unit, configured to monitor the behavior of application software calling N key functions $F_1, F_2, \ldots, F_N$; a generating unit, configured to generate an N-dimensional behavior vector $A = (A_1, A_2, \ldots, A_N)$ according to the number of times the monitoring unit observes the application software calling the N key functions within a preset time, wherein the i-th dimension $A_i$ of the behavior vector represents the number of times the application software calls key function $F_i$, $1 \le i \le N$; an acquisition unit, configured to input, based on a machine learning algorithm, the behavior vector $A = (A_1, A_2, \ldots, A_N)$ generated by the generating unit into a malicious behavior model to obtain an M-dimensional result vector $B = (B_1, B_2, \ldots, B_M)$ of the application software, where $M < N$ and each dimension of $B$ corresponds to a malicious behavior type and its threat level; the generating unit is further configured to generate alarm information for the malicious behavior types whose threat level is greater than or equal to an alarm threshold, wherein each malicious behavior type corresponds to one alarm threshold; a prompting unit, configured to prompt the alarm information generated by the generating unit; the acquisition unit is further configured to acquire first feedback information of the user on the alarm information, wherein the first feedback information indicates that the alarm information is approved; an adjusting unit, configured to keep, according to the first feedback information acquired by the acquisition unit, the alarm threshold corresponding to the malicious behavior type in the alarm information; the acquisition unit is further configured to acquire second feedback information of the user on the alarm information, wherein the second feedback information indicates that the alarm information is not approved; and the adjusting unit is further configured to raise the alarm threshold corresponding to the malicious behavior type in the alarm information according to the second feedback information. Based on the same inventive concept, for the principle by which the terminal solves the problem and its beneficial effects, reference may be made to the possible method embodiments of the first aspect and the beneficial effects they bring; the implementation of the terminal may likewise refer to the first aspect and its possible method embodiments, and repeated details are not described again.
In a third aspect, an embodiment of the present application provides a terminal, including: a processor, a memory, and a communication interface; the memory is used for storing computer-executable instructions, the processor is coupled with the memory, and when the terminal runs, the processor executes the computer-executable instructions stored in the memory so that the terminal executes any one of the above dynamic warning methods for malicious behavior of application software.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium in which instructions are stored; when the instructions are executed on any one of the above terminals, they cause the terminal to execute any one of the above dynamic warning methods for malicious behavior of application software.
In a fifth aspect, an embodiment of the present application provides a computer program product containing instructions which, when run on any one of the above terminals, cause the terminal to execute any one of the above dynamic warning methods for malicious behavior of application software.
In the embodiments of the present application, the names of the components in the terminal described above do not limit the device itself, and in practical implementations, the components may appear by other names. Insofar as the functions of the respective components are similar to those of the embodiments of the present application, they are within the scope of the claims of the present application and their equivalents.
In addition, for the technical effects brought by any design of the third aspect to the fifth aspect, reference may be made to the technical effects brought by the different designs of the first aspect, and they are not described here again.
Drawings
Fig. 1 is a schematic front view of a terminal according to an embodiment of the present disclosure;
Fig. 2 is a schematic diagram of a hardware structure of a terminal according to an embodiment of the present disclosure;
Fig. 3 is a first flowchart illustrating a dynamic warning method for malicious behavior of application software according to an embodiment of the present application;
Fig. 4 is a schematic diagram of obtaining a behavior vector according to an embodiment of the present application;
Fig. 5 is a diagram illustrating a resulting vector provided in an embodiment of the present application;
Fig. 6 is a diagram illustrating a display of alarm information according to an embodiment of the present application;
Fig. 7 is a schematic diagram illustrating a warning message displayed in a message frame according to an embodiment of the present application;
Fig. 8 is a schematic diagram illustrating an alarm message displayed in a notification center according to an embodiment of the present application;
Fig. 9 is a flowchart illustrating a second method for dynamically alerting about malicious behavior of application software according to an embodiment of the present application;
Fig. 10 is a third schematic flowchart of a dynamic warning method for malicious behavior of application software according to an embodiment of the present application;
Fig. 11 is a first schematic structural diagram of a terminal according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of a terminal according to an embodiment of the present application.
Detailed Description
The terminal in the embodiments of the application may be any of various electronic devices configured with a display screen, for example, a wearable electronic device (e.g., a smart watch), a tablet computer, a desktop computer, a virtual reality device, an augmented reality device, or the mobile phone 200 shown in Fig. 1 or Fig. 2; the specific form of the terminal is not limited in the embodiments of the application.
The following embodiments take a mobile phone as an example to illustrate how a terminal implements the specific technical solutions in the embodiments. As shown in Fig. 1 or Fig. 2, the terminal in the embodiments of the present application may be a mobile phone 200. Fig. 1 is a schematic front view of the mobile phone 200, and Fig. 2 is a schematic diagram of the hardware structure of the mobile phone 200. The embodiments are described below by taking the mobile phone 200 as an example. It should be understood that the illustrated mobile phone 200 is merely one example of a terminal, which may have more or fewer components than shown in the figures, may combine two or more components, or may have different components.
As shown in Fig. 2, the mobile phone 200 may include: a Radio Frequency (RF) circuit 210, a memory 220, an input unit 230, a display unit 240, a sensor 250, an audio circuit 260, a Wireless Fidelity (Wi-Fi) module 270, a processor 280, a Bluetooth module 281, and a power supply 290.
The RF circuit 210 may be used for receiving and transmitting signals during information transmission and reception or during a call, and may receive downlink data of a base station and then send the downlink data to the processor 280 for processing; the uplink data may be transmitted to the base station. Typically, the RF circuitry includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier, a duplexer, and the like. The RF circuit 210 of the present application may obtain the malicious behavior model and the alarm policy from the cloud.
Memory 220 may be used to store software programs and data. The processor 280 performs various functions of the mobile phone 200 and data processing by executing software programs or data stored in the memory 220. The memory 220 may include high speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Memory 220 stores an operating system that enables the mobile phone 200 to function, such as the operating system developed by Apple Inc., the open source operating system developed by Google, or the operating system developed by Microsoft Corporation. The memory 220 of the application can store malicious behavior models and alarm policies from the cloud, can also store various application software, and can also store code for monitoring and analyzing the behavior of the application software.
The input unit 230 (e.g., a touch screen) may be used to receive input numeric or character information and to generate signal inputs related to user settings and function control of the mobile phone 200. Specifically, the input unit 230 may include a touch panel 231 disposed on the front surface of the mobile phone 200 as shown in Fig. 1, which may collect touch operations by a user on or near it. The input unit 230 of the present application may receive the user's feedback information on alarm information.
The display unit 240 (i.e., a display screen) may be used to display information input by or provided to the User and a Graphical User Interface (GUI) for various menus of the mobile phone 200. The display unit 240 may include a display panel 241 disposed on the front surface of the cellular phone 200. The display panel 241 may be configured in the form of a liquid crystal display, a light emitting diode, or the like. The display unit 240 may be used to display various graphical user interfaces described herein. The touch panel 231 may be covered on the display panel 241, or the touch panel 231 and the display panel 241 may be integrated to realize the input and output functions of the mobile phone 200, and the integrated function may be referred to as a touch display screen for short. The display unit 240 may display alarm information in the present application.
The handset 200 may also include at least one sensor 250, such as a light sensor, motion sensor. The cell phone 200 may also be configured with other sensors such as a gyroscope, barometer, hygrometer, thermometer, infrared sensor, and the like.
Audio circuitry 260, speaker 261, and microphone 262 may provide an audio interface between a user and cell phone 200. The audio circuit 260 may transmit the electrical signal converted from the received audio data to the speaker 261, and convert the electrical signal into a sound signal by the speaker 261 and output the sound signal; on the other hand, the microphone 262 converts the collected sound signals into electrical signals, which are received by the audio circuit 260 and converted into audio data, which are then output to the RF circuit 210 for transmission to, for example, another cell phone, or to the memory 220 for further processing.
Wi-Fi is a short-range wireless transmission technology. Through the Wi-Fi module 270, the mobile phone 200 can help a user send and receive e-mail, browse web pages, access streaming media and the like, providing the user with wireless broadband internet access. The Wi-Fi module 270 of the present application may obtain malicious behavior models and alarm policies from the cloud.
The processor 280 is a control center of the mobile phone 200, connects various parts of the entire mobile phone using various interfaces and lines, and performs various functions of the mobile phone 200 and processes data by operating or executing software programs stored in the memory 220 and calling data stored in the memory 220. In some embodiments, processor 280 may include one or more processing units; the processor 280 may also integrate an application processor, which primarily handles operating systems, user interfaces, applications, etc., and a baseband processor, which primarily handles wireless communications. It will be appreciated that the baseband processor described above may not be integrated into the processor 280.
The Bluetooth module 281 is used to exchange information with other Bluetooth devices that have a Bluetooth module through the Bluetooth protocol. For example, the mobile phone 200 may establish a Bluetooth connection through the Bluetooth module 281 with a wearable electronic device (e.g., a smart watch) that has a Bluetooth module, so as to exchange data.
The handset 200 also includes a power supply 290 (such as a battery) for powering the various components. The power supply may be logically coupled to the processor 280 through a power management system to manage charging, discharging, and power consumption functions through the power management system.
The methods in the following embodiments can be implemented in the mobile phone 200 having the above hardware structure.
As shown in Fig. 3, an embodiment of the present application provides a dynamic warning method for malicious behavior of application software, where the method may include:
Step S101: the terminal monitors the behavior of running application software calling N key functions $F_1, F_2, \ldots, F_N$.
The application software installed and running on the terminal may come from different download sources, such as an application store, the official website of the application software, a web link, and the like, which is not limited in this application. Regardless of its source, if the application software is malicious, it exhibits malicious behaviors at run time that are common to malicious software and can threaten the security of terminal information. For example, malicious software may steal user privacy information, including call recordings, short message content, International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), geographic location, address book, browser history, and so on, and upload the information to a remote server controlled by a hacker; malicious software can send malicious fee deduction short messages, make malicious calls and intercept verification code short messages; malicious software can acquire root privileges through system vulnerabilities and silently install other programs in the background, or deceive users into installing other programs by posing as antivirus software, prompting for updates and similar means; malicious software may download a large amount of software in the background, consuming the user's mobile data traffic, or perform power-hungry operations to drain the phone's battery, thereby affecting normal mobile phone communications. These malicious behaviors are implemented in software by calling functions. For example, the SmsManager.sendDataMessage function is provided for sending short messages; the DefaultHttpClient.execute function is provided to send a Hypertext Transfer Protocol (HTTP) request; a connect function is provided to connect to a Uniform Resource Locator (URL); and the java.lang.Runtime.exec function is provided for executing external commands.
It should be noted that calling such a function is not necessarily malicious; for example, normal application software may also call the SmsManager.sendDataMessage function. Therefore, the terminal can monitor whether the application software behaves maliciously by monitoring how frequently it calls key functions.
In particular, since the operating system provides a very large number of functions that can be called by the application software, and many functions are not called by the application software to perform malicious activities, the term "key function" is used in the following embodiments of the present application to refer to a function that can be called by the application software to perform malicious activities.
The developer of the terminal software system can add related code to the N key functions $F_1, F_2, \ldots, F_N$ so that the terminal can obtain the identifier of the application software that calls a key function; for example, the terminal may obtain a Process Identifier (PID) through the getpid function or a User Identifier (UID) through the getuid function.
It is understood that "key function" is only a word used in the embodiments of the present application, and its representative meaning has been described in the embodiments of the present application, and its name does not set any limit to the embodiments of the present application; in addition, in some other embodiments of the present application, the "key function" may also be referred to as other words such as "important function", "sensitive function", "feature function", "danger function", and the like.
Step S102: the terminal generates an N-dimensional behavior vector $A = (A_1, A_2, \ldots, A_N)$ according to the number of times the application software is observed calling the N key functions within a preset time period.
The i-th dimension $A_i$ of the behavior vector $A = (A_1, A_2, \ldots, A_N)$ represents the number of times the application software calls the key function $F_i$, where $1 \le i \le N$. It should be noted that the application software is not required to call all of the N key functions $F_1, F_2, \ldots, F_N$; it may call only at least one of them.
For example, a developer may add code for acquiring the PID or UID of the application software to the short-message sending function SmsManager.sendDataMessage. For another example, because calling the system-call process-kill function sys_kill may involve destroying the system, the developer may add code for acquiring the PID or UID of the application software to sys_kill, so that the terminal counts the number of times the function is called by a given application.
The terminal can abstract the number of times each application calls the N key functions within the preset time into an N-dimensional behavior vector. Each dimension represents the number of times the application calls a certain key function within the preset time; if a key function is not called, the count in the corresponding dimension is 0. N is the number of all key functions that the application software may call. For example, referring to Fig. 4, assume that the resulting behavior vector of software 1 is $A_1 = (A_{11}, A_{12}, \ldots, A_{1N})$, where the first dimension $A_{11}$ represents the number of times software 1 calls the SmsManager.sendDataMessage function within the preset time and the second dimension $A_{12}$ represents the number of times software 1 calls the sys_kill function within the preset time. Similarly, the behavior vector of software 2 is $A_2 = (A_{21}, A_{22}, \ldots, A_{2N})$, where the first dimension $A_{21}$ represents the number of times software 2 calls the SmsManager.sendDataMessage function within the preset time and the second dimension $A_{22}$ represents the number of times software 2 calls the sys_kill function within the preset time; the behavior vectors of other software follow by analogy. If software 1 calls the SmsManager.sendDataMessage function 18 times and calls the sys_kill function 0 times within the preset time, the behavior vector of software 1 can be represented as $A_1 = (18, 0, \ldots, A_{1N})$.
Step S103: based on a machine learning algorithm, the terminal or the cloud inputs the behavior vector $A = (A_1, A_2, \ldots, A_N)$ into a malicious behavior model to obtain an M-dimensional result vector $B = (B_1, B_2, \ldots, B_M)$ of the application software.
Here $M < N$, and each dimension of the result vector $B = (B_1, B_2, \ldots, B_M)$ corresponds to a malicious behavior type and its threat level.
As described above, each dimension of the behavior vector represents the number of times that the application software calls a certain key function within a preset time, but since the number of key functions is large, a plurality of key functions may correspond to a malicious behavior, and the threat level of different key functions corresponding to a malicious behavior is different, it is inconvenient to analyze the behavior of the application software from the perspective of the key functions.
Therefore, the behavior vectors can be summarized through the malicious behavior model to obtain the malicious behavior types corresponding to the key functions and their threat levels, that is, the result vector. Malicious behavior types may include, for example, privacy theft, malicious deductions, system destruction, and the like. The threat level refers to the severity of the malicious behavior of the application software and may be represented, for example, by a numerical level of 0-10. For each application, each malicious behavior type corresponds to a threat level; for example, for a malicious application whose malicious behavior types include privacy theft and system destruction, the threat level of privacy theft is 3 and the threat level of system destruction is 5. The malicious behavior model is a mathematical model obtained by the cloud by training, according to a machine learning algorithm, on the behavior vectors and result vectors of a large amount of application software. Each dimension of the result vector represents a certain malicious behavior type and its threat level. The result vector is in effect a dimension-reduced summary of the behavior vector: because there are far fewer malicious behavior types than key functions, the higher-dimensional key-function call counts can be represented by the lower-dimensional malicious behavior types and their corresponding threat levels.
When the cloud trains the malicious behavior model, a large number of real or simulated terminal device system environments can be constructed in the cloud, and a large amount of application software with known M-dimensional result vectors (namely malicious behavior types and threat levels) is run in the constructed system environments to obtain the N-dimensional behavior vectors, where M represents the number of malicious behavior types. The N-dimensional behavior vector and the M-dimensional result vector of each application are then taken as a training data pair, and the malicious behavior model is trained based on a machine learning algorithm to finally obtain the malicious behavior model. The malicious behavior type and threat level of each application participating in the training are known input information, which may be obtained from a third party or entered manually. The machine learning algorithm may include decision trees, logistic regression, etc., which are suitable for generalizing from known knowledge. It should be noted that the malicious behavior model may also be trained in other mathematical ways; for example, the malicious behavior type and the threat level of each application are each taken as a vector, the two vectors form a result vector group, the N-dimensional behavior vector and the result vector group of each application are taken as a training data pair, and the malicious behavior model is trained based on a machine learning algorithm, which also yields the malicious behavior model.
Each dimension of the behavior vectors input when the cloud trains the malicious behavior model has the same meaning as the corresponding dimension of the behavior vector obtained in step S102. Consequently, when the behavior vector obtained in step S102 is input into the malicious behavior model, each dimension of the resulting result vector has the same meaning as the corresponding dimension of the result vectors input when the cloud trained the model. Referring to Fig. 5, using the N-dimensional behavior vector of each application as the input of the malicious behavior model, an M-dimensional result vector may be obtained based on the same machine learning method as that used in training the malicious behavior model, and the M-dimensional result vector includes the malicious behavior types and the corresponding threat levels of each application.
For example, assume that the result vector of software 1 is $B_1 = (B_{11}, B_{12}, \ldots, B_{1M})$, where the first dimension $B_{11}$ represents the threat level of malicious deduction by software 1 and the second dimension $B_{12}$ represents the threat level of system destruction by software 1. Similarly, assume that the result vector of software 2 is $B_2 = (B_{21}, B_{22}, \ldots, B_{2M})$, where the first dimension $B_{21}$ represents the threat level of malicious deduction by software 2 and the second dimension $B_{22}$ represents the threat level of system destruction by software 2. The result vectors of other software follow the same pattern. If the threat level of malicious deduction by software 1 is 3 and the threat level of system destruction is 5, the result vector of software 1 can be written as $B_1 = (3, 5, \ldots, B_{1M})$.
In some embodiments of the present application, the behavior vector of the application software may be sent to the cloud end by the terminal, and the cloud end generates the result vector of the application software according to the malicious behavior model stored in the cloud end and the behavior vector of the application software. In some other embodiments of the present application, the cloud may also send the malicious behavior model to the terminal, and the terminal generates the result vector of the application software according to the malicious behavior model and the behavior vector of the application software.
Step S104, the terminal generates alarm information for the malicious behavior types whose threat level is greater than or equal to the alarm threshold.
Each malicious behavior type corresponds to one alarm threshold, the alarm thresholds corresponding to multiple malicious behavior types can be collectively referred to as an alarm policy, and the same malicious behavior type can correspond to the same or different alarm thresholds for all application software. And if the threat level of one malicious behavior type of the application software is greater than or equal to the corresponding alarm threshold value, the terminal generates alarm information. For example, assuming that the alarm threshold of privacy stealing is 3, if the threat level of privacy stealing of an application is greater than or equal to 3, the system will prompt alarm information, which may indicate that the application software is stealing privacy.
In some embodiments of the present application, if the result vector of the application software is generated by the cloud, the cloud may send the malicious behavior types and threat levels of the application software to the terminal, and the terminal generates the alarm information in combination with the alarm policy. The terminal can store the alarm policy locally or acquire it from the cloud.
The alarm information may include the name of the application software that produced the malicious behavior and the malicious behavior type. If the threat levels of several malicious behavior types are greater than or equal to the corresponding alarm thresholds, the alarm information may include those several malicious behavior types.
Step S105, the terminal prompts the alarm information.
For example, referring to fig. 6, after behavior analysis of a certain application software is completed, the terminal determines whether to display alarm information to the user according to the alarm policy issued by the cloud and the malicious behavior types and threat levels of the application software. The alarm policy covers all malicious behavior types and threat levels of the application software. When the threat level of one malicious behavior type of the application software is greater than or equal to the corresponding threshold, alarm information can be prompted to the user through the GUI; when the threat levels of all malicious behavior types of the application software are less than the corresponding thresholds, no alarm information needs to be prompted.
For example, assume that the initial alarm threshold of privacy stealing is very low, at 1. Since WeChat may acquire the address book of the user during operation, if the system determines that this behavior of WeChat belongs to privacy stealing and the threat level is greater than or equal to 1, the system may prompt alarm information showing that WeChat is stealing privacy. Illustratively, as shown in fig. 7, the alarm information may be displayed in the form of a message box; alternatively, as shown in fig. 8, the alarm information may be displayed in the notification center; or the alarm information may be displayed in other reminding manners, which is not limited in the present application.
Step S106, the terminal acquires first feedback information of the user for the alarm information.
The first feedback information is the approval of the alarm information.
Users may perceive and tolerate different malicious behaviors differently, so after the alarm information is displayed the terminal can receive the user's feedback on it; the feedback is the user's approval or disapproval of the alarm information about one malicious behavior of a certain application software. For example, referring to fig. 7 and 8, after seeing the alarm information, the user may click "accept reminder", indicating that the user approves the alarm information that the application software exhibits the malicious behavior of stealing privacy.
Step S107, the terminal keeps the alarm threshold corresponding to the malicious behavior type in the alarm information according to the first feedback information.
If the user approves the alarm information about a malicious behavior of a certain application software, the terminal can keep the alarm threshold unchanged so that it alarms correctly the next time the same malicious behavior occurs.
Step S108, the terminal acquires second feedback information of the user for the alarm information.
The second feedback information is disapproval of the alarm information.
For example, referring to fig. 7 and 8, after seeing the alarm information, the user may click "ignore alert", indicating that the user does not approve the alarm information that the application software exhibits the malicious behavior of stealing privacy.
Step S109, the terminal raises the alarm threshold corresponding to the malicious behavior type in the alarm information according to the second feedback information.
If the user does not approve the alarm information about a malicious behavior of a certain application software, the current alarm threshold is lower than the user expects. The terminal can then raise the alarm threshold corresponding to the malicious behavior type in the alarm information, which tightens the condition for prompting alarm information the next time the application software exhibits the same behavior; alternatively, after the user has disapproved the alarm information about a malicious behavior of a certain application software one or more times, the terminal can stop alarming for the malicious behavior type in the alarm information. It should be noted that the adjustment may apply only to the alarm threshold of that malicious behavior type for the application software that produced the malicious behavior, or to the alarm thresholds of that malicious behavior type for all application software.
The alarm policy and the malicious behavior model issued by the cloud to all terminals are the same; with the above method, the alarm policy can be adjusted on each terminal according to user feedback, so that it suits different users. It should be noted that steps S106 to S107 and steps S108 to S109 have no fixed execution order; the present application does not limit steps S106 to S107 or steps S108 to S109 to being executed only once, and does not require that both be executed. For example, steps S106 to S107 may be executed once or multiple times, or steps S108 to S109 may be executed once or multiple times. The following example illustrates the effect after steps S106 to S107 or steps S108 to S109 are performed:
For example, two users A and B have the same terminal, and WeChat is installed on both terminals. As shown in fig. 7 or fig. 8, since WeChat may acquire the address book of the user during operation, both terminals prompt the alarm information "WeChat is stealing your privacy". User A is sensitive to privacy and clicks to accept the reminder several times in a row, so that the alarm threshold for privacy stealing by WeChat is reduced; user B is not sensitive to privacy, or considers the behavior of WeChat acceptable, and clicks to ignore the reminder several times in a row, so that the alarm threshold for privacy stealing by WeChat is raised. After several reminders, when WeChat exhibits the same behavior again, the terminal of user A still prompts the alarm information, while the terminal of user B no longer prompts it for a period of time.
In the present application, the terminal monitors the behavior of running application software calling N key functions $F_1, F_2, \ldots, F_N$, and generates an N-dimensional behavior vector $A = (A_1, A_2, \ldots, A_N)$ according to the number of times the application software calls the N key functions within a preset time, where the i-th dimension $A_i$ of the behavior vector represents the number of times the application software calls key function $F_i$, $1 \le i \le N$; the terminal inputs the behavior vector into a malicious behavior model based on a machine learning algorithm to obtain an M-dimensional result vector $B = (B_1, B_2, \ldots, B_M)$ of the application software, $M < N$, where each dimension of the result vector corresponds to a malicious behavior type and its threat level; the terminal generates alarm information for the malicious behavior types whose threat level is greater than or equal to an alarm threshold, where each malicious behavior type corresponds to one alarm threshold; the terminal prompts the alarm information; the terminal acquires first feedback information of a user for the alarm information, where the first feedback information is approval of the alarm information; the terminal keeps the alarm threshold corresponding to the malicious behavior type in the alarm information according to the first feedback information; the terminal acquires second feedback information of the user for the alarm information, where the second feedback information is disapproval of the alarm information; and the terminal raises the alarm threshold corresponding to the malicious behavior type in the alarm information according to the second feedback information.
The terminal expresses the number of times the application software calls the key functions mathematically as the behavior vector, inputs it into the malicious behavior model to obtain a result vector representing the malicious behavior types and their threat levels, generates alarm information according to the threat level of each malicious behavior type and the alarm threshold, and then adjusts the alarm threshold according to the user's feedback on the alarm information so as to suit different users and terminals, thereby dynamically adjusting the alarm for malicious behavior of the application software.
In some other embodiments of the present application, referring to fig. 9, the method may further include step S201:
Step S201, the terminal sends the adjusted alarm policy to the cloud.
The purpose of this step is to improve the alarm policy at the cloud. If very many users choose the same adjustment for the alarm information of a certain malicious behavior type of a certain application software, the cloud may adjust the alarm policy in the same direction. For example, if very many users disapprove the alarm information of a certain malicious behavior type of a certain application software, the alarm threshold corresponding to that malicious behavior type is set too low, and the cloud may raise it.
In an embodiment of the present application, the times at which the terminal feeds back may include: periodically, after startup, before shutdown, before a system update, after each adjustment of the alarm policy, and the like.
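The cloud-side adjustment of step S201, sketched as an added example (this is not code from the patent). The report tuple layout, `MIN_TERMINALS`, `QUORUM` and the use of the median of the moved thresholds are assumptions; the patent only says that "very many users" making the same adjustment may move the cloud policy in the same direction.

```python
from collections import defaultdict
from statistics import median_low

MIN_TERMINALS = 50   # assumption: fewer reporting terminals are not "very many users"
QUORUM = 0.8         # assumption: share of terminals that must have moved the same way


def update_cloud_policy(cloud_policy, reports):
    """Return a new cloud policy after step S201 reports have been collected.

    cloud_policy: {(app, behavior_type): threshold}
    reports: iterable of (terminal_id, app, behavior_type, adjusted_threshold)
             in arrival order (hypothetical report format).
    """
    latest = defaultdict(dict)   # (app, type) -> {terminal_id: threshold}
    for terminal_id, app, btype, value in reports:
        # Only the most recent report of a terminal counts, so a single
        # terminal cannot outvote the others by reporting repeatedly.
        latest[(app, btype)][terminal_id] = value

    updated = dict(cloud_policy)
    for key, votes in latest.items():
        if key not in cloud_policy or len(votes) < MIN_TERMINALS:
            continue
        current = cloud_policy[key]
        raised = [v for v in votes.values() if v > current]
        lowered = [v for v in votes.values() if v < current]
        for moved in (raised, lowered):
            if len(moved) / len(votes) >= QUORUM:
                # Move in the direction the quorum chose, to a value that
                # one of those terminals actually settled on.
                updated[key] = median_low(moved)
    return updated


def demo():
    """Constructed sample reports; all values are invented for illustration."""
    wechat = ("WeChat", "privacy_theft")
    game = ("game", "screen_recording")
    cloud = {wechat: 1, game: 5}
    reports = [(f"t{i}", *wechat, 3) for i in range(90)]        # 90 terminals raised to 3
    reports += [(f"t{i}", *wechat, 1) for i in range(90, 100)]  # 10 terminals kept 1
    reports += [("t0", *wechat, 10)] * 500                      # one terminal repeating itself
    reports += [(f"g{i}", *game, 7) for i in range(10)]         # too few terminals to count
    return update_cloud_policy(cloud, reports)


if __name__ == "__main__":
    print(demo())
```
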
In some other embodiments of the present application, referring to fig. 10, the method may further include steps S301 and S302:
Step S301, the terminal acquires the security information of the terminal.
The security information of the terminal includes a security state and a security requirement. The security state may include system integrity and the external environment. The system files and file mounting information of the terminal can be extracted to verify the system integrity of the terminal; for example, if the system files or the file mounting information are inconsistent with the factory state, the system may have been rooted and its integrity is damaged, so security is lower. Whether the external environment is secure may be determined according to whether the connected Wi-Fi is encrypted, whether the USB interface is connected, and so on; for example, security is lower if the terminal is connected to unencrypted Wi-Fi, and security is lower if the USB interface is connected, since the terminal is then easily rooted. The security requirement may include the system operating environment; for example, if the system is running a payment tool, banking software, or the like, the security requirement is high. The alarm policy can be dynamically adjusted by analyzing the security information of the terminal.
Step S302, if the security state of the terminal is lower or the security requirement is higher, the alarm threshold of part or all of the malicious behavior types is reduced.
The terminal can adjust the alarm policy according to the security information of the terminal and the feedback of the user, so that the policy suits the terminals of different users.
The following example shows how adjusting the alarm policy according to the security information of the terminal improves the accuracy of malicious behavior discrimination and alarm. Two users A and B have the same terminal, and malicious software disguised as common game software is installed on both terminals. The terminal of user A has been rooted or is running payment software, so the alarm threshold for malicious screen capture and recording can be reduced; the terminal of user B has not been rooted and is not running payment software. When the malicious software captures and records the screen, the terminal of user A displays prompt information showing that the software is maliciously capturing and recording the screen, while the terminal of user B does not display the prompt information.
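The threshold logic of steps S104 to S109 and S301 to S302, replayed on the two user A/user B scenarios above, as an added example (this is not code from the patent). The step sizes, the floor of 1, the field names and the sample result vectors are assumptions; on approval the sketch keeps the threshold unchanged, as step S107 states.

```python
from dataclasses import dataclass, field

# Result-vector dimensions (M = 4 here); the type names follow the description.
BEHAVIOR_TYPES = ("privacy_theft", "malicious_deduction",
                  "system_destruction", "screen_recording")
MAX_LEVEL = 10   # threat levels run 0-10 in the description
RAISE_STEP = 1   # assumption: one "ignore alert" raises the threshold by 1
LOWER_STEP = 1   # assumption: a weak security posture lowers thresholds by 1
FLOOR = 1        # assumption: a threat level of 0 never alarms
# Constructed cloud-issued alarm policy (one threshold per behavior type).
CLOUD_POLICY = {"privacy_theft": 1, "malicious_deduction": 3,
                "system_destruction": 5, "screen_recording": 5}


@dataclass
class SecurityInfo:
    """Security information of step S301; field names are illustrative."""
    rooted: bool = False               # system integrity damaged
    wifi_unencrypted: bool = False     # external environment
    usb_connected: bool = False        # external environment
    payment_app_running: bool = False  # high security requirement

    def needs_stricter_policy(self):
        state_low = self.rooted or self.wifi_unencrypted or self.usb_connected
        return state_low or self.payment_app_running


@dataclass
class AlarmPolicy:
    """Cloud-issued thresholds plus the adjustments made on one terminal."""
    base: dict                                   # behavior type -> threshold
    per_app: dict = field(default_factory=dict)  # (app, type) -> threshold

    def threshold(self, app, btype, sec=None):
        value = self.per_app.get((app, btype), self.base[btype])
        if sec is not None and sec.needs_stricter_policy():
            value = max(FLOOR, value - LOWER_STEP)   # step S302
        return value

    def alarms_for(self, app, result_vector, sec=None):
        """Step S104: types whose threat level >= the effective threshold."""
        if len(result_vector) != len(BEHAVIOR_TYPES):
            raise ValueError("result vector must have M dimensions")
        return [t for t, level in zip(BEHAVIOR_TYPES, result_vector)
                if level >= self.threshold(app, t, sec)]

    def feedback(self, app, btype, approved, all_apps=False):
        """Step S107 keeps the threshold; step S109 raises it."""
        if approved:
            return self.threshold(app, btype)
        # A threshold of MAX_LEVEL + 1 can never be reached, which is the
        # "stop alarming" case of the description.
        if all_apps:
            self.base[btype] = min(MAX_LEVEL + 1, self.base[btype] + RAISE_STEP)
            return self.base[btype]
        raised = min(MAX_LEVEL + 1, self.threshold(app, btype) + RAISE_STEP)
        self.per_app[(app, btype)] = raised
        return raised


def replay_user_feedback():
    """Users A and B with WeChat; the result vector is constructed."""
    wechat = [2, 0, 0, 0]   # privacy_theft at level 2, nothing else
    user_a, user_b = AlarmPolicy(dict(CLOUD_POLICY)), AlarmPolicy(dict(CLOUD_POLICY))
    for _ in range(3):      # three rounds of the same behavior
        for policy, approves in ((user_a, True), (user_b, False)):
            for btype in policy.alarms_for("WeChat", wechat):
                policy.feedback("WeChat", btype, approved=approves)
    return (user_a.alarms_for("WeChat", wechat),
            user_b.alarms_for("WeChat", wechat),
            user_b.threshold("WeChat", "privacy_theft"))


def replay_security_info():
    """Disguised game on a rooted terminal (A) and an intact terminal (B)."""
    game = [0, 0, 0, 4]     # constructed: screen_recording at level 4
    policy = AlarmPolicy(dict(CLOUD_POLICY))
    return (policy.alarms_for("game", game, SecurityInfo(rooted=True)),
            policy.alarms_for("game", game, SecurityInfo()))


if __name__ == "__main__":
    print(replay_user_feedback())
    print(replay_security_info())
```
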
In summary, the scheme provided by the embodiment of the application can effectively monitor the execution process of the application software in the terminal, identify the malicious behavior type and the threat degree, quickly discover the malicious behavior according to the malicious behavior model, and prompt the user. The method can also dynamically adjust the alarm strategy according to different user feedback and terminal security information, and improve the accuracy of malicious behavior discrimination and alarm. In addition, the scheme provided by the embodiment of the application is not limited to identification and alarm of malicious software, and can also identify whether the user is a qualified user or a novice user according to the behavior characteristics fed back by the user, so that the frequency of reminding alarm information can be reduced for the qualified user, the frequency of reminding alarm information can be increased for the novice user, and better user experience can be achieved.
It is to be understood that the above-mentioned terminal and the like include hardware structures and/or software modules corresponding to the respective functions for realizing the above-mentioned functions. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the embodiments of the present application.
In the embodiment of the present application, the terminal and the like may be divided into functional modules according to the method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
In the case of dividing each functional module by corresponding functions, fig. 11 shows a possible structural diagram of the terminal involved in the above embodiment, and the terminal 200 includes: a monitoring unit 2011, a generating unit 2012, an acquiring unit 2013, a prompting unit 2014, and an adjusting unit 2015.
The monitoring unit 2011 is configured to support the terminal 200 to perform the process S101 in fig. 3, 4, 9, and 10; the generating unit 2012 is configured to support the terminal 200 to execute the process S102 in fig. 3, 4, 9 and 10, and the process S104 in fig. 3, 6, 9 and 10; the obtaining unit 2013 is configured to support the terminal 200 to execute the process S103 in fig. 3, 5, 9, and 10, the processes S106 and S108 in fig. 3, 9, and 10, and the process S301 in fig. 10; the prompting unit 2014 is used for supporting the terminal 200 to execute the process S105 in fig. 3, 6, 9 and 10; the adjusting unit 2015 is configured to support the terminal 200 to perform processes S107 and S109 in fig. 3, 9, and 10, and process S302 in fig. 10. All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
In the case of employing integrated units, the monitoring unit 2011, the generation unit 2012, the acquisition unit 2013, the prompting unit 2014, and the adjustment unit 2015 described above may be integrated as a processing module. Of course, the terminal may further include a storage module, a communication module, an input/output module, and the like.
At this time, as shown in fig. 12, a schematic diagram of a possible structure of the terminal according to the above embodiment is shown. The processing module 2021 is configured to control and manage the actions of the terminal. The communication module 2022 is used to support the terminal to communicate with other network entities, such as a cloud server, other terminals, and the like. The input/output module 2023 serves to receive information input by a user or output information provided to the user and various menus of the terminal. The memory module 2024 is used for storing program codes and data of the terminal.
Illustratively, the Processing module 2021 may be a Processor or a controller, such as a Central Processing Unit (CPU), a GPU, a general purpose Processor, a Digital Signal Processor (DSP), an Application-Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a transistor logic device, a hardware component, or any combination thereof. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor may also be a combination of computing functions, e.g., comprising one or more microprocessors, DSPs, and microprocessors, among others.
The communication module 2022 may be a transceiver, a transceiver circuit, an input-output device, a communication interface, or the like. For example, the communication module 2022 may specifically be a bluetooth device, a Wi-Fi device, a peripheral interface, or the like.
The memory module 2024 may be a memory, which may include high speed Random Access Memory (RAM), and may also include non-volatile memory, such as magnetic disk storage devices, flash memory devices, or other volatile solid state storage devices.
The input/output module 2023 may be an input/output device such as a touch screen, a keyboard, a microphone, and a display. The display may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like. In addition, a touch pad may be integrated with the display for collecting touch events thereon or nearby and transmitting the collected touch information to other devices (e.g., a processor, etc.).
When the storage module is a memory, the input/output module is a display, the processing module is a processor, and the communication module is a communication interface, the memory is used for storing a computer execution instruction, and the processor is coupled to the memory, and when the terminal runs, the processor executes the computer execution instruction stored in the memory, so that the terminal executes the dynamic alarm method for the malicious behavior of the application software, as shown in any one of fig. 3, fig. 4, fig. 5, fig. 6, fig. 9, and fig. 10.
An embodiment of the present invention further provides a computer storage medium storing one or more programs, where the one or more programs include instructions, which when executed by a terminal, cause the terminal to perform the method for dynamically alerting of malicious behavior of application software as described in any one of fig. 3, 4, 5, 6, 9, and 10.
An embodiment of the present invention further provides a computer program product including instructions, which, when running on a terminal, causes the terminal to execute the dynamic warning method for malicious behavior of application software, described in any one of fig. 3, fig. 4, fig. 5, fig. 6, fig. 9, and fig. 10.
The terminal, the computer storage medium, or the computer program product provided in the embodiments of the present invention are all used for executing the corresponding method provided above, and therefore, the beneficial effects achieved by the terminal, the computer storage medium, or the computer program product may refer to the beneficial effects in the corresponding method provided above, and are not described herein again.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (6)

1. A dynamic warning method for malicious behaviors of application software is characterized by comprising the following steps:
the terminal monitors the behavior of running application software calling N key functions $F_1, F_2, \ldots, F_N$;
the terminal generates an N-dimensional behavior vector $A = (A_1, A_2, \ldots, A_N)$ according to the number of times the application software is monitored calling the N key functions within a preset time, wherein the i-th dimension $A_i$ of the behavior vector $A = (A_1, A_2, \ldots, A_N)$ represents the number of times the application software calls key function $F_i$, $1 \le i \le N$;
the terminal inputs the behavior vector $A = (A_1, A_2, \ldots, A_N)$ into a malicious behavior model based on a machine learning algorithm to obtain an M-dimensional result vector $B = (B_1, B_2, \ldots, B_M)$ of the application software, $M < N$, wherein each dimension of the result vector $B = (B_1, B_2, \ldots, B_M)$ corresponds to a malicious behavior type and its threat level;
the terminal generates alarm information for malicious behavior types with threat levels larger than or equal to an alarm threshold, wherein each malicious behavior type corresponds to one alarm threshold;
the terminal prompts the alarm information;
the terminal acquires first feedback information of a user for the alarm information, wherein the first feedback information is approval of the alarm information;
the terminal keeps an alarm threshold corresponding to the malicious behavior type in the alarm information according to the first feedback information;
the terminal acquires second feedback information of the user aiming at the alarm information, wherein the second feedback information is that the alarm information is not approved;
and the terminal raises the alarm threshold corresponding to the malicious behavior type in the alarm information according to the second feedback information.
2. The method of claim 1, further comprising:
the terminal acquires security information of the terminal, wherein the security information comprises a security state and a security requirement;
and if the security state of the terminal is lower or the security requirement is higher, reducing the alarm threshold of part or all of the malicious behavior types.
3. A terminal, comprising:
a monitoring unit, configured to monitor the behavior of application software calling N key functions $F_1, F_2, \ldots, F_N$;
a generating unit, configured to generate an N-dimensional behavior vector $A = (A_1, A_2, \ldots, A_N)$ according to the number of times the monitoring unit monitors the application software calling the N key functions within a preset time, wherein the i-th dimension $A_i$ of the behavior vector $A = (A_1, A_2, \ldots, A_N)$ represents the number of times the application software calls key function $F_i$, $1 \le i \le N$;
an acquisition unit, configured to input the behavior vector $A = (A_1, A_2, \ldots, A_N)$ generated by the generating unit into a malicious behavior model based on a machine learning algorithm to obtain an M-dimensional result vector $B = (B_1, B_2, \ldots, B_M)$ of the application software, $M < N$, wherein each dimension of the result vector $B = (B_1, B_2, \ldots, B_M)$ corresponds to a malicious behavior type and its threat level;
the generating unit is further configured to generate alarm information for malicious behavior types whose threat level is greater than or equal to an alarm threshold, wherein each malicious behavior type corresponds to one alarm threshold;
a prompting unit, configured to prompt the alarm information generated by the generating unit;
the acquiring unit is further configured to acquire first feedback information of a user for the alarm information, where the first feedback information indicates that the alarm information is approved;
an adjusting unit, configured to keep the alarm threshold corresponding to the malicious behavior type in the alarm information according to the first feedback information acquired by the acquiring unit;
the acquiring unit is further configured to acquire second feedback information of the user for the alarm information, where the second feedback information indicates that the alarm information is not approved;
and the adjusting unit is further configured to raise the alarm threshold corresponding to the malicious behavior type in the alarm information according to the second feedback information.
4. The terminal of claim 3,
the acquiring unit is further configured to acquire security information of the terminal, where the security information includes a security state and a security requirement;
the adjusting unit is further configured to reduce the alarm threshold of some or all of the malicious behavior types if the security state of the terminal is low or the security requirement is high.
5. A terminal, comprising: a processor, a display, a memory, and a communication interface;
the memory is used for storing computer-executable instructions, and the processor is coupled with the memory and executes the computer-executable instructions stored by the memory when the terminal runs, so as to enable the terminal to execute the dynamic warning method of application software malicious behavior according to claim 1 or 2.
6. A computer-readable storage medium having instructions stored therein, which when run on a terminal, cause the terminal to perform the method of dynamic alert of application software malicious behavior according to claim 1 or 2.
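The loop described in claims 3 and 4 (count key-function calls in a window, score them per malicious behavior type, alarm against per-type thresholds, then adjust the thresholds from user feedback and security information), as an added Python example that is not part of the patent. The function and type names, the integer 0 to 100 threat scale, the fixed step of 10 and the linear weight matrix standing in for the machine-learned malicious behavior model are all assumptions.

```python
from collections import Counter

# Hypothetical key functions F_1..F_N (N = 4) and malicious behavior types (M = 2, M < N).
KEY_FUNCTIONS = ["send_sms", "read_contacts", "get_location", "open_socket"]
BEHAVIOR_TYPES = ["premium_sms_fraud", "privacy_leak"]
# Constructed stand-in for the trained model: one integer weight row per behavior type.
WEIGHTS = [[20, 0, 0, 2], [0, 10, 10, 5]]
# Constructed call log: (timestamp in seconds, key function name).
CALL_LOG = [(1, "send_sms"), (2, "send_sms"), (3, "send_sms"), (4, "open_socket"),
            (5, "read_contacts"), (6, "read_contacts"), (7, "get_location"),
            (8, "get_location"), (9, "open_socket"), (75, "send_sms")]


def behavior_vector(call_log, window_start, window_end):
    """A_i = number of calls to F_i observed inside the preset time window."""
    counts = Counter(name for ts, name in call_log if window_start <= ts < window_end)
    return [counts[f] for f in KEY_FUNCTIONS]


def result_vector(a):
    """B_j = threat level of behavior type j, clamped to the assumed 0..100 scale."""
    return [min(100, sum(w * x for w, x in zip(row, a))) for row in WEIGHTS]


class AlarmPolicy:
    def __init__(self, initial=50, step=10):
        self.thresholds = {t: initial for t in BEHAVIOR_TYPES}  # one threshold per type
        self.step = step

    def alarms(self, b):
        """Alarm on every type whose threat level is >= that type's own threshold."""
        return [t for t, level in zip(BEHAVIOR_TYPES, b) if level >= self.thresholds[t]]

    def feedback(self, behavior_type, approved):
        """Approval keeps the threshold; disapproval raises it for that type only."""
        if not approved:
            self.thresholds[behavior_type] = min(100, self.thresholds[behavior_type] + self.step)

    def apply_security_info(self, state_low, requirement_high):
        """A low security state or a high security requirement lowers the thresholds."""
        if state_low or requirement_high:
            for t in self.thresholds:
                self.thresholds[t] = max(0, self.thresholds[t] - self.step)
```

With the constructed log, a rejected `privacy_leak` alarm silences that type at the same threat level until the terminal's security state drops, at which point the lowered threshold makes it fire again.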
CN201880019202.7A 2017-11-10 2018-03-02 Dynamic warning method and terminal for malicious behavior of application software Active CN110447215B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201711101431 2017-11-10
CN2017111014317 2017-11-10
PCT/CN2018/077937 WO2019091028A1 (en) 2017-11-10 2018-03-02 Method and terminal for application software malicious behavior dynamic alarm

Publications (2)

Publication Number Publication Date
CN110447215A CN110447215A (en) 2019-11-12
CN110447215B CN110447215B (en) 2021-02-12

Family

ID=66438224

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880019202.7A Active CN110447215B (en) 2017-11-10 2018-03-02 Dynamic warning method and terminal for malicious behavior of application software

Country Status (2)

Country Link
CN (1) CN110447215B (en)
WO (1) WO2019091028A1 (en)

Also Published As

Publication number Publication date
WO2019091028A1 (en) 2019-05-16
CN110447215A (en) 2019-11-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant