CN111062032A - Anomaly detection method and system and computer-readable storage medium - Google Patents


Info

Publication number
CN111062032A
CN111062032A
Authority
CN
China
Prior art keywords
abnormal
detecting whether
environment
application
detection method
Prior art date
Legal status
Pending
Application number
CN201911289343.3A
Other languages
Chinese (zh)
Inventor
杨磊
田克雨
Current Assignee
Shanghai Junzheng Network Technology Co Ltd
Original Assignee
Shanghai Junzheng Network Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Junzheng Network Technology Co Ltd
Priority to CN201911289343.3A
Publication of CN111062032A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The invention discloses an anomaly detection method and system comprising the following steps: detecting whether the system running environment is abnormal; detecting whether the application program parameters are abnormal; and detecting whether an application on a blacklist is present. With this anomaly detection scheme most cheating means can be detected through comprehensive judgment and the security of the App's running environment is ensured, so that the Android App runs in a relatively safe environment.

Description

Anomaly detection method and system and computer-readable storage medium
Technical Field
The invention relates to the technical field of Android internals, the running of Android Apps (software running on the Android system), virtual environment technology and App multi-open (application cloning) technology, and in particular to an anti-cheating mechanism for an Android App against execution in a virtual environment and application cloning.
Background
Android is the most widely used mobile operating system, with a very high and still growing market share; but its openness and that market share also expose it to serious security challenges.
An Android phone is a personal, always-carried handheld device that stores a great deal of private user data. Some of that data is generated while the user uses third-party applications, such as the account and password used to log in to a social application, the browsing history produced by a browser, or an operation history; other data, such as GPS position and the device ID, is provided by the phone itself. On the native Android system, to keep private user data secure, each application runs as its own distinct UID (Android user ID) and applications are isolated from one another by the application sandbox; by default an application can access only its own files and a very limited set of system services.
However, in some scenarios multiple instances of one application are run on the same phone; this is commonly called application multi-open, application split, application cloning and so on. Some phone manufacturers, for example Huawei and Xiaomi, implement multi-open in their own ROMs by modifying and upgrading the operating system. Separately, Android's dynamic loading facilities were used early on by many third-party developers to build plug-in architectures, so that an application could be updated incrementally instead of the user downloading a complete package on every update. That technique gradually evolved into application virtualization: one application loads other applications and runs them stably inside itself, without changing the system or the loaded application's bytecode, and the loaded application need not actually be installed on the user's phone. Many users therefore choose a third-party multi-open system to clone applications on phones that do not support multi-open natively.
Similarly, mock location (simulated positioning) is possible in some scenarios: the phone's real location information can be modified in software, or a fabricated location can be generated and supplied as the positioning result.
Android techniques such as application multi-open and mock location were created to meet legitimate user needs, but in recent years they have been exploited by various underground operations for abnormal or illegal purposes, such as bonus abuse ("wool pulling", the mass harvesting of promotions and rewards), and some multi-open Apps even provide tampering functions. In some scenarios this seriously disrupts normal use of an application, leads to malicious attacks, tampering, cheating and similar behaviour, and introduces serious security risks. For an App whose ordinary users have no need for multi-open or mock location at all, once the App detects that it is currently running in a multi-open or mock-location environment, the user's subsequent behaviour can reasonably be restricted.
Those skilled in the art are therefore working to develop a detection scheme capable of detecting abnormal conditions such as security risks and sensitive behaviour.
Disclosure of Invention
In view of the above defects of the prior art, the technical problem to be solved by the present invention is how to effectively detect abnormal conditions such as security risks and sensitive behaviour.
Through long-term observation and research the inventors found that cheating software falls roughly into two types: one clones the target App (application split) in order to tamper with its functions; the other modifies the positioning data of the phone system so as to simulate the phone's location for a specific purpose.
Some existing techniques use a single detection method and have vaguely defined application scenarios, so they cannot judge and detect comprehensively and accurately. Other prior art targets malicious attacks on an App, for example by monitoring the processes of a protected program, recording the permission state of all associated processes and judging whether a malicious attack exists from changes in those processes; it cannot detect the application environment and security risks at a global level. Another prior approach builds a running environment that can detect an App's sensitive information by modifying the system source code of the virtual machine, and monitors that information at observation points in the App framework layer and the NDK (Android native development kit) layer; but the App must then run inside the modified system to be monitored, and a purpose that can only be achieved in a specific, source-modified environment cannot be applied widely on a standard system.
The invention carries out a series of studies on these problems and provides an effective anomaly detection scheme that can detect most cheating means through comprehensive judgment and ensures the security of the App's running environment, so that the Android App runs in a relatively safe environment.
In one aspect, the present invention provides an anomaly detection method including the steps of: detecting whether the system running environment is abnormal; and detecting whether the application program parameters are abnormal.
In some embodiments, optionally, detecting whether the system running environment is abnormal includes: detecting whether mock location is turned on; and/or detecting whether the App is running in a virtual environment; and/or detecting whether the device is rooted; and/or detecting whether the Xposed framework is present.
In some embodiments, optionally, whether mock location is turned on and/or whether the App is running in a virtual environment is detected first, and whether the device is rooted is detected afterwards.
In some embodiments, optionally, if the system running environment is rooted, whether the Xposed framework is present is detected; if the system running environment is not rooted, Xposed detection is skipped.
In some embodiments, optionally, detecting whether the application parameters are abnormal includes: detecting whether a duplicate UID exists; and/or detecting whether a duplicate package name exists; and/or detecting whether the App's private directory (package name path) is abnormal.
In some embodiments, optionally, if the system running environment is abnormal, anomaly feedback is provided and detection ends; if the system running environment is not abnormal, detection continues with whether the application parameters are abnormal.
In some embodiments, optionally, the method further includes: detecting whether an application on the blacklist is present.
In some embodiments, optionally, whether the system running environment and/or the application parameters are abnormal is detected first, and whether an application on the blacklist is present is detected afterwards.
In another aspect, the present invention further provides an anomaly detection system including: a system running environment detection module configured to detect whether the system running environment is abnormal; and an application parameter detection module configured to detect whether the application parameters are abnormal.
In some embodiments, optionally, the system running environment detection module is further configured to detect whether mock location is turned on, and/or detect whether the App is running in a virtual environment, and/or detect whether the device is rooted, and/or detect whether the Xposed framework is present.
In some embodiments, optionally, the system running environment detection module is further configured to detect whether mock location is turned on and/or whether the App is running in a virtual environment first, and to detect whether the device is rooted afterwards.
In some embodiments, optionally, the system running environment detection module is further configured to detect whether the Xposed framework is present when the system running environment is rooted, and to skip Xposed detection when it is not rooted.
In some embodiments, optionally, the application parameter detection module is further configured to detect whether a duplicate UID exists, and/or detect whether a duplicate package name exists, and/or detect whether the App's private directory (package name path) is abnormal.
In some embodiments, optionally, the system further includes: a blacklist detection module configured to detect whether an application on a blacklist is present.
In another aspect, the present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the anomaly detection method described above.
The method and system provided by the invention have at least the following technical effects:
(1) A comprehensive scheme is used for judgment, accompanied by a supplementary (fallback) mechanism, so that detection is more comprehensive and accurate.
(2) The scheme targets the App's running environment: it can monitor application cloning, application proxying, virtual environments and the like, detects the application environment and security risks at a global level, and is an anti-cheating mechanism against execution in a virtual environment and application cloning rather than protection of one specific application only.
(3) The scheme lives inside the App and is a self-protection scheme: the App itself detects its current running environment to determine whether it is safe. It targets ordinary running systems, places no special requirements on the system, and is therefore general and widely applicable.
The conception, specific structure and technical effects of the present invention are further described below with reference to the accompanying drawings so that the objects, features and effects of the invention can be fully understood.
Drawings
FIG. 1 is a flow chart of a preferred embodiment of the anomaly detection method of the present invention;
FIG. 2 is a flow chart of a preferred embodiment of the anomaly detection method of the present invention;
FIG. 3 is a flow chart of a preferred embodiment of the anomaly detection method of the present invention;
FIG. 4 is a schematic diagram of the internal structure of a preferred embodiment of the anomaly detection system of the present invention.
Detailed Description
The technical contents of the preferred embodiments of the present invention will be more clearly and easily understood by referring to the drawings attached to the specification. The present invention may be embodied in many different forms of embodiments and the scope of the invention is not limited to the embodiments set forth herein.
In the drawings, structurally identical elements are represented by like reference numerals, and structurally or functionally similar elements are represented by like reference numerals throughout the several views. The size and thickness of each component shown in the drawings are arbitrarily illustrated, and the present invention is not limited to the size and thickness of each component. The thickness of the components may be exaggerated where appropriate in the figures to improve clarity.
Through long-term research and analysis the inventors found that existing cheating means fall mainly into the following two categories:
(1) Cheating by application cloning.
The principle of cheating by application cloning (application split) is: run the cloned App in a new process and hook various system functions so that the cloned App believes it is running as a normally installed App.
A hook is an interception or proxy mechanism: when a program calls a method, the hook lets the call be monitored. Once a hook has been registered for a particular system event, the program that installed it is notified by the system whenever that event occurs and can respond to it first. An application can install a hook subroutine to monitor certain messages of a given window, and the monitored window may have been created by another process; when a message arrives it is processed by the hook before the target window's handler. The hook mechanism therefore allows an application to intercept process messages or specific events. A hook is essentially a piece of message-handling code placed into the system through system calls; whenever a particular message is sent, the hook captures it before it reaches the destination window, that is, the hook function takes control. The hook function may then process (alter) the message, pass it on unchanged, or forcibly stop its delivery.
In form, multi-open Apps come in two kinds: one loads the cloned App directly from the multi-open App itself, for example Parallel Space or VirtualApp; the other has the user install a new App that is essentially a shell used to load the cloned App.
(2) Cheating by mock location.
One way modifies the positioning data directly. The currently stable approach is to hook into app_process (the process that hosts Android applications), locate the positioning method and modify it; this approach requires the Android phone to be rooted (the Android system modified to obtain the highest privilege).
Another way uses the phone's own "mock location" feature to modify the result returned by LocationManager (Android's native location manager class) at run time, for example using Android's own debug API (application programming interface) to fake the result of the GPS provider. The calls are made, for example, through LocationManager.setTestProviderLocation(String provider, Location loc).
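The test-provider path described above, written out as an added example for this page (it is not code from the patent or its assignee). It shows the full sequence a mock-location tool performs through LocationManager: register a test provider that shadows the GPS provider, enable it, and push fabricated fixes; the class name MockLocationInjector and the chosen coordinates and accuracy values are the example's own. The App must be selected as the mock location app in Developer options (on old API levels it must hold ACCESS_MOCK_LOCATION), otherwise addTestProvider throws a SecurityException.

```java
// Added example (not the patent's code): feeding a fabricated fix through
// Android's LocationManager test-provider API, i.e. the mechanism that the
// patent's mock-location check (step S310) is meant to notice.
import android.content.Context;
import android.location.Criteria;
import android.location.Location;
import android.location.LocationManager;
import android.os.SystemClock;

public final class MockLocationInjector {
    private final LocationManager lm;

    public MockLocationInjector(Context ctx) {
        lm = (LocationManager) ctx.getSystemService(Context.LOCATION_SERVICE);
    }

    /** Registers a test provider with the same name as the real GPS provider, so consumers
     *  asking for GPS fixes now receive whatever this App pushes. */
    public void install() {
        lm.addTestProvider(LocationManager.GPS_PROVIDER,
                /* requiresNetwork   */ false,
                /* requiresSatellite */ true,
                /* requiresCell      */ false,
                /* hasMonetaryCost   */ false,
                /* supportsAltitude  */ true,
                /* supportsSpeed     */ true,
                /* supportsBearing   */ true,
                Criteria.POWER_LOW, Criteria.ACCURACY_FINE);
        lm.setTestProviderEnabled(LocationManager.GPS_PROVIDER, true);
    }

    /** Pushes one fabricated fix. Every field set here is required: the framework rejects a
     *  Location that lacks accuracy, time or elapsedRealtimeNanos as incomplete. */
    public void push(double latitude, double longitude) {
        Location fake = new Location(LocationManager.GPS_PROVIDER);
        fake.setLatitude(latitude);
        fake.setLongitude(longitude);
        fake.setAltitude(0.0);
        fake.setAccuracy(5.0f);                 // metres; value chosen for the example
        fake.setTime(System.currentTimeMillis());
        fake.setElapsedRealtimeNanos(SystemClock.elapsedRealtimeNanos());
        lm.setTestProviderLocation(LocationManager.GPS_PROVIDER, fake);
    }

    /** Tears the shadow provider down again; real GPS fixes resume afterwards. */
    public void uninstall() {
        lm.removeTestProvider(LocationManager.GPS_PROVIDER);
    }
}
```

A fix delivered this way still reaches the victim App through the ordinary LocationListener or getLastKnownLocation() path, which is why it passes unnoticed by an App that trusts the Location object. The framework does mark such objects, however: Location.isFromMockProvider() returns true for them (API 18 and later), and on API levels below 23 the developer option that enables this whole path is also readable through Settings.Secure.ALLOW_MOCK_LOCATION. Those two signals are what a detection step like S310 can key on.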
In the anomaly detection method and system of the invention, a priority for step-by-step detection is established with reference to factors such as how difficult each cheating means is and how the technical means contain one another, and the accuracy of the detection result and the detection performance are improved through that priority, so that whether the system environment in which the current App runs shows cheating behaviour or cheating risk is judged comprehensively.
FIG. 1 is a flowchart of an anomaly detection method according to a preferred embodiment of the present invention. As shown in FIG. 1, the anomaly detection method may include the following steps:
Step S101, detect whether the system running environment is abnormal. In some embodiments, one or more specific detection means may include, but are not limited to: detecting whether mock location is turned on; detecting whether the App is running in a virtual environment; detecting whether the device is rooted; detecting whether the Xposed framework is present.
Step S102, detect whether the application program parameters are abnormal. In some embodiments, one or more specific detection means may include, but are not limited to: detecting whether a duplicate UID exists; detecting whether a duplicate package name exists; and detecting whether the App's private directory (package name path) is abnormal.
Detection of the system running environment and detection of the application parameters are combined: first the abnormal environment in which cheating is easy or likely is detected, then the features of specific cheating behaviour are detected. In terms of implementation difficulty and detection efficiency, detecting the system running environment is technically easier and faster than detecting the application parameters, so the running environment on which cheating techniques depend is detected first, which improves detection efficiency and performance.
FIG. 2 is a flowchart of an anomaly detection method according to a preferred embodiment of the present invention. As shown in FIG. 2, the anomaly detection method may include the following steps:
Step S110, detect whether the system running environment is abnormal. In some embodiments, one or more specific detection means may include, but are not limited to: detecting whether mock location is turned on; detecting whether the App is running in a virtual environment; detecting whether the device is rooted; detecting whether the Xposed framework is present.
If the system running environment is judged abnormal (for example mock location is on, the App runs in a virtual environment, the device is rooted, the Xposed framework is present, and so on), step S140 is executed: anomaly feedback is provided to the control system and detection ends.
The control system may be a separate program or device, or an integrated module that performs the corresponding action according to the detection result. In some embodiments, after receiving the anomaly feedback the control system may send a warning or prompt to the user as text, an image, a sound or the like, reminding the user that a risk currently exists, and may also stop running or exit the current application. Optionally, different actions may be performed for different anomaly types.
If the system running environment is not abnormal, step S120 is executed next: detect whether the application program parameters are abnormal. In some embodiments, one or more specific detection means may include, but are not limited to: detecting whether a duplicate UID exists; detecting whether a duplicate package name exists; and detecting whether the App's private directory (package name path) is abnormal.
Detection of the system running environment and detection of the application parameters are combined: first the abnormal environment in which cheating is easy or likely is detected, then the features of specific cheating behaviour are detected. In terms of implementation difficulty and detection efficiency, detecting the system running environment is technically easier and faster than detecting the application parameters, so the running environment on which cheating techniques depend is detected first, which improves detection efficiency and performance.
If the application parameters are judged abnormal (for example a duplicate UID exists, a duplicate package name exists, the private directory is abnormal, and so on), step S140 is executed: anomaly feedback is provided to the control system and detection ends.
If the application parameters are not abnormal, step S130 is executed next: detect whether an application on the blacklist is present. In some embodiments, a blacklist of all cheating software found so far is maintained through a cloud management mechanism; mainly the feature values (fingerprints) of blacklisted Apps are stored, and the blacklist assists monitoring as a fallback scheme to avoid omissions. It effectively fills the gaps and blind spots of the technical checks and improves the accuracy and completeness of anomaly detection.
Detecting whether the system running environment and/or the application parameters are abnormal first, and only then whether an application on the blacklist is present, places the blacklist mechanism last in the detection order. This gives a mechanism of detection plus compensation, adapts better to developments in the technology and to the effect a newly appearing cloning technique has on the overall detection result, and improves detection precision and flexibility.
If an application on the blacklist is found to be present, step S140 is executed: anomaly feedback is provided to the control system and detection ends. If no application on the blacklist is present, there is currently no risk and detection ends.
FIG. 3 is a flowchart of an anomaly detection method according to a preferred embodiment of the present invention. As shown in FIG. 3, the anomaly detection method may include the following steps:
Step S310, detect whether mock location is turned on. In some embodiments, whether the phone has the mock location function enabled is detected. On some phones this function is built into the phone system to make positioning and debugging easier during development, and some current mock-location software depends on that option.
If mock location is detected to be on, step S370 is executed: the anomaly is fed back and detection ends.
If mock location is not on, continue to step S320 and detect whether the App is running in a virtual environment. In some embodiments, whether the current App runs in a virtual environment is detected; a third party controlling the virtual environment can modify the system's code and behaviour, so the App can be monitored.
If running in a virtual environment is detected, step S370 is executed: the anomaly is fed back and detection ends. Because mock location and virtual environments are the least difficult to detect, they are detected first; as soon as an anomaly is found feedback can be given, which improves detection efficiency and performance.
If neither mock location nor a virtual environment is detected, continue to step S330 and detect whether the phone system is rooted. In some embodiments, root-environment monitoring of the phone system and the App's own request for root privilege are used to judge whether the current phone system is rooted.
If the phone system is detected to be rooted, continue to step S340 and detect whether the Xposed framework is present.
In some embodiments, whether the Xposed helper class and the Xposed bridge class exist can be detected; in addition the App can deliberately throw an exception and check whether the printed exception log contains Xposed class features. This detects whether the Xposed framework is installed on the Android phone system and whether the current application is running under it. The main function of the Xposed framework is to provide a new application platform: once a developer installs Xposed, more system-level applications can be installed through the platform it builds. Xposed works by replacing files under the Android /system/bin directory, thereby taking over certain system functions and granting more power to Apps developed on Xposed. Some mock-location software also achieves mock location through the Xposed framework.
In some embodiments, detection may be performed as follows:
(1) In the running application, use Android's ClassLoader to look up whether the Xposed classes named below (the helper and bridge classes under the de.robv.android.xposed package) can be loaded.
(2) Deliberately throw an exception in the application and check whether the exception information contains Xposed features, such as an "xposed" string or the Xposed framework's directory features.
Specifically, the ClassLoader loadClass method is used to look up the relevant classes; a ClassNotFoundException is thrown when the class does not exist, so whether the Xposed framework is present can be judged by catching that exception. Java class lookup is case sensitive, so the package must be spelled in lower case (de.robv.android.xposed) exactly as the framework declares it; instantiating the class is unnecessary, loading it is enough. The code is as follows:
Define the class names:
String XPOSED_HELPERS = "de.robv.android.xposed.XposedHelpers";
String XPOSED_BRIDGE = "de.robv.android.xposed.XposedBridge";
Look up the classes:
boolean xposedPresent;
try {
    ClassLoader.getSystemClassLoader().loadClass(XPOSED_HELPERS);
    ClassLoader.getSystemClassLoader().loadClass(XPOSED_BRIDGE);
    xposedPresent = true;   // both classes resolved: this process runs under Xposed
} catch (ClassNotFoundException e) {
    xposedPresent = false;  // class missing: no Xposed framework in this process
}
If Xposed features are detected, the current software is running on the Xposed framework and can therefore be judged to be running in an unsafe environment: step S370 is executed, the anomaly is fed back and detection ends. If the Xposed framework is not detected, the subsequent steps continue.
In some embodiments, if the phone system is detected not to be rooted, step S340 is skipped and the subsequent steps are performed directly without detecting the Xposed framework. Xposed is only looked for when root privilege exists; otherwise Xposed detection is skipped, because Xposed depends on a rooted environment and need not be looked for on a system without root, which improves detection efficiency and performance.
In the technical solution of the invention, detection of root and/or the Xposed framework is one link in the overall detection scheme. A rooted phone does not necessarily exhibit application cloning, but application cloning environments very often need a rooted environment. Root is therefore treated as one link of risk monitoring: when a root environment exists the risk of application cloning is relatively high, and the other conditions are monitored more intensively. Compared with prior art that merely detects whether the phone is rooted, the scheme is more complete.
If neither root nor the Xposed framework is detected, continue to step S350 and detect whether abnormal application parameters or abnormal behaviour exist. In some embodiments, one or more of the following detections may be performed sequentially or in parallel: detecting whether a duplicate UID exists; detecting whether a duplicate package name exists; and detecting whether the App's private directory (package name path) is abnormal. If two running App processes have the same UID, this is regarded as one of the main features of application cloning or multi-open, and the cloned application can be effectively detected. Whether duplicate package names exist, on the same principle as duplicate UIDs, is also regarded as an important marker of a cloned application. The App's private directory is also checked, since after multi-open the application's path may contain the package name of the multi-open software.
In some embodiments, the detection and determination may be made by a variety of methods, for example:
(1) One App in the Android system corresponds to one unique UID; if two processes under the same UID have the same package name and two private directories exist under "/data/data", the application can be judged to be multi-opened.
(2) The original package name is detected: multi-opening applications hook the getPackageName method. Following this idea, if the same package name appears in the application list, the application can be determined to be multi-opened.
(3) When a cloned application runs, it loads the .so library of the multi-opening application; detecting whether the loaded .so libraries contain such application package names can also determine whether the application is multi-opened.
(4) The application path after multi-opening can contain the package name of the multi-opening software, so whether the current system is safe can be detected by checking whether an abnormal directory exists under the App's normal directory.
Each program in Android has a UID; by default Android allocates a different ordinary-level UID to each program, and applications can only share data with each other if their UIDs are the same, so shared data has a certain degree of safety and data cannot be obtained arbitrarily between applications. The same Application has only one UID, so there is no access-permission problem among the Activities under that Application.
From this property of the Android system it follows that processes with the same UID are treated by the system as the same application, and once another application is treated as the same application, data can be exchanged between the two. This gives a cheater an opening, so whether the application has been copied can be judged by detecting whether the UIDs of the apps are the same. A copied App carries a cheating risk, is therefore considered an unsafe operating environment, and can be detected and reported to the user.
In some embodiments, when the App has been copied using the same UID, software running on the Android mobile phone system may detect the App process UID as follows (CommandUtil being a command-execution helper class of the application, not an Android system class):
(1) acquiring the running process list through a Linux command:
String processes = CommandUtil.getSingleInstance().exec("ps");
(2) deriving the matching rule for the application's own UID from /proc/self/cgroup, whose entries have the form .../uid_<uid>/pid_<pid>:
String filter = CommandUtil.getSingleInstance().exec("cat /proc/self/cgroup");
int uidStartIndex = filter.lastIndexOf("uid");
int uidEndIndex = filter.lastIndexOf("/pid");
filter = filter.substring(uidStartIndex + 4, uidEndIndex); // skips "uid_", keeps the number
String struid = filter.replaceAll("\n", "");
int uid = Integer.valueOf(struid);
filter = String.format("u0_a%d", uid - 10000); // user column that ps prints for app UID 10000+N
(3) traversing all processes in the list and matching their UID column against the application's own UID:
[code listing provided as images in the original publication]
Each piece of software in the Android system has a private and unique package name (packageName); the packageName is also the name of the file directory the software may operate on and is a mark of the software's uniqueness. A multi-opening application achieves application copying by hooking the getPackageName method (an Android system method). When multiple identical packageNames are detected, this indicates that the current software has been copied.
In some embodiments, when the App has been copied by hooking the getPackageName method, software running on the Android phone system may detect the package name as follows:
(1) acquiring the packageName of the running software (context is the application's Context):
String packageName = context.getPackageName();
(2) acquiring the packageNames of the other software in the system:
PackageManager pm = context.getPackageManager();
List<PackageInfo> pkgs = pm.getInstalledPackages(0);
(3) detecting whether the same packageName exists:
[code listing provided as an image in the original publication]
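As an added example that is not from the patent, the following pure-Java class brings the UID, package-name and private-directory checks of step S350 together and runs them against constructed text, so it executes on any JVM. On a device the inputs would come from ps, /proc/self/cgroup, PackageManager.getInstalledPackages() and a listing of /data/data; the cgroup parsing follows the index arithmetic shown above, and the sample ps rows, package list and directory names are made up for the demonstration.

```java
// Added example (not from the patent): the UID, package-name and private-directory
// checks of step S350, run against constructed text so it executes on any JVM.
// On a device the inputs come from `ps`, /proc/self/cgroup, PackageManager and a
// listing of /data/data; every sample value below is constructed.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class CloneChecks {

    /** Derive the USER column that `ps` prints for this app (u0_aN) from the text
     *  of /proc/self/cgroup, whose entries look like .../uid_10123/pid_4567.
     *  Same index arithmetic as the description: skip "uid_", stop at "/pid". */
    public static String ownPsUser(String cgroupText) {
        int start = cgroupText.lastIndexOf("uid");
        int end = cgroupText.lastIndexOf("/pid");
        if (start < 0 || end <= start + 4) {
            throw new IllegalArgumentException("no uid_<n>/pid_<n> entry in cgroup text");
        }
        int uid = Integer.parseInt(cgroupText.substring(start + 4, end).trim());
        return String.format("u0_a%d", uid - 10000);   // application UIDs start at 10000
    }

    /** Number of `ps` rows whose USER column equals the given user. More than one
     *  row means a second process is running under this app's UID. */
    public static int processesWithUser(String psOutput, String user) {
        int count = 0;
        for (String line : psOutput.split("\n")) {
            String[] cols = line.trim().split("\\s+");
            if (cols.length > 0 && cols[0].equals(user)) count++;
        }
        return count;
    }

    /** Package names that occur more than once in the installed-package list. */
    public static Set<String> duplicatePackageNames(List<String> installed) {
        Set<String> seen = new HashSet<>();
        Set<String> dup = new TreeSet<>();
        for (String p : installed) {
            if (!seen.add(p)) dup.add(p);
        }
        return dup;
    }

    /** Entries under /data/data that embed this app's package name without being
     *  exactly it: a multi-open container's private path contains the package
     *  name of the app it hosts. */
    public static List<String> suspiciousPrivateDirs(List<String> dataDirs, String ownPkg) {
        List<String> out = new ArrayList<>();
        for (String d : dataDirs) {
            if (!d.equals(ownPkg) && d.contains(ownPkg)) out.add(d);
        }
        return out;
    }

    /** Combined verdict: any single indicator is enough to report an abnormal parameter. */
    public static boolean cloneSuspected(String cgroupText, String psOutput,
                                         List<String> installed, List<String> dataDirs,
                                         String ownPkg) {
        return processesWithUser(psOutput, ownPsUser(cgroupText)) > 1
            || !duplicatePackageNames(installed).isEmpty()
            || !suspiciousPrivateDirs(dataDirs, ownPkg).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed inputs imitating a device on which com.example.app runs twice.
        String cgroup = "3:cpuacct:/uid_10123/pid_4567\n2:cpu:/\n1:memory:/uid_10123/pid_4567\n";
        String ps = "USER     PID   PPID  NAME\n"
                  + "u0_a123  4567  512   com.example.app\n"
                  + "u0_a123  4890  512   com.example.app\n"
                  + "u0_a45   5012  512   com.other.app\n";
        List<String> installed = Arrays.asList("com.example.app", "com.other.app", "com.example.app");
        List<String> dataDirs = Arrays.asList("com.example.app", "com.other.app",
                                              "com.clone.host/virtual/com.example.app");
        String own = "com.example.app";

        String user = ownPsUser(cgroup);
        System.out.println("own ps user             : " + user);
        System.out.println("processes under our UID : " + processesWithUser(ps, user));
        System.out.println("duplicate package names : " + duplicatePackageNames(installed));
        System.out.println("suspicious private dirs : " + suspiciousPrivateDirs(dataDirs, own));
        System.out.println("clone suspected         : " + cloneSuspected(cgroup, ps, installed, dataDirs, own));
    }
}
```

Each check is a separate function over plain strings so that the parsing can be exercised without a device, and the combined verdict follows the description's rule that any one of the three indicators is sufficient to report an abnormality.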
In some embodiments, one or more of the following detection means may also be used in combination:
(1) Java API detection: detecting whether a debugger is connected through the Java API: os.
(2) Reading the TracerPid field of the /proc/uid/status file in Java to detect whether the process is being debugged.
These detection methods extend the methods and interfaces provided by the native Android system, place no special requirements on the detection environment, and have good universality. The concrete detection methods can be added, removed and combined flexibly and adjusted to different requirements, giving better applicability.
If an abnormal application parameter or abnormal action is detected (e.g., the same UID exists, the same package name exists, the private package name is abnormal, etc.), step S370 is performed to feed back the abnormality and end the detection.
If no abnormal application parameters or abnormal actions are detected, step S360 is executed to detect whether the application is in the blacklist. In some embodiments, a blacklist of all currently known cheating software is established through a cloud management mechanism; it mainly stores characteristic values of blacklisted Apps and assists monitoring as a fallback scheme to avoid omissions. Blacklist detection can effectively handle existing technical blind spots and newly discovered technical loopholes, providing a compensation and fallback strategy. Placing the blacklist mechanism last acts as a detection compensation mechanism, adapts better to the effect of technical developments and new cloning techniques on the combined detection result, and improves detection precision and flexibility.
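As an added example that is not code from the patent, the following pure-Java class implements the second means above: parsing the TracerPid field of a process status file, where a non-zero value means another process has attached to ours with ptrace (a debugger or any other tracer). The two status texts in main are constructed; on Linux or Android the same parser is applied to the live /proc/self/status, which the example reads only if that file exists. The Java API check the page refers to (android.os.Debug.isDebuggerConnected() in the Android SDK) needs a device and is not reproduced here.

```java
// Added example (not from the patent): reading TracerPid from a process status
// file. A non-zero TracerPid means a tracer (e.g. a debugger) is attached.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class TracerCheck {

    /** Parse "TracerPid:\t<n>" from status-file text; 0 when absent or not traced. */
    public static int tracerPid(String statusText) {
        for (String line : statusText.split("\n")) {
            if (line.startsWith("TracerPid:")) {
                String value = line.substring("TracerPid:".length()).trim();
                try {
                    return Integer.parseInt(value);
                } catch (NumberFormatException e) {
                    return 0;                 // malformed field: treat as untraced
                }
            }
        }
        return 0;                             // field missing: treat as untraced
    }

    /** True when some process is attached to the one described by statusText. */
    public static boolean beingTraced(String statusText) {
        return tracerPid(statusText) != 0;
    }

    public static void main(String[] args) throws IOException {
        // Constructed status texts: one untraced process, one with a tracer attached.
        String clean  = "Name:\tcom.example.app\nState:\tS (sleeping)\nTracerPid:\t0\nUid:\t10123\t10123\t10123\t10123\n";
        String traced = "Name:\tcom.example.app\nState:\tt (tracing stop)\nTracerPid:\t4321\n";
        System.out.println("constructed clean  -> traced = " + beingTraced(clean));
        System.out.println("constructed traced -> traced = " + beingTraced(traced));

        // Live check, only where /proc exists (Linux/Android); skipped elsewhere.
        Path self = Paths.get("/proc/self/status");
        if (Files.exists(self)) {
            String live = new String(Files.readAllBytes(self), StandardCharsets.UTF_8);
            System.out.println("live TracerPid = " + tracerPid(live));
        }
    }
}
```

The field is parsed from text rather than read directly inside the function so that both the untraced and the traced case can be exercised on any machine; a missing or malformed field is deliberately treated as "not traced" so that the check fails closed toward the normal path rather than raising a false alarm.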
The invention also provides an anomaly detection system which comprises a system operation environment detection module and an application program parameter detection module.
The system running environment detection module is used to detect whether the system running environment is abnormal, for example whether simulated positioning is turned on, whether the system runs in a virtual environment, whether Root exists, whether an XPosed framework exists, and the like. In some embodiments, the module first detects whether simulated positioning is turned on and/or whether the system runs in a virtual environment, and then detects whether Root exists. It detects whether an XPosed framework exists when the system runtime environment is Root, and skips XPosed detection when it is not.
The application parameter detection module is used to detect whether the application parameters are abnormal, for example detecting whether the same UID exists, detecting whether the same package name exists, detecting whether the private package name is abnormal, and the like.
The anomaly detection system provided by the invention can also comprise a blacklist detection module, which is used to detect whether an application in the blacklist exists.
In some embodiments, when the application starts to run, it asynchronously enters the anomaly detection system; once a result is obtained, a popup window is shown to block the user if an anomaly exists, and no feedback is given in the normal case.
The anomaly detection method and system provided by the invention comprise a main detection scheme and an auxiliary detection scheme. The main detection scheme establishes priority levels for step-by-step detection with reference to factors such as the difficulty of the cheating means and the inclusion relationships between technical means; following these priorities yields accurate monitoring results and better detection performance, and comprehensively determines whether cheating behavior or a cheating risk exists in the environment where the current App runs. The auxiliary detection scheme mainly relies on cloud management, adding a blacklist and a registration-list mechanism to support detection.
The technical solution of the invention can effectively detect and identify the following cheating means:
(1) software running in a virtual environment;
(2) software with a simulated-positioning function turned on;
(3) software with the same UID or package name, or with a modified private directory;
(4) software running on top of the XPosed framework;
(5) other cheating means recorded in the blacklist, which is maintained regularly.
In some embodiments, the present invention also provides a computer apparatus, device or terminal, the internal structure of one embodiment of which may be as shown in fig. 4. The computer apparatus, device or terminal includes a processor, a memory, a network interface, a display screen and an input device connected by a system bus. The processor is used for providing calculation and control capability, and the memory comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operating system and the computer program to run in the non-volatile storage medium. The network interface is used for communicating with an external terminal through network connection. The computer program is executed by a processor to implement the various methods, procedures, steps disclosed in the present invention, or the processor executes the computer program to implement the functions of the respective modules or units in the embodiments disclosed in the present invention. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell, an external keyboard, a touch pad or a mouse and the like.
Illustratively, a computer program may be divided into one or more modules or units, which are stored in a memory and executable by a processor to implement the inventive arrangements. These modules or units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution of a computer program in an apparatus, device or terminal.
The device, the equipment or the terminal can be computing equipment such as a desktop computer, a notebook computer, a mobile electronic device, a palm computer, a cloud server and the like. It will be appreciated by those skilled in the art that the arrangements shown in the drawings are merely block diagrams of some of the arrangements relevant to the inventive arrangements and do not constitute limitations on the apparatus, devices or terminals to which the arrangements are applied, and that a particular apparatus, device or terminal may include more or less components than shown in the drawings, or may combine certain components, or have a different arrangement of components.
The Processor may be a Central Processing Unit (CPU), other general or special purpose Processor, a microprocessor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic, discrete hardware components, etc. The processor is the control center of the above-mentioned apparatus, device or terminal, and connects the respective parts of the apparatus, device or terminal by using various interfaces and lines.
The memory may be used to store computer programs, modules and data, and the processor may implement various functions of the apparatus, device or terminal by running or executing the computer programs and/or modules stored in the memory and calling the data stored in the memory. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required by at least one function, and the like; the data storage area may store various types of data (such as multimedia data, documents, operation histories, etc.) created according to the application, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), a magnetic disk storage device, a Flash memory device, or other non-volatile solid state storage device.
The invention also provides a computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the above-mentioned method. It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, databases, or other media used in embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The above-described apparatus or terminal device integrated modules and units, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer-readable storage medium. Based on such understanding, the present invention can realize all or part of the procedures of the disclosed methods, and can also be realized by relevant hardware instructed by a computer program, which can be stored in a computer readable storage medium, and when the computer program is executed by a processor, the steps of the methods can be realized. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying computer program code, recording medium, U.S. disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution media, and the like. It should be noted that the computer readable medium may contain content that is appropriately increased or decreased as required by legislation and patent practice in the jurisdiction.
In some embodiments, the various methods, procedures, modules, devices, apparatuses, or systems disclosed herein may be implemented or performed in one or more processing devices (e.g., digital processors, analog processors, digital circuits designed to process information, analog circuits designed to process information, state machines, computing devices, computers, and/or other mechanisms for electronically processing information). The one or more processing devices may include one or more devices that perform some or all of the operations of a method in response to instructions stored electronically on an electronic storage medium. The one or more processing devices may include one or more devices configured through hardware, firmware, and/or software to be specifically designed for performing one or more operations of a method. The above description is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto; any equivalent or modified technical solution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention should be considered to fall within the scope of the present invention.
Embodiments of the invention may be implemented in hardware, firmware, software, or various combinations thereof, and may also be implemented as instructions stored on a machine-readable medium, which may be read and executed using one or more processing devices. In some implementations, a machine-readable medium may include various mechanisms for storing and/or transmitting information in a form readable by a machine (e.g., a computing device). For example, a machine-readable storage medium may include read-only memory, random-access memory, magnetic disk storage media, optical storage media, flash-memory devices, and other media for storing information, and a machine-readable transmission medium may include various forms of propagated signals (including carrier waves, infrared signals, digital signals), and other media for transmitting information. While firmware, software, routines, or instructions may be described in the above disclosure in terms of performing certain exemplary aspects and embodiments of certain actions, it will be apparent that such descriptions are merely for convenience and that such actions in fact result from a machine device, computing device, processing device, processor, controller, or other device or machine executing the firmware, software, routines, or instructions.
This written description uses examples to disclose the invention, one or more examples of which are described or illustrated in the specification and drawings. Each example is provided by way of explanation of the invention, not limitation of the invention. In fact, it will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the scope or spirit of the invention. For instance, features illustrated or described as part of one embodiment, can be used with another embodiment to yield a still further embodiment. It is therefore intended that the present invention cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents. The above description is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto, and any technical solutions that can be obtained by logic analysis, reasoning or limited experiments based on the prior art by those skilled in the art according to the concept of the present invention, or easily conceivable variations or alternatives thereof, should be covered within the protection scope of the present invention.

Claims (10)

1. An abnormality detection method characterized by comprising the steps of:
detecting whether the system operating environment is abnormal; and
detecting whether the application program parameters are abnormal.
2. The abnormality detection method according to claim 1, wherein said step of detecting whether the system operating environment is abnormal includes:
detecting whether simulated positioning is turned on; and/or
Detecting whether to operate in a virtual environment; and/or
Detecting whether Root exists; and/or
Detecting whether an XPosed framework exists.
3. The abnormality detection method according to claim 2, characterized in that:
whether simulated positioning is turned on and/or whether the system runs in a virtual environment is detected first, and then whether Root exists is detected.
4. The abnormality detection method according to claim 2, characterized in that:
if the system running environment is Root, detecting whether an XPosed framework exists; and
if the system runtime environment is not Root, then detection of the XPosed framework is skipped.
5. The anomaly detection method according to claim 1, characterized in that said step of detecting whether an application parameter is anomalous comprises:
detecting whether the same UID exists; and/or
Detecting whether the same package name exists; and/or
Detecting whether the private package name is abnormal.
6. The abnormality detection method according to claim 1, characterized in that:
if the system operation environment is abnormal, providing abnormal feedback and finishing detection; and
if the system operating environment is not abnormal, continuing to detect whether the application program parameters are abnormal.
7. The abnormality detection method according to claim 1, further comprising:
it is detected whether there are applications in the blacklist.
8. The abnormality detection method according to claim 7, characterized in that:
firstly, whether the system operating environment and/or the application program parameters are abnormal is detected, and then whether the application programs in the blacklist exist is detected.
9. An anomaly detection system, comprising:
the system running environment detection module is configured to detect whether the system running environment is abnormal or not; and
and the application program parameter detection module is configured to detect whether the application program parameters are abnormal.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, is able to carry out the steps of the anomaly detection method according to any one of claims 1 to 8.
CN201911289343.3A 2019-12-13 2019-12-13 Anomaly detection method and system and computer-readable storage medium Pending CN111062032A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911289343.3A CN111062032A (en) 2019-12-13 2019-12-13 Anomaly detection method and system and computer-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911289343.3A CN111062032A (en) 2019-12-13 2019-12-13 Anomaly detection method and system and computer-readable storage medium

Publications (1)

Publication Number Publication Date
CN111062032A true CN111062032A (en) 2020-04-24

Family

ID=70301779

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911289343.3A Pending CN111062032A (en) 2019-12-13 2019-12-13 Anomaly detection method and system and computer-readable storage medium

Country Status (1)

Country Link
CN (1) CN111062032A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111814180A (en) * 2020-06-30 2020-10-23 中天掌金(北京)科技有限公司 Method for ensuring safety of financial App local operating environment
CN112817822A (en) * 2021-02-05 2021-05-18 深圳市思迪信息技术股份有限公司 APP behavior monitoring method and device, terminal and storage medium
CN113393001A (en) * 2021-05-12 2021-09-14 浙江吉利控股集团有限公司 Order receiving and queuing method and device for network appointment vehicle and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102722672A (en) * 2012-06-04 2012-10-10 奇智软件(北京)有限公司 Method and device for detecting authenticity of operating environment
US20170006462A1 (en) * 2015-07-04 2017-01-05 Sphero, Inc. Triggering associations based on detection events
CN108600162A (en) * 2018-03-13 2018-09-28 江苏通付盾科技有限公司 User authen method and device, computing device and computer storage media
CN108595292A (en) * 2018-04-26 2018-09-28 Oppo广东移动通信有限公司 A kind of optimization method of system, mobile terminal and computer storage media
CN109146558A (en) * 2018-07-31 2019-01-04 宜人恒业科技发展(北京)有限公司 A kind of method and apparatus identifying spurious motion step number
CN110427758A (en) * 2019-08-08 2019-11-08 北京智游网安科技有限公司 Position cheat detecting method, intelligent terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination