CN111953637B - Application service method and device - Google Patents
- Publication number: CN111953637B
- Authority: CN (China)
- Prior art keywords: target application, service, identification information, application, code segment
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/40—Support for services or applications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Multimedia (AREA)
- Power Engineering (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
- Stored Programmes (AREA)
Abstract
The present application provides an application service method, comprising: in a rich execution environment, determining whether a target application has a registered service; if so, obtaining a service request of the target application, obtaining current identification information of the target application according to the service request, and obtaining current signature information of the target application through the current identification information; determining whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered; if the current identification information is consistent with the initial identification information from registration, determining in a trusted execution environment whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered, and if so, processing according to the service request of the target application. With this application service method, the current information of the target application is compared with the initial information from registration and the service request is processed when they are consistent, which ensures the security of the user's use of the target application's services.
Description
Technical field
The present application relates to the field of application services, and in particular to an application service method and device.
Background
In recent years, terminal devices have carried more and more artificial intelligence services, and these services usually need very good personalization to win over consumers. Terminal device manufacturers and Internet development companies therefore all want to provide personalized services at the different levels of the terminal device (including the operating system layer, the framework layer, the application layer, and so on).
Most personalized services on terminal devices in the current technology follow this design: first, feedback data from the user's use of the terminal device is obtained and uploaded to a backend server, which trains a model on the received feedback data; decisions are then made on the feedback data according to the trained model; finally, the decision result is returned to the terminal device so that the user can receive it.
These existing personalized services have obvious technical defects. First, most of them need to obtain the user's usage and operation logs and send them back to a backend server (not limited to cloud servers), build a personalized model in the cloud, and then push it back to the terminal device by upgrading a software package or an application, thereby upgrading the personalized service function. This approach is costly and, to a certain extent, violates the user's personal privacy. Even when the terminal device carries an artificial intelligence chip, a flawed design of the personalized service solution is easily exploited by hackers, leaving functions of the terminal device unusable and even creating a risk of loss and leakage of property and private data.
Summary of the invention
The present application provides an application service method to solve the problems of insecurity and high transmission cost in existing application data transmission. The present application also relates to an application service device.
The present application provides an application service method, comprising:
in a rich execution environment, determining whether the target application has a registered service; if so, obtaining a service request of the target application, obtaining current identification information of the target application according to the service request, and obtaining current signature information of the target application through the current identification information; determining whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered;
if the current identification information of the target application is consistent with the initial identification information from when the target application was registered, determining in a trusted execution environment whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered, and if so, processing according to the service request of the target application.
Optionally, the method further comprises:
in the rich execution environment, obtaining a service registration request of the target application, obtaining initial identification information of the target application according to the service registration request, and obtaining initial signature information of the target application through the initial identification information;
in the trusted execution environment, generating, according to the initial signature information and the initial identification information, a service identifier for the service to be registered, and returning the service identifier to the target application.
Optionally, obtaining the initial identification information of the target application according to the service registration request comprises:
obtaining identification information of the target application at a permission layer higher than that of the target application;
using the identification information as the initial identification information of the target application.
Optionally, obtaining the initial signature information of the target application through the initial identification information comprises:
obtaining a code segment of the target application and the code segment position according to the initial identification information;
obtaining the initial signature information of the target application according to the code segment and the code segment position.
Optionally, obtaining the initial signature information of the target application according to the code segment and the code segment position comprises:
concatenating the code segment with the code segment position to obtain concatenated code information;
obtaining signature information of the code segment according to the concatenated code information;
using the signature information of the code segment as the initial signature information of the target application.
Optionally, obtaining the code segment and the code segment position of the target application according to the initial identification information comprises:
determining the target application according to the initial identification information;
selecting at least one code segment from the code of the target application as the code segment of the target application.
Optionally, the method further comprises:
determining whether permission to obtain the code segment of the target application is held;
obtaining the code segment of the target application through the initial identification information comprises:
if it is determined that permission to obtain the code segment of the target application is held, obtaining the code segment of the target application through the initial identification information.
Optionally, generating, in the trusted execution environment, the service identifier for the service to be registered according to the initial signature information and the initial identification information comprises:
storing the initial signature information and the initial identification information in a database of the trusted execution environment;
generating, in the trusted execution environment, the service identifier of the service to be registered that corresponds to the initial signature information and the initial identification information.
Optionally, returning the service identifier to the target application comprises:
in the rich execution environment, storing the initial identification information and the initial signature information of the registered target application with the service identifier as the index; and returning the service identifier stored in the rich execution environment to the target application.
Optionally, the service registration request includes at least one of the following:
name information of the service to be registered in the target application;
information on whether data encryption is enabled for the service to be registered;
data encryption algorithm information for the service to be registered;
data decryption public key information for the service to be registered.
Optionally, the initial identification information of the target application includes at least a unique identifier of the target application, the unique identifier being the unique identification of the target application at the kernel permission layer.
Optionally, determining whether the target application has a registered service comprises:
obtaining information on all services of the target application;
determining whether all services of the target application have a service identifier.
Optionally, determining whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered comprises:
obtaining identification information of the target application at a permission layer higher than that of the target application, and using the identification information as the current identification information of the target application;
obtaining the initial identification information from when the target application was registered;
determining whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered.
Optionally, determining in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered comprises:
obtaining the current signature information of the target application according to the current identification information of the target application;
obtaining the initial signature information from when the target application was registered;
determining whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered.
Optionally, obtaining the current signature information of the target application according to the current identification information of the target application comprises:
obtaining a code segment of the target application and the code segment position according to the current identification information;
obtaining the current signature information of the target application according to the code segment and the code segment position.
Optionally, obtaining the current signature information of the target application according to the code segment and the code segment position comprises:
concatenating the code segment with the code segment position to obtain concatenated code information;
obtaining signature information of the code segment according to the concatenated code information;
using the signature information of the code segment as the current signature information of the target application.
Optionally, obtaining the code segment and the code segment position of the target application according to the current identification information comprises:
determining the target application according to the current identification information;
selecting at least one code segment from the code of the target application as the code segment of the target application.
Optionally, the method further comprises:
determining whether permission to obtain the code segment of the target application is held;
obtaining the code segment of the target application through the current identification information comprises:
if it is determined that permission to obtain the code segment of the target application is held, obtaining the code segment of the target application through the current identification information.
Optionally, obtaining the service request of the target application comprises:
in the rich execution environment, obtaining a feedback data sample of the target application; and using the obtained feedback data sample of the target application as the obtained service request of the target application;
processing according to the service request of the target application comprises: in the trusted execution environment, training, according to the feedback data sample, a decision model used to obtain a service decision result from the feedback data of the target application; and using the obtained decision model for service decision results as the processing result.
Optionally, the method further comprises:
in the rich execution environment, obtaining feedback data of the target application;
in the trusted execution environment, obtaining a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model.
Optionally, the method further comprises:
in the trusted execution environment, storing the feedback data of the target application in a database;
determining whether collection of the feedback data is complete, and if so, deleting all feedback data from the database;
obtaining a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model.
Optionally, the method further comprises:
determining whether the feedback data is encrypted, and if so, decrypting the feedback data;
obtaining the service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model comprises:
obtaining the service decision result for the feedback data of the target application according to the decrypted feedback data and the decision model.
Optionally, obtaining the service request of the target application comprises:
in the rich execution environment, obtaining feedback data of the target application, obtaining candidate objects according to the feedback data, and obtaining a decision request of the target application; and using the obtained decision request of the target application as the obtained service request of the target application;
processing according to the service request of the target application comprises: in the trusted execution environment, obtaining, according to the decision request of the target application, a decision model used to obtain a decision result from the candidate objects, and obtaining a decision result according to the candidate objects and the decision model; and using the obtained decision result as the processing result.
Optionally, obtaining the candidate objects according to the feedback data comprises:
obtaining the object set corresponding to the feedback data;
obtaining a filtering condition for the feedback data, filtering out of the object set the objects that meet the filtering condition, and using the objects that meet the filtering condition as the candidate objects.
Optionally, obtaining, according to the decision request of the target application, the decision model used to obtain a decision result from the candidate objects comprises:
obtaining the service identifier contained in the decision request;
obtaining the decision model with the service identifier as the index.
Optionally, obtaining the decision result according to the candidate objects and the decision model comprises:
scoring each element of the candidate objects according to the decision model to obtain scoring results;
sorting the elements according to the scoring results to obtain a sorting result;
using the scoring results and the sorting result as the decision result.
Correspondingly, the present application also provides an application service device, comprising:
a service judging unit, configured to: in a rich execution environment, determine whether the target application has a registered service; if so, obtain a service request of the target application, obtain current identification information of the target application according to the service request, and obtain current signature information of the target application through the current identification information; determine whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered; and, if the current identification information is consistent with the initial identification information from registration, determine in a trusted execution environment whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered;
a service processing unit, configured to process according to the service request of the target application if the result of the determination is yes.
The present application also provides a terminal, comprising:
a service judging unit, configured to: in a rich execution environment in the terminal, determine whether a target application has a registered service; if so, obtain a service request of the target application, obtain current identification information of the target application according to the service request, and obtain current signature information of the target application through the current identification information; determine whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered; and, if the current identification information is consistent with the initial identification information from registration, determine in a trusted execution environment in the terminal whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered;
a service processing unit, configured to process according to the service request of the target application if the result of the determination is yes.
Compared with the prior art, the present application has the following advantages:
The present application provides an application service method, comprising: in a rich execution environment, determining whether a target application has a registered service; if so, obtaining a service request of the target application, obtaining current identification information of the target application according to the service request, and obtaining current signature information of the target application through the current identification information; determining whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered; if the current identification information is consistent with the initial identification information from registration, determining in a trusted execution environment whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered, and if so, processing according to the service request of the target application. With this application service method, the current information of the target application is compared with the initial information from registration and the service request is processed when they are consistent. This provides a security guarantee for target applications that use the service of the present application, preventing the target application's service from being tampered with during data transmission, and so ensures the security of the user's use of the target application's services.
In a further improved technical solution of the present application, the application must also be registered before the application service of the present application is used. When the service of the target application is registered, the initial identification information of the target application that is used is obtained at a permission layer higher than that of the target application, which further reduces the possibility of data being tampered with when data is transmitted using the target application's service.
Description of drawings
To explain the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the present application, and those of ordinary skill in the art can obtain other drawings from them.
FIG. 1 is a flowchart of the application service method of Embodiment 1 of the present application.
FIG. 2 is a flowchart of the service registration method for an application of Embodiment 2 of the present application.
FIG. 3 is a flowchart of the method for processing feedback data for a target application of Embodiment 3 of the present application.
FIG. 4 is a flowchart of the online decision-making method of Embodiment 4 of the present application.
FIG. 5 is a flowchart of the service deregistration method for an application of Embodiment 5 of the present application.
FIG. 6 is a schematic diagram of the application service device of Embodiment 6 of the present application.
FIG. 7 is a schematic diagram of a terminal of Embodiment 8 of the present application.
FIG. 8 is a schematic diagram of the components of a system for application services of Embodiment 9 of the present application.
Detailed description
Numerous specific details are set forth in the following description to provide a thorough understanding of the present application. However, the present application can be implemented in many ways other than those described here, and those skilled in the art can make similar generalizations without departing from the substance of the present application. Therefore, the present application is not limited by the specific implementations disclosed below.
The present application provides an application service method and apparatus. The specific embodiments are as follows.
FIG. 1 is a flowchart of the application service method according to Embodiment 1 of the present application. The method includes the following steps.
Step S101: In the rich execution environment, determine whether the target application has a registered service. If it does, obtain the service request of the target application, obtain the current identification information of the target application according to the service request, and obtain the current signature information of the target application through the current identification information; then determine whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.
Step S102: If the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered, determine in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered. If so, process the request according to the service request of the target application.
The application service method of the present application includes a service registration process for the target application, a feedback data processing process, and an online decision-making process. In the following description, three embodiments are used to describe the three processes one by one.
FIG. 2 is a flowchart of the application service registration method according to Embodiment 2 of the present application. The method includes the following steps.
Step S201: In the rich execution environment, obtain the service registration request of the target application, obtain the initial identification information of the target application according to the service registration request, and obtain the initial signature information of the target application through the initial identification information.
When a service of an application is registered using the service registration method of this embodiment, the service registration request of the target application is obtained first. The service registration request includes at least one of the following: the name of the service in the target application that needs to be registered, whether data encryption is enabled for that service, the data encryption algorithm for that service, and the data decryption public key for that service.
Take the registration of one service of a target application as an example, and assume that the target application is APP1. In practice, APP1 may offer many different service functions. For the service being registered, its name can be placed in the service registration request so that it is clear which service function of the target application is to be registered with the method of this embodiment. To ensure that, after registration with the method of this embodiment, the data of the target application is not exposed to the risk of tampering during subsequent transmission, the information on whether data encryption is enabled for the service can also be placed in the service registration request. Likewise, if the information that data encryption is enabled is placed in the service registration request, the data encryption algorithm information and the data decryption public key information for the service can be placed in the request at the same time.
Specifically, the service registration request may be a request string containing the name of the service, whether data encryption is enabled for the service to be registered, the data encryption algorithm of the service to be registered, and the data decryption public key for the service to be registered. Since encryption, decryption and the algorithms involved have been studied to a relatively mature degree in the prior art, they are not described further here.
Next, the initial identification information of the target application is obtained according to the service registration request. Specifically, the identification information of the target application may be obtained at a permission layer higher than that of the target application, and the identification information obtained at that higher layer is used as the initial identification information of the target application. The permission layer higher than the target application may be the kernel layer of the system running the target application, or another layer of the system; it suffices that the layer is higher than the permission layer of the target application. In this embodiment, the system refers to the system of the present application that is used to register, deregister and serve the services of target applications. Note that the initial identification information here may be the unique identifier of the target application in that system, for example the unique identifier of the target application at the kernel permission layer of the system.
After the identification information of the target application is obtained, the initial signature information of the target application is obtained according to the initial identification information. Specifically, the initial signature information may be obtained as described below.
First, the code segment of the target application and the position of the code segment are obtained according to the initial identification information.
Then, the initial signature information of the target application is obtained from the code segment and the code segment position. Specifically, one way to do this is to concatenate the code segment with the code segment position to obtain the concatenated code information, compute the signature information of the code segment with a hash algorithm, and use the signature information of the code segment as the initial signature information of the target application.
In this embodiment, the initial signature information is used to ensure the security of data during registration of the target application's service, during subsequent data processing after registration, and during deregistration. It also protects the privacy of the user of the target application. The initial signature information of the target application therefore needs to be obtained during registration. Here, the initial signature information further ensures the security of the target application's service when it uses the system of the present application.
To obtain the code segment of the target application, the target application to be registered must be confirmed when the code segment and code segment position are obtained according to the initial identification information; that is, the target application is determined from the initial identification information. For example, suppose several applications register services at the same time, and the three applications are APP1, APP2 and APP3. Each of the three applications has its own initial identification information. Assume that the initial identification information of APP1 is A1, that of APP2 is A2, and that of APP3 is A3. When A1 is used to obtain the code segment and code segment position of the target application, it can be inferred that the code segment and code segment position of APP1 are to be obtained. In the same way, when A2 is used, the code segment and code segment position of APP2 are to be obtained, and when A3 is used, the code segment and code segment position of APP3 are to be obtained.
After the target application whose code segment is to be obtained has been determined, at least one code segment is selected from the code of the target application as the code segment of the target application. The code segment may simply be a randomly selected portion of the target application's program. When that portion is obtained, the position corresponding to the code segment can be obtained as well. Since techniques for randomly obtaining a code segment of an application are relatively mature, they are not described further here.
In this embodiment, before the code segment of the target application is obtained, it must also be determined whether there is permission to obtain the code segment of the target application. If it is determined that there is such permission, the code segment of the target application is obtained through the initial identification information.
Specifically, when the service of the target application is registered using the method of this embodiment, it must be determined, before the code segment is obtained, whether there is permission to obtain the code segment of the target application, so that the code segment can actually be obtained. The purpose of this determination is to ensure that the code segment of the target application is obtained successfully. For example, if the entity executing the service registration method of this embodiment determines that there is permission to obtain the code segment of the current target application, the code segment of the target application is obtained through the initial identification information; otherwise, the code segment of the target application cannot be obtained.
Step S202: In the trusted execution environment, generate the service identifier of the service to be registered according to the initial signature information and the initial identification information, and return the service identifier to the target application.
After the initial signature information and the initial identification information are obtained in step S201, the service identifier of the service to be registered is generated in the trusted execution environment according to the initial signature information and the initial identification information.
Specifically, the service identifier may be generated as described below.
First, the initial signature information and initial identification information of the target application are passed into the trusted execution environment. The rich execution environment was mentioned in step S201 of this embodiment, and this step involves the trusted execution environment; together they make up the operating system used to register services in this embodiment. A rich execution environment generally refers to an untrusted runtime environment, such as the common Android operating system. A trusted execution environment refers to a specific runtime environment isolated by hardware; although it is more secure than the rich execution environment, its storage and computing resources are limited. The operating system that executes the service registration method in this embodiment therefore combines the two: some steps are executed in the rich execution environment and the others in the trusted execution environment, which ensures both high security and a high computation rate for data transmission.
Passing the initial signature information and initial identification information of the target application into the trusted execution environment may consist of first storing them in a database in the trusted execution environment. The service identifier of the service to be registered is then generated in the trusted execution environment, that is, it is generated from the initial signature information and initial identification information in the database. For example, if the target application is APP1 and its service APP1FUNC1 is to be registered, the initial identification information A1 and the initial signature information B1 are obtained first. If the service identifier generated from A1 and B1 is D1, then D1 is the service identifier of APP1FUNC1.
After that, the service identifier is returned to the target application.
After the trusted execution environment generates the service identifier of the target application's service, the service identifier must be returned to the target application so that the service the target application has registered can be identified.
Specifically, one way to return the service identifier to the target application is as follows. First, in the rich execution environment, the initial identification information and initial signature information of the registered target application are stored with the service identifier as the index. Then the service identifier stored in the rich execution environment is returned to the target application.
Storing the initial identification information and initial signature information of the registered target application with the service identifier as the index first associates the registered service identifier with the relevant information of the target application. The service identifier is then returned to the target application through that association.
With the service registration method of this embodiment, the service identifier corresponding to a service of the target application can be obtained from the initial identification information and initial signature information of the target application. This provides a security guarantee for target applications that use the service of the present application and prevents the data of the target application's service from being tampered with during transmission, which in turn ensures that users can use the service of the target application safely.
Embodiment 2 above describes service registration in the application service method. Following registration, the present application also provides a method for processing feedback data for the target application. FIG. 3 is a flowchart of the method for processing feedback data in the target application service method according to Embodiment 3 of the present application. The method includes the following steps.
Step S301: In the rich execution environment, obtain feedback data samples of the target application and determine whether the target application has a registered service. If it does, determine whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.
When the feedback data of the target application is processed with the method provided in this embodiment, the feedback data samples of the target application are first obtained in the rich execution environment. The feedback data samples are used to train a model, so that the feedback data produced when users use the target application can be processed.
Before the model is trained on the feedback data samples, the service registration of the target application's service is checked. The purpose of the check is to ensure the security of user data. The check in this embodiment has three levels, which are described in turn below.
First-level check: determine whether the target application has a registered service.
One way to determine whether the target application has a registered service is to first obtain all services of the target application and then determine in turn whether each of those services has a service identifier.
As mentioned in Embodiment 2, every successfully registered service has a service identifier in the rich execution environment, so the registration status of a service can be determined initially by checking whether the target application has a service with a service identifier. In the first-level check, if none of the services of the target application has a registered service identifier, the check for this target application exits directly. If one exists, the second-level check is entered, that is, it is determined whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.
Second-level check: determine whether the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered.
When the first-level check finds that the target application meets the condition, the second-level check is entered.
As mentioned in Embodiment 2, a successfully registered service has initial identification information stored in the rich execution environment from the registration process. Once the first-level check is passed, the initial identification information recorded when the current target application was registered can therefore be retrieved from the rich execution environment.
Likewise, when determining whether the current identification information of the target application is consistent with the initial identification information recorded at registration, the current identification information of the current target application can be determined in the rich execution environment from the current target application. The current identification information can be obtained in the same way as the initial identification information in Embodiment 2: the identification information of the current target application is obtained at a permission layer higher than that of the current target application and is used as the current identification information of the current target application.
After the current identification information and the initial identification information are obtained, it is determined whether they are consistent. For example, if the initial identification information of APP1 at service registration is A1 and the current identification information is also A1, the current identification information of the target application is determined to be consistent with the initial identification information recorded at registration. If the initial identification information of APP1 at service registration is A1 and the current identification information is A01, the current identification information of the target application is determined to be inconsistent with the initial identification information recorded at registration.
Step S302: If the current identification information of the target application is consistent with the initial identification information recorded when the target application was registered, determine in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered. If so, train, on the feedback data samples, a decision model that is used to obtain a service decision result from the feedback data of the target application.
In step S301, if the current identification information of the target application is determined to be consistent with the initial identification information recorded at registration, the third-level check is entered, that is, it is determined whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered.
Third-level check: determine whether the current signature information of the target application is consistent with the initial signature information recorded when the target application was registered.
When the second-level check finds that the target application meets the condition, the third-level check is entered.
Likewise, as mentioned in Embodiment 2, a successfully registered service has initial signature information stored in the rich execution environment from the registration process. Once the second-level check is passed, the initial signature information recorded when the current target application was registered can therefore be retrieved from the rich execution environment.
When determining in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information recorded at registration, the current signature information of the current target application can be determined in the rich execution environment from the current identification information of the current target application. The current signature information can be obtained in the same way as the initial signature information in Embodiment 2, that is, from the current identification information of the target application.
One way to obtain the current signature information of the target application from its current identification information is to first obtain the code segment of the target application and the code segment position according to the current identification information, and then obtain the current signature information of the target application from the code segment and the code segment position.
Specifically, one way to obtain the current signature information of the target application from the code segment and the code segment position is to concatenate the code segment with the code segment position, compute the signature information of the code segment with a hash algorithm, and use the signature information of the code segment as the current signature information of the target application.
In this embodiment, the current signature information is used to ensure the security of the data of the target application's service during data processing. It also protects the privacy of the user of the target application. The current signature information of the target application therefore needs to be obtained during data processing. Here, the current signature information further ensures the security of the target application's service when it uses the system of the present application.
To obtain the code segment of the target application, the target application to be registered must be confirmed when the code segment and code segment position are obtained according to the current identification information; that is, the target application is determined from the current identification information. For example, suppose several applications process data at the same time, and the three applications are APP1, APP2 and APP3. Each of the three applications has its own current identification information. Assume that the current identification information of APP1 is A1, that of APP2 is A2, and that of APP3 is A3. When A1 is used to obtain the code segment and code segment position of the target application, it can be inferred that the code segment and code segment position of APP1 are to be obtained. In the same way, when A2 is used, the code segment and code segment position of APP2 are to be obtained, and when A3 is used, the code segment and code segment position of APP3 are to be obtained.
After the target application whose code segment is to be obtained has been determined, at least one code segment is selected from the code of the target application as the code segment of the target application. The code segment may simply be a randomly selected portion of the target application's program. When that portion is obtained, the position corresponding to the code segment can be obtained as well. Since techniques for randomly obtaining a code segment of an application are relatively mature, they are not described further here.
In this embodiment, before the code segment of the target application is obtained, it must also be determined whether there is permission to obtain the code segment of the target application. If it is determined that there is such permission, the code segment of the target application is obtained through the current identification information.
Specifically, when data is processed with the method of this embodiment after the service of the target application has been registered, it must be determined, before the code segment is obtained, whether there is permission to obtain the code segment of the target application, so that the code segment can actually be obtained. The purpose of this determination is to ensure that the code segment of the target application is obtained successfully. For example, if it is determined that there is permission to obtain the code segment of the current target application, the code segment of the target application is obtained through the current identification information; otherwise, the code segment of the target application cannot be obtained.
在获得当前签名信息与目标应用注册时的初始签名信息后,在可信执行环境中判断目标应用的当前签名信息与目标应用注册时的初始签名信息是否一致。例如,APP1注册服务时的初始签名信息为B1,若当前签名信息也为B1,则判断目标应用的当前签名信息与目标应用注册时的初始签名信息一致;APP1注册服务时的初始签名信息为B1,若当前签名信息也为B01,则判断目标应用的当前签名信息与目标应用注册时的初始签名信息不一致。需要说明的是,此判断过程是在可信执行环境中执行的,而获取签名信息是在富执行环境进行的。总之,在数据处理过程中,三个层次判断中的最后判断是在可信执行环境中执行的,以充分保证目标应用的数据在处理过程中不会被篡改。After obtaining the current signature information and the initial signature information when the target application was registered, it is judged in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information when the target application was registered. For example, the initial signature information when APP1 registers for a service is B1, and if the current signature information is also B1, it is determined that the current signature information of the target application is consistent with the initial signature information when the target application is registered; the initial signature information when APP1 registers for a service is B1 , if the current signature information is also B 0 1, it is determined that the current signature information of the target application is inconsistent with the initial signature information when the target application was registered. It should be noted that this judgment process is performed in a trusted execution environment, and the acquisition of signature information is performed in a rich execution environment. In a word, in the process of data processing, the final judgment in the three-level judgment is executed in a trusted execution environment to fully ensure that the data of the target application will not be tampered with during the processing.
After all three levels have been verified, that is, when the target application has a registered service, the current identification information of the target application is consistent with the registered initial identification information, and the current signature information of the target application is consistent with the registered initial signature information, a decision model for obtaining a service decision result from the feedback data of the target application is trained according to the feedback data samples.
Specifically, as one way of training the decision model for obtaining a service decision result from the feedback data of the target application, the feedback data samples are first learned in the trusted execution environment by online processing or batch processing. The decision model resulting from the learning is then obtained and stored in the trusted execution environment, indexed by the service identifier of the target application.
After the decision model has been stored in the trusted execution environment, the feedback data of the target application is obtained in the rich execution environment, and a service decision result for the feedback data of the target application is obtained according to that feedback data and the decision model.
When the feedback data is obtained, the feedback data of the target application may be stored temporarily in a database in the trusted execution environment. It is then determined whether collection of the feedback data is complete; if so, all feedback data in the database is deleted. Deleting used feedback data promptly in this way saves storage space on the one hand and keeps the feedback data secure on the other.
Before the feedback data is processed, it must also be determined whether the feedback data is encrypted; if so, the feedback data is decrypted, and the service decision result for the feedback data of the target application is obtained according to the decrypted feedback data and the decision model.
With the method of this embodiment for processing the feedback data of the target application, the data can be processed in a trusted execution environment with a higher security level, which keeps the feedback data of the target application secure. Because the method applies to a target application whose service has already been registered, it is necessary to verify, level by level, whether the target application has registered the service, whether the initial identification information of the target application at registration is consistent with the current identification information of the current target application, and, in the trusted execution environment, whether the initial signature information of the target application at registration is consistent with the current signature information of the current target application. This further prevents the service of the target application from being maliciously tampered with while feedback data is transmitted, and thereby further ensures that the user can use the service of the target application securely.
Embodiment 3 above describes the processing of feedback data in the application service method. Following the processing of feedback data, the present application also provides a method of online decision-making for the target application, as shown in FIG. 4, which is a flowchart of the online decision-making method for the target application service method according to Embodiment 4 of the present application. The method includes the following steps.
Step S401: in the rich execution environment, obtain the feedback data of the target application, obtain candidate objects according to the feedback data, obtain the decision request of the target application, and determine whether the target application has registered a service for the decision request; if so, determine whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered.
When the method of this embodiment is used to obtain a decision result, the feedback data of the target application is first obtained in the rich execution environment, and candidate objects are obtained according to the feedback data.
Specifically, the candidate objects may be obtained from the feedback data in the manner described below.
First, the object set corresponding to the feedback data is obtained.
Then, the filtering conditions for the feedback data are obtained, the objects that meet the filtering conditions are filtered out of the object set, and those objects are used as the candidate objects.
Because the method of this embodiment is a method for obtaining a decision result, the decision request for the target application that triggers the method is obtained at the same time as the feedback data.
Of course, before the feedback data is obtained, the service registration of the target application's service is likewise checked first, again to keep user data secure. The determination in this embodiment is also divided into three levels, which are the same as the determinations in Embodiment 3.
The first two levels are, respectively, determining whether the target application has registered a service for the decision request and, if so, determining whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered. The determinations are described in detail in Embodiment 3 and are not repeated here; see the corresponding description in Embodiment 3.
Step S402: if the current identification information of the target application is consistent with the initial identification information from when the target application was registered, determine in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered; if so, obtain, according to the decision request of the target application, the decision model for obtaining a decision result according to the candidate objects, and obtain the decision result according to the candidate objects and the decision model.
Likewise, if the current identification information of the target application is determined to be consistent with the initial identification information from when the target application was registered, it is determined in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered. For details, see the corresponding description in Embodiment 3, which is not repeated here.
After it has been determined in the trusted execution environment that the current signature information of the target application is consistent with the initial signature information from when the target application was registered, the decision model for obtaining a decision result according to the candidate objects is obtained according to the decision request of the target application and the previously obtained candidate objects. The decision model may be obtained in the manner described below.
First, the service identifier contained in the decision request is obtained. The decision request obtained in step S401 includes the service identifier of the service that the target application has registered.
After the service identifier has been obtained, the decision model pre-stored during feedback data processing is retrieved using the service identifier as the index, and that decision model is used as the decision model for obtaining the decision result according to the candidate objects. Because the decision model obtained after training in Embodiment 3 was stored in the trusted execution environment indexed by the service identifier, the decision process only needs to use the service identifier as the index to retrieve, from the trusted execution environment, the decision model pre-stored during feedback data processing.
After the decision model has been obtained, the decision result is obtained according to the candidate objects and the decision model. Obtaining the decision result includes scoring each element of the candidate objects according to the decision model and sorting the elements according to the scores; the score of each element and the sorting result are used as the decision result.
With the online decision-making method of this embodiment, decisions can likewise be made in a trusted execution environment with a higher security level. Because online decision-making in this embodiment applies to a target application whose service has already been registered, it is necessary to verify, level by level, whether the target application has registered the service, whether the initial identification information of the target application at registration is consistent with the current identification information of the current target application, and, in the trusted execution environment, whether the initial signature information of the target application at registration is consistent with the current signature information of the current target application. This further prevents the service of the target application from being maliciously tampered with during decision-making, and thereby further ensures that the user can use the service of the target application securely.
Corresponding to the service registration of Embodiment 2, and to further ensure the security of the application service of the present application, the present application also provides a service deregistration method for an application, as shown in FIG. 5, which is a flowchart of the application service deregistration method according to Embodiment 5 of the present application. The method includes the following steps.
Step S501: in the rich execution environment, obtain the service deregistration request of the target application and determine, according to the service deregistration request, whether the target application has a registered service; if so, determine whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered.
In this embodiment, the service deregistration method first obtains the service deregistration request of the target application, and the subsequent operations are performed according to that request.
As in Embodiment 3, three levels of determination are also performed when the deregistration method of this embodiment is used. The three levels are described briefly below; for details, see the relevant description in Embodiment 3.
First level: determine whether the target application has a registered service.
One way of determining whether the target application has a registered service is to first obtain all services of the target application and then determine, one by one, whether each of those services has a service identifier. If one does, the second level of determination is entered, that is, determining whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered.
Second level: determine whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered. This level is entered when the first level determines that the target application meets the condition.
Specifically, one way of determining whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered is as follows: first, the identification information of the target application is obtained at a permission layer higher than that of the target application itself, and this identification information is used as the current identification information of the target application; next, the initial identification information from when the target application was registered is obtained; once both the initial identification information and the current identification information have been obtained, it is determined whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered.
Step S502: if the current identification information of the target application is consistent with the initial identification information from when the target application was registered, determine in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered; if so, delete the feedback data and the decision model for the target application.
If step S501 determines that the current identification information of the target application is consistent with the initial identification information from when the target application was registered, the third level of determination is entered, that is, determining whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered.
Third level: determine whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered.
This level is entered when the second level determines that the target application meets the condition.
Likewise, as mentioned in Embodiment 2, a successfully registered service has initial signature information in the rich execution environment as a result of the registration process; therefore, once the second-level determination has been passed, the initial signature information from when the current target application was registered can be extracted in the rich execution environment.
When it is determined in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered, the current signature information of the current target application can likewise be determined in the rich execution environment according to the current identification information of the current target application. The current signature information of the current target application can be obtained in the same way as the initial signature information in Embodiment 2, that is, according to the current identification information of the target application.
As one way of obtaining the current signature information of the target application according to its current identification information, the code segment and code segment location of the target application are first obtained according to the current identification information, and the current signature information of the target application is then obtained according to the code segment and the code segment location.
Specifically, one way of obtaining the current signature information of the target application according to the code segment and the code segment location is to splice the code segment with the code segment location, compute the signature information of the code segment with a hash algorithm, and use the signature information of the code segment as the current signature information of the target application.
In this embodiment, the current signature information is used to keep the data of the target application's service secure during deregistration and to protect the user's privacy while using the target application; the current signature information of the target application therefore needs to be obtained during deregistration. Here, the current signature information further ensures that the target application's service uses the system of the present application securely.
To obtain the code segment of the target application, when the code segment and the code segment location are obtained according to the current identification information, the target application to be registered must first be confirmed; that is, the target application is determined from the current identification information. After the target application whose code segment is to be obtained has been determined, at least one code segment is selected from the code of the target application as the code segment of the target application. The code segment may simply be a randomly obtained piece of the target application's program. When that piece of the program is obtained, the location corresponding to the code segment can be obtained as well. Since techniques for randomly obtaining a code segment of an application are relatively mature, they are not described further here.
In this embodiment, before the code segment of the target application is obtained, it must also be determined whether there is permission to obtain the code segment for the target application; if it is determined that there is such permission, the code segment of the target application is obtained through the current identification information.
Specifically, when the method of this embodiment is used to deregister the service of the target application after it has been registered, whether there is permission to obtain the code segment for the target application must be determined before the code segment is obtained, to make sure that the code segment can be obtained. This determination ensures that the code segment of the target application is obtained successfully. For example, if it is determined that the current target application has the permission to obtain the code segment, the code segment of the target application is obtained through the current identification information; otherwise, the code segment of the target application cannot be obtained.
After the current signature information and the initial signature information from when the target application was registered have been obtained, it is determined in the trusted execution environment whether the two are consistent. Note that this determination is performed in the trusted execution environment, whereas the signature information is obtained in the rich execution environment. In short, during deregistration, the last of the three levels of determination is performed in the trusted execution environment, to fully ensure that the data of the target application is not tampered with during deregistration.
After all three levels have been verified, that is, when the target application has a registered service, the current identification information of the target application is consistent with the registered initial identification information, and the current signature information of the target application is consistent with the registered initial signature information, the feedback data and the decision model for the target application are deleted.
With the application service deregistration method of this embodiment, deregistration can likewise be performed in a trusted execution environment with a higher security level. Because the deregistration method applies to a target application whose service has already been registered, it is necessary to verify, level by level, whether the target application has registered the service, whether the initial identification information of the target application at registration is consistent with the current identification information of the current target application, and, in the trusted execution environment, whether the initial signature information of the target application at registration is consistent with the current signature information of the current target application. This further prevents the service of the target application from being maliciously tampered with during or before deregistration, and thereby further ensures that the user can use the service of the target application securely.
In short, Embodiments 2 to 5 above divide the application service of the present application into a registration process, a data processing process, an online decision-making process and a deregistration process, and verification is performed at every stage after registration, which ensures that the user can use the service of the target application securely.
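The three-level check that gates feedback-data processing (Embodiment 3), online decision-making (Embodiment 4) and deregistration (Embodiment 5) can be sketched as follows; this is an added Python example, not code from the patent. SHA-256, the 8-byte position encoding, the service-identifier derivation, the mean-reward-per-tag model, removal of the registration record on deregistration and all names (`ServiceGate`, `code_signature`, `demo`) are assumptions, and the rich and trusted execution environments are modelled as separate dictionaries in one process.

```python
import hashlib
import hmac


def code_signature(segment: bytes, position: int) -> bytes:
    # Splice segment and position, then hash. Assumptions: SHA-256 and an
    # 8-byte big-endian position (the fixed width keeps the splice unambiguous).
    return hashlib.sha256(segment + position.to_bytes(8, "big")).digest()


class ServiceGate:
    """ree_* models rich-execution-environment state, tee_* state kept in the TEE."""

    def __init__(self):
        self.ree_records = {}     # service_id -> (app_id, position, length)
        self.tee_signatures = {}  # service_id -> initial signature information
        self.tee_feedback = {}    # service_id -> raw feedback samples
        self.tee_models = {}      # service_id -> decision model

    def register(self, app_id, image, position, length):
        sig = code_signature(image[position:position + length], position)
        # Assumption: service identifier = truncated hash of signature + app id.
        service_id = hashlib.sha256(sig + app_id.encode()).hexdigest()[:16]
        self.ree_records[service_id] = (app_id, position, length)
        self.tee_signatures[service_id] = sig
        return service_id

    def verify(self, service_id, current_app_id, current_image):
        # Level 1 (REE): does a registered service exist?
        record = self.ree_records.get(service_id)
        if record is None:
            return "not-registered"
        app_id, position, length = record
        # Level 2 (REE): current vs. initial identification information.
        if current_app_id != app_id:
            return "id-mismatch"
        # Level 3 (TEE): current vs. initial signature, compared in constant time.
        current = code_signature(current_image[position:position + length], position)
        if not hmac.compare_digest(current, self.tee_signatures[service_id]):
            return "signature-mismatch"
        return "ok"

    def train(self, service_id, app_id, image, samples):
        """Batch-learn a mean-reward-per-tag model and index it by service id."""
        status = self.verify(service_id, app_id, image)
        if status != "ok":
            return status
        self.tee_feedback[service_id] = list(samples)
        totals = {}
        for tag, reward in self.tee_feedback[service_id]:
            hit, seen = totals.get(tag, (0, 0))
            totals[tag] = (hit + reward, seen + 1)
        self.tee_models[service_id] = {t: h / n for t, (h, n) in totals.items()}
        del self.tee_feedback[service_id]  # collection finished: drop raw samples
        return "ok"

    def decide(self, service_id, app_id, image, objects, keep):
        """Filter objects into candidates, score each with the stored model, rank."""
        status = self.verify(service_id, app_id, image)
        if status != "ok":
            return status, []
        model = self.tee_models.get(service_id, {})
        scored = [(name, model.get(tag, 0.0)) for name, tag in objects if keep(tag)]
        return "ok", sorted(scored, key=lambda item: item[1], reverse=True)

    def deregister(self, service_id, app_id, image):
        status = self.verify(service_id, app_id, image)
        if status == "ok":  # delete everything held for the service
            for table in (self.ree_records, self.tee_signatures,
                          self.tee_feedback, self.tee_models):
                table.pop(service_id, None)
        return status


# Constructed sample input: a fake application image and a tampered copy.
IMAGE = b"\x00" * 64 + b"APP1-service-logic" + b"\xff" * 32
TAMPERED = IMAGE.replace(b"logic", b"l0gic")


def demo():
    gate = ServiceGate()
    sid = gate.register("A1", IMAGE, position=64, length=18)
    samples = [("news", 1), ("news", 0), ("video", 1), ("ads", 0)]
    objects = [("n1", "news"), ("v1", "video"), ("a1", "ads")]
    return {
        "train": gate.train(sid, "A1", IMAGE, samples),
        "wrong_id": gate.verify(sid, "A2", IMAGE),
        "tampered": gate.verify(sid, "A1", TAMPERED),
        "decide": gate.decide(sid, "A1", IMAGE, objects, keep=lambda tag: tag != "ads"),
        "blocked_logout": gate.deregister(sid, "A1", TAMPERED),
        "model_kept": sid in gate.tee_models,
        "logout": gate.deregister(sid, "A1", IMAGE),
        "after": gate.verify(sid, "A1", IMAGE),
    }


if __name__ == "__main__":
    print(demo())
```

Only the bytes inside the registered segment are hashed, so in this sketch a change elsewhere in the image still passes the third level.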
Corresponding to the application service method above, the present application also provides an application service device. Refer to FIG. 6, which is a schematic diagram of an application service device according to Embodiment 6 of the present application. Because the device embodiment is largely similar to the method embodiments, it is described relatively briefly; for related details, see the corresponding parts of the method embodiments. The device embodiment described below is merely illustrative. The application service device provided by the present application includes the following parts.
The present application provides an application service device, including:
a service judgment unit 601, configured to: in the rich execution environment, determine whether the target application has a registered service and, if so, obtain the service request of the target application, obtain the current identification information of the target application according to the service request, and obtain the current signature information of the target application through the current identification information; determine whether the current identification information of the target application is consistent with the initial identification information from when the target application was registered; and, if the current identification information of the target application is consistent with the initial identification information from when the target application was registered, determine in the trusted execution environment whether the current signature information of the target application is consistent with the initial signature information from when the target application was registered;
a service processing unit 602, configured to, if the determination result is yes, perform processing according to the service request of the target application.
Optionally, the device further includes:
an initial signature information obtaining unit, configured to, in the rich execution environment, obtain the service registration request of the target application, obtain the initial identification information of the target application according to the service registration request, and obtain the initial signature information of the target application through the initial identification information;
a service identifier generating unit, configured to generate, in the trusted execution environment, the service identifier of the service to be registered according to the initial signature information and the initial identification information;
an identifier returning unit, configured to return the service identifier to the target application.
可选的,所述初始签名信息获取单元具体用于:Optionally, the initial signature information acquisition unit is specifically used for:
在高于所述目标应用的权限层获取所述目标应用的识别信息;Obtain the identification information of the target application at a higher authority layer than the target application;
将所述识别信息作为所述目标应用的初始识别信息。The identification information is used as the initial identification information of the target application.
可选的,所述初始签名信息获取单元具体用于:Optionally, the initial signature information acquisition unit is specifically used for:
根据所述初始识别信息获取所述目标应用的代码段以及代码段位置;Obtain the code segment and the code segment location of the target application according to the initial identification information;
根据所述代码段以及所述代码段位置获得所述目标应用的初始签名信息。Obtain initial signature information of the target application according to the code segment and the location of the code segment.
可选的,所述初始签名信息获取单元具体用于:Optionally, the initial signature information acquisition unit is specifically used for:
将所述代码段与所述代码段位置拼接,获得拼接后的代码信息;Splicing the code segment and the code segment position to obtain the spliced code information;
根据所述拼接后的代码信息获得所述代码段的签名信息;Obtain the signature information of the code segment according to the spliced code information;
将所述代码段的签名信息作为所述目标应用的初始签名信息。The signature information of the code segment is used as the initial signature information of the target application.
可选的,所述初始签名信息获取单元具体用于:Optionally, the initial signature information acquisition unit is specifically used for:
根据所述初始识别信息确定所述目标应用;Determine the target application according to the initial identification information;
从所述目标应用的代码中选取至少一个代码段作为所述目标应用的代码段。At least one code segment is selected from the code of the target application as the code segment of the target application.
可选的,所述初始签名信息获取单元还用于:Optionally, the initial signature information acquisition unit is also used for:
判断针对所述目标应用是否具有获取代码段的权限;Determine whether the target application has the permission to obtain the code segment;
所述通过所述初始识别信息获取所述目标应用的代码段,包括:The obtaining the code segment of the target application through the initial identification information includes:
若确定针对所述目标应用具有获取代码段的权限,则通过所述初始识别信息获取所述目标应用的代码段。If it is determined that the target application has the right to acquire the code segment, the code segment of the target application is acquired through the initial identification information.
可选的,所述服务标识生成单元,具体用于:Optionally, the service identifier generating unit is specifically used for:
将所述初始签名信息以及所述初始识别信息存储至所述可信执行环境的数据库中;storing the initial signature information and the initial identification information in the database of the trusted execution environment;
在所述可信执行环境中,生成所述初始签名信息与所述初始识别信息对应的需要注册服务的服务标识。In the trusted execution environment, a service identifier corresponding to the initial signature information and the initial identification information that needs to register a service is generated.
可选的,所述标识返回单元,具体用于:Optionally, the identifier returning unit is specifically used for:
在所述富执行环境中,以所述服务标识为索引,储存已注册的所述目标应用的所述初始识别信息与所述初始签名信息;将所述储存在所述富执行环境中的所述服务标识返回至所述目标应用。In the rich execution environment, using the service identifier as an index, the initial identification information and the initial signature information of the registered target application are stored; The service identifier is returned to the target application.
可选的,所述注册服务请求包括以下至少一种信息:Optionally, the registration service request includes at least one of the following information:
所述目标应用中需要注册的服务的名称信息;Name information of the service that needs to be registered in the target application;
针对所述需要注册的服务是否开启数据加密的信息;Information on whether data encryption is enabled for the service that needs to be registered;
针对所述需要注册的服务的数据加密算法信息;Data encryption algorithm information for the service that needs to be registered;
针对所述需要注册的服务的数据解密公钥信息。The public key information is decrypted for the data of the service that needs to be registered.
可选的,所述目标应用的初始识别信息至少包括所述目标应用的唯一识别符,所述唯一识别符为所述目标应用在内核权限层的唯一标识。Optionally, the initial identification information of the target application includes at least a unique identifier of the target application, and the unique identifier is a unique identifier of the target application in the kernel permission layer.
Optionally, the service judgment unit is specifically configured to:
obtain information on all services of the target application;
determine whether all services of the target application have service identifiers.
Optionally, the service judgment unit is specifically configured to:
obtain the identification information of the target application at a permission layer higher than that of the target application, and use the identification information as the current identification information of the target application;
obtain the initial identification information recorded when the target application registered;
determine whether the current identification information of the target application is consistent with the initial identification information recorded when the target application registered.
Optionally, the service judgment unit is specifically configured to:
obtain the current signature information of the target application according to the current identification information of the target application;
obtain the initial signature information recorded when the target application registered;
determine whether the current signature information of the target application is consistent with the initial signature information recorded when the target application registered.
Optionally, the service judgment unit is specifically configured to:
obtain a code segment of the target application and the code segment position according to the current identification information;
obtain the current signature information of the target application according to the code segment and the code segment position.
Optionally, the service judgment unit is specifically configured to:
splice the code segment with the code segment position to obtain spliced code information;
obtain signature information of the code segment according to the spliced code information;
use the signature information of the code segment as the current signature information of the target application.
Optionally, the service judgment unit is specifically configured to:
determine the target application according to the current identification information;
select at least one code segment from the code of the target application as the code segment of the target application.
Optionally, the service judgment unit is specifically configured to:
determine whether permission to obtain the code segment is held for the target application;
if it is determined that permission to obtain the code segment is held for the target application, obtain the code segment of the target application through the current identification information.
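The registration units and the level-by-level checks of the service judgment unit described above can be simulated as follows. This is an added illustration, not code from the patent: SHA-256, the 8-byte position encoding, all class and function names, and the sample application identifiers are assumptions, since the patent names no algorithm or API.

```python
import hashlib
import hmac
import secrets


def code_signature(segment: bytes, position: int) -> bytes:
    """Splice the code segment with its position and digest the result.

    Assumption: SHA-256 and an 8-byte big-endian position; the patent names neither.
    """
    return hashlib.sha256(segment + position.to_bytes(8, "big")).digest()


class TrustedStore:
    """Stands in for the TEE database; the REE only sees these method results."""

    def __init__(self):
        self._records = {}  # service_id -> (initial app id, initial signature)

    def register(self, app_id: int, signature: bytes) -> str:
        service_id = secrets.token_hex(8)
        self._records[service_id] = (app_id, signature)
        return service_id

    def signature_matches(self, service_id: str, current: bytes) -> bool:
        record = self._records.get(service_id)
        # Constant-time comparison against the value stored at registration.
        return record is not None and hmac.compare_digest(record[1], current)


class ServiceManager:
    """REE-side component (hypothetical API) that gates every service request."""

    def __init__(self, tee: TrustedStore, read_code):
        self.tee = tee
        # read_code(app_id) -> (segment, position): models a reader running at a
        # permission layer above the application, keyed by its kernel-level id.
        self.read_code = read_code
        self.index = {}  # service_id -> initial app id (REE-side index)

    def register(self, app_id: int) -> str:
        segment, position = self.read_code(app_id)
        service_id = self.tee.register(app_id, code_signature(segment, position))
        self.index[service_id] = app_id
        return service_id

    def handle(self, service_id: str, current_app_id: int) -> str:
        # Level 1 (REE): is there a registered service for this identifier?
        if service_id not in self.index:
            return "rejected: not registered"
        # Level 2 (REE): current identification vs. identification at registration.
        if self.index[service_id] != current_app_id:
            return "rejected: identifier mismatch"
        # Level 3 (TEE): recompute the signature from the code as it is now.
        segment, position = self.read_code(current_app_id)
        current = code_signature(segment, position)
        if not self.tee.signature_matches(service_id, current):
            return "rejected: signature mismatch"
        return "accepted"


def demo() -> list:
    # Constructed sample data: kernel-level app id -> (code segment, position).
    apps = {
        1001: (b"\x55\x48\x89\xe5 service entry", 0x4000),
        1002: (b"\x55\x48\x89\xe5 other app", 0x4000),
    }
    manager = ServiceManager(TrustedStore(), lambda app_id: apps[app_id])
    sid = manager.register(1001)

    results = [manager.handle(sid, 1001)]               # unchanged app
    results.append(manager.handle(sid, 1002))           # another app reusing the id
    results.append(manager.handle("unregistered-id", 1001))
    apps[1001] = (b"\x55\x48\x89\xe5 patched entry", 0x4000)
    results.append(manager.handle(sid, 1001))           # code changed after registration
    apps[1001] = (b"\x55\x48\x89\xe5 service entry", 0x5000)
    results.append(manager.handle(sid, 1001))           # same bytes at another position
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The last case shows why the position is spliced into the signed data: identical bytes found at a different position no longer match the registered signature.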
Optionally, the service judgment unit is specifically configured to: in the rich execution environment, obtain a feedback data sample of the target application, and use the obtained feedback data sample as the obtained service request of the target application;
the service processing unit is specifically configured to: in the trusted execution environment, train, according to the feedback data sample, a decision model used to obtain a service decision result from the feedback data of the target application; and use the obtained decision model as the processing result.
Optionally, the device further includes a decision unit, the decision unit being specifically configured to:
obtain, in the rich execution environment, the feedback data of the target application;
obtain, in the trusted execution environment, a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model.
Optionally, the decision unit is specifically configured to:
collect, in the trusted execution environment, the feedback data of the target application into a database;
determine whether collection of the feedback data is complete and, if so, delete all the feedback data from the database;
obtain a service decision result for the feedback data of the target application according to the feedback data of the target application and the decision model.
Optionally, the decision unit further includes a decryption unit, the decryption unit being specifically configured to:
determine whether the feedback data is encrypted and, if so, decrypt the feedback data;
the decision unit is specifically configured to:
obtain a service decision result for the feedback data of the target application according to the decrypted feedback data and the decision model.
Optionally, the service judgment unit is specifically configured to: in the rich execution environment, obtain feedback data of the target application and obtain candidate objects according to the feedback data; obtain a decision request of the target application; and use the obtained decision request as the obtained service request of the target application;
the service processing unit is specifically configured to: in the trusted execution environment, obtain, according to the decision request of the target application, a decision model used to obtain a decision result from the candidate objects; obtain the decision result according to the candidate objects and the decision model; and use the obtained decision result as the processing result.
Optionally, the service judgment unit is specifically configured to:
obtain the object set corresponding to the feedback data;
obtain a filtering condition for the feedback data, filter out from the object set the objects that meet the filtering condition, and use the objects that meet the filtering condition as the candidate objects.
Optionally, the service processing unit is specifically configured to:
obtain the service identifier contained in the decision request;
obtain the decision model using the service identifier as an index.
Optionally, the service processing unit is specifically configured to:
score each element of the candidate objects according to the decision model to obtain a scoring result;
sort the elements according to the scoring result to obtain a sorting result;
use the scoring result and the sorting result as the decision result.
The application service method of the present application can be applied on a terminal. Correspondingly, the present application further provides a terminal. Please refer to FIG. 7, a schematic diagram of a terminal according to Embodiment 7 of the present application. Because this terminal embodiment is essentially similar to method Embodiments 1 to 5, it is described relatively briefly; for related details, refer to the corresponding descriptions of Embodiments 1 to 5. The method embodiments described below are merely illustrative.
The terminal provided by the present application includes the following parts.
A service judgment unit 701, configured to: in the rich execution environment of the terminal, determine whether the target application has a registered service and, if so, obtain the service request of the target application, obtain the current identification information of the target application according to the service request, and obtain the current signature information of the target application through the current identification information; determine whether the current identification information of the target application is consistent with the initial identification information recorded when the target application registered; and, if the current identification information is consistent with the initial identification information, determine in the trusted execution environment of the terminal whether the current signature information of the target application is consistent with the initial signature information recorded when the target application registered;
a service processing unit 702, configured to process the service request of the target application if the determination result is yes.
The present application further provides a system for application services. FIG. 8 is a schematic diagram of the components of an embodiment of a system for application services according to Embodiment 8 of the present application. The system includes the following components: a feedback data collector, a service manager, an end-side decision TA, a feedback learner, a decider, and a data and model manager.
The feedback data collector and the service manager are located in the rich execution environment of the system. The feedback data collector collects the feedback data of the target application according to identification information obtained at a permission layer higher than that of the target application, and the service manager passes the request type of the service into the trusted execution environment according to identification information obtained at a permission layer higher than that of the target application.
The end-side decision TA, the feedback learner, the decider, and the data and model manager are all located in the trusted execution environment. The end-side decision TA calls the feedback learner, the decider, and the data and model manager according to the request type of the service, and processes that request type. The request types of a service include service registration/deregistration, feedback data processing, and online decision-making. The feedback learner trains, according to feedback data samples, a decision model used to obtain a service decision result from the feedback data of the target application. The decider obtains a service decision result for the feedback data of the target application according to the feedback data and the decision model. The data and model manager stores the feedback data and the decision model.
The system of the present application assigns its components to different execution environments, which ensures the security of data transmission for applications that use the system and prevents data from being tampered with in transit while the services of the target application are in use.
Although the present application is disclosed above by way of preferred embodiments, these are not intended to limit the present application. Any person skilled in the art may make possible changes and modifications without departing from the spirit and scope of the present application; therefore, the scope of protection of the present application shall be the scope defined by the claims of the present application.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory. Memory may include forms of computer-readable media such as non-persistent memory, random access memory (RAM) and/or non-volatile memory, for example read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
1. Computer-readable media include persistent and non-persistent, removable and non-removable media, which may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include non-transitory computer readable storage media, such as modulated data signals and carrier waves.
2. Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
Claims (28)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910411135.XA CN111953637B (en) | 2019-05-16 | 2019-05-16 | Application service method and device |
PCT/CN2020/088644 WO2020228564A1 (en) | 2019-05-16 | 2020-05-06 | Application service method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910411135.XA CN111953637B (en) | 2019-05-16 | 2019-05-16 | Application service method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111953637A (en) | 2020-11-17 |
CN111953637B (en) | 2022-08-26 |
Family
ID=73288833
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910411135.XA (Active; CN111953637B) | Application service method and device | 2019-05-16 | 2019-05-16 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN111953637B (en) |
WO (1) | WO2020228564A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113296831B (en) * | 2021-06-11 | 2023-08-25 | 恒安嘉新(北京)科技股份公司 | Application identifier extraction method and device, computer equipment and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105446713A (en) * | 2014-08-13 | 2016-03-30 | 阿里巴巴集团控股有限公司 | Safe storage method and equipment |
CN105447387A (en) * | 2015-11-05 | 2016-03-30 | 工业和信息化部电信研究院 | Trusted application detection method and apparatus based on hardware isolation environment |
WO2017219812A1 (en) * | 2016-06-25 | 2017-12-28 | 华为技术有限公司 | Content recommendation method and device |
EP3293656A1 (en) * | 2016-09-13 | 2018-03-14 | Gemalto Sa | Method for controlling access to a trusted application in a terminal |
CN108156175A (en) * | 2018-01-22 | 2018-06-12 | 成都汇智远景科技有限公司 | To the access method of shared storage information under cloud computing platform |
CN108399329A (en) * | 2018-01-23 | 2018-08-14 | 晶晨半导体(上海)股份有限公司 | A method of improving trusted application safety |
CN108664772A (en) * | 2018-04-27 | 2018-10-16 | 北京可信华泰信息技术有限公司 | A method of ensureing security of system |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104023032B (en) * | 2014-06-23 | 2017-11-24 | 北京握奇智能科技有限公司 | Application based on credible performing environment technology is limited discharging method, server and terminal |
US10250595B2 (en) * | 2015-03-30 | 2019-04-02 | Gbs Laboratories, Llc | Embedded trusted network security perimeter in computing systems based on ARM processors |
CN105429760B (en) * | 2015-12-01 | 2018-12-14 | 神州融安科技(北京)有限公司 | A kind of auth method and system of the digital certificate based on TEE |
US9917862B2 (en) * | 2016-04-14 | 2018-03-13 | Airwatch Llc | Integrated application scanning and mobile enterprise computing management system |
Also Published As
Publication number | Publication date |
---|---|
WO2020228564A1 (en) | 2020-11-19 |
CN111953637A (en) | 2020-11-17 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||