CN112396071A - Information monitoring method and device, terminal and storage medium - Google Patents

Information monitoring method and device, terminal and storage medium Download PDF

Info

Publication number
CN112396071A
CN112396071A CN201910745305.8A CN201910745305A CN112396071A CN 112396071 A CN112396071 A CN 112396071A CN 201910745305 A CN201910745305 A CN 201910745305A CN 112396071 A CN112396071 A CN 112396071A
Authority
CN
China
Prior art keywords
uplink message
application
user
information
white list
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910745305.8A
Other languages
Chinese (zh)
Inventor
赵鹏宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp filed Critical ZTE Corp
Priority to CN201910745305.8A priority Critical patent/CN112396071A/en
Publication of CN112396071A publication Critical patent/CN112396071A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2415Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on parametric or probabilistic models, e.g. based on likelihood ratio or false acceptance rate versus a false rejection rate
    • G06F18/24155Bayesian classification
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/30Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mathematical Physics (AREA)
  • Computer Security & Cryptography (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Biomedical Technology (AREA)
  • Computer Hardware Design (AREA)
  • Biophysics (AREA)
  • Technology Law (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Medical Informatics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiment of the invention relates to the field of information processing, and discloses an information monitoring method and device, a terminal and a storage medium. Intercepting an uplink message sent by a target application at a system layer, forwarding the uplink message to an application layer, and detecting the uplink message at the application layer; and when the uplink message contains the user privacy information, intercepting the uplink message and informing the user. According to the invention, the application information uploaded to the network is monitored, so that the user privacy information is prevented from being leaked, and meanwhile, the monitoring object is limited to the uplink message of the application, so that the influence of monitoring on the network performance is reduced to the minimum, the risk of network delay is reduced, and the user experience is improved.

Description

Information monitoring method and device, terminal and storage medium
Technical Field
The present invention relates to the field of information processing, and in particular, to an information monitoring method and apparatus, a terminal, and a storage medium.
Background
The third-party applications owned by the current smart phone are more and more abundant, a user is difficult to avoid obtaining some personal privacy messages while using the third-party application services, once some malicious applications or applications with weak security awareness upload the privacy messages to a network environment through an unencrypted communication protocol, the privacy messages of the user are possibly leaked, and therefore, it is more and more important to timely identify and intercept unsafe application operations so as to protect the privacy messages of the user.
Disclosure of Invention
An object of embodiments of the present invention is to provide an information monitoring method and apparatus, a terminal, and a storage medium, which at least solve the problem that private information of a user is exposed in an unsafe network environment due to malicious third-party applications or insufficient security awareness, and at the same time reduce the influence of information sent by a monitoring application on network performance as much as possible.
In order to solve at least the above technical problems, embodiments of the present invention provide an information monitoring method and apparatus, a terminal, and a storage medium, including: intercepting an uplink message sent by a target application at a system layer, forwarding the uplink message to an application layer, and detecting the uplink message at the application layer; and when the uplink message contains the user privacy information, intercepting the uplink message and informing the user.
An embodiment of the present invention further provides an application information monitoring apparatus, including: the intercepting unit is used for intercepting the uplink messages sent by each application at a system layer and forwarding the uplink messages to an application layer; the detection unit is used for detecting the uplink message in an application layer; and the processing unit intercepts the uplink message and informs the user when the uplink message contains the user privacy information.
An embodiment of the present invention further provides a terminal, including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to execute the information monitoring method.
The embodiment of the invention also provides a computer readable storage medium for storing a computer program, wherein the computer program is used for executing the information monitoring method by calculation.
Compared with the prior art, the embodiment of the invention monitors the user privacy information by designing an information monitoring method to replace VPN service, and intercepts and informs the user if the information monitoring method judges that the user privacy information is contained, thereby preventing the user privacy information from being leaked. Meanwhile, the monitoring is only directed at the uplink message of the application, so that the monitoring of the information is more targeted, the influence of the monitoring on the network performance is reduced to the minimum, the possibility of network delay is reduced, and the user experience is improved.
In addition, before forwarding the uplink message to the application layer, the method further includes: judging whether the source application of the uplink message exists in a white list or not according to a preset white list, and sending the uplink message when the source application of the uplink message exists in the white list; and when the source application of the uplink message does not exist in the white list, forwarding the uplink message to an application layer. The uplink messages sent by the applications existing in the white list do not need to be monitored, so that the white list is arranged, the system customizability flexibility is increased, and unnecessary calculation overhead of the system can be reduced, so that the overall performance is increased.
In addition, the white list is preset by one or more of the following methods: the system automatically sets a white list and a user-defined white list; the system automatically sets the white list to include one or more of the following applications: application without networking authority, system application and manufacturer setting application; the user-defined whitelist is manually added by the user. The system automatically sets the white list without manual execution of the user, so that the user can simply use the white list, and the problem that the calculation burden of the system is increased due to the fact that the user does not set the white list is avoided. The user-defined white list can enable the user to add the trust application independently, and user experience is improved.
In addition, before the application layer detects the uplink message, the method further comprises the following steps: and judging whether the uplink message is encrypted, if so, sending the uplink message, and if not, detecting the uplink message in an application layer. If the uplink message is encrypted, the uplink message is free from the risk of revealing the privacy information of the user, so that the uplink message does not need to be detected, and the calculation burden of the system can be reduced.
In addition, the detection of the uplink message in the application layer includes: detecting the uplink message by adopting a pre-trained word embedding dimension-reducing Bayesian classification algorithm as a main algorithm; if the probability that the uplink message detected by the main algorithm contains the user privacy information is smaller than a first preset threshold value, judging that the uplink message does not contain the user privacy information; if the probability that the uplink message detected by the main algorithm contains the user privacy information is larger than a second preset threshold value, judging that the uplink message contains the user privacy information; if the probability that the uplink message detected by the main algorithm contains the user privacy information is larger than a first preset threshold and smaller than a second preset threshold, performing secondary detection on the uplink message by adopting an auxiliary detection algorithm; the first preset threshold is smaller than the second preset threshold. The word embedding dimension reduction Bayesian classification algorithm can greatly reduce the complexity of data processed by the detection algorithm, remarkably improve the efficiency of the detection algorithm, and meanwhile, in order to ensure the reliability of detection results while ensuring the efficiency, the auxiliary detection algorithm is added for secondary judgment, so that the overall accuracy of the algorithm can be remarkably improved. Since most cases only high speed algorithms need to be performed, the overall detection procedure time consumption can still be kept sufficiently low. Therefore, by means of the two-step process, the detection process can simultaneously ensure high speed and high accuracy.
In addition, the auxiliary detection algorithm is a one-dimensional convolutional neural network. The one-dimensional convolutional neural network algorithm is deep learning, has high reliability and can obviously improve the overall accuracy of the algorithm.
In addition, the detecting the uplink message in the application layer further comprises: and starting the virtual private network VPN service, and sending the uplink message through the virtual private network VPN service when the uplink message does not contain the user privacy information. When the VPN service is started, the uplink message forwarded by the application layer is forwarded to the VPN application after detection is completed, and the uplink message is sent by the VPN, so that the VPN and the service of the invention can be independently switched and do not interfere with each other.
Drawings
One or more embodiments are illustrated by the corresponding figures in the drawings, which are not meant to be limiting.
FIG. 1 is a flow chart of an information monitoring method according to a first embodiment of the present invention;
fig. 2 is a schematic diagram of an information monitoring method according to a first embodiment of the present invention;
FIG. 3 is a detection flow chart of two detection algorithms for privacy protection according to a first embodiment of the present invention;
FIG. 4 is a flow chart of the main algorithm in accordance with the first embodiment of the present invention;
FIG. 5 is a flow chart of an assist detection algorithm in accordance with the first embodiment of the present invention;
FIG. 6 is a flow chart of an information monitoring method according to a second embodiment of the present invention;
FIG. 7 is a flow chart of an information monitoring method according to a third embodiment of the present invention;
FIG. 8 is a flow chart of an information monitoring method according to a fourth embodiment of the present invention;
fig. 9 is a schematic diagram of an information monitoring method according to a fourth embodiment of the present invention;
FIG. 10 is a schematic view of an information monitoring apparatus according to a sixth embodiment of the present invention;
fig. 11 is a schematic structural diagram of an electronic device according to a seventh embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. However, it will be appreciated by those of ordinary skill in the art that numerous technical details are set forth in order to provide a better understanding of the present application in various embodiments of the present invention. However, the technical solution claimed in the present application can be implemented without these technical details and various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not constitute any limitation to the specific implementation manner of the present invention, and the embodiments may be mutually incorporated and referred to without contradiction.
A first embodiment of the present invention relates to an information monitoring method, which can be applied to various terminal devices, such as a user mobile phone, a tablet computer, and the like, and is not described herein again. In the embodiment, the system layer intercepts the uplink messages sent by each application, forwards the uplink messages to the application layer, detects the uplink messages in the application layer and judges whether the uplink messages contain user privacy information or not; and if the uplink message contains user privacy information, intercepting the uplink message and informing the user, otherwise, sending the uplink message.
The following describes the implementation details of the information monitoring method of the present embodiment in detail, and the following is only provided for the convenience of understanding and is not necessary for implementing the present embodiment.
A flowchart of an information monitoring method in the present embodiment is shown in fig. 1, and includes:
step 101, intercepting an uplink message sent by a target application at a system layer.
Specifically, the current smart phone has rich third-party applications, and when a network request is sent by the third-party application, the network request may carry various user information to be uploaded, wherein the user information may include user privacy information. As shown in fig. 2, in order to monitor the uplink message sent by the target application 11, a virtual module 21, such as a virtual network card, may be specifically set in the system layer 20, and is used to intercept the uplink message sent by the target application 11.
It can be noted that the intercepted message refers specifically to an uplink message, and the downlink message is directly sent to the application according to normal logic, so that the downlink message does not need to be monitored, and it can be understood that the risk that private information is leaked does not exist in the information received by the user.
And 102, forwarding the uplink message to an application layer.
Specifically, the uplink message of the target application 11 is intercepted by the virtual module 21, and then sent to the application layer 10 by the virtual module 21. In particular, the virtual module 21 sends the intercepted upstream message to the detection module 12 operating at the application layer 10.
And 103, detecting the uplink message in an application layer.
Specifically, the intercepted uplink message of the target application is detected at the detection module 12 of the application layer 10, which may specifically be a certain detection application, and the detection application adopts a specific detection algorithm to detect whether the uplink message of the target application contains the user privacy information, and outputs a detection result. The specific detection algorithm will be described in detail after the description of the specific implementation steps of this embodiment.
And step 104, executing step 105 when the uplink message contains the user privacy information, otherwise, executing step 106.
Specifically, whether the obtained uplink message contains the privacy message is judged according to the detection result obtained in the step 103; subsequent processing is performed according to the different determination results.
And 105, intercepting the uplink message and informing the user.
Specifically, the uplink message which is determined to contain the user privacy is intercepted temporarily, a warning is sent to the user, warning information which is sent to the user contains the details of the detection, then the user can decide what operation to perform next, and the user can choose to ignore the warning and continue sending or intercept and delete the uplink message immediately.
And step 106, sending the uplink message.
After the detection application detects the uplink message of the target application, the uplink message is released and sent to the external network 30 directly by the system layer 20.
The judgment of whether the uplink message of the target application contains the user privacy information needs to identify the uploaded information on the detection module in real time, so that the performance of the detection algorithm is extremely high. The algorithm technology can compress the word space with a large range in the message into a plurality of limited core semantic categories, extracts the message body with complex content machines into the characteristics consisting of some semantic labels, and then carries out privacy information detection by taking the processed characteristics as a main body.
In order to ensure the reliability of the detection result while ensuring the efficiency, a dimensionality reduction optimization strategy is adopted, and a set of detection flow is designed in the embodiment, as shown in fig. 3, a main algorithm and an auxiliary detection algorithm are combined into one detection flow, wherein the main algorithm is a pre-training word embedded dimensionality reduction bayesian classification algorithm, the auxiliary detection algorithm is a sectional type one-dimensional convolutional neural network classification algorithm, when the posterior probability confidence of the main detection algorithm reaches a certain threshold requirement, secondary judgment is carried out by the auxiliary detection algorithm, so that the false alarm rate and the omission factor are both controlled to be the lowest, and the detection flow specifically comprises the following steps:
step 1101, calculating the posterior probability confidence degree containing the privacy information through a main algorithm.
The pre-training word embedding dimension-reducing Bayes classification algorithm adopted by the main algorithm is based on a Bayes formula and specifically comprises word embedding, clustering and an LDA topic model. Based on the three concepts, the main algorithm is specially customized for the application scene of the embodiment, whether sensitive information is contained or not is judged, fine semantics and a sequence structure of a word do not need to be concerned, and then redundant information is removed through embedded coding and classification dimension reduction operation, and only core features are reserved. The accuracy can be kept high while the algorithm calculation complexity is remarkably reduced and the speed is increased. The main algorithm flowchart is shown in fig. 4, and specifically includes the following steps 1201 to 1205:
step 1201, firstly, the text to be detected is segmented into words and is decomposed into word sets.
Specifically, in the word segmentation algorithm, the frequency can be used as the probability to calculate, in a given text to be detected, statistics is performed by taking words as units, the frequency of occurrence of each word is counted, and all possible word segmentation results are counted, so that a word set is formed.
These words are then converted to vector encodings by a pre-trained word embedding model, step 1202. The word embedding model is pre-trained, and the conversion process is highly efficient.
Specifically, word embedding is a word encoding technique developed in the field of natural language processing in recent years, in which natural words are mapped into a high-dimensional vector space by a certain rule, vectors of the same dimension are used to represent each word, and the vector distance of words of similar semantics is ensured to be closer as much as possible. Word embedding is generally used for preprocessing of deep learning of natural language recognition, and the algorithm proposed in the embodiment applies this technique to word feature extraction for classification and dimension reduction. In practice, the word embedding result should be a high-dimensional vector, and the vector distance after the words with similar semantics are coded is also more similar.
At step 1203, the transformed vector code actually contains semantic features and can be used directly for dimensionality reduction. The dimension reduction process is to divide the coded words into preset k semantic classes through a k-nearest neighbor classification algorithm. The centers of the k semantic classes are obtained by pre-training through a k-means clustering algorithm, and the classification process is very efficient.
Specifically, clustering is to apply a k-means clustering algorithm to cluster a large number of words in a message body into a limited number of central semantic classifications, and to give vector features corresponding to each central semantic and a relationship between the vector features and sensitive information. The operation of the step is preprocessing, and the clustering result and the relation parameter are written into the algorithm to be directly used after the calculation is finished. The mechanism can obviously reduce the complexity of data processing required by the algorithm in formal detection, greatly improve the detection speed and cannot reduce the detection accuracy.
In step 1204, the classified and dimensionality-reduced message is converted into a feature vector composed of a plurality of semantic classes, and the feature dimensionality is greatly reduced compared with that before dimensionality reduction, so that the computation amount of subsequent calculation is reduced.
Specifically, clustering is performed on the basis of word embedding codes, and a large number of word banks are clustered into a plurality of semantic classes, the number of semantic classes being much smaller than the number of words. And when the method is used, words are replaced by semantic classes, so that dimension reduction is completed.
And step 1205, the feature vector of the message is substituted into a Bayesian formula to solve the posterior probability containing the sensitive information, and the detection is completed through the calculation result.
In particular, the LDA topic model is a bayesian model, and the basic assumption is that messages with different topics (including or not including private information) have different word frequency distribution probabilities, so that the topic of a message can be inferred by the distribution of different words in the message. The inference process is established on the basis of a strict Bayesian formula, so that the LDA model has higher reliability compared with the common method.
In order to classify intercepted messages with the LDA model, some model parameters need to be specified. These parameters may be obtained by training, assuming a training set ω ═ ω, ω12,...ωMAnd ω is a word in the document, and the model parameters are estimated by using a maximum likelihood method:
Figure BDA0002165363140000061
where α is a parameter of Dirichlet prior (Dirichlet prior) of each document topic distribution, that is, a priori weight of the document topic. η is a parameter of Dirichlet prior (Dirichlet priors) distributed for each topic word, i.e. a prior weight of a word in a topic. All subjects 'α and all words' η are typically considered equal and sparse, and can be represented by α and η, which can be estimated by the above formula using maximum likelihood.
The parameter training is pre-training, and the writing application after pre-training by a manufacturer does not influence the speed of the user in use.
After the model parameters are determined, the probability distribution of different words in the messages containing the user privacy information and the messages not containing the user privacy information is determined. Then the word frequency distribution in the message can be obtained, and the posterior probability of the message aiming at different subjects can be calculated through a Bayesian formula:
Figure BDA0002165363140000062
wherein, let θ bemShowing the distribution of topics for the mth document, having a value of θmk=p(zkm)。βkWord distribution representing topic k, with βki=p(ωi|zk)。zmnIs the subject to which the nth word in the mth document belongs. Word frequency omega observed at presentmnThen, the theta can be estimated by the Bayesian formula of the above formulamk,zmnThe parameter values.
At this time, the detection and judgment can be completed only by comparing the posterior probability of the current message aiming at the subjects containing the privacy information and the subjects not containing the privacy information. The algorithm is high in speed and accuracy, and can efficiently screen messages, so that the influence of the function on user experience is reduced to the minimum. The core of the algorithm is that efficiency is used as the first guide, all time-consuming steps are pre-calculated in a preprocessing mode, and the steps executed in actual detection are simplified and efficient, so that the influence of the detection process on user experience is reduced to the minimum.
The posterior probability confidence is obtained through the main algorithm in the above steps, and the next step 1102 of the detection flow combining the following two detection algorithms is executed according to the calculation result to judge the result of the posterior probability confidence:
step 1102, determining whether the confidence of the obtained posterior probability is smaller than a first threshold, which is 0.25 in this embodiment, but not limited to this value, and when the classification confidence is smaller than the first threshold, performing step 1104, that is, determining that the detection result does not include privacy information; otherwise, go to step 1103.
Specifically, the posterior probability confidence obtained by the main algorithm determines that the uplink message does not contain private information when the value is smaller than the first threshold, and continues to perform the next step 1103 to determine when the value is not smaller than the first threshold, where the first threshold is not limited to 0.25 in this embodiment.
Step 1103, determining whether the confidence of the obtained posterior probability is greater than a second threshold, which is 0.75 in this embodiment, but not limited to this value. When the classification confidence is greater than the second threshold, step 1105 is performed, that is, it is determined that the detection result includes the privacy information, otherwise, step 1106 is performed.
Specifically, it is determined that the uplink message contains the private information when the value is greater than the second threshold value according to the posterior probability confidence obtained in the first step, and when the value is not greater than the second threshold value, the next step 1106 is continuously performed to perform the determination, where the second threshold value is not limited to 0.75 in this embodiment.
And step 1106, performing secondary judgment by using an auxiliary detection algorithm.
Although good results can be obtained by using the main algorithm, the function of detecting the private information requires higher accuracy, because under the application scene of the technology, the user experience is seriously influenced by both missing report and false report. A great amount of false reports can make the interception mechanism lose significance, and a great amount of false reports can seriously reduce the use experience of a user, so that an algorithm with higher accuracy is introduced for secondary judgment when the confidence coefficient of the posterior probability calculated by the LDA is not too high, and the mechanism can reach the required level in the aspects of overall speed and accuracy.
The auxiliary detection algorithm is a one-dimensional convolutional neural network, and the method has high accuracy and high speed and meets the requirement on a secondary judgment algorithm. In deep learning, a convolutional neural network is generally used for processing images, and a cyclic neural network is mostly used in analysis of natural language, which is determined by characteristics of images and natural language, images are more concerned about the relationship between a certain feature and surrounding features and require that the features have translation invariance, and natural language is more concerned about the sequence of appearance of the features and the relationship between the features and preceding and following sentences.
However, although the privacy information detection in the embodiment belongs to semantic recognition, the privacy information detection is greatly different from the attention points of natural language processing, and the text faced by the privacy recognition is not a complete sentence and has no coherent semantics, so that the problem that the order problem of the whole sentence is not concerned much and the problem is caused by trying to recognize the semantics of the network data packet is solved. Meanwhile, the private information may appear at any position of the data packet, translation invariance is required for feature identification, and features of the private information generally exist in one segment, which all indicate that the one-dimensional convolutional neural network is more satisfactory, and in addition, the parallel processing of the convolutional neural network has higher performance than that of the cyclic neural network.
On the basis, in order to further improve the running speed of the neural network, a segmented one-dimensional convolution neural network model is provided on the basis of not reducing the accuracy of the neural network result. The model multiplexes intermediate calculation results of word embedding and classification in the main algorithm, and directly uses intermediate variables cached in the main algorithm as input values of the convolutional neural network. The traditional neural network mainly comprises an embedding layer, a convolutional layer, a pooling layer and a full-connection layer, and finally, the output is a sigmod activation function for two classifications. In this way, the embedded layer, the convolution layer and the pooling layer can be removed from the traditional one-dimensional convolution neural network, the depth and the variable number of the neural network are reduced, and the operation speed is obviously improved.
Based on the above reasons, the flow chart of the auxiliary detection algorithm provided in this embodiment is shown in fig. 5, wherein step 1301, step 1302 and step 1303 are first half of a segment, and actually, the operation is consistent with that of the main algorithm, and intermediate calculation results of word embedding and classification in the main algorithm can be directly used, so that in practice, secondary judgment is performed only by executing the second half of the segment to speed up the algorithm, and the specific flow includes:
and 1304, inputting the intermediate calculation result of the main algorithm into a one-dimensional convolution neural network for calculation.
Step 1305, outputting the classification result by using the full connection layer.
Step 1306, output the result of the binary classification through the Sigmod activation function.
Most messages can be successfully detected through the main algorithm, and secondary judgment is not required. In practice this procedure will be performed very fast, ensuring overall high efficiency. In a few cases, the judgment of the main algorithm fails and is supplemented by a secondary detection algorithm, the secondary detection algorithm is deep learning, the reliability is very high, and the integral accuracy of the algorithm can be obviously improved. The detection flow provided by the invention can find a proper balance point in speed and accuracy, so that the whole detection process keeps high speed and high accuracy, and the invention can reach the commercial standard.
The auxiliary detection algorithm is completed in the above steps 1301 to 1306, and the following step 1107 is the last step of the detection flow combining the two detection algorithms, that is, the user privacy message is judged according to the secondary judgment result of the auxiliary detection algorithm:
step 1107, if the secondary judgment result contains the privacy message, step 1105 is executed, that is, the detection result is judged to contain the privacy message; otherwise, step 1104 is executed, i.e. it is determined that the detection result does not contain the privacy information.
Specifically, whether the uplink message contains the user privacy information is checked through a designed algorithm flow, if the uplink message does not contain the user privacy information, the fact that the uplink message does not have the risk of revealing the user privacy information is shown, and it is judged that the detection result does not contain the privacy information. If the user privacy information is detected in the data packet, the uplink message contains the user privacy information, so that a great privacy disclosure risk exists, and the detection result is judged to contain the privacy information.
According to the embodiment, the application information uploaded to the network is monitored, so that the privacy information of the user is prevented from being leaked, and meanwhile, the monitoring object is limited to the uplink message of the application, so that the influence of monitoring on the network performance is reduced to the minimum, the risk of network delay is reduced, and the user experience is improved. In addition, compared with the existing detection technology based on the VPN service, because the functional module of the embodiment is completely arranged in the system, redundant status bar identification is avoided, and a background application is not resident in a task bar, the scheme of the embodiment can effectively prevent the user from clearing the background process and simultaneously clearing the process of the detection application to cause function abnormity, and more importantly, the simple use experience can be provided for the user.
A second embodiment of the present invention relates to an information monitoring method. The second embodiment is substantially the same as the first embodiment, and mainly differs therefrom in that: in the second embodiment of the present invention, a white list is preset, and an uplink message of a target application is processed according to the set white list, as shown in fig. 6, the processing includes:
step 201, intercepting the uplink message sent by each application at the system layer. This step is similar to step 101 of the first embodiment, and is not described herein again.
Step 202, determine whether the source application of the uplink message exists in the white list.
In particular, in this step, the white list is a list of trusted applications, i.e. the applications present in the white list are trusted applications that do not need to be detected, so that upstream messages sent by the applications do not need to be intercepted.
In addition, the white list is preset by one or more of the following methods: the system automatically sets a white list and a user-defined white list; the system automatically sets the white list to include one or more of the following applications: application without networking authority, system application and manufacturer setting application; the user-defined whitelist is manually added by the user. The three applications in the white list automatically set by the system are only specific examples, but not limited to these three applications. The user sets the white list to be manually added by the user, and the user can set the white list according to the use requirement of the user.
The uplink message sent by the trusted application existing in the white list does not need to be intercepted and detected, so that the white list is set, the system customizability flexibility is improved, unnecessary calculation overhead of the system can be reduced, and the overall performance can be improved. In addition, the white list is divided into the system automatic setting white list and the user self-defined white list, and the automatic setting white list does not need to be manually executed by the user, so that the simple use experience of the user can be provided, and the condition that the calculation burden of the system is increased due to the fact that the user is not set can be avoided. The user can add the trusted application independently by setting the white list, so that the possibility that the application which is determined to be trusted by the user is intercepted by detection is avoided, and the user experience is improved.
Step 203, forwarding the uplink message to the application layer.
And step 204, detecting the uplink message at an application layer.
Step 205, when the uplink message contains the user privacy information, step 206 is executed, otherwise, step 207 is executed.
And step 206, intercepting the uplink message and informing the user.
Step 207, sending the uplink message.
Step 201, step 203, step 204, step 205, step 206 and step 207 of this embodiment are similar to step 101, step 102, step 103, step 104, step 105 and step 106 of the first embodiment, respectively, and are not described again here.
A third embodiment of the present invention relates to an information monitoring method, and as shown in fig. 7, the third embodiment is substantially the same as the second embodiment, and mainly differs in that: in the third embodiment of the present invention, before the application layer detects the uplink message, the method further includes: and judging whether the uplink message is encrypted, if so, sending the uplink message, and if not, detecting the uplink message in an application layer. As shown in fig. 7, includes:
step 301, intercepting the uplink message sent by each application at the system layer. This step is similar to step 201 of the second embodiment, and is not described herein again.
Step 302, determine whether the source application of the uplink message exists in the white list. This step is similar to step 202 of the second embodiment, and is not described herein again. In a specific embodiment, this step is optional and not necessary to practice the present solution.
Step 303, forwarding the uplink message to the application layer.
Step 304, determine whether the uplink message is encrypted.
Specifically, a preliminary check may be performed on the obtained uplink message to see whether the data message is encrypted, for example, whether the data message is an encrypted HTTPS protocol, which is only an example and is not limited to the HTTPS encryption protocol. If the data message is encrypted HTTPS protocol, this proves that the upstream message will not be listened to during transmission, and can be considered secure. The uplink information can be directly transmitted through detection. If the uplink message is an unencrypted HTTPS protocol, the security risk is considered to exist, and the next step is needed to continue detection.
Step 305, detecting the uplink message in the application layer.
Step 306, when the uplink message contains the user privacy information, step 307 is executed, otherwise, step 308 is executed.
Step 307, intercepting the uplink message and notifying the user.
Step 308, sending the uplink message.
Steps 301, 302, 303, 305, 306, 307 and 308 of this embodiment are similar to steps 201, 202, 203, 204, 205, 206 and 207 of the first embodiment, respectively, and are not repeated herein.
In the embodiment, if the uplink message is encrypted, the uplink message is considered to have no risk of revealing the privacy information of the user, so that the uplink message does not need to be detected, and the calculation burden of the system can be reduced.
The related technical details mentioned in the first embodiment and the second embodiment are still valid in this embodiment, and are not described herein again in order to reduce repetition. Accordingly, the related-art details mentioned in the present embodiment can also be applied to the first embodiment.
A fourth embodiment of the present invention relates to an information monitoring method, and is substantially the same as the third embodiment, and mainly differs therefrom in that: if the user opens the VPN service, the request entering the normal sending process is transmitted to the application of the VPN service after the detection is finished according to the preset process, and the subsequent communication is processed by the VPN service. The starting of the private information detection interception function does not influence the user to use the VPN service.
Specifically, as shown in fig. 8, the present invention includes:
step 401, intercepting the uplink message sent by each application at the system layer.
Step 402, determine whether the application exists in the white list.
Step 403, forwarding the uplink message to the application layer.
Step 404, determine whether the uplink message is encrypted.
Step 405, detecting the uplink message in the application layer.
Step 406, when the uplink message contains the user privacy information, step 408 is executed, otherwise, step 409 is executed.
Steps 401, 402, 403, 404, 405, and 406 in this embodiment are similar to steps 301, 302, 303, 304, 305, and 306 in the third embodiment, and are not repeated herein.
Step 407, whether the VPN service is open.
The detection module is compatible with the VPN service of the system, when the user starts the VPN service, the whole module architecture is as shown in fig. 9, the VPN application 13 and the detection module 12 are in a serial processing mode, the uplink message is intercepted and transmitted to the detection module 12 by the first virtual module 21 for detection, when the detection process is finished and the uplink message is sent out again, the uplink message is forwarded to the VPN application 13 through the second virtual module 22 according to the normal VPN service, and finally the uplink message is sent through the VPN gateway 40, thereby completing step 410. For the VPN service, whether the received information data is detected or not does not have influence, so the detection process in the invention is transparent for the VPN service, and the VPN service and the detection process can be started simultaneously.
Step 408, intercepting the uplink message and notifying the user.
Step 409, sending the uplink message.
Steps 408 and 409 of this embodiment are similar to steps 307 and 308 of the third embodiment, respectively, and are not described again here.
Step 410, sending an upstream message through the VPN service.
This step is illustrated as step 407 and will not be described further herein.
In this mode of the embodiment, the existence of the detection module is not sensed no matter the application to be detected or the VPN service opened by the user. That is, the detection module in this embodiment does not affect the use function of any mobile phone itself, so the VPN and the service of this embodiment can be switched on and off independently without interference.
A fifth embodiment of the present invention relates to an information monitoring method, and is substantially the same as the fourth embodiment, and mainly differs therefrom in that: in a fifth embodiment of the present invention, the privacy detection function of the system layer may be turned off.
And according to a set rule, detecting the starting state of the private information detection function by the system layer, and if the detection function is not started, entering a normal communication flow for preparation and sending. If the detection function is turned on, the data packet of the network request is transmitted to the next step for detection. According to the implementation method, the user can select to close the privacy detection, so that the user experience can be improved.
The related technical details mentioned in the fourth embodiment are still valid in this embodiment, and are not described herein again in order to reduce repetition. Accordingly, the related-art details mentioned in the present embodiment can also be applied to the fourth embodiment.
The steps of the above methods are divided for clarity, and the implementation may be combined into one step or split some steps, and the steps are divided into multiple steps, so long as the same logical relationship is included, which are all within the protection scope of the present patent; it is within the scope of the patent to add insignificant modifications to the algorithms or processes or to introduce insignificant design changes to the core design without changing the algorithms or processes.
It should be noted that each module referred to in this embodiment is a logical module, and in practical applications, one logical unit may be one physical unit, may be a part of one physical unit, and may be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, elements that are not so closely related to solving the technical problems proposed by the present invention are not introduced in the present embodiment, but this does not indicate that other elements are not present in the present embodiment.
The sixth embodiment of the present invention relates to an information monitoring apparatus 600, which may include, but is not limited to, the following units, as shown in fig. 10.
An intercepting unit 601, configured to intercept, at a system layer, an uplink message sent by each application, and forward the uplink message to an application layer;
a detecting unit 602, configured to detect an uplink message in an application layer;
the processing unit 603 intercepts the uplink message and notifies the user when the uplink message includes the user privacy information.
In a specific embodiment, the intercepting unit 601 may further determine, according to a preset white list, whether the source application of the uplink message exists in the white list, if the source application of the uplink message exists in the white list, directly send the uplink message, and if the source application of the uplink message does not exist in the white list, forward the uplink message to the application layer.
In a specific embodiment, the white list is pre-set by one or more of the following methods: the system automatically sets a white list and a user-defined white list; the system automatically sets the white list to include one or more of the following applications: application without networking authority, system application and manufacturer setting application; the user-defined whitelist is manually added by the user.
In a specific embodiment, the detecting unit 602 is specifically configured to, before the application layer detects the uplink message, determine whether the uplink message is encrypted, if the uplink message is encrypted, send the uplink message, and if the uplink message is not encrypted, detect the uplink message in the application layer.
In a specific embodiment, the detecting unit 602 is specifically configured to detect the uplink message by using a pre-trained word-embedded reduced-dimension bayesian classification algorithm as a main algorithm; if the probability that the uplink message detected by the main algorithm contains the user privacy information is smaller than a first preset threshold value, judging that the uplink message does not contain the user privacy information; if the probability that the uplink message detected by the main algorithm contains the user privacy information is larger than a second preset threshold value, judging that the uplink message contains the user privacy information; if the probability that the uplink message detected by the main algorithm contains the user privacy information is larger than a first preset threshold and smaller than a second preset threshold, performing secondary detection on the uplink message by adopting an auxiliary detection algorithm; the first preset threshold is smaller than the second preset threshold.
In a specific embodiment, the auxiliary detection algorithm is a one-dimensional convolutional neural network.
In a specific embodiment, the processing unit 603 is specifically configured to send an uplink message through the VPN service when the VPN service is opened.
Since the first embodiment corresponds to the present embodiment, the present embodiment can be implemented in cooperation with the first embodiment. The related technical details mentioned in the first embodiment are still valid in this embodiment, and the technical effects that can be achieved in the first embodiment can also be achieved in this embodiment, and are not described herein again in order to reduce the repetition. Accordingly, the related-art details mentioned in the present embodiment can also be applied to the first embodiment.
A seventh embodiment of the present invention is directed to a terminal, as shown in fig. 11, including at least one processor 701; and, a memory 702 communicatively coupled to the at least one processor 701; the memory 702 stores instructions executable by the at least one processor 701, and the instructions are executed by the at least one processor 701, so that the at least one processor 701 can execute the information monitoring method.
Where the memory and processor are connected by a bus, the bus may comprise any number of interconnected buses and bridges, the buses connecting together one or more of the various circuits of the processor and the memory. The bus may also connect various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor is transmitted over a wireless medium via an antenna, which further receives the data and transmits the data to the processor.
The processor is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. And the memory may be used to store data used by the processor in performing operations.
A sixth embodiment of the present invention relates to a computer-readable storage medium storing a computer program. The computer program realizes the above-described method embodiments when executed by a processor.
That is, as can be understood by those skilled in the art, all or part of the steps in the method for implementing the embodiments described above may be implemented by a program instructing related hardware, where the program is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, or the like) or a processor (processor) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (10)

1. An information monitoring method, comprising:
intercepting an uplink message sent by a target application at a system layer, forwarding the uplink message to an application layer, and detecting the uplink message at the application layer;
and when the uplink message contains user privacy information, intercepting the uplink message and informing a user.
2. The information monitoring method according to claim 1, wherein before forwarding the uplink message to an application layer, the method further comprises: judging whether the source application of the uplink message exists in the white list or not according to a preset white list, and sending the uplink message when the source application of the uplink message exists in the white list; and when the source application of the uplink message does not exist in the white list, executing the forwarding of the uplink message to an application layer.
3. The information monitoring method of claim 2, wherein the white list is pre-set by one or more of: the system automatically sets a white list and a user-defined white list;
wherein, the system automatically sets the white list to include one or more of the following applications: application without networking authority, system application and manufacturer setting application;
the user-defined white list is manually added by a user.
4. The information monitoring method according to any one of claims 1 to 3, wherein before the detecting, by the application layer, the uplink message, further comprising: and judging whether the uplink message is encrypted, if the uplink message is encrypted, sending the uplink message, and if the uplink message is not encrypted, executing the detection of the uplink message in the application layer.
5. The information monitoring method according to claim 1, wherein the detecting the uplink message at the application layer includes:
adopting a pre-trained word embedding dimension-reducing Bayesian classification algorithm as a main algorithm to detect the uplink message;
if the probability that the uplink message detected by the main algorithm contains the user privacy information is smaller than a first preset threshold value, judging that the uplink message does not contain the user privacy information; if the probability that the uplink message detected by the main algorithm contains the user privacy information is larger than a second preset threshold value, judging that the uplink message contains the user privacy information;
if the probability that the uplink message detected by the main algorithm contains the user privacy information is larger than the first preset threshold and smaller than a second preset threshold, performing secondary detection on the uplink message by adopting an auxiliary detection algorithm;
wherein the first preset threshold is smaller than the second preset threshold.
6. The information monitoring method of claim 5, wherein the auxiliary detection algorithm is a one-dimensional convolutional neural network.
7. The information monitoring method according to claim 1, wherein the detecting the uplink message at the application layer further comprises: and starting the VPN service, and sending the uplink message through the VPN service when the uplink message does not contain the user privacy information.
8. An application information monitoring apparatus, comprising:
the intercepting unit is used for intercepting the uplink messages sent by each application at a system layer and forwarding the uplink messages to an application layer;
a detection unit, configured to detect the uplink message in the application layer;
and the processing unit intercepts the uplink message and informs the user when the uplink message contains user privacy information.
9. A terminal, comprising:
at least one processor; and the number of the first and second groups,
a memory communicatively coupled to the at least one processor; wherein the content of the first and second substances,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the information monitoring method of any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the information monitoring method according to any one of claims 1 to 7.
CN201910745305.8A 2019-08-13 2019-08-13 Information monitoring method and device, terminal and storage medium Pending CN112396071A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910745305.8A CN112396071A (en) 2019-08-13 2019-08-13 Information monitoring method and device, terminal and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910745305.8A CN112396071A (en) 2019-08-13 2019-08-13 Information monitoring method and device, terminal and storage medium

Publications (1)

Publication Number Publication Date
CN112396071A true CN112396071A (en) 2021-02-23

Family

ID=74601181

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910745305.8A Pending CN112396071A (en) 2019-08-13 2019-08-13 Information monitoring method and device, terminal and storage medium

Country Status (1)

Country Link
CN (1) CN112396071A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113407956A (en) * 2021-05-31 2021-09-17 江铃汽车股份有限公司 Data control method and system, readable storage medium and vehicle
CN113554108A (en) * 2021-07-30 2021-10-26 贵州电网有限责任公司 Auditory privacy information classification method for power grid inspection robot

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113407956A (en) * 2021-05-31 2021-09-17 江铃汽车股份有限公司 Data control method and system, readable storage medium and vehicle
CN113554108A (en) * 2021-07-30 2021-10-26 贵州电网有限责任公司 Auditory privacy information classification method for power grid inspection robot

Similar Documents

Publication Publication Date Title
US10592783B2 (en) Risky transaction identification method and apparatus
US9183384B1 (en) Leveraging indexed document matching to automatically train SVM classifiers
WO2017084586A1 (en) Method , system, and device for inferring malicious code rule based on deep learning method
US10637826B1 (en) Policy compliance verification using semantic distance and nearest neighbor search of labeled content
CN110795703B (en) Data theft prevention method and related product
US20230353585A1 (en) Malicious traffic identification method and related apparatus
CN112396071A (en) Information monitoring method and device, terminal and storage medium
US11302108B2 (en) Rotation and scaling for optical character recognition using end-to-end deep learning
CN112948578B (en) DGA domain name open set classification method, device, electronic equipment and medium
AU2021103604A4 (en) Soft threshold defense method for adversarial examples of remote sensing images
US20210406568A1 (en) Utilizing multiple stacked machine learning models to detect deepfake content
CN117811845B (en) Threat detection and model training method, threat detection and model training device, threat detection system, electronic equipment and medium
CN117454380B (en) Malicious software detection method, training method, device, equipment and medium
Zhang et al. Many-objective optimization based intrusion detection for in-vehicle network security
An et al. A novel HTTP anomaly detection framework based on edge intelligence for the Internet of Things (IoT)
US20230325651A1 (en) Information processing apparatus for improving robustness of deep neural network by using adversarial training and formal method
CN115348184B (en) Internet of things data security event prediction method and system
CN113992419B (en) System and method for detecting and processing abnormal behaviors of user
US20210397638A1 (en) System and method for cyberbullying detection
Charninda et al. Content based hybrid sms spam filtering system
Li et al. FusionTC: Encrypted App Traffic Classification Using Decision‐Level Multimodal Fusion Learning of Flow Sequence
US11907658B2 (en) User-agent anomaly detection using sentence embedding
CN117834297B (en) Attack detection method, device, system, electronic equipment and readable storage medium
KR101074675B1 (en) System for information resource distributed detection using text mining technique
CN116628181B (en) User control preference sensing method and system based on Internet of things

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination