CN113902458A - Malicious user identification method and device and computer equipment
- Publication number: CN113902458A
- Application number: CN202111479736.8A
- Authority: CN (China)
- Prior art keywords: application program, simulator, operating environment, application, running environment
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/018—Certifying business or products
- G06Q30/0185—Product, service or business identity fraud
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Abstract
The application relates to a method and a device for identifying malicious users and computer equipment. The method comprises the following steps: acquiring running environment information of an application program; judging whether the operating environment of the application program is a simulator or not according to the operating environment information; if the running environment of the application program is a simulator, acquiring user information corresponding to the application program; and if the user information meets the preset malicious user condition, carrying out user prohibition according to the user information. By adopting the method and the device, malicious users can be prevented from utilizing the convenient environment of the simulator to carry out malicious behaviors such as malicious registration and malicious bill swiping on the application program.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for identifying a malicious user, and a computer device.
Background
At present, an Android simulator is a simulator capable of simulating the operating environment of an Android system on various platforms such as Windows and Linux. After a user installs the Android simulator on a computer, various Android APPs (applications) can be installed and operated in the Android system simulated by the simulator, which brings great convenience to daily life. However, a malicious user may utilize the convenient environment of the Android simulator to perform malicious behaviors such as malicious registration and malicious bill swiping on the APP. Therefore, a method that can identify malicious users using the Android simulator is highly desirable.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method, an apparatus, and a computer device for identifying a malicious user.
In a first aspect, a method for identifying a malicious user is provided, where the method includes:
acquiring running environment information of an application program;
judging whether the operating environment of the application program is a simulator or not according to the operating environment information;
if the running environment of the application program is a simulator, acquiring user information corresponding to the application program;
and if the user information meets the preset malicious user condition, carrying out user prohibition according to the user information.
As an optional implementation, the operating environment information includes the number of times of each value of the global variable in the program counter, and the determining whether the operating environment of the application program is a simulator according to the operating environment information includes:
and if the times of each value of the global variable in the program counter are 0, judging that the running environment of the application program is a simulator.
As an optional implementation, the operating environment information includes a file name included in an installation path of the application program, and the determining whether the operating environment of the application program is a simulator according to the operating environment information includes:
and if the preset file name exists in the file names, judging that the running environment of the application program is a simulator.
As an optional implementation, the operating environment information includes one or more of battery power, charging state, wireless network communication technology WIFI, global positioning system GPS, Bluetooth, and temperature sensor, and the determining whether the operating environment of the application program is a simulator according to the operating environment information includes:
wherein each item has a weight and a characteristic value: the characteristic value of the battery power is 1 if the battery power in the operating environment is a fixed value, and 0 otherwise; the characteristic value of the charging state is 1 if the charging state is not present in the operating environment, and 0 otherwise; the characteristic value of WIFI is 1 if WIFI is not present in the operating environment, and 0 otherwise; the characteristic value of GPS is 1 if GPS is not present in the operating environment, and 0 otherwise; the characteristic value of Bluetooth is 1 if Bluetooth is not present in the operating environment, and 0 otherwise; the characteristic value of the temperature sensor is 1 if the temperature sensor is not present in the operating environment, and 0 otherwise; and if the result is greater than the first preset value, it is judged that the running environment of the application program is a simulator.
As an optional implementation, the operating environment information includes one or more of call records, contacts, short messages, photo albums, the installation number of application programs, and simulator auxiliary application programs, and the determining whether the running environment of the application program is a simulator according to the running environment information includes:
wherein each item has a weight and a characteristic value: the characteristic value of the call record is 1 if the call record is not present in the operating environment, and 0 otherwise; the characteristic value of the contact is 1 if the contact is not present in the operating environment, and 0 otherwise; the characteristic value of the short message is 1 if the short message is not present in the operating environment, and 0 otherwise; the characteristic value of the photo album is 1 if the photo album is not present in the operating environment, and 0 otherwise; the characteristic value of the installation number of application programs is 1 if the installation number of application programs in the operating environment is less than a preset threshold value, and 0 otherwise; the characteristic value of the simulator auxiliary application program is 1 if the simulator auxiliary application program is present in the operating environment, and 0 otherwise; and if the result is greater than the second preset value, it is judged that the running environment of the application program is a simulator.
As an optional implementation manner, the user information includes the current detection time, the total current access amount, and the number of page interfaces accessing the application program at the same time; judging whether the user information meets preset malicious user conditions or not, wherein the judging step comprises the following steps:
determining the total number of normal accesses corresponding to the current detection time according to the current detection time and a preset total number of normal accesses determining method;
and if the total current access quantity is greater than the total normal access quantity and the page interface quantity is greater than a preset page interface quantity threshold value, judging that the user information meets a preset malicious user condition.
As an optional implementation manner, according to the current detection time and a preset method for determining the total number of normal accesses, a formula for determining the total number of normal accesses corresponding to the current detection time is as follows:
wherein T represents the current detection time, F represents the total number of normal accesses, and A1, A2, A3, B1, B2, B3, T1 and T2 are constants.
As an optional implementation, the method further comprises:
in the installation process of the application program, acquiring the current version number and a first integrity check code of the application program;
and inquiring a second integrity check code corresponding to the current version number in the corresponding relation between the pre-stored version number and the integrity check code, and if the second integrity check code is different from the first integrity check code, preventing the application program from being installed.
In a second aspect, an apparatus for identifying a malicious user is provided, the apparatus comprising:
the first acquisition module is used for acquiring the running environment information of the application program;
the judging module is used for judging whether the running environment of the application program is a simulator or not according to the running environment information;
the second acquisition module is used for acquiring the user information corresponding to the application program if the running environment of the application program is a simulator;
and the forbidding module is used for carrying out user forbidding according to the user information if the user information meets the preset malicious user condition.
As an optional implementation, the operating environment information includes the number of times of each value of the global variable in the program counter, and the judging module is specifically configured to:
and if the times of each value of the global variable in the program counter are 0, judging that the running environment of the application program is a simulator.
As an optional implementation, the operating environment information includes a file name included in an installation path of the application program, and the judging module is specifically configured to:
and if the preset file name exists in the file names, judging that the running environment of the application program is a simulator.
As an optional implementation, the operating environment information includes one or more of battery power, charging state, wireless network communication technology WIFI, global positioning system GPS, Bluetooth, and temperature sensor, and the judging module is specifically configured to:
and judging whether the running environment of the application program is a simulator or not according to one or more of the battery electric quantity, the charging state, the WIFI, the GPS, the Bluetooth and the temperature sensor.
As an optional implementation, the operating environment information includes: one or more of call records, contacts, messages, photo albums, installation quantity of application programs and auxiliary application programs of the simulator, wherein the judgment module is specifically used for:
and judging whether the running environment of the application program is a simulator or not according to one or more of the call records, the contacts, the short messages, the photo album, the installation number of the application programs and the auxiliary application programs of the simulator.
As an optional implementation manner, the user information includes the current detection time, the total current access amount, and the number of page interfaces accessing the application program at the same time; the forbidding module further comprises:
the determining module is used for determining the total number of normal accesses corresponding to the current detection time according to the current detection time and a preset total number of normal accesses determining method;
and the judging module is used for judging that the user information meets the preset malicious user condition if the total current access quantity is greater than the total normal access quantity and the page interface quantity is greater than a preset page interface quantity threshold value.
As an optional implementation, the apparatus further comprises:
the third acquisition module is used for acquiring the current version number and the first integrity check code of the application program in the installation process of the application program;
and the stopping module is used for inquiring a second integrity check code corresponding to the current version number in the corresponding relation between the pre-stored version number and the integrity check code, and stopping the installation of the application program if the second integrity check code is different from the first integrity check code.
In a third aspect, a computer device is provided, comprising a memory and a processor, the memory having stored thereon a computer program operable on the processor to, when executed, perform the method steps of the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, having stored thereon a computer program which, when being executed by a processor, carries out the method steps of the first aspect.
The application provides a method, a device and a computer device for identifying malicious users, and the technical scheme provided by the embodiment of the application at least brings the following beneficial effects: after the application program is installed in the terminal or the simulator installed on the terminal, the computer equipment acquires the running environment information of the application program, and then judges whether the running environment of the application program is the simulator or not according to the running environment information. And if the running environment of the application program is the simulator, the computer equipment acquires the user information corresponding to the application program. And if the user information meets the preset malicious user condition, the computer equipment performs user prohibition according to the user information. By the method, the problem that malicious users utilize the convenient environment of the simulator to carry out malicious behaviors such as malicious registration and malicious bill swiping on the application program can be solved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic application environment diagram of a malicious user identification method according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of a method for identifying a malicious user according to an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of an apparatus for identifying a malicious user according to an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. The malicious user identification method provided by the application can be applied to the application environment shown in fig. 1. Wherein the terminal 101 communicates with the server 102 via a network. The terminal 101 may install and run the application directly or through the simulator. The server 102 may obtain the running environment information of the application program, and determine whether the running environment of the application program is a simulator according to the running environment information. If the running environment of the application is a simulator, the server 102 may obtain the user information corresponding to the application. If the user information meets the preset malicious user condition, the server 102 may perform user barring according to the user information. The terminal 101 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, and the server 102 may be implemented by an independent server or a server cluster formed by a plurality of servers.
A detailed description will be given below of an identification method for a malicious user according to an embodiment of the present application with reference to a specific implementation manner, and fig. 2 is a flowchart of the identification method for a malicious user according to the embodiment of the present application, and as shown in fig. 2, specific steps are as follows:
Step 201, obtaining the running environment information of the application program.
In implementation, when a user needs to use a certain application program, the user can download the installation package of the application program through an application store on the terminal, or obtain the installation package in other ways, and install the application program in the terminal or in a simulator installed on the terminal. After installation is complete, the user can run the application by clicking on the application icon. During installation and operation of the application program, the server can exchange information with the terminal to acquire the running environment information, user information and the like of the application program. In order to prevent malicious users from utilizing the convenient environment of the simulator to carry out malicious behaviors such as malicious registration and malicious bill swiping on the application program, the server can acquire the running environment information of the application program. The running environment information of the application program may include the number of times of each value of the global variable in the program counter, a file name included in an installation path of the application program, battery power, charging state, wireless network communication technology WIFI (Wireless Fidelity), global positioning system GPS (Global Positioning System), Bluetooth, a temperature sensor, call records, contacts, short messages, photo albums, the installation number of application programs, simulator auxiliary application programs, and the like. In addition, the Message Digest Algorithm MD5 may be used to encrypt the transmission information between the terminal and the server, so as to prevent malicious users from using the simulator to recognize the request information in the transmission information and perform simulated requests.
Step 202, judging whether the running environment of the application program is a simulator or not according to the running environment information.
In implementation, the server determines whether the operating environment of the application is a simulator according to the acquired operating environment information. If the running environment of the application is a non-simulator, no processing is performed. If the running environment of the application is a simulator, step 203 is performed.
The method by which the server determines whether the operating environment of the application program is a simulator depends on the specific information contained in the operating environment information. The embodiment of the application provides four feasible methods, specifically as follows:
In a first mode, the operating environment information includes the number of times of each value of the global variable in the program counter, and the server judges whether the running environment of the application program is a simulator according to the running environment information as follows: if the number of times of each value of the global variable in the program counter is 0, it is judged that the running environment of the application program is a simulator.
In implementation, the server determines whether the operating environment of the application program is a simulator according to the number of times of each value of the global variable in the program counter; if the number of times of each value is 0, the server determines that the operating environment of the application program is a simulator. Currently, most real machines use the ARM architecture, while most simulators use the X86 architecture and run on a personal computer. Therefore, the difference between ARM and X86 can be used to determine whether the environment is a simulator. Simulators that use the virtual operating system simulator Qemu (Quick Emulator) can be detected through an optimization feature of Qemu's binary translation. A physical CPU (Central Processing Unit) increments the program counter by one after each instruction is executed, so the program counter always holds the latest value. Qemu updates the program counter only when it needs to return the latest value, and does not update it otherwise. Thus, the program counter points to the very beginning of a code block, since the program counter needs to be updated each time a branch jump is taken. A virtual CPU could also increment the program counter every time an instruction in the code is executed, which would ensure that the program counter is the latest value. However, since the translated code is executed locally, the emulated CPU only needs to return a correct value when the original code accesses the program counter (this does not affect normal operation on the host system), and this feature can be used to directly determine whether the operating environment is a simulator.
The server may start 2 threads, T1 and T2. T1 repeatedly increments a global variable G from Gi to Gt, and G is assigned a value of 1 each time the loop completes. T2 reads G cyclically and counts the number of occurrences of N (an arbitrary number from Gi to Gt). If the two threads run on a virtual CPU, the counts for the intermediate running state cannot be obtained, because task scheduling of T2 can only occur after the execution of T1 is finished. The two threads can therefore be compiled into a .so shared library whose return value is the count for the intermediate running state; if the return value is 0, the CPU is a virtual CPU and the running environment of the application program is judged to be a simulator.
In a second mode, the operating environment information includes a file name included in an installation path of the application program, and the server judges whether the running environment of the application program is a simulator according to the running environment information as follows: if a preset file name exists among the file names, it is judged that the running environment of the application program is a simulator.
In implementation, the server determines whether the operating environment of the application is a simulator according to the file names included in the installation path of the application; if a preset file name exists among the file names, the server determines that the operating environment of the application is a simulator. The preset file name is a file name unique to the simulator, such as qemu_pipe and qemud.
In a third mode, the operating environment information includes one or more of battery power, charging state, WIFI, GPS, Bluetooth, and temperature sensor, and the server judges whether the running environment of the application program is a simulator according to the running environment information as follows: judging whether the running environment of the application program is a simulator according to one or more of battery power, charging state, WIFI, GPS, Bluetooth and temperature sensor.
In implementation, the battery power of the simulator is generally a constant value, and the charging state, WIFI, GPS, Bluetooth, temperature sensor and the like are not available. Therefore, the server can judge whether the running environment of the application program is a simulator according to one or more of battery power, charging state, WIFI, GPS, Bluetooth and temperature sensor. The formula for judging whether the running environment of the application program is a simulator by the server is as follows:
wherein each item has a weight and a characteristic value: the characteristic value of the battery power is 1 if the battery power in the operating environment is a fixed value, and 0 otherwise; the characteristic value of the charging state is 1 if the charging state is not present in the operating environment, and 0 otherwise; the characteristic value of WIFI is 1 if WIFI is not present in the operating environment, and 0 otherwise; the characteristic value of GPS is 1 if GPS is not present in the operating environment, and 0 otherwise; the characteristic value of Bluetooth is 1 if Bluetooth is not present in the operating environment, and 0 otherwise; the characteristic value of the temperature sensor is 1 if the temperature sensor is not present in the operating environment, and 0 otherwise; and if the result is greater than the first preset value, it is judged that the running environment of the application program is a simulator.
In a fourth mode, the operating environment information includes one or more of call records, contacts, short messages, photo albums, the installation number of application programs, and simulator auxiliary application programs, and the server judges whether the running environment of the application program is a simulator according to the running environment information as follows: judging whether the operating environment of the application program is a simulator according to one or more of call records, contacts, short messages, photo albums, the installation number of application programs and simulator auxiliary application programs.
In implementation, the simulator generally has no call records, contacts, short messages, photo albums and the like, the installation number of application programs is less than the threshold value for the installation number of application programs on a real machine set according to industry experience, and simulator auxiliary application programs may be installed. Therefore, the server can judge whether the running environment of the application program is a simulator according to one or more of call records, contacts, short messages, photo albums, the installation number of application programs and simulator auxiliary application programs. The formula for judging whether the running environment of the application program is a simulator by the server is as follows:
wherein each item has a weight and a characteristic value: the characteristic value of the call record is 1 if no call record exists in the operating environment, and 0 otherwise; the characteristic value of the contact is 1 if no contact exists in the operating environment, and 0 otherwise; the characteristic value of the short message is 1 if no short message exists in the operating environment, and 0 otherwise; the characteristic value of the photo album is 1 if no photo album exists in the operating environment, and 0 otherwise; the characteristic value of the installation number of application programs is 1 if the installation number of application programs in the operating environment is less than a preset threshold value, and 0 otherwise; the characteristic value of the simulator auxiliary application program is 1 if a simulator auxiliary application program exists in the operating environment, and 0 otherwise; and if the result is greater than the second preset value, it is judged that the running environment of the application program is a simulator.
Step 203, if the running environment of the application program is the simulator, acquiring the user information corresponding to the application program.
In implementation, if the running environment of the application program is the simulator, the server acquires the user information corresponding to the application program. The user information includes the current detection time, the current total number of accesses, the number of page interfaces accessing the application program at the same time, and the like.
Step 204, if the user information meets the preset malicious user condition, blocking the user according to the user information.
In implementation, if the user information meets a preset malicious user condition, the server blocks the user according to the user information. The preset malicious user condition is a judgment condition set according to industry experience; whether the user is a malicious user can be judged from this condition and the user information. User blocking can take various forms, and the embodiment of the application provides three blocking strategies: blocking the user login account, blocking the device identifier, and blocking the access address. In implementation, two of the three blocking strategies can be combined according to the specific situation, or all three can be adopted at the same time. The specific strategies are as follows: blocking the user login account shields the information of the login account and restricts normal data access for the login account; blocking the device identifier restricts normal data access for the device identifier. Because a simulator's device identifier is reset after the simulator is reinstalled, this strategy is suggested to be used together with other blocking strategies; blocking the access address restricts normal data access for the access address.
As an optional implementation manner, the user information includes the current detection time, the current total number of accesses, and the number of page interfaces accessing the application program at the same time; the processing process of the server for judging whether the user information meets the preset malicious user condition is as follows:
Step one, determining the total number of normal accesses corresponding to the current detection time according to the current detection time and a preset method for determining the total number of normal accesses.
In implementation, the server determines the total number of normal accesses corresponding to the current detection time according to the current detection time and a preset total number of normal accesses determining method. The formula for determining the total number of normal accesses corresponding to the current detection time by the server is as follows:
wherein T represents the current detection time, F represents the total number of normal accesses, and A1, A2, A3, B1, B2, B3, T1 and T2 are constants.
Step two, if the total number of current accesses is greater than the total number of normal accesses and the number of page interfaces is greater than a preset page interface number threshold, judging that the user information meets the preset malicious user condition.
In implementation, if the total number of current accesses is greater than the total number of normal accesses, and the page interface number is greater than a preset page interface number threshold, the server determines that the user information meets a preset malicious user condition. The preset page interface number threshold value is a constant set according to industry experience.
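The following Python sketch is an added example, not code from the patent. It chains the usage-signal simulator judgment, the two-part malicious user condition and the choice of blocking strategies described above. The weighted-sum form of the score, every numeric weight and threshold, the report field names and the stand-in for the normal-access total F are assumptions, since the patent's formulas and constants are not reproduced on this page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

# Constructed integer weights for the six usage signals named in the text.
# Assumption: the score is the weighted sum of the 0/1 characteristic values.
WEIGHTS = {"call_log": 20, "contacts": 20, "messages": 15,
           "album": 15, "app_count": 10, "helper_app": 20}
SECOND_PRESET_VALUE = 50       # constructed decision threshold
APP_COUNT_THRESHOLD = 15       # constructed real-device installation threshold
PAGE_INTERFACE_THRESHOLD = 8   # constructed page interface number threshold

# Hypothetical report fields for the four "nothing stored" signals.
EMPTY_STORE_FIELDS = {"call_log_count": "call_log", "contact_count": "contacts",
                      "message_count": "messages", "album_count": "album"}


def characteristic_values(env: Dict[str, int]) -> Dict[str, int]:
    """Turn reported environment info into 0/1 characteristic values.

    Only "one or more" signals need to be reported; a signal that is not
    in the report is skipped and therefore adds nothing to the score.
    """
    values: Dict[str, int] = {}
    for field, signal in EMPTY_STORE_FIELDS.items():
        if field in env:
            values[signal] = 1 if env[field] == 0 else 0
    if "installed_app_count" in env:
        few = env["installed_app_count"] < APP_COUNT_THRESHOLD
        values["app_count"] = 1 if few else 0
    if "helper_app_present" in env:
        values["helper_app"] = 1 if env["helper_app_present"] else 0
    return values


def simulator_score(env: Dict[str, int]) -> int:
    return sum(WEIGHTS[s] * v for s, v in characteristic_values(env).items())


def is_simulator(env: Dict[str, int]) -> bool:
    return simulator_score(env) > SECOND_PRESET_VALUE


@dataclass(frozen=True)
class UserInfo:
    account: str
    device_id: str
    access_address: str
    detection_hour: int    # current detection time T
    current_total: int     # current total number of accesses
    page_interfaces: int   # page interfaces accessed at the same time


def constructed_normal_total(hour: int) -> int:
    """Constructed stand-in for F(T); replace with the deployment's baseline."""
    if hour < 7:
        return 40
    if hour < 23:
        return 300
    return 120


def meets_malicious_condition(
        info: UserInfo,
        normal_total: Callable[[int], int] = constructed_normal_total) -> bool:
    # Both parts must hold: traffic above the baseline for this time AND
    # more simultaneous page interfaces than the threshold.
    return (info.current_total > normal_total(info.detection_hour)
            and info.page_interfaces > PAGE_INTERFACE_THRESHOLD)


def blocking_plan(env: Dict[str, int], info: UserInfo,
                  strategies: Sequence[str] = ("account", "device", "address")
                  ) -> List[str]:
    """Return the identifiers to block, or [] when no blocking applies."""
    if not is_simulator(env) or not meets_malicious_condition(info):
        return []
    chosen = list(dict.fromkeys(strategies))   # de-duplicate, keep order
    if chosen == ["device"]:
        # A simulator's device identifier is reset on reinstall, so a
        # device-only block is paired with an account block here.
        chosen.append("account")
    targets = {"account": info.account, "device": info.device_id,
               "address": info.access_address}
    return [f"{s}:{targets[s]}" for s in chosen]


# Constructed sample reports and users (not real data).
EMULATOR_REPORT = {"call_log_count": 0, "contact_count": 0, "message_count": 0,
                   "album_count": 0, "installed_app_count": 6,
                   "helper_app_present": True}
PHONE_REPORT = {"call_log_count": 120, "contact_count": 85, "message_count": 310,
                "album_count": 540, "installed_app_count": 62,
                "helper_app_present": False}
BURST_USER = UserInfo("user-1001", "dev-aaaa", "203.0.113.7", 3, 500, 12)
QUIET_USER = UserInfo("user-1002", "dev-bbbb", "203.0.113.8", 14, 35, 2)
```

Because unreported signals add nothing to an absolute threshold, a client that withholds most signals scores low; a deployment would want to treat a sparse report as a signal in its own right.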
As an optional implementation manner, in order to prevent a user from installing and running a tampered application program, and performing malicious activities such as malicious registration and malicious billing by using the tampered application program, the processing procedure of the server further includes:
Step one, during the installation process of the application program, acquiring the current version number and the first integrity check code of the application program.
In implementation, during the installation process of the application program, the server acquires the current version number and the first integrity check code of the application program. The server may determine a first integrity check code of the application program according to the data transmitted by the terminal, where the first integrity check code may reflect integrity information of the application program, and the first integrity check code may be a hash value.
Step two, querying a second integrity check code corresponding to the current version number in the pre-stored correspondence between version numbers and integrity check codes, and if the second integrity check code is different from the first integrity check code, preventing the application program from being installed.
In implementation, the server queries a second integrity check code corresponding to the current version number in the pre-stored correspondence between version numbers and integrity check codes. If the second integrity check code is different from the first integrity check code, the application program has been modified, and the server directly prevents it from being installed. The second integrity check code may be a hash value. In addition, pseudo-encryption of the installation package of the application program can prevent the installation package from being analyzed, and further prevent the application program from being tampered with.
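The two-step integrity check above can be sketched as follows. This is an added example, not code from the patent: SHA-256 as the check code, the version table, the package bytes and all function names are assumptions, and refusing versions that are missing from the table is a design choice of the example rather than something the text specifies.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed stand-ins for the bytes of two released installation packages.
RELEASE_1_0_0 = b"constructed installation package, version 1.0.0"
RELEASE_1_1_0 = b"constructed installation package, version 1.1.0"


def check_code(package: bytes) -> str:
    """Integrity check code of a package; SHA-256 is assumed here."""
    return hashlib.sha256(package).hexdigest()


# Pre-stored correspondence between version number and integrity check code.
KNOWN_CODES: Dict[str, str] = {
    "1.0.0": check_code(RELEASE_1_0_0),
    "1.1.0": check_code(RELEASE_1_1_0),
}

HEX_DIGITS = set("0123456789abcdef")


def verify_reported_code(version: str, first_code: str,
                         known: Dict[str, str] = KNOWN_CODES
                         ) -> Tuple[bool, str]:
    """Compare a reported first check code with the stored second one.

    Returns (allow_install, reason).
    """
    second_code = known.get(version)
    if second_code is None:
        # Fail closed: a version the server never released has no
        # reference code, so nothing vouches for the package.
        return False, "unknown version"
    normalized = first_code.strip().lower()
    if len(normalized) != 64 or not set(normalized) <= HEX_DIGITS:
        return False, "malformed check code"
    # Constant-time comparison of the two hex strings.
    if not hmac.compare_digest(normalized, second_code):
        return False, "check code mismatch"
    return True, "ok"


def verify_install(version: str, package: bytes,
                   known: Dict[str, str] = KNOWN_CODES) -> Tuple[bool, str]:
    """Derive the first check code from the package bytes on the server,
    then run the lookup and comparison."""
    return verify_reported_code(version, check_code(package), known)
```

A check code computed by the server from the package bytes is stronger evidence than one reported by the client, because a modified client can report any value it likes.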
The embodiment of the application provides a method for identifying a malicious user, after an application is installed in a terminal or a simulator installed on the terminal, computer equipment acquires running environment information of the application, and then judges whether the running environment of the application is the simulator or not according to the running environment information. And if the running environment of the application program is the simulator, the computer equipment acquires the user information corresponding to the application program. And if the user information meets the preset malicious user condition, the computer equipment performs user prohibition according to the user information. By the method, the problem that malicious users utilize the convenient environment of the simulator to carry out malicious behaviors such as malicious registration and malicious bill swiping on the application program can be solved.
It should be understood that, although the steps in the flowchart of fig. 2 are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a portion of the steps in fig. 2 may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, which are not necessarily performed in sequence, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.
It is understood that the same/similar parts between the embodiments of the method described above in this specification can be referred to each other, and each embodiment focuses on the differences from the other embodiments, and it is sufficient that the relevant points are referred to the descriptions of the other method embodiments.
An embodiment of the present application further provides an apparatus for identifying a malicious user, as shown in fig. 3, the apparatus includes:
a first obtaining module 310, configured to obtain operating environment information of an application;
a judging module 320, configured to judge whether the operating environment of the application is a simulator according to the operating environment information;
a second obtaining module 330, configured to obtain user information corresponding to the application program if the running environment of the application program is the simulator;
and the forbidding module 340 is configured to perform user forbidding according to the user information if the user information meets a preset malicious user condition.
As an alternative embodiment, the operation environment information includes: the judging module is specifically configured to:
and if the times of each value of the global variable in the program counter are 0, judging that the running environment of the application program is the simulator.
As an alternative embodiment, the operation environment information includes: the determining module is specifically configured to:
and if the preset file name exists in the file names, judging that the running environment of the application program is the simulator.
As an alternative embodiment, the operation environment information includes one or more of battery level, charging state, wireless network communication technology (WIFI), global positioning system (GPS), Bluetooth, and a temperature sensor; the judging module is specifically configured to:
and judging whether the running environment of the application program is a simulator or not according to one or more of battery power, charging state, WIFI, GPS, Bluetooth and a temperature sensor.
As an alternative embodiment, the operation environment information includes: one or more of call records, contacts, messages, photo albums, installation quantity of application programs and simulator auxiliary application programs, wherein the judging module is specifically used for:
and judging whether the operating environment of the application program is the simulator or not according to one or more of call records, contacts, messages, photo albums, the installation number of the application programs and auxiliary application programs of the simulator.
As an optional implementation manner, the user information includes the current detection time, the current total number of accesses, and the number of page interfaces accessing the application program at the same time; the block module further comprises:
the determining module is used for determining the total number of the normal accesses corresponding to the current detection time according to the current detection time and a preset total number of the normal accesses;
and the judging module is used for judging that the user information meets the preset malicious user condition if the total current access quantity is greater than the total normal access quantity and the page interface quantity is greater than a preset page interface quantity threshold value.
As an optional implementation, the apparatus further comprises:
the third acquisition module is used for acquiring the current version number and the first integrity check code of the application program in the installation process of the application program;
and the stopping module is used for inquiring a second integrity check code corresponding to the current version number in the corresponding relation between the pre-stored version number and the integrity check code, and stopping the installation of the application program if the second integrity check code is different from the first integrity check code.
The embodiment of the application provides a malicious user identification device, after an application program is installed in a terminal or a simulator installed on the terminal, computer equipment acquires running environment information of the application program, and then judges whether the running environment of the application program is the simulator or not according to the running environment information. And if the running environment of the application program is the simulator, the computer equipment acquires the user information corresponding to the application program. And if the user information meets the preset malicious user condition, the computer equipment performs user prohibition according to the user information. By the method, the problem that malicious users utilize the convenient environment of the simulator to carry out malicious behaviors such as malicious registration and malicious bill swiping on the application program can be solved.
For specific limitations of the identification device for the malicious user, reference may be made to the above limitations of the identification method for the malicious user, which are not described herein again. The modules in the malicious user identification device can be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, as shown in fig. 4, and includes a memory and a processor, where the memory stores a computer program that can be executed on the processor, and the processor implements the method steps of the above-mentioned identification of malicious users when executing the computer program.
In an embodiment, a computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the above-mentioned steps of the method of identification of a malicious user.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
It should be further noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for presentation, analyzed data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.
Claims (10)
1. A method for identifying a malicious user, the method comprising:
acquiring running environment information of an application program;
judging whether the operating environment of the application program is a simulator or not according to the operating environment information;
if the running environment of the application program is a simulator, acquiring user information corresponding to the application program;
and if the user information meets the preset malicious user condition, carrying out user prohibition according to the user information.
2. The method of claim 1, wherein the operating environment information comprises: the determining whether the operating environment of the application program is a simulator according to the operating environment information includes:
and if the times of each value of the global variable in the program counter are 0, judging that the running environment of the application program is a simulator.
3. The method of claim 1, wherein the operating environment information comprises: a file name included in an installation path of the application program; and the determining, according to the operating environment information, whether the operating environment of the application program is a simulator includes:
and if the preset file name exists in the file names, judging that the running environment of the application program is a simulator.
4. The method of claim 1, wherein the operating environment information comprises one or more of: battery level, charging state, wireless network communication technology WIFI, global positioning system GPS, Bluetooth, and a temperature sensor; and the judging, according to the operating environment information, whether the operating environment of the application program is a simulator includes:
wherein the content of the first and second substances,a weight representing the charge level of the battery,a characteristic value representing a battery level, if the battery level in the operating environment is a fixed valueIs 1, otherwise is 0;a weight representing the state of charge,a characteristic value representing a state of charge, if the state of charge is not present in the operating environmentIs 1, otherwise is 0;the weight of the WIFI is represented by a weight,a characteristic value representing WIFI, if the WIFI is not present in the operating environment, thenIs 1, otherwise is 0;the weight of the GPS is represented by the weight,a characteristic value representing a GPS, if the GPS is not present in the operating environmentIs 1, otherwise is 0;the weight of the bluetooth is represented and,a characteristic value representing Bluetooth, if the Bluetooth is not present in the operating environmentIs 1, otherwise is 0;the weight of the temperature sensor is represented by,a characteristic value representing a temperature sensor, if the temperature sensor is not present in the operating environmentIs 1, otherwise is 0; if it is notAnd if the running environment of the application program is greater than the first preset value, judging that the running environment of the application program is a simulator.
5. The method of claim 1, wherein the operating environment information comprises: one or more of call records, contacts, messages, photo albums, the installation number of application programs and simulator auxiliary application programs, wherein the step of judging whether the running environment of the application program is a simulator or not according to the running environment information comprises the following steps:
wherein the content of the first and second substances,a weight representing the call record is determined,a feature value representing a call log, if the call log is not present in the operating environmentIs 1, otherwise is 0;the weight of the contact is represented and,a characteristic value representing a contact, if the contact is not present in the runtime environment, thenIs 1, otherwise is 0;the weight of the short message is represented,representing the characteristic value of the short message, if the short message does not exist in the operating environment, the characteristic value of the short message is represented, and if the short message does not exist in the operating environment, the characteristic value of the short message is representedIs 1, otherwise is 0;the weight of the photo album is represented and,a characteristic value representing an album, if the album does not exist in the operating environment, thenIs 1, otherwise is 0;a weight representing the number of applications installed,a characteristic value representing the installation quantity of the application programs, if the installation quantity of the application programs in the running environment is less than a preset threshold value, the characteristic value is used for judging whether the installation quantity of the application programs is less than a preset threshold valueIs 1, otherwise is 0;representing the weight of the simulator secondary application,a feature value representing a simulator secondary application, if the simulator secondary application is present in the runtime environmentIs 1, otherwise is 0; if it is notAnd if the running environment of the application program is larger than the second preset value, judging that the running environment of the application program is a simulator.
6. The method of claim 1, wherein the user information comprises a current detection time, a total number of current accesses, and a number of page interfaces accessing the application at the same time; judging whether the user information meets preset malicious user conditions or not, wherein the judging step comprises the following steps:
determining the total number of normal accesses corresponding to the current detection time according to the current detection time and a preset total number of normal accesses determining method;
and if the total current access quantity is greater than the total normal access quantity and the page interface quantity is greater than a preset page interface quantity threshold value, judging that the user information meets a preset malicious user condition.
7. The method according to claim 6, wherein according to the current detection time and a preset total number of normal accesses determining method, the formula for determining the total number of normal accesses corresponding to the current detection time is as follows:
wherein T represents the current detection time, F represents the total number of normal accesses, and A1, A2, A3, B1, B2, B3, T1 and T2 are constants.
8. The method of claim 1, further comprising:
in the installation process of the application program, acquiring the current version number and a first integrity check code of the application program;
and inquiring a second integrity check code corresponding to the current version number in the corresponding relation between the pre-stored version number and the integrity check code, and if the second integrity check code is different from the first integrity check code, preventing the application program from being installed.
9. An apparatus for identifying a malicious user, the apparatus comprising:
the first acquisition module is used for acquiring the running environment information of the application program;
the judging module is used for judging whether the running environment of the application program is a simulator or not according to the running environment information;
the second acquisition module is used for acquiring the user information corresponding to the application program if the running environment of the application program is a simulator;
and the forbidding module is used for carrying out user forbidding according to the user information if the user information meets the preset malicious user condition.
10. A computer device comprising a memory and a processor, the memory having stored thereon a computer program operable on the processor, wherein the processor, when executing the computer program, performs the steps of the method of any of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111479736.8A CN113902458A (en) | 2021-12-07 | 2021-12-07 | Malicious user identification method and device and computer equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113902458A true CN113902458A (en) | 2022-01-07 |
Family
ID=79025507
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111479736.8A Pending CN113902458A (en) | 2021-12-07 | 2021-12-07 | Malicious user identification method and device and computer equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113902458A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114860348A (en) * | 2022-06-09 | 2022-08-05 | 北京奇艺世纪科技有限公司 | Android simulator identification method and device, electronic equipment and storage medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103927484A (en) * | 2014-04-21 | 2014-07-16 | 西安电子科技大学宁波信息技术研究院 | Malicious program behavior capture method based on Qemu |
CN107729749A (en) * | 2017-09-30 | 2018-02-23 | 北京梆梆安全科技有限公司 | With reference to system information and the Android simulator detection method and device of ardware feature |
CN107729750A (en) * | 2017-09-30 | 2018-02-23 | 北京梆梆安全科技有限公司 | With reference to configuration information and the Android simulator detection method and device of ardware feature |
CN109117250A (en) * | 2018-07-27 | 2019-01-01 | 平安科技(深圳)有限公司 | A kind of simulator recognition methods, identification equipment and computer-readable medium |
CN109144665A (en) * | 2018-07-27 | 2019-01-04 | 平安科技(深圳)有限公司 | A kind of simulator recognition methods, identification equipment and computer-readable medium |
CN113450149A (en) * | 2021-06-30 | 2021-09-28 | 中国建设银行股份有限公司 | Information processing method and device, electronic equipment and computer readable medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20220107 |