CN115038089A - Multi-terminal data monitoring and collecting method based on information extraction - Google Patents


Info

Publication number: CN115038089A
Authority: CN (China)
Prior art keywords: monitoring; log; information extraction; time period; doubt
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210946451.9A
Other languages: Chinese (zh)
Other versions: CN115038089B (en)
Inventors: 程军, 黄金明, 张明杰
Current assignee: Guangzhou Bojin Network Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Guangzhou Bojin Network Technology Co ltd

Classifications

    • H04W12/80 Arrangements enabling lawful interception [LI] (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; authentication; protecting privacy or anonymity)
    • H04W12/121 Wireless intrusion detection systems [WIDS]; wireless intrusion prevention systems [WIPS] (H04W12/00 > H04W12/12 Detection or prevention of fraud)
    • H04W12/122 Counter-measures against attacks; protection against rogue devices (H04W12/00 > H04W12/12 Detection or prevention of fraud)
    • Y02D30/70 Reducing energy consumption in wireless communication networks (Y General tagging of new technological developments > Y02 Technologies or applications for mitigation or adaptation against climate change > Y02D Climate change mitigation technologies in information and communication technologies [ICT] > Y02D30/00 Reducing energy consumption in communication networks)

Abstract

The invention belongs to the technical field of communication and provides a multi-terminal data monitoring and collecting method based on information extraction. A server side and mobile devices are connected to form a multi-terminal data monitoring network; a monitoring process is opened in the mobile device; when the monitoring process captures a network request signal of the mobile device, a security log is acquired from the log file of the mobile device; and the deep links in the security log are obtained. In this way, log devices that are used infrequently and are suspected of tampering are filtered out, the fluctuation of the monitoring access degree calculated from the data provided by the mobile devices is reduced, the accuracy of the monitoring access degree is improved, and the monitoring stability and security of the mobile devices are improved.

Description

Multi-terminal data monitoring and collecting method based on information extraction
Technical Field
The invention belongs to the technical field of communication, and particularly relates to a multi-terminal data monitoring and collecting method based on information extraction.
Background
Existing data monitoring is widely applied in data security scenarios, where data can be collected and used in a targeted manner through information extraction. For example, when a user performs data monitoring on a deep link of a mobile device and, depending on the application scenario, the operation has to be transferred from one client to another, data monitoring often lacks continuity: after logging in again on the other client, the monitored object is often lost, or the deep link can no longer be monitored accurately, because the contents of the system-level APP log data differ.
To solve this problem, the existing approach is to add the monitor's configuration file to the target APP so that the monitor can read the system-level APP log data; the deep link is taken by an information extraction method, and the operator's user identifier (or other operator information or attributes) is appended to the deep link, so that the deep link carries the operator's user attributes. When the operation has to be transferred from one client to another, only the deep link with the user attributes needs to be sent to the APP of the other client, and that APP does not need to ask the operator to log in again or to re-enter existing information or attributes, which greatly saves operation time and reduces operational redundancy. However, when the monitoring program reads the system-level APP log data, building the rule model for information extraction consumes a large amount of system resources and time, and there is currently no method for compressing the time needed for multi-terminal data monitoring, so the monitoring accuracy of the multi-terminal data monitoring network cannot be improved and the security of the deep links cannot be guaranteed.
Disclosure of Invention
The present invention is directed to a multi-terminal data monitoring and collecting method based on information extraction, so as to solve one or more technical problems in the prior art and to provide at least one useful choice or creation condition.
To achieve the above object, the present invention provides a multi-terminal data monitoring and collecting method based on information extraction, which specifically includes the following steps:
S100: a server side and mobile devices are connected to form a multi-terminal data monitoring network, and a monitoring process is opened in the mobile device;
S200: when the monitoring process captures a network request signal of the mobile device, a security log is acquired from the log file of the mobile device;
S300: the deep link in the security log is acquired.
Further, in S100, the multi-terminal data monitoring network includes at least a server side and a mobile device, where the mobile device is a device running iOS, Hongmeng or Android; each mobile device is connected to the server side through a wired and/or wireless network.
Preferably, the wired and/or wireless network includes at least a USB data cable connection, WiFi, Bluetooth and similar networks.
Further, in S100, the method for opening a monitoring process in the mobile device is as follows: if the mobile device runs Android, the Android debugging mode is enabled, the server side is authorized through an Android ADB command, and, after the monitoring process is started in the mobile device, monitoring of the deep links in the log file of the mobile device begins.
Further, in S100, if the mobile device runs iOS or Hongmeng, the configuration file associated with the monitoring process is added to the mobile device and recompiled before monitoring of the deep links in the log file of the mobile device begins.
Further, the deep link carries a client code as one of its parameters; the client code is passed to the application at the time of the jump, so the application can recognize the visitor without requiring a new login. For example, each deep link issued to a client includes an identifier such as custId = xxx (where xxx is the user's ID number) as the client code. The user can therefore be provided with deep links carrying the corresponding customer codes, and an end-to-end customer behavior tracking service can be offered to the user.
Further, a deep link is a URI (Uniform Resource Identifier) that specifies a particular application, the resource content the application will access, and the particular user interface that should be instantiated when the application is launched via the deep link.
Further, each deep link is linked to a respective application such that when a user interacts with a link referencing a particular resource on a mobile device, the particular resource is presented in the application that is installed on the mobile device and that provides the highest ranked user experience for presenting the particular resource.
Further, in S200, the network request signal is the request signal issued when the user clicks a link marker in the APP of the mobile device, which, according to the deep link, automatically bypasses the home page of the linked website and jumps to a specific content page. When the mobile device sends a network request signal, the deep link in the network request signal is acquired and written into the log file of the mobile device; the deep link bypasses the home page of the linked website and links directly to the inner page; at this moment the monitoring process captures the network request signal of the mobile device. The network request signal includes the deep link.
In a multi-terminal operation scenario, the clients are often concentrated in the same geographical area or within the communication range of the same base station, and a log file can easily be monitored by a malicious program or by a website with a trojan backdoor and be updated or tampered with into a trojan link or malicious link. A safe log file therefore needs to be identified when the log file is acquired, specifically:
Further, in S200, after the monitoring process captures the network request signal of the mobile device, the method for obtaining the security log in the log file of the mobile device includes:
S201: let T1 be the time at which the monitoring process of the current mobile device captures the network request signal, and T2 the time at which the server side corresponding to that monitoring process finishes receiving the log file of the mobile device; the period from T1 to T2 is T3. The number of data packets exchanged between the linked website corresponding to the deep link in the log file and the current mobile device during T3 is taken as the monitoring access degree; alternatively, the website traffic of the linked website corresponding to the deep link in the log file during T3 is taken as the monitoring access degree (using the monitoring access degree allows high-frequency abnormal websites to be avoided accurately, improving monitoring accuracy);
S202: set up two empty sets, a transaction set F1 and a comparison set F2. Take each moment in T3 at which the monitoring access degree is greater than 0 as a monitoring moment, and compute the average interval between consecutive monitoring moments in T3 as TGY. Let i be the sequence number of a monitoring moment in T3, with i ∈ [1, N1-1], where N1 is the number of monitoring moments in T3;
traverse each monitoring moment in T3 over the range of i as follows: let T4 be the i-th monitoring moment in T3 and check whether the (i+2)-th monitoring moment falls within the period from T4 to T4 + 2 × TGY. If it does, add the average of D1, D2 and D3 to set F1, where D1, D2 and D3 are the i-th, (i+1)-th and (i+2)-th monitoring access degrees in T3; if it does not, add D1, D2 and D2 in turn to set F2 (set F1 thus holds the averaged high-frequency abnormal monitoring access degrees in T3, and set F2 holds the normal monitoring access degrees in T3);
S203: let F1(j) be the j-th element of F1, j ∈ [1, N2], where N2 is the number of elements in set F1;
traverse the elements of set F1 over the range of j: if every element F1(j) satisfies the condition F2Mean ≥ F1(j) ≥ F2Min or the condition F1(j) ≥ F2Min + ASS × F2Max, the log file is marked as a safety log; otherwise it is marked as an in-doubt log;
where ASS = exp(F1Min ÷ F1Mean) / exp(F1Mean ÷ F1Max);
ASS is the steady-state access coefficient, expressing the exponential ratio of the high-frequency abnormal monitoring access degrees in the set; F2Mean is the mean of all elements in set F2; F2Min is the minimum value in set F2; F2Max is the maximum value in set F2; F1Mean is the mean of all elements in set F1; F1Min is the minimum value in set F1; F1Max is the maximum value in set F1.
Therefore, the method filters the doubt logs which possibly cause the information safety hidden danger so as to improve the accuracy of the subsequent calculation of the information extraction degree.
Preferably, in S200, the following steps are included:
S204: if the log file is marked as an in-doubt log, let Toa1 be the number of monitoring access degrees in set F2 that are greater than F1Max and Toa2 the number of monitoring access degrees in set F2 that are smaller than F1Min. When Toa1 ≤ Toa2, compute the sum of the monitoring access degrees in set F2 that are greater than F1Max as the monitoring high-frequency index, and the sum of the monitoring access degrees in set F2 that are smaller than F1Min as the monitoring low-frequency index; when the monitoring high-frequency index is smaller than the monitoring low-frequency index, the in-doubt log is marked as a safety log (the monitoring high-frequency index and the monitoring low-frequency index effectively reflect the safety of the website corresponding to the link in the log through the trend of the monitoring access degree).
Because the linked website corresponding to the deep link in an in-doubt log may be a spoofed attack website or a trojan website, the log files whose linked websites correspond to normal deep links need to be screened out and distinguished in the following manner, specifically:
preferably, in S200, the following steps are included:
S204: compute the information extraction degree of each in-doubt log, specifically:
let N3 be the number of in-doubt logs acquired by the server side in period T3, and log(h) the h-th in-doubt log, h ∈ [1, N3], so that each in-doubt log(h) corresponds to one abnormal set F1 and one comparison set F2; F1(j) is the j-th element of F1, j ∈ [1, N2], where N2 is the number of elements in set F1; F2(k) is the k-th element of F2, k ∈ [2, N4], where N4 is the number of elements in set F2;
the formula for computing the information extraction degree logsafe(h) of the h-th in-doubt log(h) is:
[formula image DEST_PATH_IMAGE002AA not reproduced on this page]
where exp is the exponential function, PeakGap is the gap between the peaks of the two sets, PeakGap = |F2Max − F1Max|, F1Max is the maximum value in set F1, and F2Max is the maximum value in set F2;
S205: compute the mean Ymean of the information extraction degrees of all in-doubt logs, screen out every in-doubt log whose information extraction degree is less than or equal to Ymean, and mark those logs as safety logs.
Beneficial effects: computing the information extraction degree helps to obtain the stability level of the intensity of the in-doubt logs in the multi-terminal data monitoring network under conditions of communication packet overflow or abnormal access traffic. That is, by computing the information extraction degree, the in-doubt logs whose information extraction degree is less than or equal to the mean information extraction degree of all in-doubt logs are screened out as stable safety logs, and it is judged from all monitored in-doubt logs whether the communication packets or access traffic will fluctuate strongly, so as to identify the safety of the safety log data.
The invention also provides a multi-terminal data monitoring and collecting system based on information extraction, comprising a processor, a memory and a computer program stored in the memory and executable on the processor; when the processor executes the computer program, the steps of the multi-terminal data monitoring and collecting method based on information extraction are implemented. The system can run on computing equipment such as desktop computers, notebook computers, palmtop computers and cloud data centers; the runnable system may include, but is not limited to, a processor, a memory and a server cluster, and the processor executes the computer program in the following system units:
the monitoring network construction unit is used for connecting the server side and the mobile equipment to form a multi-terminal data monitoring network; opening a monitoring process in the mobile equipment;
the intelligent log identification unit is used for acquiring a security log in a log file of the mobile equipment after a monitoring process captures a network request signal of the mobile equipment;
and the link analysis unit is used for acquiring the deep link in the security log.
The invention has the beneficial effects that: according to the multi-terminal data monitoring and collecting method based on information extraction, mobile devices whose log files have not been frequently accessed and tampered with within a short time are intelligently screened out, so that log devices with low use frequency and suspected tampering are filtered out, the fluctuation of the monitoring access degree calculated from the data provided by the mobile devices is reduced, the accuracy of the monitoring access degree is improved, and the monitoring stability and security of the mobile devices are improved.
Drawings
The above and other features of the present invention will become more apparent by describing in detail embodiments thereof with reference to the attached drawings in which like reference numerals designate the same or similar elements, it being apparent that the drawings in the following description are merely exemplary of the present invention and other drawings can be obtained by those skilled in the art without inventive effort, wherein:
Fig. 1 is a flowchart of the multi-terminal data monitoring and collecting method based on information extraction;
Fig. 2 is a structural diagram of the multi-terminal data monitoring and collecting system based on information extraction.
Detailed Description
The conception, the specific structure and the technical effects of the present invention will be clearly and completely described in conjunction with the embodiments and the accompanying drawings to fully understand the objects, the schemes and the effects of the present invention. It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict. The same reference numbers will be used throughout the drawings to refer to the same or like parts.
Fig. 1 is a flowchart of the multi-terminal data monitoring and collecting method based on information extraction according to an embodiment of the present invention; a preferred embodiment is described in detail below. It should be emphasized that the following description is merely exemplary in nature and is in no way intended to limit the scope of the invention or its applications.
S100: a server side and mobile devices are connected to form a multi-terminal data monitoring network, and a monitoring process is opened in the mobile device;
S200: when the monitoring process captures a network request signal of the mobile device, a security log is acquired from the log file of the mobile device;
S300: the deep link in the security log is acquired.
Further, in S100, the multi-terminal data monitoring network includes at least a server side and a mobile device, where the mobile device is a device running iOS, Hongmeng or Android; each mobile device is connected to the server side through a wired and/or wireless network.
Preferably, the wired and/or wireless network includes at least a USB data cable connection, WiFi, Bluetooth and similar networks.
Further, in S100, the method for opening a monitoring process in the mobile device is as follows: if the mobile device runs Android, the Android debugging mode is enabled, the server side is authorized through an Android ADB command, and, after the monitoring process is started in the mobile device, monitoring of the deep links in the log file of the mobile device begins.
Further, in S100, if the mobile device runs iOS or Hongmeng, the configuration file associated with the monitoring process is added to the mobile device and recompiled before monitoring of the deep links in the log file of the mobile device begins.
Further, the deep link carries a client code as one of its parameters; the client code is passed to the application at the time of the jump, so the application can recognize the visitor without requiring a new login. For example, each deep link issued to a client includes an identifier such as custId = xxx (where xxx is the user's ID number) as the client code. The user can therefore be provided with deep links carrying the corresponding customer codes, and an end-to-end customer behavior tracking service can be offered to the user.
Further, a deep link is a URI (Uniform Resource Identifier) that specifies a particular application, the resource content the application will access, and the particular user interface that should be instantiated when the application is launched via the deep link.
Further, each deep link is linked to a respective application such that when a user interacts with a link referencing a particular resource on a mobile device, the particular resource is presented in the application that is installed on the mobile device and that provides the highest ranked user experience for presenting the particular resource.
Further, in S200, the network request signal is the request signal issued when the user clicks a link marker in the APP of the mobile device, which, according to the deep link, automatically bypasses the home page of the linked website and jumps to a specific content page. When the mobile device sends a network request signal, the deep link in the network request signal is acquired and written into the log file of the mobile device; the deep link bypasses the home page of the linked website and links directly to the inner page; at this moment the monitoring process captures the network request signal of the mobile device. The network request signal includes the deep link.
In a multi-terminal operation scenario, the clients are often concentrated in the same geographical area or within the communication range of the same base station, and a log file can easily be monitored by a malicious program or by a website with a trojan backdoor and be updated or tampered with into a trojan link or malicious link. A safe log file therefore needs to be identified when the log file is acquired, specifically:
Further, in S200, after the monitoring process captures the network request signal of the mobile device, the method for obtaining the security log in the log file of the mobile device includes:
S201: let T1 be the time at which the monitoring process of the current mobile device captures the network request signal, and T2 the time at which the server side corresponding to that monitoring process finishes receiving the log file of the mobile device; the period from T1 to T2 is T3. The number of data packets exchanged between the linked website corresponding to the deep link in the log file and the current mobile device during T3 is taken as the monitoring access degree; alternatively, the website traffic of the linked website corresponding to the deep link in the log file during T3 is taken as the monitoring access degree (using the monitoring access degree allows high-frequency abnormal websites to be avoided accurately, improving monitoring accuracy);
S202: set up two empty sets, a transaction set F1 and a comparison set F2. Take each moment in T3 at which the monitoring access degree is greater than 0 as a monitoring moment; the monitoring access degree at the i-th monitoring moment in T3 is Ld1, and that at the (i+1)-th monitoring moment in T3 is Ld2. Compute the average interval between consecutive monitoring moments in T3 as TGY, where i is the sequence number of a monitoring moment in T3, i ∈ [1, N1-1], and N1 is the number of monitoring moments in T3;
traverse each monitoring moment in T3 over the range of i as follows: let T4 be the i-th monitoring moment in T3 and check whether the (i+2)-th monitoring moment falls within the period from T4 to T4 + 2 × TGY. If it does, add the average of D1, D2 and D3 to set F1, where D1, D2 and D3 are the i-th, (i+1)-th and (i+2)-th monitoring access degrees in T3; if it does not, add D1, D2 and D2 in turn to set F2 (set F1 thus holds the averaged high-frequency abnormal monitoring access degrees in T3, and set F2 holds the normal monitoring access degrees in T3);
S203: let F1(j) be the j-th element of F1, j ∈ [1, N2], where N2 is the number of elements in set F1;
traverse the elements of set F1 over the range of j: if every element F1(j) satisfies the condition F2Mean ≥ F1(j) ≥ F2Min or the condition F1(j) ≥ F2Min + ASS × F2Max, the log file is marked as a safety log; otherwise it is marked as an in-doubt log;
where ASS = exp(F1Min ÷ F1Mean) / exp(F1Mean ÷ F1Max);
ASS is the steady-state access coefficient, expressing the exponential ratio of the high-frequency abnormal monitoring access degrees in the set; F2Mean is the mean of all elements in set F2; F2Min is the minimum value in set F2; F2Max is the maximum value in set F2; F1Mean is the mean of all elements in set F1; F1Min is the minimum value in set F1; F1Max is the maximum value in set F1.
Therefore, the method filters the doubt logs which possibly cause the information safety hidden danger so as to improve the accuracy of the subsequent calculation of the information extraction degree.
Preferably, in S200, the following steps are included:
S204: if the log file is marked as an in-doubt log, let Toa1 be the number of monitoring access degrees in set F2 that are greater than F1Max and Toa2 the number of monitoring access degrees in set F2 that are smaller than F1Min. When Toa1 ≤ Toa2, compute the sum of the monitoring access degrees in set F2 that are greater than F1Max as the monitoring high-frequency index, and the sum of the monitoring access degrees in set F2 that are smaller than F1Min as the monitoring low-frequency index; when the monitoring high-frequency index is smaller than the monitoring low-frequency index, the in-doubt log is marked as a safety log.
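The following Python is an added illustration, not code from the patent or its assignee: it carries steps S201 to S203 and the first S204 screening through on constructed sample series, following the text literally (including the "D1, D2 and D2" additions to F2). Function names, the handling of an empty F1 or F2, and the sample data are assumptions of this example.

```python
import math
from statistics import mean

# Added example, not part of the patent: S201-S203 plus the first S204 variant
# applied to constructed (time, monitoring access degree) samples. Function and
# variable names are assumptions; the text itself names only T1..T4, TGY,
# D1..D3, F1, F2, ASS and Toa1/Toa2.

def monitoring_moments(samples, t1, t2):
    """S201/S202: keep samples inside T3 = [T1, T2] whose access degree is > 0."""
    return [(t, d) for t, d in samples if t1 <= t <= t2 and d > 0]

def build_sets(moments):
    """S202: split the monitoring moments into transaction set F1 and comparison set F2."""
    n1 = len(moments)
    f1, f2 = [], []
    if n1 < 2:                      # TGY is undefined with fewer than two moments
        return f1, f2
    tgy = mean(moments[k + 1][0] - moments[k][0] for k in range(n1 - 1))
    for i in range(n1 - 1):         # i in [1, N1-1] in the text; 0-based here
        t4, d1 = moments[i]
        d2 = moments[i + 1][1]
        third = moments[i + 2] if i + 2 < n1 else None
        if third is not None and t4 <= third[0] <= t4 + 2 * tgy:
            f1.append((d1 + d2 + third[1]) / 3)   # tight burst: average goes to F1
        else:
            f2.extend([d1, d2, d2])  # literally "D1, D2 and D2", as S202 states
    return f1, f2

def steady_state_coefficient(f1):
    """ASS = exp(F1Min / F1Mean) / exp(F1Mean / F1Max)."""
    f1_min, f1_max, f1_mean = min(f1), max(f1), mean(f1)
    return math.exp(f1_min / f1_mean) / math.exp(f1_mean / f1_max)

def classify_s203(f1, f2):
    """S203: 'safety' if every F1(j) lies in [F2Min, F2Mean] or is >= F2Min + ASS * F2Max."""
    if not f2:
        return "in-doubt"   # assumption: F2 statistics undefined, cannot vouch for the log
    if not f1:
        return "safety"     # assumption: the all-elements condition holds vacuously
    f2_min, f2_max, f2_mean = min(f2), max(f2), mean(f2)
    threshold = f2_min + steady_state_coefficient(f1) * f2_max
    for v in f1:
        if not (f2_mean >= v >= f2_min or v >= threshold):
            return "in-doubt"
    return "safety"

def rescreen_s204(f1, f2):
    """First S204 variant: re-examine an in-doubt log by the trend of F2 against F1."""
    f1_min, f1_max = min(f1), max(f1)
    high = [v for v in f2 if v > f1_max]   # Toa1 = len(high), high-frequency index = sum
    low = [v for v in f2 if v < f1_min]    # Toa2 = len(low),  low-frequency index = sum
    if len(high) <= len(low) and sum(high) < sum(low):
        return "safety"
    return "in-doubt"

def classify_log(samples, t1, t2):
    """Whole pipeline for one log file; returns (final label, F1, F2)."""
    f1, f2 = build_sets(monitoring_moments(samples, t1, t2))
    label = classify_s203(f1, f2)
    if label == "in-doubt" and f1 and f2:
        label = rescreen_s204(f1, f2)
    return label, f1, f2

# Constructed sample series: (seconds since T1, monitoring access degree).
STEADY_LOG = [(0, 3), (5, 3), (10, 3), (25, 0), (40, 9), (70, 9), (100, 9), (150, 4)]
DECAYING_LOG = [(0, 10), (10, 10), (20, 10), (60, 2), (100, 2), (140, 2), (180, 2)]
SPIKY_LOG = [(0, 40), (10, 40), (20, 40), (70, 60), (120, 1), (170, 60), (220, 1)]

if __name__ == "__main__":
    cases = (("steady", STEADY_LOG, 100), ("decaying", DECAYING_LOG, 180),
             ("spiky", SPIKY_LOG, 220))
    for name, log, t2 in cases:
        label, f1, f2 = classify_log(log, 0, t2)
        print(f"{name}: {label}  F1={f1}  F2={f2}")
```

The steady series passes S203 directly, the decaying series fails S203 (a burst average above F2Mean) but is recovered by S204, and the spiky series stays in doubt because more F2 values exceed F1Max than fall below F1Min.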
Because the linked website corresponding to the deep link in an in-doubt log may be a spoofed attack website or a trojan website, the log files whose linked websites correspond to normal deep links need to be screened out and distinguished in the following manner, specifically:
preferably, in S200, the following steps are included:
S204: compute the information extraction degree of each in-doubt log, specifically:
let N3 be the number of in-doubt logs acquired by the server side in period T3, and log(h) the h-th in-doubt log, h ∈ [1, N3]; each in-doubt log(h) corresponds to one abnormal set F1 and one comparison set F2; F1(j) is the j-th element of F1, j ∈ [1, N2], where N2 is the number of elements in set F1; F2(k) is the k-th element of F2, k ∈ [2, N4], where N4 is the number of elements in set F2;
the formula for computing the information extraction degree logsafe(h) of the h-th in-doubt log(h) is:
[formula image DEST_PATH_IMAGE004 not reproduced on this page]
where exp is the exponential function, PeakGap is the gap between the peaks of the two sets, PeakGap = |F2Max − F1Max|, F1Max is the maximum value in set F1, and F2Max is the maximum value in set F2;
S205: compute the mean Ymean of the information extraction degrees of all in-doubt logs, screen out every in-doubt log whose information extraction degree is less than or equal to Ymean, and mark those logs as safety logs.
Beneficial effects: computing the information extraction degree helps to obtain the stability level of the intensity of the in-doubt logs in the multi-terminal data monitoring network under conditions of communication packet overflow or abnormal access traffic. That is, by computing the information extraction degree, the in-doubt logs whose information extraction degree is less than or equal to the mean information extraction degree of all in-doubt logs are screened out as stable safety logs, and it is judged from all monitored in-doubt logs whether the communication packets or access traffic will fluctuate strongly, so as to identify the safety of the safety log data.
As shown in Fig. 2, the multi-terminal data monitoring and collecting system based on information extraction according to an embodiment of the present invention includes a processor, a memory and a computer program stored in the memory and executable on the processor; when the processor executes the computer program, the steps of the above embodiment of the multi-terminal data monitoring and collecting method based on information extraction are implemented, and the processor executes the computer program in the following system units:
the monitoring network construction unit is used for connecting the server side and the mobile equipment to form a multi-terminal data monitoring network; opening a monitoring process in the mobile equipment;
the intelligent log identification unit is used for acquiring a security log in a log file of the mobile equipment after a monitoring process captures a network request signal of the mobile equipment;
and the link analysis unit is used for acquiring the deep link in the security log.
The multi-terminal data monitoring and collecting system based on information extraction can run on computing equipment such as desktop computers, notebook computers, palmtop computers and cloud data centers. The system includes, but is not limited to, a processor and a memory. Those skilled in the art will appreciate that this is merely an example of the multi-terminal data monitoring and collecting method based on information extraction and does not limit it; the system may include more or fewer components than those shown, may combine some components, or may use different components, and may, for example, further include input and output devices, a network access device, a bus, and the like.
The multi-terminal data monitoring and collecting system based on information extraction includes a processor that executes the computer program to carry out the steps of the embodiment of the multi-terminal data monitoring and collecting method based on information extraction. The system may run on computing equipment such as a desktop computer, a notebook computer, a palmtop computer or a cloud data center, and the equipment it runs on may include, but is not limited to, a processor, a memory, and a server cluster.
The processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, and so on. The general-purpose processor may be a microprocessor or any conventional processor. The processor is the control center of the multi-terminal data monitoring and collecting system based on information extraction and connects all parts of the whole system through various interfaces and lines.
The memory may be used to store the computer program and/or modules, and the processor implements the functions of the multi-terminal data monitoring and collecting method based on information extraction by running or executing the computer program and/or modules stored in the memory and calling the data stored in the memory. The memory may mainly include a program storage area and a data storage area: the program storage area may store an operating system and the application programs required for at least one function (such as a sound playing function or an image playing function), and the data storage area may store data created during use of the handset (such as audio data or a phonebook). In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, an internal memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a Flash memory card, at least one magnetic disk storage device, a Flash memory device, or other volatile solid-state storage device.
Although the present invention has been described in considerable detail and with reference to certain illustrated embodiments, it is not intended to be limited to any such details or embodiments or any particular embodiment, so as to effectively encompass the intended scope of the invention. Furthermore, the foregoing describes the invention in terms of embodiments foreseen by the inventor for which an enabling description was available, notwithstanding that insubstantial modifications of the invention, not presently foreseen, may nonetheless represent equivalent modifications thereto.

Claims (6)

1. A multi-terminal data monitoring and collecting method based on information extraction is characterized by comprising the following steps:
s100, a server side and mobile equipment are connected to form a multi-terminal data monitoring network; opening a monitoring process in the mobile equipment;
s200, when a monitoring process captures a network request signal of the mobile equipment, acquiring a security log in a log file of the mobile equipment;
s300, acquiring the deep link in the security log.
2. The multi-terminal data monitoring and collecting method based on information extraction according to claim 1, wherein in S100 the multi-terminal data monitoring network includes at least a server side and mobile devices, the mobile devices including devices running iOS, Hongmeng (HarmonyOS) or Android; each mobile device is connected to the server side through a wired and/or wireless network, the wired and/or wireless network including a USB data cable connection, WiFi and a Bluetooth network.
3. The multi-terminal data monitoring and collecting method based on information extraction according to claim 2, wherein in S200 the network request signal is the request signal issued when a user clicks a link marker in an APP on the mobile device and which, according to the deep link, automatically bypasses the home page of the linked website and jumps to a specific content page; when the mobile device sends the network request signal, the deep link in the network request signal is obtained and written into the log file of the mobile device, the deep link linking directly to an inner page while bypassing the home page of the linked website; the network request signal includes the deep link.
4. The multi-terminal data monitoring and collecting method based on information extraction according to claim 1, wherein in S200, after the monitoring process captures the network request signal of the mobile device, the security log is obtained from the log file of the mobile device as follows:
S201, let T1 be the time at which the monitoring process of the current mobile device captures the network request signal and T2 the time at which the server side corresponding to that monitoring process finishes receiving the log file of the mobile device; the period from T1 to T2 is T3; the number of data packets exchanged in T3 between the current mobile device and the linked website corresponding to the deep link in the log file is taken as the monitoring access degree, or the website traffic in T3 of the linked website corresponding to the deep link in the log file is taken as the monitoring access degree;
S202, setting two empty sets as the abnormal set F1 and the comparison set F2; taking each moment in T3 at which the monitoring access degree is greater than 0 as a monitoring moment; calculating the mean interval between consecutive monitoring moments in T3 as TGY; letting i be the sequence number of a monitoring moment in T3, i ∈ [1, N1−1], where N1 is the number of monitoring moments in T3;
traversing the monitoring moments in T3 over the range of i as follows: let T4 be the i-th monitoring moment in T3; judge whether the (i+2)-th monitoring moment falls within the period from T4 to T4 + 2 × TGY; if so, add the mean of the i-th monitoring access degree D1, the (i+1)-th monitoring access degree D2 and the (i+2)-th monitoring access degree D3 in T3 to the set F1; if not, add D1, D2 and D3 in turn to the set F2;
S203, F1(j) denotes the j-th element of the set F1, j ∈ [1, N2], where N2 is the number of elements of F1;
traversing the elements of the set F1 over the range of j: if every element F1(j) satisfies the condition F2Mean ≥ F1(j) ≥ F2Min or the condition F1(j) ≥ F2Min + ASS × F2Max, the log file is marked as a security log; otherwise the log file is marked as an in-doubt log;
where ASS = exp(F1Min ÷ F1Mean) / exp(F1Mean ÷ F1Max);
where ASS is the steady-state access coefficient; F2Mean is the mean of all elements of the set F2; F2Min is the minimum value in F2; F2Max is the maximum value in F2; F1Mean is the mean of all elements of the set F1; F1Min is the minimum value in F1; F1Max is the maximum value in F1.
5. The multi-terminal data monitoring and collecting method based on information extraction according to claim 4, wherein S200 further includes the following step:
S204, if the log file is marked as an in-doubt log, let Toa1 be the number of monitoring access degrees in the set F2 that are greater than F1Max and Toa2 the number of monitoring access degrees in F2 that are smaller than F1Min; when Toa1 ≤ Toa2, calculate the sum of the monitoring access degrees in F2 that are greater than F1Max as the monitoring high-frequency index and the sum of the monitoring access degrees in F2 that are smaller than F1Min as the monitoring low-frequency index; when the monitoring high-frequency index is smaller than the monitoring low-frequency index, the in-doubt log is marked as a security log.
6. The multi-terminal data monitoring and collecting method based on information extraction according to claim 4, wherein S200 further includes the following steps:
S204, calculating the information extraction degree of each in-doubt log, specifically:
the number of in-doubt logs acquired by the server in the time period T3 is N3, log(h) denotes the h-th in-doubt log, h ∈ [1, N3], and each in-doubt log(h) has its own abnormal set F1 and comparison set F2; F1(j) denotes the j-th element of F1, j ∈ [1, N2], where N2 is the number of elements of F1; F2(k) denotes the k-th element of F2, k ∈ [2, N4], where N4 is the number of elements of F2;
the information extraction degree logsafe(h) of the h-th in-doubt log(h) is calculated by the following formula:
[formula supplied as an image in the original (DEST_PATH_IMAGE002A); its terms are not reproduced on this page]
where exp is the exponential function and PeakGap is the peak gap between the two sets, PeakGap = |F2Max − F1Max|; F1Max is the maximum value in the set F1 and F2Max is the maximum value in the set F2;
S205, calculating the mean Ymean of the information extraction degrees of all in-doubt logs, selecting every in-doubt log whose information extraction degree is less than or equal to Ymean, and marking those logs as security logs.
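Worked example of the S201 to S204 screening in claims 4 and 5, written in Python. This is an added example, not the applicant's code; the patent discloses no implementation. The monitoring moments and access degrees are constructed inputs, given as seconds after T1 and packet counts; the loop over i is narrowed so that the (i+2)-th moment always exists, and an empty F1 or F2 is treated as in-doubt. Both of those choices are assumptions of this example. Note what the rule does and does not decide: a log is labelled "security" because its packet count or traffic in T3 is stable, not because the deep link's destination has been checked, so the label by itself says nothing about whether the linked page is safe.

```python
"""Screen one device log file into 'security' or 'in-doubt' (claims 4 and 5).

Added example, not the patent applicant's code. All sample inputs are constructed.
"""
import math
from statistics import mean
from typing import List, Sequence, Tuple

SECURITY = "security"
IN_DOUBT = "in-doubt"

# Constructed samples: (monitoring moment as seconds after T1, monitoring access
# degree at that moment, here the packet count seen in the sampling slot).
TIMES = [0, 1, 2, 3, 6, 7, 8, 12]
STEADY = list(zip(TIMES, [10, 12, 11, 10, 12, 11, 10, 12]))   # flat traffic
SPIKE = list(zip(TIMES, [10, 11, 10, 300, 20, 10, 10, 11]))   # one burst
DRIFT = list(zip(TIMES, [30, 30, 30, 25, 25, 25, 31, 25]))    # small step down


def monitoring_moments(samples: Sequence[Tuple[float, float]]) -> List[Tuple[float, float]]:
    """S202: a monitoring moment is any moment in T3 whose access degree is > 0."""
    return sorted((t, d) for t, d in samples if d > 0)


def build_sets(moments: Sequence[Tuple[float, float]]) -> Tuple[List[float], List[float]]:
    """S202: split the moments into the abnormal set F1 and the comparison set F2.

    TGY is the mean gap between consecutive monitoring moments. For the i-th
    moment T4, if the (i+2)-th moment still falls inside [T4, T4 + 2*TGY] the
    three access degrees are averaged into F1; otherwise D1, D2, D3 go to F2.
    The claim lets i run to N1-1; this loop stops where i+2 exists (assumption).
    """
    times = [t for t, _ in moments]
    degrees = [d for _, d in moments]
    n1 = len(times)
    if n1 < 3:
        return [], []
    tgy = mean(times[i + 1] - times[i] for i in range(n1 - 1))
    f1: List[float] = []
    f2: List[float] = []
    for i in range(n1 - 2):
        t4 = times[i]
        d1, d2, d3 = degrees[i], degrees[i + 1], degrees[i + 2]
        if times[i + 2] <= t4 + 2 * tgy:
            f1.append((d1 + d2 + d3) / 3)
        else:
            f2.extend((d1, d2, d3))
    return f1, f2


def steady_state_coefficient(f1: Sequence[float]) -> float:
    """ASS = exp(F1Min / F1Mean) / exp(F1Mean / F1Max); F1 holds positive values only."""
    f1min, f1max, f1mean = min(f1), max(f1), mean(f1)
    return math.exp(f1min / f1mean) / math.exp(f1mean / f1max)


def first_pass(f1: Sequence[float], f2: Sequence[float]) -> str:
    """S203: security only if every F1(j) lies in [F2Min, F2Mean] or at/above F2Min + ASS*F2Max."""
    if not f1 or not f2:
        return IN_DOUBT  # rule is undefined on an empty set; fail closed (assumption)
    ass = steady_state_coefficient(f1)
    f2mean, f2min, f2max = mean(f2), min(f2), max(f2)
    upper = f2min + ass * f2max
    for x in f1:
        if not (f2min <= x <= f2mean or x >= upper):
            return IN_DOUBT
    return SECURITY


def second_pass(f1: Sequence[float], f2: Sequence[float]) -> str:
    """S204 (claim 5): weigh the F2 outliers above F1Max against those below F1Min."""
    f1max, f1min = max(f1), min(f1)
    high = [x for x in f2 if x > f1max]   # Toa1 = len(high); high-frequency index = sum(high)
    low = [x for x in f2 if x < f1min]    # Toa2 = len(low);  low-frequency index = sum(low)
    if len(high) <= len(low) and sum(high) < sum(low):
        return SECURITY
    return IN_DOUBT


def screen_log(samples: Sequence[Tuple[float, float]]) -> Tuple[str, str]:
    """Run S201 to S204 on one log file; returns (label, step that decided it)."""
    f1, f2 = build_sets(monitoring_moments(samples))
    label = first_pass(f1, f2)
    if label == SECURITY or not f1 or not f2:
        return label, "S203"
    return second_pass(f1, f2), "S204"


if __name__ == "__main__":
    for name, samples in (("steady", STEADY), ("spike", SPIKE), ("drift", DRIFT)):
        print(name, *screen_log(samples))
```

With these inputs the flat log passes S203 directly, the single burst stays in-doubt after both passes (its two values of 300 outweigh the four values below F1Min), and the small step down fails S203 but is rescued by S204 because the seven low readings sum to more than the one high one. The rescue in S204 is worth watching in practice: it favours traffic that dips rather than traffic that spikes, which is the right bias for packet overflow but says nothing about where the deep link points.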
CN202210946451.9A 2022-08-09 2022-08-09 Multi-terminal data monitoring and collecting method based on information extraction Active CN115038089B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210946451.9A CN115038089B (en) 2022-08-09 2022-08-09 Multi-terminal data monitoring and collecting method based on information extraction

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210946451.9A CN115038089B (en) 2022-08-09 2022-08-09 Multi-terminal data monitoring and collecting method based on information extraction

Publications (2)

Publication Number Publication Date
CN115038089A true CN115038089A (en) 2022-09-09
CN115038089B CN115038089B (en) 2022-11-08

Family

ID=83131087

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210946451.9A Active CN115038089B (en) 2022-08-09 2022-08-09 Multi-terminal data monitoring and collecting method based on information extraction

Country Status (1)

Country Link
CN (1) CN115038089B (en)

Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1886757A (en) * 2003-12-04 2006-12-27 国际商业机器公司 Method, system, and storage medium for providing deep linking functions with digital rights management
US20100227554A1 (en) * 2009-03-03 2010-09-09 Gary Bernard Jabara System and method for direct communication between wireless communication devices
CN101861578A (en) * 2007-09-28 2010-10-13 埃克斯里昂股份公司 Network operating system
CN103039094A (en) * 2010-05-13 2013-04-10 华为技术有限公司 System, apparatus for content delivery for internet traffic and methods thereof
CN104363253A (en) * 2014-12-12 2015-02-18 北京奇虎科技有限公司 Website security detecting method and device
CN106302577A (en) * 2015-05-19 2017-01-04 广州四三九九信息科技有限公司 Log processing method
CN106534257A (en) * 2016-09-29 2017-03-22 国家电网公司 Multi-level cluster-type construction multi-source safety log collection system and method
US20170150363A1 (en) * 2015-11-24 2017-05-25 Futurewei Technologies, Inc. Security for proxied devices
CN108021491A (en) * 2017-12-28 2018-05-11 宇龙计算机通信科技(深圳)有限公司 Terminal daily record grasping means, device and terminal log analysis method, device
CN108231074A (en) * 2017-12-11 2018-06-29 深圳市金立通信设备有限公司 A kind of data processing method, voice assistant equipment and computer readable storage medium
CN108293081A (en) * 2015-11-06 2018-07-17 三星电子株式会社 Pass through the program playback deep linking of user interface event to mobile application state
CN109614534A (en) * 2018-11-29 2019-04-12 武汉大学 A kind of focused crawler link Value Prediction Methods based on deep learning and enhancing study
CN110502500A (en) * 2019-07-22 2019-11-26 福建智恒优水科技有限公司 A kind of decentralization database implementation method and device based on block chain
CN111149105A (en) * 2017-09-28 2020-05-12 西门子交通有限责任公司 Method and device for immediate and reaction-free transmission of log messages
CN111625419A (en) * 2020-05-15 2020-09-04 浪潮电子信息产业股份有限公司 Log acquisition method, system, equipment and computer readable storage medium
CN112468611A (en) * 2020-11-27 2021-03-09 深圳市欢太科技有限公司 Application program starting method, terminal device and computer storage medium
US20210397777A1 (en) * 2012-10-15 2021-12-23 Wix.Com Ltd. System and method for deep linking and search engine support for web sites integrating third party application and components

Also Published As

Publication number Publication date
CN115038089B (en) 2022-11-08

Similar Documents

Publication Publication Date Title
CN108427705B (en) Electronic device, distributed system log query method and storage medium
CN110177108B (en) Abnormal behavior detection method, device and verification system
CN109086182B (en) Automatic database alarming method and terminal equipment
CN110266505B (en) Method and equipment for managing session group
CN109543891B (en) Method and apparatus for establishing capacity prediction model, and computer-readable storage medium
CN107239701B (en) Method and device for identifying malicious website
CN110222535B (en) Processing device, method and storage medium for block chain configuration file
WO2021189257A1 (en) Malicious process detection method and apparatus, electronic device, and storage medium
CN112769775B (en) Threat information association analysis method, system, equipment and computer medium
WO2019071968A1 (en) Salary calculation method, application server, and computer readable storage medium
CN110008462B (en) Command sequence detection method and command sequence processing method
CN110941530B (en) Method, device, computer equipment and storage medium for acquiring monitoring data
US10423495B1 (en) Deduplication grouping
CN108156127B (en) Network attack mode judging device, judging method and computer readable storage medium thereof
CN111159009B (en) Pressure testing method and device for log service system
CN102970380A (en) Method for acquiring media data of cloud storage files and cloud storage server
CN115038089B (en) Multi-terminal data monitoring and collecting method based on information extraction
CN111612947A (en) Method, equipment and storage medium for processing communication abnormity of intelligent lock
CN109936528B (en) Monitoring method, device, equipment and system
CN116028917A (en) Authority detection method and device, storage medium and electronic equipment
CN113364766B (en) APT attack detection method and device
CN111199003B (en) Multi-webpage window management method, management device and terminal equipment
CN110677353B (en) Data access method and system
WO2014173129A1 (en) Mobile terminal flow identification method and apparatus
CN113132324B (en) Sample identification method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A Multi terminal Data Monitoring and Acquisition Method Based on Information extraction

Effective date of registration: 20230714

Granted publication date: 20221108

Pledgee: Bank of China Limited by Share Ltd. Guangzhou Tianhe branch

Pledgor: Guangzhou Bojin Network Technology Co.,Ltd.

Registration number: Y2023980048626
