CN115640576B - Malicious application identification method, terminal equipment and readable storage medium - Google Patents

Publication number
CN115640576B
Authority
CN
China
Prior art keywords
popup
score
behavior
background
application
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211592979.7A
Other languages
Chinese (zh)
Other versions
CN115640576A (en)
Inventor
陈贵龙
鲍璐
陈虹
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Honor Device Co Ltd
Original Assignee
Honor Device Co Ltd

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The embodiments of the present application provide a malicious application identification method, a terminal device and a readable storage medium. The method comprises: for each background popup behavior of a target application, determining a background popup behavior that has a popup-associated event in a first period before it to be an associated-event popup behavior; determining a preamble anomaly score of the target application according to the proportion of associated-event popup behaviors among the background popup behaviors; for each background popup behavior of the target application, determining a subsequent anomaly score of the target application according to the anomaly score corresponding to each target feedback event in a second period after the background popup behavior; and judging whether the target application is a malicious application based on the preamble anomaly score and the subsequent anomaly score. Because the judgment takes into account both the correlation between background popup behavior and specific system events and the correlation between background popup behavior and target feedback events, the method has higher accuracy.

Description

Malicious application identification method, terminal equipment and readable storage medium
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a malicious application identification method, a terminal device, and a readable storage medium.
Background
While a terminal is in use, an application popping up advertisements inside its own interface is normal business behavior. However, many malicious applications pop up advertisements on top of other applications or on the lock screen.
The traditional solution is to count the number of out-of-application advertisement popups an application produces in a day and to classify applications based on these counts.
However, this method misses some cases: the out-of-application advertisement popups of some malicious applications show weak statistical characteristics and are hard to identify.
To address the difficulty of identifying malicious applications, current solutions include static detection, application control based on lists or big-data rules, and sandbox simulation, but each of these has shortcomings.
Static detection identifies and classifies an application according to its code and installation package.
However, static detection is better suited to virus detection, and an application cannot be deemed malicious simply because popup-advertisement code is detected in it.
In addition, static detection lacks data from actually running the application.
Application control based on lists or big data lags significantly and is labor-intensive, so control cannot be applied in time.
Big-data rules in particular often require computing averages over a large number of users, and therefore lag significantly.
Sandbox simulation does not match real behavior patterns, and current applications can evade it with anti-sandbox techniques.
Disclosure of Invention
An object of the embodiments of the present application is to provide a malicious application identification method, a terminal device, and a readable storage medium, so as to improve accuracy of identifying malicious applications. The specific technical scheme is as follows:
In a first aspect, the present application provides a malicious application identification method, the method including:
for each background popup behavior of a target application within a preset period, judging whether a popup-associated event exists in a first period before the background popup behavior, and if so, determining the background popup behavior to be an associated-event popup behavior; the popup-associated event is a system event whose popup association score is greater than a preset association score; the popup association score represents the degree of association between the system event and the background popup behavior;
determining a preamble anomaly score of the target application according to the proportion of associated-event popup behaviors among the background popup behaviors;
for each background popup behavior of the target application within the preset period, judging whether a target feedback event exists in a second period after the background popup behavior, and if so, determining a subsequent anomaly score of the target application according to the anomaly score corresponding to each target feedback event; wherein the target feedback event comprises a predetermined user behavior event and/or a system state change event;
and judging whether the target application is a malicious application based on the preamble anomaly score and the subsequent anomaly score.
In one possible embodiment, the popup association score for the background popup behavior is determined based on:
for each background popup behavior of the target application within the preset period, acquiring the system events in a third period before the background popup behavior; for each type of system event before any background popup behavior, determining a single-popup association score for that type of system event based on the following formula:
Figure SMS_1
where [Figure SMS_2] is the single-popup association score of this background popup behavior A and the system event [Figure SMS_3], [Figure SMS_4] is the preset score of the j-th system event before the background popup behavior, and [Figure SMS_5] is the weight of the j-th system event; the magnitude of the preset score is inversely related to the magnitude of j;
the weight satisfies the following formula:
Figure SMS_6
where T is the third period and t is the time difference between the system event and the background popup behavior;
according to the single-popup association scores of any type of system event with respect to each background popup behavior, determining the popup association score of that type of system event based on the following formula:
Figure SMS_7
where [Figure SMS_8] is the popup association score.
In one possible embodiment, the preset association score is determined based on:
acquiring a first normal application sample set;
and determining the popup association scores between the background popup behavior of each normal application in the first normal application sample set and the various predetermined system events, and calculating, from the determined popup association scores, the score at a preset proportion to serve as the preset association score.
In one possible embodiment, the preamble anomaly score is determined based on the following formula:
Figure SMS_9
where R1 is the preamble anomaly score, [Figure SMS_10] is the preset weight coefficient, N is the number of background popup behaviors, and n is the number of associated-event popup behaviors.
In a possible embodiment, the step of determining the subsequent anomaly score of the target application according to the anomaly score corresponding to each target feedback event includes:
summing the products of the number of occurrences of each type of target feedback event and its corresponding anomaly score to obtain the feedback-event anomaly score of the target application;
and taking the ratio of the feedback-event anomaly score to the number of background popup behaviors as the subsequent anomaly score.
In one possible embodiment, for any type of target feedback event, the anomaly score is determined as follows:
acquiring a second normal application sample set and a first malicious application sample set;
acquiring a first proportion, being the proportion of normal applications in the second normal application sample set for which the target feedback event occurs after the background popup behavior, and a second proportion, being the proportion of malicious applications in the first malicious application sample set for which the target feedback event occurs after the background popup behavior;
and taking the ratio of the first proportion to the second proportion as the anomaly score.
In a possible embodiment, the step of judging whether the target application is a malicious application based on the preamble anomaly score and the subsequent anomaly score includes:
judging whether the preamble anomaly score is greater than a preamble threshold, and judging whether the subsequent anomaly score is greater than a postamble threshold;
if the preamble anomaly score is greater than the preamble threshold and the subsequent anomaly score is greater than the postamble threshold, the target application is a high-risk malicious application;
if the preamble anomaly score is greater than the preamble threshold, or the subsequent anomaly score is greater than the postamble threshold, the target application is a risk application;
otherwise, the target application is not a malicious application.
In one possible embodiment, the preamble threshold and the postamble threshold are determined based on the following:
acquiring a second malicious application sample set;
determining a preamble anomaly score and a subsequent anomaly score for each malicious application in the second malicious application sample set;
selecting, from the preamble anomaly scores of the second malicious application sample set, the preamble threshold greater than a second threshold, and selecting, from the subsequent anomaly scores of the second malicious application sample set, the postamble threshold greater than a third threshold.
In one possible embodiment, the background popup behavior data of any malicious application in the second malicious application sample set is less than a model validation threshold when the background popup behavior data is used for model training.
In a second aspect, the present application provides a terminal device, including:
a first determining module, configured to judge, for each background popup behavior of a target application within a preset period, whether a popup-associated event exists in a first period before the background popup behavior, and if so, to determine the background popup behavior to be an associated-event popup behavior; the popup-associated event is a system event whose popup association score is greater than a preset association score; the popup association score represents the degree of association between the system event and the background popup behavior;
a second determining module, configured to determine the preamble anomaly score of the target application according to the proportion of associated-event popup behaviors among the background popup behaviors;
a third determining module, configured to judge, for each background popup behavior of the target application within the preset period, whether a target feedback event exists in a second period after the background popup behavior, and if so, to determine a subsequent anomaly score of the target application according to the anomaly score corresponding to each target feedback event; wherein the target feedback event comprises a predetermined user behavior event and/or a system state change event;
and a judging module, configured to judge whether the target application is a malicious application based on the preamble anomaly score and the subsequent anomaly score.
In a third aspect, the present application provides a computer-readable storage medium having a computer program stored therein, which when executed by a processor, implements the method steps of any of the first aspects described above.
The beneficial effects of the embodiments of the present application are as follows:
The malicious application identification method is based on the characteristic that malicious applications monitor system behavior in order to perform background popup behavior: among the background popup behaviors of the target application within a preset period, associated-event popup behaviors are determined according to whether a popup-associated event exists in a first period before each background popup behavior, and the preamble anomaly score of the target application is then determined according to the proportion of associated-event popup behaviors among the background popup behaviors. Based on the characteristic that the background popup behavior of a malicious application generally causes user behavior events and/or system state change events, the subsequent anomaly score of the target application is determined from the anomaly scores of the target feedback events that follow each background popup behavior of the target application within the preset period. Therefore, when judging whether the target application is a malicious application according to the preamble anomaly score and the subsequent anomaly score, both the correlation between background popup behavior and specific system events and the correlation between background popup behavior and target feedback events are taken into account, and the method has higher accuracy. In addition, the amount of data required to judge whether the target application is a malicious application is small, and the computational power consumption is low.
Of course, not all of the above-described advantages need be achieved simultaneously in practicing any one of the products or methods of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the following description will briefly introduce the drawings that are required to be used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other embodiments may also be obtained according to these drawings to those skilled in the art.
Fig. 1 is an exemplary diagram of a background popup interface provided in an embodiment of the present application;
Fig. 2 is a flow chart of a malicious application identification method provided in an embodiment of the present application;
Fig. 3 is an example diagram of system events prior to any background popup behavior provided by embodiments of the present application;
Fig. 4 is a schematic structural diagram of a functional module of a terminal device according to an embodiment of the present application.
Detailed Description
In order to clearly describe the technical solutions of the embodiments of the present application, the words "first", "second", etc. are used in the embodiments of the present application to distinguish identical or similar items having substantially the same function and effect. For example, the first instruction and the second instruction are used to distinguish different user instructions, and their order is not limited. It will be appreciated by those of skill in the art that the words "first," "second," and the like do not limit quantity or order of execution, and that items described as "first" and "second" are not necessarily different.
In this application, the terms "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
Furthermore, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may indicate: A alone, A and B together, and B alone, wherein A and B may be singular or plural. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. "At least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one of a, b, and c may represent: a, b, or c, or a and b, or a and c, or b and c, or a, b and c, wherein a, b and c can be single or multiple.
In order to more clearly describe the malicious application identification method provided by the embodiment of the present application, a possible application scenario of the embodiment of the present application is first described in the following.
As an example, the malicious application identification method provided by the embodiment of the present application is applied to a terminal, and the terminal can identify whether an installed application belongs to a malicious application. The terminal includes, but is not limited to, a mobile phone, a tablet computer, etc., and the scope of the terminal is not limited by the embodiment of the application.
Furthermore, the malicious application identification method provided by the embodiment of the application can be applied to the cloud server to identify whether the application installed on the terminal served by the cloud side belongs to a malicious application.
Taking a mobile phone as an example, some of the applications installed on the phone may pop up advertisements while the phone is in use. An application popping up advertisements inside its own interface is normal business behavior, but some applications pop up advertisements on top of other applications or on the lock screen interface, and these applications are malicious applications. A mobile phone that applies the malicious application identification method provided by the embodiments of the present application can identify which applications on the phone are malicious applications.
Fig. 1 is an exemplary diagram of a background popup interface provided in an embodiment of the present application, and it can be seen that an advertisement interface is popped up on the mobile phone interface shown in fig. 1, which is the background popup behavior related to the embodiment of the present application.
In order to avoid the background popup behavior shown in fig. 1, malicious applications installed on the terminal need to be identified.
The traditional solution is to count the number of out-of-application advertisement popups an application produces in a day and to classify applications based on these counts.
However, this method misses some cases: the out-of-application advertisement popups of some malicious applications show weak statistical characteristics and are hard to identify.
To address the difficulty of identifying malicious applications, current solutions include static detection, application control based on lists or big-data rules, and sandbox simulation, but each of these has shortcomings.
Static detection identifies and classifies an application according to its code and installation package.
However, static detection is better suited to virus detection, and an application cannot be deemed malicious simply because popup-advertisement code is detected in it.
In addition, static detection lacks data from actually running the application.
Application control based on lists or big data lags significantly and is labor-intensive, so control cannot be applied in time.
Big-data rules in particular often require computing averages over a large number of users, and therefore lag significantly.
Sandbox simulation does not match real behavior patterns, and current applications can evade it with anti-sandbox techniques.
In view of this, an embodiment of the present application provides a malicious application identification method, and fig. 2 is a schematic flow chart of the malicious application identification method provided in the embodiment of the present application, as shown in fig. 2, the method includes the following steps:
Step S201: for each background popup behavior of the target application within a preset period, judging whether a popup-associated event exists in a first period before the background popup behavior, and if so, determining the background popup behavior to be an associated-event popup behavior.
The popup-associated events are system events whose popup association scores are greater than a preset association score, and the popup association score represents the degree of association between a system event and background popup behavior.
The background popup behavior in the embodiments of the present application specifically refers to the behavior of generating a background popup and accessing an advertisement website. As one example, background popup behavior may include a background popup on the lock screen, a background popup on the desktop, a background popup on top of a third-party application, and the like.
According to the malicious application identification method provided by the embodiments of the present application, whether the target application is a malicious application is judged based on one or more background popup behaviors of the target application within a preset period. The preset period only delimits the range of data required to execute the method, and the embodiments of the present application do not specifically limit it.
As an example, the terminal may extract historical data stored for a target application over a period of time, and determine whether the target application belongs to a malicious application based on background popup behavior occurring during the period of time.
In practical applications, malicious applications typically monitor specific system events occurring on the terminal and pop up windows in a targeted manner. For example, some malicious applications pop up a window when they detect a screen-lock operation.
Therefore, based on the degree of association between system events and background popup behavior, the embodiments of the present application infer that a system event whose association score is greater than the preset score is a system event that may be monitored by the target application, namely a popup-associated event. The degree of association is the probability that the system event is monitored by the target application to which the background popup behavior belongs.
If a popup-associated event occurs within a first period before any background popup behavior of the target application, it is inferred that this background popup behavior was performed by the target application based on monitoring of system events, that is, it is an associated-event popup behavior.
It should be appreciated that background popup behavior is generally unrelated to system events that occurred long before it, and there is no need to use such system events to determine whether a background popup behavior is an associated-event popup behavior. The first period is therefore the period in which the monitored system event may occur when a malicious application pops up in a targeted manner based on monitoring of system events; the embodiments of the present application do not specifically limit it.
As one example, system events include, but are not limited to, one or more of the following:
home button, gesture swipe, unlock screen, charge connect, charge disconnect, screen on, screen off, Wi-Fi (wireless local area network) disconnect, application install, application uninstall.
Step S202: determining the preamble anomaly score of the target application according to the proportion of associated-event popup behaviors among the background popup behaviors.
Specifically, the higher the proportion of associated-event popup behaviors among the background popup behaviors, the higher the preamble anomaly score of the target application.
It is noted that if multiple popup-associated events occur before a background popup of the target application, the risk that the target application is a malicious application is not significantly increased.
Therefore, when determining the preamble anomaly score of the target application, the malicious application identification method provided by the embodiments of the present application focuses on the likelihood that each background popup behavior was triggered by monitoring of system events. The popup-associated events before a background popup behavior are not counted; only the proportion of associated-event popup behaviors among the background popup behaviors is considered, which reduces computational power consumption.
Step S203: for each background popup behavior of the target application within the preset period, judging whether a target feedback event exists in a second period after the background popup behavior, and if so, determining the subsequent anomaly score of the target application according to the anomaly score corresponding to each target feedback event.
Wherein the target feedback event comprises a predetermined user behavior event and/or a system state change event.
In practical applications, background popup behavior may change the system state of the terminal or degrade the user's experience of the terminal, so that the user takes some feedback action to improve the experience.
For example, background popup behavior may occupy system resources and cause stuttering, and a user may uninstall the application after seeing the popup advertisement so that the background popup behavior does not recur.
Therefore, the embodiments of the present application predetermine the user behavior events and/or system state change events that background popup behavior may cause as target feedback events, and determine the subsequent anomaly score of the target application according to the anomaly scores of the target feedback events that follow the background popup behavior.
As one example, user behavior events include, but are not limited to, one or more of the following:
clearing the background, uninstalling the application, exiting and clearing the application from the background, and restarting the device.
As one example, system state change events include, but are not limited to, one or more of the following:
high system load, stuttering, increased power consumption, increased memory usage, and an increased number of processes.
It should be appreciated that the system state of the terminal typically changes in real time; therefore, an event that changes the system state to a certain extent may be regarded as a system state change event possibly caused by background popup behavior. For example, an increase in power consumption by a certain percentage or an increase in memory usage by a certain value may be regarded as a system state change event.
Similar to the first period, the second period is a period in which a target feedback event caused by the background popup behavior may occur, which is not specifically limited in the embodiment of the present application.
Step S204: judging whether the target application is a malicious application based on the preamble anomaly score and the subsequent anomaly score.
Specifically, the higher the preamble anomaly score and the subsequent anomaly score, the higher the likelihood that the target application is a malicious application.
The malicious application identification method provided by the embodiments of the present application is based on the characteristic that malicious applications monitor system behavior in order to perform background popup behavior: associated-event popup behaviors are determined among the background popup behaviors according to whether a popup-associated event exists in a first period before each background popup behavior of the target application within a preset period, and the preamble anomaly score of the target application is then determined according to the proportion of associated-event popup behaviors among the background popup behaviors. Based on the characteristic that the background popup behavior of a malicious application generally causes user behavior events and/or system state change events, the subsequent anomaly score of the target application is determined from the anomaly scores of the target feedback events that follow each background popup behavior of the target application within the preset period. Therefore, when judging whether the target application is a malicious application according to the preamble anomaly score and the subsequent anomaly score, both the correlation between background popup behavior and specific system events and the correlation between background popup behavior and target feedback events are taken into account, and the method has higher accuracy. In addition, the amount of data required to judge whether the target application is a malicious application is small, and the computational power consumption is low.
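The scoring flow of steps S201 to S204, run over a small timeline, as an added Python example that is not code from the patent. The window lengths, thresholds, anomaly scores and event names are constructed, and the form R1 = weight × n / N is an assumption because the patent's formula image is missing from this page.

```python
from collections import Counter
from dataclasses import dataclass

# All numeric values and event names below are constructed for illustration.
FIRST_PERIOD = 10.0     # seconds searched before each popup (first period)
SECOND_PERIOD = 60.0    # seconds searched after each popup (second period)
WEIGHT = 1.0            # preset weight coefficient of the preamble score
PREAMBLE_THRESHOLD = 0.4
POSTAMBLE_THRESHOLD = 1.0

# System event types whose popup association score already exceeds the
# preset association score, i.e. the popup-associated events.
ASSOCIATED_EVENTS = {"unlock_screen", "charge_connect"}
# Anomaly score of each target feedback event type.
FEEDBACK_SCORES = {"uninstall_application": 3.0, "clean_background": 1.5,
                   "memory_increase": 0.5}


@dataclass(frozen=True)
class Event:
    t: float    # timestamp in seconds
    kind: str


def preamble_score(popups, system_events):
    """S201/S202: share of popups preceded by a popup-associated event.

    Assumed form R1 = WEIGHT * n / N. A popup counts once however many
    associated events precede it, as the description requires.
    """
    if not popups:
        return 0.0
    n = sum(
        any(e.kind in ASSOCIATED_EVENTS and 0 < p - e.t <= FIRST_PERIOD
            for e in system_events)
        for p in popups
    )
    return WEIGHT * n / len(popups)


def subsequent_score(popups, feedback_events):
    """S203: sum(occurrences * anomaly score) / number of popups.

    Design choice of this example: a feedback event that falls inside the
    windows of two popups is counted once.
    """
    if not popups:
        return 0.0
    counts = Counter(
        e.kind for e in feedback_events
        if e.kind in FEEDBACK_SCORES
        and any(0 < e.t - p <= SECOND_PERIOD for p in popups)
    )
    total = sum(counts[k] * FEEDBACK_SCORES[k] for k in counts)
    return total / len(popups)


def classify(r1, r2):
    """S204: compare both scores with their thresholds."""
    over_pre = r1 > PREAMBLE_THRESHOLD
    over_post = r2 > POSTAMBLE_THRESHOLD
    if over_pre and over_post:
        return "high-risk malicious application"
    if over_pre or over_post:
        return "risk application"
    return "not malicious"


def assess(popups, system_events, feedback_events):
    r1 = preamble_score(popups, system_events)
    r2 = subsequent_score(popups, feedback_events)
    return r1, r2, classify(r1, r2)


# Constructed timeline for one target application (seconds).
POPUPS = [100.0, 400.0, 900.0, 1500.0]
SYSTEM_EVENTS = [
    Event(95.0, "unlock_screen"), Event(97.0, "charge_connect"),  # both before popup 1
    Event(395.0, "wifi_disconnect"),    # not a popup-associated event
    Event(893.0, "unlock_screen"),      # 7 s before popup 3
    Event(1400.0, "unlock_screen"),     # 100 s before popup 4: outside the window
]
FEEDBACK_EVENTS = [
    Event(120.0, "clean_background"),        # 20 s after popup 1
    Event(700.0, "memory_increase"),         # after no popup's window
    Event(1530.0, "uninstall_application"),  # 30 s after popup 4
]

if __name__ == "__main__":
    print(assess(POPUPS, SYSTEM_EVENTS, FEEDBACK_EVENTS))
```

Two of the four popups follow an associated event and two scored feedback events follow popups, so both scores exceed the constructed thresholds; removing the system events leaves only the subsequent score above its threshold.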
In one embodiment of the present application, the popup association score of the background popup behavior is determined based on the following manner, and specifically includes the following steps:
step one: and acquiring a system event in a third period before the background popup behavior aiming at each background popup behavior of the target application in a preset period.
Step two: for each type of system event before any background popup behavior, determining a single popup association score for the type of system event based on the following formula:
Figure SMS_11
where
Figure SMS_12
is, for this background popup behavior A and the system event
Figure SMS_13
, the single popup association score;
Figure SMS_14
is the preset score of the j-th such system event before the background popup behavior;
Figure SMS_15
is the weight of the j-th such system event; the magnitude of the preset score is inversely related to the magnitude of j;
the weights satisfy the following formula:
Figure SMS_16
where T is the third period and t is the time difference between the system event and the background popup behavior.
It should be appreciated that the closer in time a system event occurs to the background popup behavior, that is, the shorter the time difference between them, the stronger the correlation between the system event and the background popup behavior, and therefore the higher the score and weight values of that system event.
As an example, the score of the system event closest to A is set to 2, and the score of every other occurrence of that kind of system event is set to 1.
Step three: according to the single popup association scores of any kind of system event for each background popup behavior, determine the popup association score of that kind of system event based on the following formula:
Figure SMS_17
where
Figure SMS_18
is the popup association score.
For ease of understanding, the determination of the popup association score is described below with a specific example, in which a certain background popup behavior of the target application is denoted A1 and the system behavior of charging connection is denoted Si.
FIG. 3 is an exemplary diagram of system events before any background popup behavior provided by an embodiment of the present application. In the figure, S1 is the first charging connection event that occurred within the third period T before A1, S2 is the second charging connection event that occurred before A1, and S… denotes the other charging connection events that occurred before A1; the time differences between S1, S2 and A1 are t1 and t2, respectively.
When calculating, for the situation shown in FIG. 3,
Figure SMS_19
the scores of S1, S2 and S… are respectively 2, 1, and the weights are respectively (T-t1)/T, (T-t2)/T and (T-t…)/T, based on which the following can be calculated for Si:
Figure SMS_20
After calculating, for Si and a given background popup behavior,
Figure SMS_21
the single popup association scores for the individual background popup behaviors are summed to obtain the popup association score of Si.
As an example, assume that three background popup behaviors A1, A2 and A3 occur within the preset period; the popup association score of Si is then
Figure SMS_22
After the popup association scores between the various system events and the background popup behavior of the target software are calculated, a system event whose popup association score is greater than the preset association score is determined as a popup association event of the target application, in combination with the description of step S201 above.
Illustratively, the preset association score is denoted Thresh. Assume that there are three kinds of system events, Si, Sm and Sn, and that
Figure SMS_23
,
Figure SMS_24
,
Figure SMS_25
Then the popup association events of the target application include Si and Sm.
In one embodiment of the present application, the third period is greater than the first period.
In the embodiment of the application, the system events before each background popup behavior of the target application are acquired, and the popup association scores of the system events are determined according to the order of the system events and their time differences from the background popup behavior, which gives higher accuracy. Therefore, when a system event whose popup association score is greater than the preset association score is determined as a popup association event, the determined popup association event is more likely to be one that the target application monitors, and the determination is more accurate.
In one embodiment of the present application, the preset association score is determined based on the following:
Acquiring a first normal application sample set;
determining the popup association scores between the background popup behaviors of each normal application in the first normal application sample set and the various predetermined system events, and calculating the quantile of a preset proportion of the determined popup association scores to serve as the preset association score.
It should be appreciated that normal applications also have background popup behaviors that are related to system behavior, so the preset association score may be determined from normal application samples. Specifically, the popup association scores for the first normal application sample set may be calculated as described above.
Each kind of system event has a popup association score for each normal application, and one of these popup association scores may be selected as the preset association score. As one example, the first 75% quantile of the popup association scores of the first normal application sample set is selected as the preset association score.
Because the malicious application identification method provided by the embodiment of the application is used for identifying the malicious application, if the normal application is identified as the malicious application, the user experience is obviously affected. Therefore, the quantile of the preset proportion is selected from the popup association scores of the normal application sample set to serve as the preset association score, so that the situation that the normal application is mistakenly identified as the malicious application can be avoided, and the practicability of the malicious application identification method is improved.
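The scoring and threshold selection described above can be traced with a short Python sketch. This is an added example, not code from the patent: because the formulas survive on this page only as figure placeholders, the single popup score is assumed to be the sum of score × weight over the events in the window, with weight (T - t)/T and scores 2/1 as in the FIG. 3 example; the event names, timestamps, sample scores and the interpolation rule for the quantile are constructed.

```python
from collections import defaultdict


def single_popup_score(popup_time, event_times, T, nearest_score=2.0, other_score=1.0):
    """Single popup association score of one event kind for one background popup.

    Assumed form (the page's formula image is missing): sum of score_j * weight_j.
    """
    # Time differences t of events inside the third period T before the popup,
    # nearest first, so index 0 is the event closest to the popup (j = 1).
    diffs = sorted(popup_time - e for e in event_times if 0 < popup_time - e <= T)
    total = 0.0
    for j, t in enumerate(diffs):
        score = nearest_score if j == 0 else other_score  # example on the page: 2, then 1
        weight = (T - t) / T                               # example on the page: (T - t) / T
        total += score * weight
    return total


def popup_association_scores(popup_times, events, T):
    """Sum the single popup scores of each event kind over all background popups."""
    by_kind = defaultdict(list)
    for ts, kind in events:
        by_kind[kind].append(ts)
    return {
        kind: sum(single_popup_score(a, times, T) for a in popup_times)
        for kind, times in by_kind.items()
    }


def quantile(values, q):
    """Quantile by linear interpolation between order statistics (assumed convention)."""
    if not values:
        raise ValueError("need at least one sample score")
    ordered = sorted(values)
    pos = q * (len(ordered) - 1)
    lo = int(pos)
    hi = min(lo + 1, len(ordered) - 1)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (pos - lo)


def popup_association_events(scores, thresh):
    """Event kinds whose popup association score exceeds the preset association score."""
    return {kind for kind, s in scores.items() if s > thresh}


# Constructed sample data (seconds since an arbitrary origin).
T = 100
POPUPS = [1000, 2000, 3000]                      # background popups A1, A2, A3
EVENTS = [
    (950, "charger_connected"), (990, "charger_connected"),
    (1980, "charger_connected"), (2975, "charger_connected"),
    (940, "screen_off"), (2500, "screen_off"),
    (1995, "wifi_connected"),
]
# Constructed popup association scores measured on normal applications.
NORMAL_APP_SCORES = [0.0, 0.4, 0.8, 1.2, 2.0]


def demo():
    scores = popup_association_scores(POPUPS, EVENTS, T)
    thresh = quantile(NORMAL_APP_SCORES, 0.75)
    return scores, thresh, popup_association_events(scores, thresh)


if __name__ == "__main__":
    scores, thresh, kinds = demo()
    for kind, s in sorted(scores.items()):
        print(f"{kind:18s} {s:.2f}")
    print("Thresh =", thresh, "-> popup association events:", sorted(kinds))
```

Events that recur shortly before every popup accumulate score across A1 to A3, while an event that happens to precede a single popup stays below a threshold taken from normal applications.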
In one embodiment of the present application, the preamble anomaly score is determined based on the following equation:
Figure SMS_26
where R1 is the preamble anomaly score,
Figure SMS_27
is the preset weight coefficient, N is the number of background popup behaviors, and n is the number of associated event popup behaviors.
Specifically,
Figure SMS_28
When judging whether the target application belongs to a malicious application, the associated event popup behavior has a larger influence on the degree of maliciousness of the target application, so a weight coefficient can be set to increase the influence of the associated event popup behavior on the preamble anomaly score, which improves the accuracy of the calculated preamble anomaly score.
In one embodiment of the present application, determining the subsequent anomaly score of the target application according to the anomaly score corresponding to each target feedback event may be specifically implemented by the following steps:
summing the product of the occurrence times of each type of target feedback event and the corresponding abnormal score to obtain the feedback event abnormal score of the target application;
and taking the ratio of the feedback event abnormal score to the number of times of background popup behaviors as a subsequent abnormal score.
In an actual application scenario, different target feedback events may be triggered according to different malicious degrees of the background popup window behaviors.
Therefore, different abnormal scores can be determined for different target feedback events according to actual conditions, and the magnitude of the abnormal scores is positively correlated with the malicious degree of background popup window behaviors which are usually corresponding to the target feedback events.
For example, if the user cannot uninstall the target application after the background popup, and even cannot find the target application corresponding to the background popup, the user may choose to directly restart the terminal, and the malicious degree of the background popup is high.
Thus, if a restart occurs after the background popup behavior, it may indicate that the background popup behavior is more malicious, and a higher anomaly score may be determined for the restart.
As one example, when determining the anomaly score corresponding to each target feedback event, a shutdown restart is scored x0, uninstalling the application is scored x1, pushing the application out of the background to clear it is scored x2, background cleaning is scored x3, and other target feedback events are scored x4.
For example, x0 = 15, x1 = 10, x2 = 3, x3 = 2, x4 = 1.
Specifically, the more target feedback events occur after the background popup behaviors of the target application, and the greater the anomaly scores corresponding to those target feedback events, the higher the subsequent anomaly score of the target application.
Taking the anomaly score scoring method exemplified above as an example, in this case, the subsequent anomaly score of the target application satisfies the following equation:
Figure SMS_29
where R2 is the subsequent anomaly score,
Figure SMS_30
is the number of shutdown restarts,
Figure SMS_31
is the number of application uninstalls,
Figure SMS_32
is the number of times the application is pushed out of the background and cleared,
Figure SMS_33
is the number of background cleanings, and
Figure SMS_34
is the number of other target feedback events.
When the subsequent abnormal score of the target application is calculated, the number of times of the target feedback event after the background popup behavior and the malicious degree of the background popup behavior possibly reflected by the target feedback event are considered, and the calculated subsequent abnormal score has higher accuracy.
In one embodiment of the present application, for any type of targeted feedback event, the anomaly score is determined based on the following:
acquiring a second normal application sample set and a first malicious application sample set;
acquiring a first proportion of target feedback events of normal applications in a second normal application sample set after a background popup behavior occurs, and a second proportion of target feedback events of malicious applications in the first malicious application sample set after the background popup behavior occurs;
the ratio of the first proportion to the second proportion is taken as an abnormality score.
Taking uninstalling the application as an example, assume that the proportion of normal applications in the second normal application sample set that are uninstalled after a background popup behavior occurs is a, and the proportion of malicious applications in the first malicious application sample set that are uninstalled after a background popup behavior occurs is b; the anomaly score corresponding to the target feedback event of uninstalling the application is then a/b.
In the embodiment of the application, the anomaly score corresponding to a target feedback event is determined based on the proportions in which that target feedback event follows a background popup behavior for the normal applications and the malicious applications in the application samples, which gives higher accuracy.
In one embodiment of the present application, whether the target application belongs to a malicious application is determined based on the preamble anomaly score and the subsequent anomaly score, specifically by:
judging whether the preamble anomaly score is greater than a preamble threshold, and judging whether the subsequent anomaly score is greater than a postamble threshold;
if the preamble anomaly score is greater than the preamble threshold and the subsequent anomaly score is greater than the postamble threshold, the target application is a high-risk malicious application;
if the preamble anomaly score is greater than the preamble threshold, or the subsequent anomaly score is greater than the postamble threshold, the target application is a medium-risk application;
otherwise, the target application is not a malicious application.
According to the malicious application identification method provided by the embodiment of the application, the target application is inferred to be a high-risk malicious application when both its preamble anomaly score and its subsequent anomaly score are high, that is, when the preamble anomaly score is greater than the preamble threshold and the subsequent anomaly score is greater than the postamble threshold. Only when just one of the two scores is high, that is, when the preamble anomaly score is greater than the preamble threshold or the subsequent anomaly score is greater than the postamble threshold, is the target application inferred to be a medium-risk malicious application. This avoids misidentifying a medium-risk malicious application as a high-risk malicious application and improves the practicability of the malicious application identification method.
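The two scores and the three-way decision can be put together in a short Python sketch. This is an added example, not code from the patent: the preamble formula survives on this page only as a figure placeholder, so R1 is assumed here to be alpha · n / N; R2 follows the text (sum of count × anomaly score, divided by the number of background popups) with the example scores 15/10/3/2/1, and the event names, timestamps, periods and thresholds are constructed. The middle tier is labelled "medium-risk application".

```python
# Example anomaly scores x0..x4 from the text; the event names are hypothetical labels.
FEEDBACK_SCORES = {
    "restart": 15,           # shutdown restart
    "uninstall": 10,         # uninstalling the application
    "swipe_clear_app": 3,    # pushing the application out of the background
    "background_clean": 2,   # background cleaning
    "other": 1,              # any other target feedback event
}


def associated_popup_count(popup_times, system_events, assoc_kinds, first_period):
    """n: popups that have a popup association event in the first period before them."""
    n = 0
    for a in popup_times:
        if any(kind in assoc_kinds and 0 < a - ts <= first_period
               for ts, kind in system_events):
            n += 1
    return n


def preamble_score(n, N, alpha=1.0):
    """R1, assumed to be alpha * n / N (the page's formula image is missing)."""
    return alpha * n / N if N else 0.0


def subsequent_score(popup_times, feedback_events, second_period, scores=FEEDBACK_SCORES):
    """R2: sum of feedback anomaly scores after popups, divided by the popup count."""
    N = len(popup_times)
    if N == 0:
        return 0.0
    total = 0
    for ts, kind in feedback_events:
        # Count an event once if it falls in the second period after any popup
        # (an assumption; the text does not say how overlapping windows are handled).
        if any(0 < ts - a <= second_period for a in popup_times):
            total += scores.get(kind, scores["other"])
    return total / N


def classify(r1, r2, preamble_threshold, postamble_threshold):
    """Check the AND branch first: the OR condition also holds when both scores are high."""
    pre = r1 > preamble_threshold
    post = r2 > postamble_threshold
    if pre and post:
        return "high-risk malicious application"
    if pre or post:
        return "medium-risk application"
    return "not malicious"


# Constructed sample data (seconds since an arbitrary origin).
POPUPS = [1000, 2000, 3000, 4000]
SYSTEM_EVENTS = [
    (990, "charger_connected"), (1985, "charger_connected"),
    (2900, "charger_connected"), (3995, "screen_off"),
]
ASSOC_KINDS = {"charger_connected"}   # popup association events found earlier
FEEDBACK = [
    (1060, "background_clean"), (3020, "swipe_clear_app"),
    (3500, "restart"), (4100, "restart"),
]
FIRST_PERIOD, SECOND_PERIOD = 30, 120
PREAMBLE_THRESHOLD, POSTAMBLE_THRESHOLD = 0.4, 3.0   # constructed thresholds


def demo():
    n = associated_popup_count(POPUPS, SYSTEM_EVENTS, ASSOC_KINDS, FIRST_PERIOD)
    r1 = preamble_score(n, len(POPUPS))
    r2 = subsequent_score(POPUPS, FEEDBACK, SECOND_PERIOD)
    return r1, r2, classify(r1, r2, PREAMBLE_THRESHOLD, POSTAMBLE_THRESHOLD)


if __name__ == "__main__":
    r1, r2, verdict = demo()
    print(f"R1 = {r1:.2f}, R2 = {r2:.2f} -> {verdict}")
```

With the constructed data, two of four popups follow a charger connection within the first period (R1 = 0.5) and three feedback events worth 2 + 3 + 15 fall inside the second period (R2 = 5.0), so both thresholds are exceeded.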
In another embodiment of the present application, the classification model may be trained by normal application samples and malicious application samples for which the preamble anomaly score and the following anomaly score have been determined, and then the trained classification model is used to determine whether the target application belongs to a malicious application.
In one embodiment of the present application, the preamble threshold and the postamble threshold are determined based on the following:
acquiring a second malicious application sample set;
determining a preamble anomaly score and a subsequent anomaly score for each malicious application in the second malicious application sample set;
and selecting a preamble threshold larger than a second threshold from the preamble anomaly scores of the second malicious application sample set, and selecting a postamble threshold larger than a third threshold from the subsequent anomaly scores of the second malicious application sample set.
Specifically, the preamble anomaly score and the subsequent anomaly score of each malicious application in the second malicious application sample set may be calculated with reference to the descriptions of step S201 to step S203 above, and the preamble threshold and the postamble threshold may be selected from these scores.
As one example, the first 75% quantile of the preamble anomaly scores of the second malicious application sample set is selected as the preamble threshold, and the first 75% quantile of the subsequent anomaly scores is selected as the postamble threshold.
According to the embodiment of the application, the preamble abnormality score and the postamble abnormality score of each malicious application in the malicious application sample set are calculated, larger values are selected from the preamble abnormality score and the postamble abnormality score as the preamble threshold and the postamble threshold, and the determined preamble threshold and postamble threshold are high in accuracy. Therefore, the accuracy is higher when judging whether the target application belongs to the malicious application according to the preamble threshold and the postamble threshold, and the situation that the normal application is mistakenly identified as the malicious application can be avoided, so that the accuracy and the practicability of the malicious application identification method are improved.
In one embodiment of the present application, the amount of background popup behavior data of any malicious application in the second malicious application sample set is less than the model validation threshold that applies when background popup behavior data is used for model training.
The model validation threshold can be obtained according to bad case analysis.
Specifically, the identification of the target application with sufficient data volume can be generally solved through a model, and the malicious application identification method provided by the embodiment of the application is also suitable for identifying the target application with low-frequency background popup behavior, so that the preamble threshold and the postamble threshold are determined by taking the malicious application with lower data volume as a sample to better accord with the application scene of the embodiment of the application.
For the foregoing malicious application identification method, the present application further provides a terminal device, fig. 4 is a schematic functional module structure of the terminal device provided in the embodiment of the present application, and referring to fig. 4, the terminal device includes:
the first determining module 401 is configured to determine, for each background popup behavior of the target application in a preset period, whether a popup related event exists in a first period before the background popup behavior, and if so, determine the background popup behavior as a related event popup behavior; the popup association event is a system event with a popup association score greater than a preset association score; the popup association score represents the association degree of the system event and the background popup behavior;
a second determining module 402, configured to determine a preamble anomaly score of the target application according to the proportion of associated event popup behaviors among the background popup behaviors;
a third determining module 403, configured to determine, for each background popup behavior of the target application in a preset period, whether a target feedback event exists in a second period after the background popup behavior, if so, determine a subsequent abnormal score of the target application according to an abnormal score corresponding to each target feedback event; wherein the target feedback event comprises a predetermined user behavior event and/or a system state change event;
A judging module 404, configured to judge whether the target application belongs to a malicious application based on the preamble abnormality score and the subsequent abnormality score.
In one embodiment of the present application, the popup relevance score for background popup behavior is determined based on:
aiming at each background popup action of the target application in the preset time period, acquiring a system event in a third time period before the background popup action;
for each type of system event before any background popup behavior, determining a single popup association score for the type of system event based on the following formula:
Figure SMS_35
where
Figure SMS_36
is, for this background popup behavior A and the system event
Figure SMS_37
, the single popup association score;
Figure SMS_38
is the preset score of the j-th such system event before the background popup behavior;
Figure SMS_39
is the weight of the j-th such system event; the magnitude of the preset score is inversely related to the magnitude of j;
the weights satisfy the following formula:
Figure SMS_40
where T is the third period and t is the time difference between the system event and the background popup behavior;
according to the single popup association scores of any kind of system event for each background popup behavior, determining the popup association score of that kind of system event based on the following formula:
Figure SMS_41
where
Figure SMS_42
is the popup association score.
In one embodiment of the present application, the preset association score is determined based on the following:
Acquiring a first normal application sample set;
determining the popup association scores between the background popup behaviors of each normal application in the first normal application sample set and the various predetermined system events, and calculating the quantile of a preset proportion of the determined popup association scores to serve as the preset association score.
In one embodiment of the present application, the second determining module 402 is specifically configured to determine the preamble anomaly score based on the following formula:
Figure SMS_43
where R1 is the preamble anomaly score,
Figure SMS_44
is the preset weight coefficient, N is the number of background popup behaviors, and n is the number of associated event popup behaviors.
In one embodiment of the present application, the third determining module 403 is specifically configured to:
summing the product of the occurrence times of each type of target feedback event and the corresponding abnormal score to obtain the feedback event abnormal score of the target application;
and taking the ratio of the feedback event abnormal score to the number of times of background popup behaviors as a subsequent abnormal score.
In one embodiment of the present application, for any type of targeted feedback event, the anomaly score is determined based on the following:
acquiring a second normal application sample set and a first malicious application sample set;
acquiring a first proportion of target feedback events of normal applications in a second normal application sample set after a background popup behavior occurs, and a second proportion of target feedback events of malicious applications in the first malicious application sample set after the background popup behavior occurs;
The ratio of the first proportion to the second proportion is taken as an abnormality score.
In one embodiment of the present application, the determining module 404 is specifically configured to:
judging whether the preamble anomaly score is greater than a preamble threshold, and judging whether the subsequent anomaly score is greater than a postamble threshold;
if the preamble anomaly score is greater than the preamble threshold and the subsequent anomaly score is greater than the postamble threshold, the target application is a high-risk malicious application;
if the preamble anomaly score is greater than the preamble threshold, or the subsequent anomaly score is greater than the postamble threshold, the target application is a medium-risk application;
otherwise, the target application is not a malicious application.
In one embodiment of the present application, the preamble threshold and the postamble threshold are determined based on the following:
acquiring a second malicious application sample set;
determining a preamble anomaly score and a subsequent anomaly score for each malicious application in the second malicious application sample set;
and selecting a preamble threshold larger than a second threshold from the preamble anomaly scores of the second malicious application sample set, and selecting a postamble threshold larger than a third threshold from the subsequent anomaly scores of the second malicious application sample set.
In one embodiment of the present application, the amount of background popup behavior data of any malicious application in the second malicious application sample set is less than the model validation threshold that applies when background popup behavior data is used for model training.
In a specific implementation, the application further provides a computer storage medium, where the computer storage medium may store a program, where when the program runs, the program controls a device where the computer readable storage medium is located to execute some or all of the steps in the foregoing embodiments. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random-access memory (random access memory, RAM), or the like.
In a specific implementation, the embodiment of the application further provides a computer program product, where the computer program product contains executable instructions, and when the executable instructions are executed on a computer, the executable instructions cause the computer to perform some or all of the steps in the above method embodiments.
Embodiments of the mechanisms disclosed herein may be implemented in hardware, software, firmware, or a combination of these implementations. Embodiments of the present application may be implemented as a computer program or program code that is executed on a programmable system including at least one processor, a storage system (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device.
Program code may be applied to input instructions to perform the functions described herein and generate output information. The output information may be applied to one or more output devices in a known manner. For purposes of this application, a processing system includes any system having a processor such as, for example, a digital signal processor (Digital Signal Processor, DSP), microcontroller, application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or microprocessor.
The program code may be implemented in a high level procedural or object oriented programming language to communicate with a processing system. Program code may also be implemented in assembly or machine language, if desired. Indeed, the mechanisms described in the present application are not limited in scope to any particular programming language. In either case, the language may be a compiled or interpreted language.
In some cases, the disclosed embodiments may be implemented in hardware, firmware, software, or any combination thereof. The disclosed embodiments may also be implemented as instructions carried by or stored on one or more transitory or non-transitory machine-readable (e.g., computer-readable) storage media, which may be read and executed by one or more processors. For example, the instructions may be distributed over a network or through other computer-readable media. Thus, a machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer), including, but not limited to, floppy diskettes, optical disks, compact disc read-only memories (Compact Disc Read Only Memory, CD-ROMs), magneto-optical disks, read-only memories (ROMs), random access memories (RAMs), erasable programmable read-only memories (Erasable Programmable Read Only Memory, EPROMs), electrically erasable programmable read-only memories (Electrically Erasable Programmable Read Only Memory, EEPROMs), magnetic or optical cards, flash memory, or tangible machine-readable memory for transmitting information (e.g., carrier waves, infrared signals, digital signals, etc.) using the internet in an electrical, optical, acoustical or other form of propagated signal. Thus, a machine-readable medium includes any type of machine-readable medium suitable for storing or transmitting electronic instructions or information in a form readable by a machine (e.g., a computer).
In the drawings, some structural or methodological features may be shown in a particular arrangement and/or order. However, it should be understood that such a particular arrangement and/or ordering may not be required. Rather, in some embodiments, these features may be arranged in a different manner and/or order than shown in the drawings of the specification. Additionally, the inclusion of structural or methodological features in a particular figure is not meant to imply that such features are required in all embodiments, and in some embodiments, may not be included or may be combined with other features.
It should be noted that, in the embodiments of the present application, each unit/module is a logic unit/module, and in physical aspect, one logic unit/module may be one physical unit/module, or may be a part of one physical unit/module, or may be implemented by a combination of multiple physical units/modules, where the physical implementation manner of the logic unit/module itself is not the most important, and the combination of functions implemented by the logic unit/module is the key to solve the technical problem posed by the present application. Furthermore, to highlight the innovative part of the present application, the above-described device embodiments of the present application do not introduce units/modules that are less closely related to solving the technical problems presented by the present application, which does not indicate that the above-described device embodiments do not have other units/modules.
It should be noted that in the examples and descriptions of this patent, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
While the present application has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present application.

Claims (11)

1. A malicious application identification method, comprising:
judging whether a popup window associated event exists in a first period before a background popup window behavior aiming at each background popup window behavior of a target application in a preset period, and if so, determining the background popup window behavior as an associated event popup window behavior; the popup association event is a system event with a popup association score greater than a preset association score; the popup association score represents the association degree of the system event and the background popup behavior;
determining a preamble anomaly score of the target application according to the proportion of the associated event popup behaviors among the background popup behaviors;
judging whether a target feedback event exists in a second period after the background popup behavior aiming at each background popup behavior of the target application in the preset period, if so, determining a subsequent abnormal score of the target application according to an abnormal score corresponding to each target feedback event; wherein the target feedback event comprises a predetermined user behavior event and/or a system state change event;
and judging whether the target application belongs to a malicious application or not based on the preamble abnormality score and the follow-up abnormality score.
2. The method of claim 1, wherein the popup correlation score for the background popup behavior is determined based on:
aiming at each background popup action of the target application in the preset period, acquiring a system event in a third period before the background popup action;
for each type of system event before any background popup behavior, determining a single popup association score for the type of system event based on the following formula:
Figure QLYQS_1
wherein
Figure QLYQS_2
is, for this background popup behavior A and the system event
Figure QLYQS_3
, the single popup association score;
Figure QLYQS_4
is the preset score of the j-th said system event before the background popup behavior;
Figure QLYQS_5
is the weight of the j-th said system event; the magnitude of the preset score is inversely related to the magnitude of j;
the weight satisfies the following formula:
Figure QLYQS_6
wherein ,Tfor the third period of time in question,tis a time difference between the system event and the background popup behavior;
according to the single popup correlation score of the popup behavior of any kind of system event in each background, determining the popup correlation score of the kind of system event based on the following formula:
Figure QLYQS_7
wherein ,
Figure QLYQS_8
and associating scores for the popup windows.
3. The method of claim 1, wherein the preset association score is determined as follows:
acquiring a first normal application sample set;
and determining the popup association scores between the background popup behaviors of each normal application in the first normal application sample set and various predetermined system events, and calculating, from the determined popup association scores, the score at a preset proportion to serve as the preset association score.
4. The method of claim 1, wherein the preamble anomaly score is determined based on the following formula:
Figure QLYQS_9
wherein R1 is the preamble anomaly score, [Figure QLYQS_10] is a preset weight coefficient, N is the number of background popup behaviors, and n is the number of associated-event popup behaviors.
5. The method of claim 1, wherein the step of determining the subsequent anomaly score of the target application according to the anomaly score corresponding to each target feedback event comprises:
summing the products of the number of occurrences of each type of target feedback event and its corresponding anomaly score to obtain a feedback event anomaly score of the target application;
and taking the ratio of the feedback event anomaly score to the number of background popup behaviors as the subsequent anomaly score.
6. The method of claim 5, wherein, for any type of target feedback event, the anomaly score corresponding to the target feedback event is determined as follows:
acquiring a second normal application sample set and a first malicious application sample set;
acquiring a first proportion with which the target feedback event occurs after background popup behaviors of the normal applications in the second normal application sample set, and a second proportion with which the target feedback event occurs after background popup behaviors of the malicious applications in the first malicious application sample set;
and taking the ratio of the first proportion to the second proportion as the anomaly score corresponding to the target feedback event.
7. The method of claim 1, wherein the step of judging whether the target application is a malicious application based on the preamble anomaly score and the subsequent anomaly score comprises:
judging whether the preamble anomaly score is greater than a preamble threshold, and judging whether the subsequent anomaly score is greater than a subsequent threshold;
if the preamble anomaly score is greater than the preamble threshold and the subsequent anomaly score is greater than the subsequent threshold, the target application is a high-risk malicious application;
if the preamble anomaly score is greater than the preamble threshold, or the subsequent anomaly score is greater than the subsequent threshold, the target application is a risk application;
otherwise, the target application is not a malicious application.
8. The method of claim 7, wherein the preamble threshold and the subsequent threshold are determined as follows:
acquiring a second malicious application sample set;
determining a preamble anomaly score and a subsequent anomaly score for each malicious application in the second malicious application sample set;
selecting, from the preamble anomaly scores of the second malicious application sample set, a score greater than a second threshold as the preamble threshold, and selecting, from the subsequent anomaly scores of the second malicious application sample set, a score greater than a third threshold as the subsequent threshold.
9. The method of claim 8, wherein background popup behavior data for any malicious application in the second malicious application sample set is less than a model validation threshold when background popup behavior data is used for model training.
10. A terminal device, characterized in that the terminal device comprises:
a first determining module, configured to judge, for each background popup behavior of a target application within a preset period, whether a popup-associated event exists in a first period before the background popup behavior and, if so, to determine the background popup behavior to be an associated-event popup behavior; wherein the popup-associated event is a system event whose popup association score is greater than a preset association score, and the popup association score represents the degree of association between the system event and the background popup behavior;
a second determining module, configured to determine a preamble anomaly score of the target application according to the proportion of associated-event popup behaviors among the background popup behaviors;
a third determining module, configured to judge, for each background popup behavior of the target application within the preset period, whether a target feedback event exists in a second period after the background popup behavior and, if so, to determine a subsequent anomaly score of the target application according to the anomaly score corresponding to each target feedback event; wherein the target feedback event comprises a predetermined user behavior event and/or a system state change event;
and a judging module, configured to judge whether the target application is a malicious application based on the preamble anomaly score and the subsequent anomaly score.
11. A computer readable storage medium, characterized in that the computer readable storage medium comprises a stored program, wherein the program, when run, controls a device in which the computer readable storage medium is located to perform the method of any one of claims 1-9.
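
The scoring flow of claims 1, 5 and 7, written out as an added Python example (not code from the patent or from the applicant). The event names, anomaly score values, window lengths and thresholds are constructed; the preamble score is assumed to be weight × n / N because the formula of claim 4 is not reproduced on this page, and an event that falls in the windows of two popups is counted once for each.

```python
from collections import Counter

# Constructed inputs. In the claims these come from sample sets (claims 3 and 6).
ASSOCIATED_EVENTS = {"SCREEN_UNLOCK", "HOME_PRESSED"}  # association score > preset score
FEEDBACK_SCORES = {"POPUP_CLOSED_FAST": 2.0, "APP_UNINSTALLED": 5.0}

def score_app(popup_times, events, first_period=5.0, second_period=30.0, weight=1.0):
    """Return (preamble, subsequent) anomaly scores for one application.

    popup_times: timestamps of background popups within the preset period.
    events: (timestamp, name) tuples of system and user events.
    """
    total = len(popup_times)
    if total == 0:                      # no background popups: nothing to score
        return 0.0, 0.0
    associated = 0
    feedback = Counter()
    for p in popup_times:
        # Claim 1: is there an associated event in the first period before p?
        if any(n in ASSOCIATED_EVENTS and p - first_period <= t < p for t, n in events):
            associated += 1
        # Claim 1: collect target feedback events in the second period after p.
        for t, n in events:
            if n in FEEDBACK_SCORES and p < t <= p + second_period:
                feedback[n] += 1
    # Assumed form of claim 4: weight * n / N (formula not reproduced on the page).
    preamble = weight * associated / total
    # Claim 5: sum(count * anomaly score) / number of background popups.
    subsequent = sum(c * FEEDBACK_SCORES[n] for n, c in feedback.items()) / total
    return preamble, subsequent

def classify(preamble, subsequent, preamble_threshold, subsequent_threshold):
    """Claim 7: both scores over threshold, exactly one, or neither."""
    over = int(preamble > preamble_threshold) + int(subsequent > subsequent_threshold)
    return ("not malicious", "risk application", "high-risk malicious application")[over]

# Constructed telemetry for one application.
POPUPS = [100.0, 200.0, 300.0, 400.0]
EVENTS = [(98.0, "SCREEN_UNLOCK"), (105.0, "POPUP_CLOSED_FAST"),
          (197.0, "HOME_PRESSED"), (210.0, "APP_UNINSTALLED"),
          (290.0, "SCREEN_UNLOCK"), (310.0, "POPUP_CLOSED_FAST")]

if __name__ == "__main__":
    pre, sub = score_app(POPUPS, EVENTS)
    print(pre, sub, classify(pre, sub, 0.4, 2.0))
```

The unlock at t=290 falls outside the 5-second first period before the popup at t=300, so only two of the four popups count as associated-event popups.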
CN202211592979.7A 2022-12-13 2022-12-13 Malicious application identification method, terminal equipment and readable storage medium Active CN115640576B (en)

Publications (2)

Publication Number Publication Date
CN115640576A (en) 2023-01-24
CN115640576B (en) 2023-05-09

Family

ID=84949302

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant