CN115640576B - Malicious application identification method, terminal equipment and readable storage medium - Google Patents

Info

Publication number: CN115640576B
Application number: CN202211592979.7A
Authority: CN (China)
Legal status: Active
Other versions: CN115640576A
Original language: Chinese (zh)
Inventors: 陈贵龙, 鲍璐, 陈虹
Assignee (original and current): Honor Device Co Ltd
Prior art keywords: pop, score, behavior, event, application
Landscapes: Debugging And Monitoring (AREA)

Abstract

Embodiments of the present application provide a malicious application identification method, a terminal device and a readable storage medium. The method includes: for each background pop-up behaviour of a target application, determining the background pop-up behaviours that have a pop-up-associated event in a first period before them to be associated-event pop-up behaviours; determining a pre-sequence anomaly score of the target application from the proportion of associated-event pop-up behaviours among the background pop-up behaviours; for each background pop-up behaviour of the target application, determining a post-sequence anomaly score of the target application from the anomaly score corresponding to each target feedback event in a second period after that background pop-up behaviour; and determining, based on the pre-sequence anomaly score and the post-sequence anomaly score, whether the target application is a malicious application. Because the decision takes into account both the association between background pop-ups and specific system events and the association between background pop-ups and target feedback events, it has high accuracy.

Description

Malicious application identification method, terminal device and readable storage medium

Technical field

The present application relates to the field of information security, and in particular to a malicious application identification method, a terminal device and a readable storage medium.

Background

While a terminal is in use, an application displaying advertisements inside its own interface is normal commercial behaviour. Many malicious applications, however, display pop-up advertisements over other applications or over the lock screen.

The traditional solution is to count how many times an application pops up advertisements outside its own interface in a day and to classify the application by that count.

This method misses some malicious applications, and some of their external pop-up behaviour has such weak statistical characteristics that it is hard to identify.

Current solutions to the difficulty of identifying malicious applications include static detection, application control based on lists or big-data rules, and sandboxed simulated execution, but each of these has defects.

Static detection classifies an application from its code and installation package.

Static detection, however, is better suited to virus detection; an application cannot be judged malicious merely because it contains code that pops up advertisements.

In addition, static detection lacks data about how the application actually behaves at run time.

Application control based on lists or big data lags badly, is labour-intensive and cannot act in time.

Big-data rules in particular usually require averaging over a large number of users, so their lag is pronounced.

Sandboxed simulated execution does not match real behaviour patterns, and current applications can evade it with anti-sandbox techniques.

Summary of the invention

The embodiments of the present application aim to provide a malicious application identification method, a terminal device and a readable storage medium that improve the accuracy of identifying malicious applications. The specific technical scheme is as follows:

In a first aspect, the present application provides a malicious application identification method, comprising:

for each background pop-up behaviour of a target application within a preset period, determining whether a pop-up-associated event exists in a first period before that background pop-up behaviour and, if so, determining that background pop-up behaviour to be an associated-event pop-up behaviour; the pop-up-associated event is a system event whose pop-up association score is greater than a preset association score; the pop-up association score characterises the degree of association between a system event and background pop-up behaviour;

determining a pre-sequence anomaly score of the target application according to the proportion of associated-event pop-up behaviours among the background pop-up behaviours;

for each background pop-up behaviour of the target application within the preset period, determining whether a target feedback event exists in a second period after that background pop-up behaviour and, if so, determining a post-sequence anomaly score of the target application according to the anomaly score corresponding to each target feedback event; the target feedback events comprise predetermined user behaviour events and/or system state change events;

determining, based on the pre-sequence anomaly score and the post-sequence anomaly score, whether the target application is a malicious application.

In a possible embodiment, the pop-up association score of the background pop-up behaviour is determined as follows:

for each background pop-up behaviour of the target application within the preset period, obtaining the system events in a third period before that background pop-up behaviour; for each type of system event before any one background pop-up behaviour, determining the single-pop-up association score of that type of system event by the following formula:

in which the quantities are the single-pop-up association score between this background pop-up behaviour A and the system event, the preset score of the j-th occurrence of the system event before the background pop-up behaviour, and the weight of the j-th occurrence of the system event; the preset score is negatively correlated with j;

the weight satisfies the following formula:

where T is the third period and t is the time difference between the system event and the background pop-up behaviour;

determining the pop-up association score of any type of system event from its single-pop-up association scores at each background pop-up behaviour by the following formula:

the result being the pop-up association score.

In a possible embodiment, the preset association score is determined as follows:

obtaining a first normal application sample set;

determining, for each normal application in the first normal application sample set, the pop-up association scores between its background pop-up behaviours and each predetermined type of system event, and computing a quantile at a preset proportion of the determined pop-up association scores as the preset association score.
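The calibration step above (per-type association scores from the events preceding each pop-up, then a quantile over a normal-application sample set as the preset association score) can be followed in code. The block below is an added example, not code from the patent or from Honor; since the patent does not reproduce its formulas or constants, the preset score 1/j, the weight 1 - t/T, the mean over pop-ups, the 0.9 quantile, the 60-second third period and all timestamps and event logs are assumptions constructed for this example.

```python
"""Learning which system events are pop-up-associated (added example).

Assumptions of this example (the patent does not give them):
  * preset score of the j-th most recent event of a type is 1/j
    (it only needs to fall as j grows);
  * weight of an event at time difference t before the pop-up, within the
    third period T, is 1 - t/T;
  * an event type's association score for one app is the mean of its
    single-pop-up scores over that app's pop-ups;
  * the preset association score is a quantile (default 0.9) of all scores
    seen on a normal-application sample set.
All timestamps and event logs below are constructed sample data.
"""
import math

THIRD_PERIOD = 60.0  # T, in seconds (constructed)

# Target app: three background pop-ups and the system events around them.
TARGET_POPUPS = [100.0, 200.0, 300.0]
TARGET_EVENTS = [  # (timestamp, event type)
    (50.0, "wifi_off"),
    (70.0, "screen_off"),
    (95.0, "screen_off"),
    (197.0, "screen_off"),
    (290.0, "screen_off"),
]

# Normal-app sample set: (pop-ups, events) per app.
NORMAL_APPS = [
    ([1000.0, 2000.0], [(950.0, "screen_off"), (1990.0, "unlock")]),
    ([5000.0], [(4000.0, "screen_off"), (4990.0, "wifi_off")]),
]


def single_popup_score(popup_ts, events, event_type, window=THIRD_PERIOD):
    """Single-pop-up association score of one pop-up with one event type.

    Only events of that type strictly before the pop-up and within the
    window count; j = 1 is the occurrence closest to the pop-up.
    """
    deltas = sorted(
        popup_ts - ts
        for ts, kind in events
        if kind == event_type and 0 < popup_ts - ts < window
    )
    score = 0.0
    for j, t in enumerate(deltas, start=1):
        preset = 1.0 / j            # assumed preset score, decreasing in j
        weight = 1.0 - t / window   # assumed weight, decreasing in t
        score += preset * weight
    return score


def event_type_scores(popups, events, window=THIRD_PERIOD):
    """Association score of every event type seen for one app."""
    scores = {}
    for kind in {k for _, k in events}:
        per_popup = [single_popup_score(p, events, kind, window) for p in popups]
        scores[kind] = sum(per_popup) / len(per_popup) if per_popup else 0.0
    return scores


def preset_association_score(normal_apps, quantile=0.9, window=THIRD_PERIOD):
    """Nearest-rank quantile of all association scores seen on normal apps."""
    pool = sorted(
        s for popups, events in normal_apps
        for s in event_type_scores(popups, events, window).values()
    )
    idx = max(0, min(len(pool) - 1, math.ceil(quantile * len(pool)) - 1))
    return pool[idx]


def associated_event_types(popups, events, threshold, window=THIRD_PERIOD):
    """Event types whose score exceeds the preset association score."""
    scores = event_type_scores(popups, events, window)
    return sorted(k for k, s in scores.items() if s > threshold)


if __name__ == "__main__":
    thr = preset_association_score(NORMAL_APPS)
    print("preset association score:", round(thr, 4))
    print("target app scores:", event_type_scores(TARGET_POPUPS, TARGET_EVENTS))
    print("pop-up-associated events:",
          associated_event_types(TARGET_POPUPS, TARGET_EVENTS, thr))
```

With the constructed data the target app's "screen_off" score (two occurrences before the first pop-up, one before each of the others) exceeds the quantile learned from the normal apps, while "wifi_off" does not, so only "screen_off" is treated as a pop-up-associated event. The quantile is the point where a defender trades false positives for coverage: a higher quantile only flags event types that look far more pop-up-coupled than anything seen on benign apps.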

In a possible embodiment, the pre-sequence anomaly score is determined by the following formula:

where R1 is the pre-sequence anomaly score, the coefficient is a preset weight coefficient, N is the number of background pop-up behaviours, and n is the number of associated-event pop-up behaviours.

In a possible embodiment, the step of determining the post-sequence anomaly score of the target application according to the anomaly score corresponding to each target feedback event comprises:

summing, over each type of target feedback event, the product of its number of occurrences and its corresponding anomaly score, to obtain the feedback-event anomaly score of the target application;

taking the ratio of the feedback-event anomaly score to the number of background pop-up behaviours as the post-sequence anomaly score.

In a possible embodiment, for any type of target feedback event, the anomaly score is determined as follows:

obtaining a second normal application sample set and a first malicious application sample set;

obtaining a first proportion, namely the proportion of normal applications in the second normal application sample set for which the target feedback event occurs after a background pop-up behaviour, and a second proportion, namely the proportion of malicious applications in the first malicious application sample set for which the target feedback event occurs after a background pop-up behaviour;

taking the ratio of the first proportion to the second proportion as the anomaly score.

In a possible embodiment, the step of determining, based on the pre-sequence anomaly score and the post-sequence anomaly score, whether the target application is a malicious application comprises:

determining whether the pre-sequence anomaly score is greater than a pre-sequence threshold and whether the post-sequence anomaly score is greater than a post-sequence threshold;

if the pre-sequence anomaly score is greater than the pre-sequence threshold and the post-sequence anomaly score is greater than the post-sequence threshold, the target application is a high-risk malicious application;

if the pre-sequence anomaly score is greater than the pre-sequence threshold or the post-sequence anomaly score is greater than the post-sequence threshold, the target application is a medium-risk malicious application;

otherwise, the target application is not a malicious application.
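The decision procedure of the first aspect (pre-sequence score from the proportion of associated-event pop-ups, post-sequence score from the feedback events that follow pop-ups, then the two-threshold risk decision) is worked through below. This is an added example, not the patent's or Honor's code. The patent does not reproduce the pre-sequence formula or any constants, so the form R1 = alpha * n / N, the first and second periods, both thresholds, the set of pop-up-associated event types, the per-type feedback anomaly scores and all timestamps are assumptions constructed for this example (the patent learns the associated types, the feedback scores and the thresholds from sample sets).

```python
"""Pre-/post-sequence anomaly scores and the risk decision (added example).

Assumptions of this example (not given by the patent):
  * pre-sequence score R1 = alpha * n / N, with alpha a preset weight
    coefficient, N the number of background pop-ups and n the number of
    associated-event pop-ups;
  * the pop-up-associated event types and the per-type anomaly scores of
    the target feedback events are given as inputs;
  * the first and second periods and the two thresholds are constants.
Timestamps and event logs are constructed sample data.
"""
from collections import Counter

FIRST_PERIOD = 30.0    # seconds before a pop-up searched for associated events
SECOND_PERIOD = 30.0   # seconds after a pop-up searched for feedback events
PRE_THRESHOLD = 0.4
POST_THRESHOLD = 1.0

ASSOCIATED_TYPES = {"screen_off"}                        # output of the association step
FEEDBACK_SCORES = {"force_stop": 2.0, "uninstall": 3.0}  # per-type anomaly scores

POPUPS = [100.0, 200.0, 300.0, 400.0]
SYSTEM_EVENTS = [(95.0, "screen_off"), (150.0, "wifi_off"),
                 (290.0, "screen_off"), (398.0, "unlock")]
FEEDBACK_EVENTS = [(105.0, "force_stop"), (150.0, "screen_on"),
                   (320.0, "uninstall"), (410.0, "force_stop")]


def count_associated_popups(popups, system_events, associated_types,
                            period=FIRST_PERIOD):
    """n: pop-ups preceded, within the first period, by an associated event."""
    return sum(
        1 for p in popups
        if any(kind in associated_types and 0 < p - ts <= period
               for ts, kind in system_events)
    )


def pre_sequence_score(popups, system_events, associated_types,
                       alpha=1.0, period=FIRST_PERIOD):
    """R1 = alpha * n / N (assumed form); 0 when the app never popped up."""
    N = len(popups)
    if N == 0:
        return 0.0
    n = count_associated_popups(popups, system_events, associated_types, period)
    return alpha * n / N


def post_sequence_score(popups, feedback_events, feedback_scores,
                        period=SECOND_PERIOD):
    """Sum of (occurrences x anomaly score) over feedback types, divided by N.

    Each feedback event is counted once if it follows any pop-up within the
    second period, so overlapping windows cannot double-count it.
    """
    N = len(popups)
    if N == 0:
        return 0.0
    counts = Counter()
    for ts, kind in feedback_events:
        if kind in feedback_scores and any(0 < ts - p <= period for p in popups):
            counts[kind] += 1
    total = sum(c * feedback_scores[kind] for kind, c in counts.items())
    return total / N


def risk_level(r1, r2, pre_threshold=PRE_THRESHOLD, post_threshold=POST_THRESHOLD):
    """'high' if both scores exceed their thresholds, 'medium' if exactly one does."""
    pre, post = r1 > pre_threshold, r2 > post_threshold
    if pre and post:
        return "high"
    if pre or post:
        return "medium"
    return "none"


def assess(popups, system_events, feedback_events):
    """Return (R1, post-sequence score, risk level) for one target app."""
    r1 = pre_sequence_score(popups, system_events, ASSOCIATED_TYPES)
    r2 = post_sequence_score(popups, feedback_events, FEEDBACK_SCORES)
    return r1, r2, risk_level(r1, r2)


if __name__ == "__main__":
    print(assess(POPUPS, SYSTEM_EVENTS, FEEDBACK_EVENTS))
```

On the constructed data two of the four pop-ups follow a "screen_off" event within the first period (R1 = 0.5), and three feedback events with a score land in the second period after a pop-up (post-sequence score 7/4 = 1.75), so both thresholds are exceeded and the app is rated high risk. Note that an event such as "screen_on" with no anomaly score is ignored, and an app with no background pop-ups scores 0 on both axes rather than raising a division error.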

In a possible embodiment, the pre-sequence threshold and the post-sequence threshold are determined as follows:

obtaining a second malicious application sample set;

determining the pre-sequence anomaly score and the post-sequence anomaly score of each malicious application in the second malicious application sample set;

selecting, from the pre-sequence anomaly scores of the second malicious application sample set, a pre-sequence threshold greater than a second threshold, and, from the post-sequence anomaly scores of the second malicious application sample set, a post-sequence threshold greater than a third threshold.

In a possible embodiment, the amount of background pop-up behaviour data of any malicious application in the second malicious application sample set is less than the model-effective threshold that applies when background pop-up behaviour data is used for model training.

In a second aspect, the present application provides a terminal device comprising:

a first determining module, configured to determine, for each background pop-up behaviour of a target application within a preset period, whether a pop-up-associated event exists in a first period before that background pop-up behaviour and, if so, to determine that background pop-up behaviour to be an associated-event pop-up behaviour; the pop-up-associated event is a system event whose pop-up association score is greater than a preset association score; the pop-up association score characterises the degree of association between a system event and background pop-up behaviour;

a second determining module, configured to determine a pre-sequence anomaly score of the target application according to the proportion of associated-event pop-up behaviours among the background pop-up behaviours;

a third determining module, configured to determine, for each background pop-up behaviour of the target application within the preset period, whether a target feedback event exists in a second period after that background pop-up behaviour and, if so, to determine a post-sequence anomaly score of the target application according to the anomaly score corresponding to each target feedback event; the target feedback events comprise predetermined user behaviour events and/or system state change events;

a judging module, configured to determine, based on the pre-sequence anomaly score and the post-sequence anomaly score, whether the target application is a malicious application.

In a third aspect, the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method steps of any embodiment of the first aspect above.

Beneficial effects of the embodiments of the present application:

The malicious application identification method provided by the embodiments builds on the observation that malicious applications usually listen for system behaviour in order to perform background pop-ups. Based on whether a pop-up-associated event exists in the first period before each background pop-up of the target application within the preset period, it identifies the associated-event pop-up behaviours among the background pop-up behaviours, and then determines the pre-sequence anomaly score of the target application from the proportion of associated-event pop-ups among the background pop-ups. It further builds on the observation that the background pop-ups of malicious applications usually lead to user behaviour events and/or system state change events, and determines the post-sequence anomaly score of the target application from the anomaly scores of the target feedback events that follow each background pop-up within the preset period. When the pre-sequence and post-sequence anomaly scores are then used to decide whether the target application is malicious, both the association between background pop-ups and specific system events and the association between background pop-ups and target feedback events are taken into account, which gives high accuracy. At the same time, the method needs only a small amount of data and little computing power to make that decision.

Of course, implementing any product or method of the present application does not necessarily require achieving all of the advantages described above at the same time.

Description of drawings

To explain the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those of ordinary skill in the art can obtain other embodiments from them.

Fig. 1 is an example diagram of a background pop-up interface provided by an embodiment of the present application;

Fig. 2 is a schematic flowchart of the malicious application identification method provided by an embodiment of the present application;

Fig. 3 is an example diagram of the system events before one background pop-up behaviour provided by an embodiment of the present application;

Fig. 4 is a schematic structural diagram of the functional modules of a terminal device provided by an embodiment of the present application.

Detailed description

For clarity in describing the technical solutions of the embodiments, the words "first", "second" and so on are used in the embodiments of the present application to distinguish identical or similar items with basically the same function and effect. For example, a first instruction and a second instruction are distinguished only to tell different user instructions apart, and no ordering is implied. Those skilled in the art will understand that "first", "second" and so on limit neither the number nor the order of execution, and that "first" and "second" items are not necessarily different.

It should be noted that in the present application the words "exemplarily" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" is not to be construed as preferred or advantageous over other embodiments or designs. Rather, these words are intended to present the relevant concepts in a concrete manner.

In addition, "at least one" means one or more, and "a plurality of" means two or more. "And/or" describes an association between objects and indicates that three relationships may exist; for example, "A and/or B" may mean A alone, A and B together, or B alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b and c may represent a, b, c, a and b, a and c, b and c, or a, b and c, where each of a, b and c may be single or multiple.

To describe the malicious application identification method provided by the embodiments more clearly, possible application scenarios of the embodiments are first given as examples.

As an example, the method is applied on a terminal, which can then identify whether an installed application is malicious. The terminal includes but is not limited to a mobile phone or a tablet computer; the embodiments do not limit the scope of the terminal.

Further, the method can also be applied on a cloud server to identify whether applications installed on the terminals served by the cloud side are malicious.

Taking a mobile phone as an example, some applications installed on the phone pop up advertisements while the user is using it. An application displaying advertisements inside its own interface is normal commercial behaviour, but some applications display advertisements over other applications or over the lock screen; such applications are malicious applications. A phone applying the method can identify which of the applications on it are malicious.

Fig. 1 is an example diagram of a background pop-up interface provided by an embodiment of the present application. An advertisement interface has popped up over the phone interface shown in Fig. 1; this is the background pop-up behaviour the embodiments are concerned with.

To prevent the background pop-up behaviour shown in Fig. 1 from appearing on the terminal, the malicious applications installed on the terminal must be identified.

The traditional solution is to count how many times an application pops up advertisements outside its own interface in a day and to classify the application by that count.

This method misses some malicious applications, and some of their external pop-up behaviour has such weak statistical characteristics that it is hard to identify.

Current solutions to the difficulty of identifying malicious applications include static detection, application control based on lists or big-data rules, and sandboxed simulated execution, but each of these has defects.

Static detection classifies an application from its code and installation package.

Static detection, however, is better suited to virus detection; an application cannot be judged malicious merely because it contains code that pops up advertisements.

In addition, static detection lacks data about how the application actually behaves at run time.

Application control based on lists or big data lags badly, is labour-intensive and cannot act in time.

Big-data rules in particular usually require averaging over a large number of users, so their lag is pronounced.

Sandboxed simulated execution does not match real behaviour patterns, and current applications can evade it with anti-sandbox techniques.

有鉴于此,本申请实施例提供了一种恶意应用识别方法,图2为本申请实施例提供的恶意应用识别方法的流程示意图,如图2所示,该方法包括以下步骤:In view of this, an embodiment of the present application provides a method for identifying a malicious application. FIG. 2 is a schematic flowchart of the method for identifying a malicious application provided in an embodiment of the application. As shown in FIG. 2 , the method includes the following steps:

步骤S201:针对目标应用在预设时段内的每一次后台弹窗行为,判断该后台弹窗行为之前的第一时段内是否存在弹窗关联事件,若是,将该后台弹窗行为确定为关联事件弹窗行为。Step S201: For each background pop-up behavior of the target application within a preset time period, determine whether there is a pop-up related event in the first time period before the background pop-up behavior, and if so, determine the background pop-up behavior as a related event Popup behavior.

其中,弹窗关联事件为弹窗关联分值大于预设关联分值的系统事件,弹窗关联分值表征系统事件与后台弹窗行为的关联程度。Among them, the pop-up related event is a system event with a pop-up related score greater than a preset related score, and the pop-up related score represents the degree of correlation between the system event and the background pop-up behavior.

本申请实施例涉及的后台弹窗行为,具体指发生后台弹窗并访问广告网址的行为。作为一个示例,后台弹窗行为可能包括锁屏后台弹窗,桌面后台弹窗,三方应用上后台弹窗等行为。The background pop-up behavior involved in the embodiment of the present application specifically refers to the behavior of generating a background pop-up window and accessing an advertising website. As an example, the background pop-up window behavior may include lock screen background pop-up windows, desktop background pop-up windows, background pop-up windows on third-party applications, and other behaviors.

本申请实施例提供的恶意应用识别方法,基于目标应用在预设时段的一次或多次后台弹窗行为,判断目标应用是否属于恶意应用。预设时段仅用于确定执行本申请实施例提供的恶意应用识别方法所需的数据范围,使该方法得以执行,本申请实施例不对预设时段进行具体限定。The malicious application identification method provided by the embodiment of the present application judges whether the target application is a malicious application based on one or more background pop-up behaviors of the target application within a preset period of time. The preset time period is only used to determine the range of data required to execute the malicious application identification method provided by the embodiment of the present application, so that the method can be executed, and the embodiment of the present application does not specifically limit the preset time period.

作为一个示例,终端可以提取针对目标应用在一段时间内储存的历史数据,基于这段时间内发生的后台弹窗行为判断目标应用是否属于恶意应用。As an example, the terminal can extract historical data stored for a period of time for the target application, and judge whether the target application is a malicious application based on background pop-up behaviors that occur during this period.

In practice, a malicious application usually listens for specific system events on the terminal and shows pop-ups in response to them. For example, some malicious applications show a targeted pop-up as soon as they observe a lock-screen operation.

Therefore, this embodiment uses the degree of association between a system event and the background pop-up behavior to infer which system events are probably being listened for by the target application: a system event whose association score exceeds a preset score is treated as a pop-up-associated event. Here the degree of association is how likely it is that the system event is being listened for by the application responsible for the background pop-up.

If a pop-up-associated event occurs within the first period before any background pop-up of the target application, that pop-up is inferred to have been triggered by the application's listening for system events; it is called an associated-event pop-up.

Background pop-ups are normally unrelated to system events that happened long before them, so those events need not be considered when deciding whether a pop-up is an associated-event pop-up. The first period is therefore the window within which a listened-for system event can plausibly have occurred before a targeted pop-up; this embodiment does not fix its length.

As an example, system events include, but are not limited to, one or more of the following:

Home button press, swipe-up gesture, screen unlock, charger connected, charger disconnected, screen on, screen off, Wi-Fi disconnected, application installed, application uninstalled.

Step S202: determine the pre-order anomaly score of the target application from the proportion of associated-event pop-ups among its background pop-ups.

Specifically, the higher the proportion of associated-event pop-ups among the background pop-ups, the higher the pre-order anomaly score.

Note that if several pop-up-associated events occur before a single background pop-up, the probability that the target application is malicious does not rise appreciably.

Therefore, when determining the pre-order anomaly score, the method is concerned with the probability that each background pop-up was triggered by listening for system events. It does not count the pop-up-associated events that precede a pop-up; it only considers the proportion of associated-event pop-ups among all background pop-ups, which also reduces the computation cost.

Step S203: for each background pop-up of the target application within the preset period, determine whether a target feedback event occurs in the second period after that pop-up; if so, determine the post-order anomaly score of the target application from the anomaly score assigned to each target feedback event.

Target feedback events comprise predetermined user behavior events and/or system state change events.

In practice, a background pop-up changes the system state of the terminal or degrades the user experience, and the user then takes some corrective action to restore it.

For example, a background pop-up may consume system resources and cause stuttering, and a user who sees a pop-up advertisement may uninstall the application so that it does not recur.

This embodiment therefore predetermines the user behavior events and/or system state change events that a background pop-up is likely to cause, treats them as target feedback events, and derives the post-order anomaly score from the anomaly scores of the target feedback events observed after the pop-ups.

As an example, user behavior events include, but are not limited to, one or more of the following:

background clean-up, uninstalling the application, clearing the application from the recent-apps (background) list, shutting down or restarting the device.

As an example, system state change events include, but are not limited to, one or more of the following:

high system load, stuttering, increased power consumption, increased memory usage, increased number of processes.

Since the system state of a terminal changes continuously, only a change that reaches a certain magnitude is treated as a system state change event that a background pop-up may have caused; for example, an increase in power consumption by a given percentage, or an increase in memory usage by a given amount.

As with the first period, the second period is the window within which feedback events caused by a background pop-up can plausibly occur; this embodiment does not fix its length.

Step S204: determine whether the target application is malicious on the basis of the pre-order and post-order anomaly scores.

Specifically, the higher the pre-order and post-order anomaly scores, the more likely the target application is malicious.

In summary, the malicious application identification method of this embodiment exploits two characteristics.

First, malicious applications usually listen for system events and trigger background pop-ups in response: for each background pop-up within the preset period, the method checks whether a pop-up-associated event occurred in the first period before it, identifies the associated-event pop-ups, and derives the pre-order anomaly score from their proportion among all background pop-ups. Second, the background pop-ups of malicious applications usually provoke user behavior events and/or system state change events: the method derives the post-order anomaly score from the anomaly scores of the target feedback events observed in the second period after each pop-up. Judging the application on both scores takes into account both the association between background pop-ups and specific system events and the association between background pop-ups and target feedback events, which gives higher accuracy. At the same time, the method needs little data and little computation to reach its decision.

In one embodiment, the pop-up association score of a background pop-up is determined as follows:

Step 1: for each background pop-up of the target application within the preset period, obtain the system events in the third period before that pop-up.

Step 2: for each type of system event preceding a given background pop-up, determine the single-pop-up association score of that event type by the following formula:

where the result is the single-pop-up association score between this background pop-up A and the system event type S_i, score is the preset score of the j-th occurrence of that event type before the pop-up, and weight is the weight of the j-th occurrence; the preset score decreases as j increases.

The weight satisfies the following formula:

weight = (T - t) / T

where T is the third period and t is the time difference between the system event and the background pop-up.

The closer a system event occurs to the background pop-up, i.e. the shorter the time difference between them, the stronger the association between the two, so both the score and the weight of that occurrence are higher.

As an example, the occurrence of a given event type nearest to A is given a score of 2, and every earlier occurrence of that type is given a score of 1.

Step 3: from the single-pop-up association scores of an event type over every background pop-up, determine the pop-up association score of that event type by the following formula:

where the result is the pop-up association score of the event type, i.e. the sum of its single-pop-up association scores over all background pop-ups.

To aid understanding, the determination of the pop-up association score is illustrated with an example: a given background pop-up of the target application is denoted A_1, and the system event "charger connected" is denoted S_i.

Figure 3 is an example of the system events preceding a background pop-up. In the figure, S_1 is the first charger-connected event before A_1 within the third period T (the one nearest to A_1), S_2 is the second charger-connected event before A_1, S_... are the remaining charger-connected events before A_1, and the time differences between S_1, S_2 and A_1 are t1 and t2 respectively.

When computing the single-pop-up association score for Figure 3, the scores of S_1, S_2 and S_... are 2, 1 and 1, and their weights are (T-t1)/T, (T-t2)/T and (T-t...)/T, from which the single-pop-up association score of S_i for A_1 is obtained.

Once the single-pop-up association score of S_i has been computed for each background pop-up, summing these scores over the pop-ups gives the pop-up association score of S_i.

As an example, if three background pop-ups A_1, A_2 and A_3 occurred in the preset period, the pop-up association score of S_i is the sum of its single-pop-up association scores for A_1, A_2 and A_3.

After the pop-up association scores between each type of system event and the background pop-ups of the target application have been computed, the system events whose score exceeds the preset association score are, as described in step S201, determined to be the pop-up-associated events of the target application.

For example, with the preset association score denoted Thresh and three event types S_i, S_m and S_n, if the scores of S_i and S_m exceed Thresh while the score of S_n does not, the pop-up-associated events of the target application are S_i and S_m.

In one embodiment, the third period is longer than the first period.

This embodiment obtains the system events before each background pop-up of the target application and derives the association score of each event type from the order of those events and their time differences from the pop-up, which is accurate. Consequently, when the events whose score exceeds the preset association score are selected as pop-up-associated events, those events are highly likely to be the ones the target application actually listens for.
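The association-score procedure above (steps 1 to 3 and the Thresh comparison), as an added worked example in Python. This is the editor's code, not the patent's or Honor's. Assumptions not fixed by the patent text: events are a list of (timestamp, type) pairs in seconds, an event at distance t counts when 0 <= t <= T, the single-pop-up score combines preset score and weight as a weighted sum (the formula image is not reproduced on the page), and the timeline, T and Thresh below are constructed sample values.

```python
from collections import defaultdict

# Constructed sample timeline in seconds (not data from the patent).
THIRD_PERIOD = 600                     # T
POPUPS = [1000, 2000, 3000]            # A1, A2, A3 within the preset period
EVENTS = [                             # (timestamp, system event type)
    (200, "wifi_disconnect"),          # 800 s before A1: outside T
    (700, "charge_connect"),           # 300 s before A1
    (880, "screen_off"),               # 120 s before A1
    (940, "charge_connect"),           # 60 s before A1 (nearest of its type)
    (1700, "screen_off"),              # 300 s before A2
    (1850, "charge_connect"),          # 150 s before A2
    (2880, "charge_connect"),          # 120 s before A3
    (2990, "app_install"),             # 10 s before A3
]
THRESH = 3.0                           # preset association score (assumed value)


def preset_score(j):
    """Patent example: the nearest occurrence of a type (j == 1) scores 2, the rest 1."""
    return 2 if j == 1 else 1


def weight(t, T):
    """weight = (T - t) / T: 1 at the pop-up, 0 at the far edge of the third period."""
    return (T - t) / T


def single_popup_scores(events, popup_time, T):
    """Single-pop-up association score of every event type for one pop-up (step 2).

    Events inside the third period are grouped by type and sorted by distance,
    so the j-th closest occurrence contributes preset_score(j) * weight(t_j).
    Summing these products is the assumed form of the patent's formula.
    """
    gaps = defaultdict(list)
    for ts, etype in events:
        t = popup_time - ts
        if 0 <= t <= T:
            gaps[etype].append(t)
    scores = {}
    for etype, ts in gaps.items():
        ts.sort()
        scores[etype] = sum(preset_score(j) * weight(t, T) for j, t in enumerate(ts, 1))
    return scores


def association_scores(events, popups, T):
    """Pop-up association score per event type: single scores summed over all pop-ups (step 3)."""
    totals = defaultdict(float)
    for a in popups:
        for etype, s in single_popup_scores(events, a, T).items():
            totals[etype] += s
    return dict(totals)


def associated_events(scores, thresh):
    """Event types whose association score exceeds Thresh are the pop-up-associated events."""
    return {etype for etype, s in scores.items() if s > thresh}


if __name__ == "__main__":
    scores = association_scores(EVENTS, POPUPS, THIRD_PERIOD)
    for etype, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{etype:16s} {s:.3f}")
    print("pop-up-associated events:", associated_events(scores, THRESH))
```

With this timeline "charger connected" scores 2.3 + 1.5 + 1.6 = 5.4 across the three pop-ups and is the only type above Thresh; "screen off" (2.6) and "app installed" (about 1.97) fall below it, and the Wi-Fi event is never scored because it lies outside every third period.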

In one embodiment, the preset association score is determined as follows:

obtain a first sample set of normal applications;

determine, for each normal application in the first sample set, the pop-up association scores between its background pop-ups and each predetermined type of system event, and take a preset quantile of these scores as the preset association score.

Normal applications also produce background pop-ups related to system events, so normal applications can serve as the samples from which the preset association score is derived. The association scores of the first normal sample set are computed as described above.

Each event type has one pop-up association score per normal application, and one value is selected from this collection as the preset association score. As an example, the 75th percentile of the association scores of the first normal sample set is used.

Because the method is used to identify malicious applications, misclassifying a normal application as malicious would noticeably harm the user experience. Taking a preset quantile of the normal applications' association scores as the preset association score avoids such misidentification and makes the method more practical.

In one embodiment, the pre-order anomaly score is determined by the following formula:

where R1 is the pre-order anomaly score, the weight coefficient is preset, N is the number of background pop-ups, and n is the number of associated-event pop-ups.

Specifically, the weight coefficient satisfies the condition given in the original formula.

When judging whether the target application is malicious, associated-event pop-ups have a greater bearing on its maliciousness, so a weight coefficient is applied to amplify their influence on the pre-order anomaly score and improve its accuracy.

In one embodiment, the post-order anomaly score is determined from the anomaly score of each target feedback event as follows:

sum, over each type of target feedback event, the product of its number of occurrences and its anomaly score, giving the feedback-event anomaly score of the target application;

take the ratio of the feedback-event anomaly score to the number of background pop-ups as the post-order anomaly score.

In real scenarios, background pop-ups of different degrees of maliciousness provoke different target feedback events.

Different anomaly scores can therefore be assigned to different target feedback events according to circumstances, the score being positively correlated with the degree of maliciousness of the background pop-ups that typically cause that event.

For example, if after a background pop-up the user cannot uninstall the target application, or cannot even find the application responsible for the pop-up, the user may simply restart the terminal; such pop-up behavior is highly malicious.

A restart following a background pop-up may therefore indicate highly malicious pop-up behavior, and a restart can be given a high anomaly score.

As an example, shutdown/restart scores x0, uninstalling the application scores x1, clearing the application from the recent-apps list scores x2, background clean-up scores x3, and every other target feedback event scores x4.

For example, x0 = 15, x1 = 10, x2 = 3, x3 = 2, x4 = 1.

Specifically, the more target feedback events occur after the target application's background pop-ups, and the higher the anomaly scores of those events, the higher the post-order anomaly score.

Using the scoring above, the post-order anomaly score of the target application satisfies the following formula:

where R2 is the post-order anomaly score and the remaining terms are the number of shutdown/restarts, the number of uninstalls, the number of times the application is cleared from the recent-apps list, the number of background clean-ups and the number of other target feedback events, combined by the sum-of-products-over-pop-up-count rule above.

When computing the post-order anomaly score, this embodiment takes into account both the number of target feedback events after the background pop-ups and the degree of maliciousness those events reflect, so the resulting post-order anomaly score is accurate.

In one embodiment, the anomaly score of any type of target feedback event is determined as follows:

obtain a second sample set of normal applications and a first sample set of malicious applications;

obtain the first proportion, i.e. the fraction of normal applications in the second normal sample set for which the target feedback event occurred after a background pop-up, and the second proportion, i.e. the fraction of malicious applications in the first malicious sample set for which it occurred;

take the ratio of the first proportion to the second proportion as the anomaly score.

Taking uninstallation as an example: if the proportion of normal applications in the second normal sample set that were uninstalled after a background pop-up is a, and the proportion of malicious applications in the first malicious sample set that were uninstalled after a background pop-up is b, the anomaly score of the uninstall feedback event is a/b. Note that, as written, this ratio decreases as the event becomes more characteristic of malicious applications (b > a gives a/b < 1), whereas the scores above are required to rise with maliciousness (restart 15 > uninstall 10 > other 1); the inverse ratio b/a is the one consistent with that requirement.

Deriving the anomaly score from the proportions of normal and malicious applications in the sample sets that exhibit the target feedback event after background pop-ups gives an accurate score.

In one embodiment, whether the target application is malicious is determined from the pre-order and post-order anomaly scores as follows:

determine whether the pre-order anomaly score exceeds the pre-order threshold and whether the post-order anomaly score exceeds the post-order threshold;

if the pre-order anomaly score exceeds the pre-order threshold and the post-order anomaly score exceeds the post-order threshold, the target application is a high-risk malicious application;

if only one of the two scores exceeds its threshold, the target application is a medium-risk malicious application;

otherwise, the target application is not malicious.

Thus the target application is inferred to be a high-risk malicious application only when both of its anomaly scores are high, i.e. the pre-order score exceeds the pre-order threshold and the post-order score exceeds the post-order threshold. When only one of the two scores is high, it is inferred to be merely a medium-risk malicious application. This avoids misclassifying medium-risk malicious applications as high-risk and improves the practicality of the method.
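The pre-order score R1, the post-order score R2 and the step S204 decision rule, as one added Python example. This is the editor's code, not the patent's or Honor's. Assumed, because the patent does not fix them: R1 = alpha * n / N with alpha = 1.5 (the patent gives only the symbols and says R1 rises with n/N), the patent's example feedback scores x0..x4 = 15, 10, 3, 2, 1, attribution of each feedback event to the nearest preceding pop-up only, and the constructed timestamps, periods, associated-event set and thresholds below.

```python
# Constructed sample data in seconds (not from the patent).
POPUPS = [1000, 2000, 3000]                    # N = 3 background pop-ups A1..A3
SYSTEM_EVENTS = [                              # (timestamp, system event type)
    (940, "charge_connect"),                   # 60 s before A1
    (1850, "charge_connect"),                  # 150 s before A2
    (2700, "charge_connect"),                  # 300 s before A3: outside the first period
    (2990, "app_install"),                     # not a pop-up-associated event
]
ASSOCIATED = {"charge_connect"}                # result of the association-score step (assumed)
FEEDBACK_EVENTS = [                            # (timestamp, target feedback event type)
    (1100, "background_clean"),                # 100 s after A1
    (2400, "uninstall"),                       # 400 s after A2
    (3100, "swipe_kill"),                      # 100 s after A3 (cleared from recent apps)
    (3900, "reboot"),                          # 900 s after A3: outside the second period
]
FIRST_PERIOD = 200
SECOND_PERIOD = 600
ALPHA = 1.5                                    # preset weight coefficient (assumed value)

FEEDBACK_SCORES = {"reboot": 15, "uninstall": 10, "swipe_kill": 3, "background_clean": 2}
OTHER_FEEDBACK_SCORE = 1                       # x4 for every other target feedback event


def pre_order_score(popups, events, associated, first_period, alpha=ALPHA):
    """R1 = alpha * n / N (assumed form).

    n counts pop-ups preceded, within the first period, by at least one
    associated event; several associated events before one pop-up count once,
    as the patent requires.
    """
    n = sum(
        1 for a in popups
        if any(etype in associated and 0 <= a - ts <= first_period for ts, etype in events)
    )
    return alpha * n / len(popups) if popups else 0.0


def post_order_score(popups, feedback, second_period):
    """R2 = sum(count_k * x_k) / N over feedback events in the second period.

    Each feedback event is attributed to the most recent preceding pop-up only
    (assumption) so that overlapping second periods cannot count it twice.
    """
    total = 0
    for ts, ftype in feedback:
        preceding = [a for a in popups if a < ts]
        if preceding and ts - max(preceding) <= second_period:
            total += FEEDBACK_SCORES.get(ftype, OTHER_FEEDBACK_SCORE)
    return total / len(popups) if popups else 0.0


def classify(r1, r2, r1_threshold, r2_threshold):
    """Step S204: both scores above threshold -> high risk, one -> medium, none -> benign."""
    above = int(r1 > r1_threshold) + int(r2 > r2_threshold)
    return {2: "high-risk malicious", 1: "medium-risk malicious"}.get(above, "not malicious")


def assess(r1_threshold=0.8, r2_threshold=6.0):
    """Score the constructed target application and return (R1, R2, verdict)."""
    r1 = pre_order_score(POPUPS, SYSTEM_EVENTS, ASSOCIATED, FIRST_PERIOD)
    r2 = post_order_score(POPUPS, FEEDBACK_EVENTS, SECOND_PERIOD)
    return r1, r2, classify(r1, r2, r1_threshold, r2_threshold)


if __name__ == "__main__":
    r1, r2, verdict = assess()
    print(f"R1 = {r1:.2f}, R2 = {r2:.2f}, verdict: {verdict}")
```

Here two of the three pop-ups are preceded by the associated event within 200 s, so R1 = 1.5 * 2 / 3 = 1.0; the feedback events inside the second period score 2 + 10 + 3 = 15, so R2 = 15 / 3 = 5.0, and the reboot 900 s after A3 is ignored. With thresholds of 0.8 and 6.0 only R1 is above its threshold, giving a medium-risk verdict.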

In another embodiment, a classification model is trained on normal and malicious sample applications whose pre-order and post-order anomaly scores have already been determined, and the trained model is used to judge whether the target application is malicious.

In one embodiment, the pre-order and post-order thresholds are determined as follows:

obtain a second sample set of malicious applications;

determine the pre-order and post-order anomaly score of each malicious application in the second malicious sample set;

select, from the pre-order anomaly scores of the second malicious sample set, a pre-order threshold greater than a second threshold, and from the post-order anomaly scores a post-order threshold greater than a third threshold.

Specifically, the pre-order and post-order anomaly scores of each malicious application in the second malicious sample set are computed as described in steps S201 to S203 above, and the pre-order and post-order thresholds are selected from those scores.

As an example, the 75th percentile of the pre-order anomaly scores of the second malicious sample set is taken as the pre-order threshold, and the 75th percentile of the post-order anomaly scores as the post-order threshold.

By computing both anomaly scores of every malicious application in the sample set and choosing relatively high values from them as the pre-order and post-order thresholds, this embodiment obtains accurate thresholds. Judging the target application against them is therefore accurate and avoids misidentifying normal applications as malicious, improving both the accuracy and the practicality of the method.
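Calibrating the three data-derived quantities above (the preset association score from a normal sample set, the feedback-event anomaly scores from a normal and a malicious sample set, and the pre-order and post-order thresholds from a malicious sample set), as an added Python example. This is the editor's code, not the patent's or Honor's. The nearest-rank quantile method, all sample values and the handling of an event never seen in normal applications are assumptions; the feedback score uses the malicious-to-normal ratio b/a because the patent's a/b falls as an event becomes more typical of malicious applications, which contradicts its own rule that scores rise with maliciousness.

```python
import math

# Constructed sample sets (not the patent's data).
NORMAL_ASSOCIATION_SCORES = [0.5, 1.2, 2.0, 2.8, 3.1, 4.0, 0.9, 1.7]  # one event type, one value per normal app
MALICIOUS_R1 = [0.6, 0.9, 1.2, 1.35, 1.5]     # pre-order scores of the second malicious sample set
MALICIOUS_R2 = [2.0, 4.5, 6.0, 7.5, 9.0]      # post-order scores of the same set
# Per-app sets of target feedback events that followed a background pop-up.
NORMAL_FEEDBACK = [set(), {"background_clean"}, set(), {"uninstall"}]
MALICIOUS_FEEDBACK = [{"uninstall"}, {"uninstall", "reboot"}, {"uninstall"}, {"background_clean"}]


def quantile(values, q):
    """Nearest-rank q-quantile of a non-empty sample (the patent does not name a method)."""
    if not values or not 0 < q <= 1:
        raise ValueError("need a non-empty sample and 0 < q <= 1")
    ordered = sorted(values)
    return ordered[max(1, math.ceil(q * len(ordered))) - 1]


def preset_association_score(normal_scores, q=0.75):
    """Thresh: the q-quantile of normal apps' association scores (patent example: 75th percentile)."""
    return quantile(normal_scores, q)


def feedback_proportion(sample, event):
    """Fraction of apps in the sample for which `event` followed a background pop-up."""
    return sum(1 for followed in sample if event in followed) / len(sample)


def feedback_anomaly_score(normal_sample, malicious_sample, event):
    """Anomaly score of a feedback event from the two proportions a (normal) and b (malicious).

    Returns b / a (editor's reading) so that events more typical of malicious
    apps score higher; an event never seen after normal apps' pop-ups is
    treated as maximally suspicious (assumption).
    """
    a = feedback_proportion(normal_sample, event)
    b = feedback_proportion(malicious_sample, event)
    if a == 0:
        return math.inf
    return b / a


def risk_thresholds(malicious_r1, malicious_r2, q=0.75):
    """Pre-order and post-order thresholds: q-quantiles of the malicious samples' scores."""
    return quantile(malicious_r1, q), quantile(malicious_r2, q)


if __name__ == "__main__":
    print("Thresh:", preset_association_score(NORMAL_ASSOCIATION_SCORES))
    for event in ("uninstall", "background_clean", "reboot"):
        print(event, feedback_anomaly_score(NORMAL_FEEDBACK, MALICIOUS_FEEDBACK, event))
    print("R1/R2 thresholds:", risk_thresholds(MALICIOUS_R1, MALICIOUS_R2))
```

On these samples Thresh is 2.8, the uninstall event scores 0.75 / 0.25 = 3.0 while background clean-up scores 1.0 (equally common in both sets), and the pre-order and post-order thresholds come out as 1.35 and 7.5.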

In one embodiment, the background pop-up data of every malicious application in the second malicious sample set is below the model-effective threshold, i.e. the amount of background pop-up data that would be needed for a trained model to take effect.

The model-effective threshold can be derived from bad-case analysis.

Target applications with sufficient data can generally be identified by a model, whereas the method of this embodiment also applies to target applications with infrequent background pop-ups. Deriving the pre-order and post-order thresholds from malicious samples with little data therefore matches the intended application scenario of this embodiment.

For the above method, the application also provides a terminal device. Figure 4 is a schematic diagram of the functional modules of the terminal device of the embodiment. Referring to Figure 4, the terminal device comprises:

a first determination module 401, configured to determine, for each background pop-up of the target application within the preset period, whether a pop-up-associated event occurs in the first period before that pop-up and, if so, to classify the pop-up as an associated-event pop-up; a pop-up-associated event is a system event whose pop-up association score exceeds the preset association score, the score characterizing the degree of association between the system event and the background pop-up behavior;

a second determination module 402, configured to determine the pre-order anomaly score of the target application from the proportion of associated-event pop-ups among the background pop-ups;

a third determination module 403, configured to determine, for each background pop-up of the target application within the preset period, whether a target feedback event occurs in the second period after that pop-up and, if so, to determine the post-order anomaly score of the target application from the anomaly score of each target feedback event, where target feedback events comprise predetermined user behavior events and/or system state change events;

a judgment module 404, configured to determine whether the target application is malicious on the basis of the pre-order and post-order anomaly scores.

In one embodiment, the pop-up association score of a background pop-up is determined as follows:

for each background pop-up of the target application within the preset period, obtain the system events in the third period before that pop-up;

for each type of system event preceding a given background pop-up, determine the single-pop-up association score of that event type by the following formula:

where the result is the single-pop-up association score between this background pop-up A and the system event type S_i, score is the preset score of the j-th occurrence of that event type before the pop-up, and weight is the weight of the j-th occurrence; the preset score decreases as j increases;

the weight satisfies the following formula:

weight = (T - t) / T

where T is the third period and t is the time difference between the system event and the background pop-up;

from the single-pop-up association scores of an event type over every background pop-up, determine the pop-up association score of that event type by the following formula:

where the result is the pop-up association score of the event type.

In one embodiment of the present application, the preset association score is determined as follows:

Obtain a first normal application sample set;

Determine, for each normal application in the first normal application sample set, the pop-up association scores between its background pop-up behaviors and each of the predetermined types of system events, and compute a quantile at a preset proportion of the determined pop-up association scores as the preset association score.

In one embodiment of the present application, the second determining module 402 is specifically configured to determine the pre-sequence anomaly score from the following formula:

where R1 is the pre-sequence anomaly score, the coefficient is a preset weight coefficient, N is the number of background pop-up behaviors, and n is the number of associated-event pop-up behaviors.

In one embodiment of the present application, the third determining module 403 is specifically configured to:

sum, over each type of target feedback event, the product of its number of occurrences and its corresponding anomaly score, to obtain the feedback-event anomaly score of the target application;

take the ratio of the feedback-event anomaly score to the number of background pop-up behaviors as the post-sequence anomaly score.

In one embodiment of the present application, for any type of target feedback event, its anomaly score is determined as follows:

Obtain a second normal application sample set and a first malicious application sample set;

Obtain a first proportion, namely the proportion of normal applications in the second normal application sample set in which the target feedback event occurs after a background pop-up behavior, and a second proportion, namely the proportion of malicious applications in the first malicious application sample set in which the target feedback event occurs after a background pop-up behavior;

Take the ratio of the first proportion to the second proportion as the anomaly score.

In one embodiment of the present application, the judging module 404 is specifically configured to:

judge whether the pre-sequence anomaly score is greater than a pre-sequence threshold and whether the post-sequence anomaly score is greater than a post-sequence threshold;

if the pre-sequence anomaly score is greater than the pre-sequence threshold and the post-sequence anomaly score is greater than the post-sequence threshold, the target application is a high-risk malicious application;

if the pre-sequence anomaly score is greater than the pre-sequence threshold or the post-sequence anomaly score is greater than the post-sequence threshold, the target application is a medium-risk malicious application;

otherwise, the target application is not a malicious application.

In one embodiment of the present application, the pre-sequence threshold and the post-sequence threshold are determined as follows:

Obtain a second malicious application sample set;

Determine the pre-sequence anomaly score and the post-sequence anomaly score of each malicious application in the second malicious application sample set;

Select, from the pre-sequence anomaly scores of the second malicious application sample set, a value greater than a second threshold as the pre-sequence threshold, and select, from the post-sequence anomaly scores of the second malicious application sample set, a value greater than a third threshold as the post-sequence threshold.

In one embodiment of the present application, the amount of background pop-up behavior data of any malicious application in the second malicious application sample set is smaller than the model activation threshold that applies when background pop-up behavior data is used for model training.
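The scoring chain described in the embodiments above (per-event anomaly scores from the two sample sets, the post-sequence score, threshold selection from a malicious sample set, and the high/medium/not-malicious decision), carried through on constructed data as an added example; this is not the patent's own code. The pre-sequence formula image is absent from the page, so R1 is assumed to be the weight coefficient alpha times n/N, and "a threshold greater than the second/third threshold" is read as the smallest sample score above that floor; event names and sample sets are constructed.

```python
"""Worked scoring chain for the embodiments above: per-event anomaly scores
from two sample sets, pre/post-sequence scores, threshold selection from a
malicious sample set, and the risk verdict. Added illustration, not patent code.
Assumptions not given on the page: R1 = alpha * n / N (the formula image is
absent); "a threshold greater than the second/third threshold" is read as the
smallest sample score above that floor; all sample data is constructed."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class PopupRecord:
    """One background pop-up: associated event before it, feedback events after."""
    has_associated_event: bool
    feedback_events: list = field(default_factory=list)


def _proportion(apps, event):
    """Share of all pop-ups in a sample set that were followed by `event`."""
    popups = [p for app in apps for p in app]
    hits = sum(1 for p in popups if event in p.feedback_events)
    return hits / len(popups) if popups else 0.0


def event_anomaly_scores(normal_apps, malicious_apps, event_types):
    """Anomaly score per feedback-event type: first proportion (normal set)
    divided by second proportion (malicious set), in the order the page states.
    A zero second proportion gives 0.0 (assumption; the page is silent)."""
    scores = {}
    for ev in event_types:
        p_normal = _proportion(normal_apps, ev)
        p_malicious = _proportion(malicious_apps, ev)
        scores[ev] = p_normal / p_malicious if p_malicious else 0.0
    return scores


def pre_sequence_score(popups, alpha=1.0):
    """R1 from the share n/N of pop-ups preceded by an associated event."""
    n_assoc = sum(1 for p in popups if p.has_associated_event)
    return alpha * n_assoc / len(popups) if popups else 0.0


def post_sequence_score(popups, scores):
    """Sum of (occurrences x anomaly score) over event types, divided by the
    number of background pop-ups."""
    counts = Counter(ev for p in popups for ev in p.feedback_events)
    total = sum(c * scores.get(ev, 0.0) for ev, c in counts.items())
    return total / len(popups) if popups else 0.0


def select_thresholds(malicious_apps, scores, floor_pre, floor_post, alpha=1.0):
    """Pre/post thresholds from the second malicious sample set: the smallest
    sample score exceeding the given floor (second / third threshold)."""
    def first_above(values, floor):
        for v in sorted(values):
            if v > floor:
                return v
        raise ValueError("no sample score exceeds the floor")
    pre = [pre_sequence_score(app, alpha) for app in malicious_apps]
    post = [post_sequence_score(app, scores) for app in malicious_apps]
    return first_above(pre, floor_pre), first_above(post, floor_post)


def classify(r1, r2, pre_threshold, post_threshold):
    """Both above their threshold: high risk; one above: medium risk; else benign."""
    above_pre, above_post = r1 > pre_threshold, r2 > post_threshold
    if above_pre and above_post:
        return "high-risk malicious"
    if above_pre or above_post:
        return "medium-risk malicious"
    return "not malicious"


# Constructed sample data (not from the page); event names are hypothetical.
EVENT_TYPES = ["user_kill", "uninstall", "notification_dismiss"]
NORMAL_SAMPLES = [  # second normal application sample set, 4 pop-ups in total
    [PopupRecord(False, ["notification_dismiss"]), PopupRecord(False)],
    [PopupRecord(True, ["notification_dismiss"]), PopupRecord(False, ["user_kill"])],
]
MALICIOUS_SAMPLES = [  # first malicious sample set; reused as the second one
    [PopupRecord(True, ["user_kill"]), PopupRecord(True, ["user_kill", "uninstall"])],
    [PopupRecord(True, ["notification_dismiss"]), PopupRecord(False)],
]
TARGET_APP = [  # the application under evaluation
    PopupRecord(True, ["user_kill"]), PopupRecord(True, ["user_kill", "uninstall"]),
    PopupRecord(False), PopupRecord(True, ["notification_dismiss"]),
]

if __name__ == "__main__":
    scores = event_anomaly_scores(NORMAL_SAMPLES, MALICIOUS_SAMPLES, EVENT_TYPES)
    thresholds = select_thresholds(MALICIOUS_SAMPLES, scores, 0.4, 0.6)
    r1, r2 = pre_sequence_score(TARGET_APP), post_sequence_score(TARGET_APP, scores)
    print(scores, thresholds, r1, r2, classify(r1, r2, *thresholds))
```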

In a specific implementation, the present application further provides a computer storage medium that can store a program; when the program runs, it controls the device on which the computer-readable storage medium is located to execute some or all of the steps of the above embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.

In a specific implementation, an embodiment of the present application further provides a computer program product containing executable instructions which, when executed on a computer, cause the computer to execute some or all of the steps of the above method embodiments.

The embodiments of the mechanisms disclosed in this application may be implemented in hardware, software, firmware, or a combination of these. Embodiments of the present application may be implemented as a computer program or program code executed on a programmable system comprising at least one processor, a storage system (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device.

Program code may be applied to input instructions to perform the functions described in this application and to generate output information. The output information may be applied to one or more output devices in a known manner. For the purposes of this application, a processing system includes any system having a processor such as, for example, a digital signal processor (DSP), a microcontroller, an application-specific integrated circuit (ASIC), or a microprocessor.

The program code may be implemented in a high-level procedural or object-oriented programming language to communicate with the processing system. Where required, the program code may also be implemented in assembly or machine language. In fact, the mechanisms described in this application are not limited in scope to any particular programming language. In either case, the language may be compiled or interpreted.

In some cases, the disclosed embodiments may be implemented in hardware, firmware, software, or any combination thereof. The disclosed embodiments may also be implemented as instructions carried by or stored on one or more transitory or non-transitory machine-readable (e.g., computer-readable) storage media, which may be read and executed by one or more processors. For example, the instructions may be distributed over a network or via other computer-readable media. Thus, a machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer), including but not limited to floppy disks, optical discs, compact disc read-only memories (CD-ROMs), magneto-optical disks, read-only memory (ROM), random access memory (RAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic or optical cards, flash memory, or tangible machine-readable storage used to transmit information over the Internet by electrical, optical, acoustic, or other forms of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.). Thus, a machine-readable medium includes any type of machine-readable medium suitable for storing or transmitting electronic instructions or information in a form readable by a machine (e.g., a computer).

In the drawings, some structural or methodological features may be shown in a particular arrangement and/or order. It should be understood, however, that such a particular arrangement and/or order may not be required. Rather, in some embodiments, these features may be arranged in a manner and/or order different from that shown in the drawings of the description. In addition, the inclusion of a structural or methodological feature in a particular figure does not imply that the feature is required in all embodiments; in some embodiments the feature may be omitted or combined with other features.

It should be noted that each unit/module mentioned in the device embodiments of this application is a logical unit/module. Physically, a logical unit/module may be one physical unit/module, part of one physical unit/module, or a combination of several physical units/modules. The physical implementation of these logical units/modules is not what matters most; the combination of functions they implement is the key to solving the technical problem addressed by this application. Furthermore, to highlight the innovative part of this application, the device embodiments above do not introduce units/modules that are not closely related to solving the technical problem addressed by this application; this does not mean that the device embodiments contain no other units/modules.

It should be noted that in the examples and description of this patent, relational terms such as first and second are used only to distinguish one entity or operation from another and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include", or any variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article, or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or device. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of additional identical elements in the process, method, article, or device comprising that element.

Although this application has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of this application.

Claims (11)

1. A method for identifying a malicious application, comprising:
for each background pop-up behavior of a target application within a preset period, judging whether a pop-up-associated event exists in a first period before that background pop-up behavior and, if so, determining that background pop-up behavior to be an associated-event pop-up behavior; the pop-up-associated event is a system event whose pop-up association score is greater than a preset association score, and the pop-up association score represents the degree of association between a system event and background pop-up behavior;
determining a pre-sequence anomaly score of the target application from the proportion of associated-event pop-up behaviors among the background pop-up behaviors;
for each background pop-up behavior of the target application within the preset period, judging whether a target feedback event exists in a second period after that background pop-up behavior and, if so, determining a post-sequence anomaly score of the target application from the anomaly score corresponding to each target feedback event; the target feedback events comprise predetermined user behavior events and/or system state change events;
judging, based on the pre-sequence anomaly score and the post-sequence anomaly score, whether the target application is a malicious application.

2. The method according to claim 1, wherein the pop-up association score of the background pop-up behavior is determined as follows:
for each background pop-up behavior of the target application within the preset period, obtaining the system events in a third period before that background pop-up behavior;
for each type of system event before any background pop-up behavior, determining the single-pop-up association score of that type of system event from the following formula:
where the terms are: the single-pop-up association score of this background pop-up behavior A with the system event; the preset score of the j-th occurrence of that system event before the background pop-up behavior; and the weight of the j-th occurrence; the preset score decreases as j increases;
the weight satisfies the following formula:
where T is the third period and t is the time difference between the system event and the background pop-up behavior;
from the single-pop-up association scores of a given type of system event across every background pop-up behavior, determining the pop-up association score of that type of system event from the following formula:
where the quantity determined is the pop-up association score.

3. The method according to claim 1, wherein the preset association score is determined as follows:
obtaining a first normal application sample set;
determining, for each normal application in the first normal application sample set, the pop-up association scores between its background pop-up behaviors and each of the predetermined types of system events, and computing a quantile at a preset proportion of the determined pop-up association scores as the preset association score.

4. The method according to claim 1, wherein the pre-sequence anomaly score is determined from the following formula:
where R1 is the pre-sequence anomaly score, the coefficient is a preset weight coefficient, N is the number of background pop-up behaviors, and n is the number of associated-event pop-up behaviors.

5. The method according to claim 1, wherein the step of determining the post-sequence anomaly score of the target application from the anomaly score corresponding to each target feedback event comprises:
summing, over each type of target feedback event, the product of its number of occurrences and its corresponding anomaly score, to obtain a feedback-event anomaly score of the target application;
taking the ratio of the feedback-event anomaly score to the number of background pop-up behaviors as the post-sequence anomaly score.

6. The method according to claim 5, wherein, for any type of target feedback event, the anomaly score corresponding to that target feedback event is determined as follows:
obtaining a second normal application sample set and a first malicious application sample set;
obtaining a first proportion, namely the proportion of normal applications in the second normal application sample set in which the target feedback event occurs after a background pop-up behavior, and a second proportion, namely the proportion of malicious applications in the first malicious application sample set in which the target feedback event occurs after a background pop-up behavior;
taking the ratio of the first proportion to the second proportion as the anomaly score corresponding to the target feedback event.

7. The method according to claim 1, wherein the step of judging, based on the pre-sequence anomaly score and the post-sequence anomaly score, whether the target application is a malicious application comprises:
judging whether the pre-sequence anomaly score is greater than a pre-sequence threshold and whether the post-sequence anomaly score is greater than a post-sequence threshold;
if the pre-sequence anomaly score is greater than the pre-sequence threshold and the post-sequence anomaly score is greater than the post-sequence threshold, the target application is a high-risk malicious application;
if the pre-sequence anomaly score is greater than the pre-sequence threshold or the post-sequence anomaly score is greater than the post-sequence threshold, the target application is a medium-risk malicious application;
otherwise, the target application is not a malicious application.

8. The method according to claim 7, wherein the pre-sequence threshold and the post-sequence threshold are determined as follows:
obtaining a second malicious application sample set;
determining the pre-sequence anomaly score and the post-sequence anomaly score of each malicious application in the second malicious application sample set;
selecting, from the pre-sequence anomaly scores of the second malicious application sample set, a value greater than a second threshold as the pre-sequence threshold, and selecting, from the post-sequence anomaly scores of the second malicious application sample set, a value greater than a third threshold as the post-sequence threshold.

9. The method according to claim 8, wherein the amount of background pop-up behavior data of any malicious application in the second malicious application sample set is smaller than the model activation threshold that applies when background pop-up behavior data is used for model training.

10. A terminal device, comprising:
a first determining module, configured, for each background pop-up behavior of a target application within a preset period, to judge whether a pop-up-associated event exists in a first period before that background pop-up behavior and, if so, to determine that background pop-up behavior to be an associated-event pop-up behavior; the pop-up-associated event is a system event whose pop-up association score is greater than a preset association score, and the pop-up association score represents the degree of association between a system event and background pop-up behavior;
a second determining module, configured to determine a pre-sequence anomaly score of the target application from the proportion of associated-event pop-up behaviors among the background pop-up behaviors;
a third determining module, configured, for each background pop-up behavior of the target application within the preset period, to judge whether a target feedback event exists in a second period after that background pop-up behavior and, if so, to determine a post-sequence anomaly score of the target application from the anomaly score corresponding to each target feedback event; the target feedback events comprise predetermined user behavior events and/or system state change events;
a judging module, configured to judge, based on the pre-sequence anomaly score and the post-sequence anomaly score, whether the target application is a malicious application.

11. A computer-readable storage medium, comprising a stored program which, when run, controls the device on which the computer-readable storage medium is located to execute the method according to any one of claims 1 to 9.
CN202211592979.7A 2022-12-13 2022-12-13 Malicious application identification method, terminal equipment and readable storage medium Active CN115640576B (en)

Publications (2)

Publication Number Publication Date
CN115640576A CN115640576A (en) 2023-01-24
CN115640576B true CN115640576B (en) 2023-05-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040

Patentee after: Honor Terminal Co.,Ltd.

Country or region after: China

Address before: 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong

Patentee before: Honor Device Co.,Ltd.

Country or region before: China