CN115758364A - Security detection method, device, equipment and medium - Google Patents


Publication number
CN115758364A
Authority
CN
China
Prior art keywords
program
page
historical
screenshots
screenshot
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211555864.0A
Other languages
Chinese (zh)
Inventor
陈伟平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202211555864.0A
Publication of CN115758364A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application discloses a security detection method, a security detection device, security detection equipment and a security detection medium, and relates to the field of data security. The security detection method is executed by a security program, and the method includes: acquiring a program screenshot corresponding to a display interface of a tested program; determining a page type of the program screenshot based on a page classification model, wherein the page classification model is obtained by training according to a plurality of historical program screenshots of at least one application program; determining a simulation trigger operation corresponding to the display interface based on the page type, executing the simulation trigger operation on the display interface, and acquiring response data of the tested program to the simulation trigger operation; and determining whether the tested program has potential safety hazard or not according to the response data. The embodiment provides a security detection method for an application program, so as to enhance security management on the application program, ensure safe use of the application program, and protect security of user data.

Description

Security detection method, device, equipment and medium
Technical Field
The present application relates to the field of data security, and in particular, to a security detection method, apparatus, device, and medium.
Background
As the demand of people increases, more applications are installed on terminals.
For an application program, it is usually necessary to monitor the control elements on its display interface and, when a trigger operation is performed on a control element, to execute the trigger behavior corresponding to that operation. In some implementation scenarios, some trigger behaviors executed by the application may present a security risk, such as violating privacy protection policies or acquiring user data in violation of rules. To ensure the safe use of application programs and the protection of user data, application programs generally need to undergo security detection.
Disclosure of Invention
The embodiments of the present application provide a security detection method, apparatus, device, and medium, offering a new security detection method that helps ensure the safe use of an application program and protect user data. The technical solution is as follows:
According to an aspect of the present application, there is provided a security detection method, which is performed by a security program, the method including:
acquiring a program screenshot corresponding to a display interface of a tested program;
determining a page type of the program screenshot based on a page classification model, wherein the page classification model is obtained by training according to a plurality of historical program screenshots of at least one application program;
determining a simulation trigger operation corresponding to the display interface based on the page type, executing the simulation trigger operation on the display interface, and acquiring response data of the tested program to the simulation trigger operation;
and determining whether the tested program has potential safety hazard or not according to the response data.
According to an aspect of the present application, there is provided a security detection apparatus, the apparatus including:
the acquisition module is used for acquiring a program screenshot corresponding to a display interface of the tested program;
the determining module is used for determining the page type of the program screenshot based on a page classification model, and the page classification model is obtained by training according to a plurality of historical program screenshots of at least one application program;
the acquisition module is further used for determining the simulation trigger operation corresponding to the display interface based on the page type, executing the simulation trigger operation on the display interface and acquiring response data of the tested program to the simulation trigger operation;
and the determining module is also used for determining whether the tested program has potential safety hazards or not according to the response data.
According to one aspect of the present application, there is provided a computer device comprising a memory and a processor; the memory has stored therein at least one program code that is loaded and executed by the processor to implement the security detection method as described above.
According to an aspect of the present application, there is provided a computer-readable storage medium having stored therein a computer program for execution by a processor to implement the security detection method as described above.
According to an aspect of the present application, there is provided a chip comprising programmable logic circuits and/or program instructions for implementing the security detection method as described above when the electronic device in which the chip is installed is operating.
According to an aspect of the present application, there is provided a computer program product comprising computer instructions stored in a computer-readable storage medium, and a processor reading and executing the computer instructions from the computer-readable storage medium to implement the security detection method as described above.
The beneficial effects of the technical solutions provided by the embodiments of the present application include at least the following:
A security detection method for an application program is provided, to enhance security management of the application program, ensure its safe use, and protect the security of user data. Based on the page classification model, the program screenshot corresponding to the display interface of the tested program can be classified by page type; whether the tested program has a potential safety hazard is then judged according to the response data under the different page types.
Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a computer system provided in an exemplary embodiment of the present application;
FIG. 2 is a flow diagram of a security detection method provided by an exemplary embodiment of the present application;
FIG. 3 is a flowchart of training a page classification model provided by an exemplary embodiment of the present application;
FIG. 4 is a flowchart of training a page classification model provided by an exemplary embodiment of the present application;
FIG. 5 is a flow chart of picture clustering provided by an exemplary embodiment of the present application;
FIG. 6 is a diagram illustrating a display page of the rights authorization type provided by an exemplary embodiment of the present application;
FIG. 7 is a schematic illustration of a display page of the login type provided by an exemplary embodiment of the present application;
FIG. 8 is a flow chart of a security detection method provided by an exemplary embodiment of the present application;
FIG. 9 is a flowchart of a tested program execution triggering action provided by an exemplary embodiment of the present application;
FIG. 10 is a schematic illustration of different trigger behavior executions provided by an exemplary embodiment of the present application;
FIG. 11 is a flow chart of a security detection method provided by an exemplary embodiment of the present application;
FIG. 12 is a schematic view of a security detection device provided in an exemplary embodiment of the present application;
FIG. 13 is a schematic structural diagram of a computer device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims.
It is to be understood that "a number" herein means one or more, and "a plurality" means two or more. "And/or" describes the association relationship of the associated objects and indicates that three relationships are possible; for example, "A and/or B" may indicate: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
First, terms referred to in the embodiments of the present application will be briefly described.
Artificial Intelligence (AI): a theory, method, technology and application system that uses a digital computer, or a machine controlled by a digital computer, to simulate, extend and expand human intelligence, sense the environment, acquire knowledge, and use that knowledge to obtain the best result. In other words, artificial intelligence is a comprehensive technique of computer science that attempts to understand the essence of intelligence and produce a new kind of intelligent machine that can react in a manner similar to human intelligence. Artificial intelligence studies the design principles and implementation methods of various intelligent machines, so that the machines have the functions of perception, reasoning and decision making.
Artificial intelligence technology is a comprehensive discipline that covers a wide range of fields, involving both hardware-level and software-level technologies. Basic artificial intelligence technologies generally include sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. Artificial intelligence software technologies mainly include computer vision, speech processing, natural language processing, machine learning/deep learning, and the like.
Security program: an application for maintaining the security of a terminal.
Terminal security covers data security, privacy protection, virus scanning and removal, and other aspects. Illustratively, the security program may be any application related to terminal security, such as a terminal housekeeping application, a virus killing application, or a privacy detection application.
Tested program: any application that a user starts.
It should be understood that the tested program is an application program that the user starts in real time. For example, the tested program is a chat application, a game application, etc. started by the user in real time. In some embodiments, the tested program can be an application program preinstalled on the terminal at the factory, an application program that is allowed to be downloaded and/or installed from an application store associated with the terminal, or an application program that the user downloads and/or installs through an external link. The type, source, installation location, operation mode and the like of the tested program are not limited, and the tested program can be any application program.
Page classification model: an AI model provided by the embodiments of the present application.
Illustratively, the page classification model is obtained by training on a plurality of historical program screenshots of at least one application program, and is used to classify the display pages of an application program by page type. A historical program screenshot is an interface picture of a historical display page of an application program and can be obtained by taking a screenshot. The model training process is described in detail below and is not covered here.
In some embodiments, the page classification model is used as follows: the security program acquires the page classification model; after a user starts a tested program in real time, the security program can take a screenshot of the current display interface of the tested program to obtain the program screenshot corresponding to the current display interface; the security program then inputs the program screenshot into the page classification model, and the page classification model outputs the page type of the program screenshot.
After the page type of the program screenshot is determined, response data of the tested program can be obtained to judge whether the tested program has a potential safety hazard (namely, the security detection method provided by the present application); the details are described below.
Fig. 1 is a schematic diagram illustrating a computer system provided in an exemplary embodiment of the present application, where the computer system 100 includes a training device 110 for a page classification model and a using device 120 for the page classification model, and the training device 110 sends the trained page classification model to the using device 120. The page classification model is an AI model related to the application of the security detection method provided by the application.
The training device 110 and the using device 120 may be computer devices with machine learning capabilities, such as a terminal or a server.
Optionally, the training device 110 and the using device 120 may be the same computer device, or the training device 110 and the using device 120 may be different computer devices. Also, when the training device 110 and the using device 120 are different devices, the training device 110 and the using device 120 may be the same type of device, such as the training device 110 and the using device 120 may both be servers; alternatively, the training device 110 and the using device 120 may be different types of devices, such as the training device 110 being a server and the using device 120 being a terminal. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network), a big data and artificial intelligence platform. The terminal may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart television, a vehicle-mounted terminal, a wearable device, a smart sound box, and the like, but is not limited thereto. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein.
During the model training process, the training device 110 needs to obtain a plurality of historical program screenshots of at least one application program, where one historical program screenshot corresponds to a historical display interface of one application program.
It should be noted that before and during the collection of the user's relevant data (including but not limited to historical program screenshots), a prompt interface or popup window may be displayed, or voice prompt information may be output, to inform the user that relevant data is currently being collected. The steps of obtaining the user's relevant data are started only after a confirmation operation by the user on the prompt interface or popup window is obtained; otherwise (that is, when no confirmation operation by the user on the prompt interface or popup window is obtained), the steps of obtaining the user's relevant data are ended, that is, the user's relevant data is not obtained. In other words, all user data collected in the present application is collected with the consent and authorization of the user, and the collection, use and processing of the relevant user data need to comply with the relevant laws, regulations and standards of the relevant countries and regions. In the following embodiments, all steps related to data collection, use and processing should be performed with the user's consent and authorization and in compliance with the relevant laws, regulations and standards of the relevant countries and regions, and this will not be repeated.
Fig. 2 shows a flowchart of a security detection method provided in an exemplary embodiment of the present application, which is executed by a security program. The security program refers to an application program for maintaining terminal security, and the security program may be any one of terminal security related applications such as a terminal manager application, a virus searching and killing application, and a privacy detection application.
In the embodiments of the present application, the security program is used to detect whether the tested program has a potential safety hazard. The tested program refers to any application program started by a user. It should be understood that the tested program is an application program that is started by a user in real time; the present application does not limit the type, source, installation location, operation mode, etc. of the tested program, and the tested program may be any application program.
Schematically, the security detection method provided by the embodiments of the present application includes the following steps:
Step 101: Acquire a program screenshot corresponding to a display interface of the tested program.
When the display interface of the tested program is displayed, the terminal can take a screenshot of the display interface to obtain the program screenshot of the display interface.
It should be noted that the program screenshots acquired in the present application are collected under the condition that the user agrees and authorizes, and the collection, use and processing of the related program screenshots need to comply with relevant laws, regulations and standards of relevant countries and regions.
Step 102: Determine the page type of the program screenshot based on the page classification model.
Illustratively, the page classification model is trained from a plurality of historical program screenshots of at least one application. The historical program screenshot is used for indicating an interface picture of a historical display page of an application program and can be obtained through screenshot of the historical display interface.
It should be appreciated that the page classification model is invoked by the security program to determine the page type of the program screenshot for determining whether the tested program has a security risk. The page classification model can be obtained by training the terminal with the safety program, and can also be obtained by training other terminals and then sent to the terminal with the safety program.
In some embodiments, with the user's consent, the terminal performing model training may obtain a plurality of historical program screenshots of at least one application, for example, obtain m historical program screenshots of n applications, each corresponding to a different number of historical program screenshots. And then, processing the m historical program screenshots by adopting modes of picture clustering, character recognition or the like to determine a type label marked on each historical program screenshot, thereby realizing the type division of the m historical program screenshots. And constructing a corresponding training set based on the m historical program screenshots and the corresponding type labels thereof, thereby obtaining the page classification model required by the embodiment of the application through training.
After the page classification model is obtained, the security program can input the program screenshot into the page classification model, and the security program can determine the page type corresponding to the program screenshot through model judgment. It should be understood that the page classification model may be provided in the security program, and invoked directly by the security program; the page classification model can also be arranged at other positions of the terminal provided with the security program or in the cloud server and indirectly called by the security program. The setting position of the page classification model is not limited.
It should be understood that the page types of the program screenshots may be divided according to actual needs. Illustratively, the page types include a permission authorization type, a login type, a text input type, and the like. The permission authorization type refers to a page type of a display interface for granting a certain permission (such as reading data and acquiring privacy data) of the terminal to the tested program, the login type refers to a page type of a display page for logging in an associated account of the tested program, and the text input type refers to a page type of a display page for inputting a text on a current page. It should be understood that the above categories are exemplary only and are not intended to limit the present application, and other categories are also included in the scope of the present application and will not be described herein.
In some embodiments, besides the plurality of page types indicated by the page classification model, there is a case where the page type of the program interface is unknown, which can also be understood as a case where the program interface does not belong to any one of the page types indicated by the page classification model. In this case, the following steps 103 and 104 will not be executed.
Step 103: Determine the simulation trigger operation corresponding to the display interface based on the page type, execute the simulation trigger operation on the display interface, and acquire the response data of the tested program to the simulation trigger operation.
After determining the page type of the program screenshot, the security program may determine, based on the page type, a simulation trigger operation corresponding to a display interface of the program to be tested. The simulation triggering operation refers to at least one triggering operation which can be performed on the display interface based on the page type. For example, if the page type is the authorization type, the simulated trigger operation corresponding to the display interface includes "agree" and "disagree". Wherein, in response to the 'consent' simulation trigger operation, a certain permission can be granted to the tested program; in response to the simulated trigger action being "not approved," the tested program may be denied certain rights.
After the simulation trigger operation is determined, the security program can perform trigger simulation on the tested program based on the simulation trigger operation to acquire response data of the tested program. Still taking the permission authorization type as an example, based on two types of simulated trigger operations including "agree" and "disagree", the security program executes the two types of simulated trigger operations on the display interface (i.e., permission authorization interface), and respectively acquires response data of the program to be tested to the two types of simulated trigger operations.
For example, for the simulation trigger operation of "agree", the tested program executes the operation of acquiring a certain authority, and the response data can be marked as the tested program acquisition authority. For the simulation trigger operation of 'disagreement', the tested program receives the notice that the terminal refuses authorization, and if the tested program executes the operation of exiting the program, the response data can be marked as the exiting program; if the tested program executes the operation of entering the next display interface, the response data can be marked as continuing to execute the subsequent operation. Based on the method, for the authority authorization type, the security program acquires response data of the tested program to at least one simulation trigger operation on the display interface so as to facilitate subsequent operations.
Step 104: Determine, according to the response data, whether the tested program has a potential safety hazard.
According to step 103, for different page types, the security program may obtain response data of the tested program to at least one simulated trigger operation on the display interface. The security program can then inspect the response data: when a security vulnerability exists in the response data, the tested program is determined to have a potential safety hazard; when no security vulnerability exists in the response data, the tested program is determined not to have a potential safety hazard.
The existence of a security vulnerability in the response data can be understood as follows: based on the different page types, the response of the tested program to the simulation trigger operation poses a potential safety hazard to the terminal and can lead to risks such as theft of user data, privacy disclosure, and virus intrusion.
Further, the existence of a security vulnerability in the response data can be understood as follows: based on the different page types, the response of the tested program to the simulation trigger operation does not comply with relevant laws and regulations. For example, for a display interface used for privacy authorization, the corresponding program screenshot may be determined to be of the permission authorization type. If the response data of the tested program to the "disagree" simulation trigger operation is marked as exiting the program, then a user who does not agree to the privacy authorization is not allowed to use the tested program. If this behavior would violate national laws and regulations regarding privacy authorization, the tested program may be determined to have a potential safety hazard.
To sum up, the embodiments of the present application provide a security detection method for an application program (i.e., a tested program), so as to enhance security management of the application program, ensure its safe use, and protect the security of user data. Based on the page classification model, the program screenshot corresponding to the display interface of the tested program can be classified by page type, which facilitates classified detection of the different functions of the tested program; whether the tested program has a potential safety hazard is then judged according to the response data under the different page types, and the user can be reminded promptly to manage the tested program.
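Steps 101 to 104 above, sketched as an added Python example (not code from the patent or its applicant). The classifier is a stub standing in for the trained page classification model, `FakeTestedProgram` is a constructed tested program, and the hazard rule table and all names are assumptions made for illustration; the interface is relaunched before each simulated operation because a permission dialog can be answered only once.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Page types; UNKNOWN covers screenshots the model cannot place (steps 103-104 are skipped).
PERMISSION_AUTHORIZATION = "permission_authorization"
UNKNOWN = "unknown"

# Response labels taken from the description's permission authorization example.
ACQUIRES_PERMISSION = "acquires_permission"
EXITS_PROGRAM = "exits_program"
CONTINUES = "continues_subsequent_operations"

# Step 103: simulated trigger operations per page type (only this pair is in the text).
SIMULATED_OPERATIONS: Dict[str, List[str]] = {
    PERMISSION_AUTHORIZATION: ["agree", "disagree"],
}

# Step 104: (page type, operation, response) combinations treated as a hazard.
# Assumed policy table; the text gives "disagree" -> exit as its example.
HAZARD_RULES = {
    (PERMISSION_AUTHORIZATION, "disagree", EXITS_PROGRAM):
        "refusing authorization prevents any use of the program",
}


class FakeTestedProgram:
    """Constructed stand-in for a tested program that shows a permission dialog."""

    def __init__(self, exit_on_refusal: bool, dialog_open: bool = True):
        self.exit_on_refusal = exit_on_refusal
        self.dialog_open = dialog_open

    def screenshot(self) -> bytes:
        # Step 101: a real security program would capture pixels here.
        return b"PERMISSION-DIALOG" if self.dialog_open else b"HOME"

    def trigger(self, operation: str) -> str:
        if not self.dialog_open:
            raise RuntimeError("dialog already dismissed; relaunch first")
        self.dialog_open = False
        if operation == "agree":
            return ACQUIRES_PERMISSION
        return EXITS_PROGRAM if self.exit_on_refusal else CONTINUES


def stub_classify(screenshot: bytes) -> str:
    """Placeholder for the trained page classification model (step 102)."""
    return PERMISSION_AUTHORIZATION if screenshot == b"PERMISSION-DIALOG" else UNKNOWN


@dataclass(frozen=True)
class Finding:
    page_type: str
    operation: str
    response: str
    reason: str


@dataclass
class DetectionResult:
    page_type: str
    responses: Dict[str, str] = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)
    skipped: bool = False

    @property
    def has_hazard(self) -> bool:
        return bool(self.findings)


def detect(launch: Callable[[], FakeTestedProgram],
           classify: Callable[[bytes], str]) -> DetectionResult:
    """Run steps 101-104 against a tested program produced by launch()."""
    page_type = classify(launch().screenshot())           # steps 101 and 102
    operations = SIMULATED_OPERATIONS.get(page_type)
    if not operations:                                     # unknown page type
        return DetectionResult(page_type=page_type, skipped=True)
    result = DetectionResult(page_type=page_type)
    for operation in operations:                           # step 103
        session = launch()                                 # fresh display interface
        response = session.trigger(operation)
        result.responses[operation] = response
        reason = HAZARD_RULES.get((page_type, operation, response))
        if reason:                                         # step 104
            result.findings.append(Finding(page_type, operation, response, reason))
    return result


if __name__ == "__main__":
    for exits in (True, False):
        outcome = detect(lambda: FakeTestedProgram(exit_on_refusal=exits), stub_classify)
        print(exits, outcome.responses, outcome.has_hazard)
```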
In some embodiments, the page classification model may also be called by the program under test to implement the trigger operation.
The tested program is any application program started by a user in real time.
While an application program is in use, page triggering is generally based on control elements; that is, a trigger operation on a control element is detected and the corresponding trigger behavior is executed. In some scenarios (e.g., externally installed applications), the control element may not be recognized, so the trigger operation may fail.
It can be understood that in the triggering schemes of the related art, the trigger operation is mainly implemented by matching control elements on the display interface. It is difficult to determine the specific type of the current display interface from a single control element, so the type has to be determined from other elements in the display interface as well, which makes the technical implementation complex. In addition, because the application program may have been installed through an external link, the control elements may be difficult to recognize; for example, some game applications are developed with a game framework, and the control elements in the current display interface cannot be acquired.
Illustratively, if the tested program can call the page classification model, the following steps can be implemented:
The tested program takes a screenshot of the display interface to obtain a program screenshot;
the program screenshot is then input into the page classification model to acquire the trigger rule corresponding to the display page; based on the trigger rule, the tested program can respond to the trigger operation on the display interface.
With reference to the above, when the tested program calls the page classification model, failures to match control elements during triggering can be avoided: page classification does not depend solely on control elements, and other elements in the display interface do not need to be matched by complex technical means, so triggering efficiency can be effectively improved.
With reference to the foregoing, a page classification model is trained from a plurality of historical screenshot images of at least one application, and the following will describe the model training process in detail:
FIG. 3 is a flowchart of training a page classification model provided by an exemplary embodiment of the present application. In some embodiments, the page classification model is trained by a terminal installed with a security program; in other embodiments, the page classification model is trained by other terminals, which is not limited in this application.
Illustratively, the page classification model is obtained by training through the following steps:
Step 201: Obtain a plurality of historical program screenshots of at least one application program.
The historical program screenshot is used for indicating an interface picture of a historical display page of an application program and can be obtained through screenshot of the historical display interface. In some embodiments, with the user's consent, the terminal performing model training may obtain a plurality of historical program screenshots of at least one application, for example, obtain m historical program screenshots of n applications, each corresponding to a different number of historical program screenshots.
In some embodiments, the ith historical program screenshot in the plurality of historical program screenshots is obtained by screenshot of the ith historical display interface in the plurality of historical display interfaces of the at least one application program, and i is a positive integer not less than 0.
Optionally, step 201 may be implemented as follows:
taking a screenshot of the ith historical display interface in the multiple historical display interfaces of the at least one application program to obtain the ith historical program screenshot in the multiple historical program screenshots.
It can be understood that after at least one application program is started and run, screenshot can be performed on a plurality of historical display interfaces according to user agreement, so as to obtain historical program screenshot corresponding to each historical display interface, and the historical program screenshots are used for building a training set of a page classification model.
It should be understood that, in the security detection method provided in the embodiment of the present application, a screenshot is also performed on a display interface of a program to be detected, so as to obtain a corresponding program screenshot, where the program screenshot is used for performing optimization training on a page classification model. The acquisition of the program screenshot also needs to be agreed by the user.
Step 202: Cluster the plurality of historical program screenshots to obtain a clustering result.
After a plurality of historical program screenshots are obtained, the terminal for model training can perform clustering processing on the historical program screenshots so as to realize classification of the plurality of historical program screenshots.
Optionally, step 202 may be implemented as follows:
converting the plurality of historical program screenshots into a vector space based on a deep residual network model to obtain vectors corresponding to the plurality of historical program screenshots, wherein one historical program screenshot corresponds to one vector in the vector space;
constructing a distance relation network according to a vector space, wherein the distance relation network is used for describing the similarity degree among a plurality of historical program screenshots, and a vector corresponding to one historical program screenshot is a node in the distance relation network;
and clustering the plurality of historical program screenshots according to the distance relation network to obtain a clustering result.
The deep residual network model may be a ResNet model.
Based on the deep residual network model, the original pictures of the plurality of historical program screenshots can be converted into a vector space. For example, a 512-dimensional vector is generated for each historical program screenshot, and the plurality of vectors form the vector space.
Based on the plurality of vectors in the vector space, a distance relation network may be constructed. The cosine distance between two vectors in the vector space indicates the degree of similarity between two historical program screenshots. For example, assuming that there are three historical program screenshots A, B, and C, if cosine distance (A, B) < cosine distance (A, C), historical program screenshot A is more similar to historical program screenshot B than to historical program screenshot C.
Subsequently, based on the distance relationship network, a plurality of vectors in the vector space may be clustered (which may be understood as clustering a plurality of historical program screenshots) to obtain a clustering result. Schematically, fig. 4 shows a flowchart of image clustering provided in an exemplary embodiment of the present application, which specifically includes the following steps:
Step 1: Convert the picture space to the vector space.
Illustratively, a 512-dimensional vector is generated for each picture (i.e., each historical program screenshot) using a deep residual network model.
Step 2: Construct a distance relation network graph.
Each picture from step 1 is taken as a node in the network; if the cosine distance between two pictures is smaller than a predefined threshold (for example, 0.05), there is an edge between the two pictures.
Step 3: Calculate the connected components of the relation network graph.
Illustratively, a connected component whose number of nodes is not greater than a predefined threshold (illustratively, 128) is taken directly as a cluster; for connected components whose number of nodes is greater than the threshold, the nodes in all large connected components are input into a k-means clustering algorithm (which can be labeled as a kmeans algorithm). Referring to fig. 4, k is illustratively 128.
Step 4: Combine the clusters from the small connected components with the clusters output by kmeans to obtain the final clustering result.
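The four clustering steps above can be sketched as follows. This is an added example, not code from the application: the ResNet embedding step is replaced by constructed 2-D vectors, the large components are pooled into a single k-means run (one reading of the text), and the function names and the deterministic k-means initialisation are assumptions.

```python
import math
from collections import defaultdict

# Values quoted in the text; the demo below passes smaller ones so that the
# k-means branch is exercised on a handful of constructed vectors.
EDGE_THRESHOLD = 0.05      # edge when cosine distance is below this
MAX_COMPONENT_SIZE = 128   # components up to this size become clusters as-is
K = 128                    # k for k-means over the larger components


def normalise(v):
    norm = math.sqrt(sum(x * x for x in v)) or 1.0
    return [x / norm for x in v]


def cosine_distance(u, v):
    """Cosine distance between two unit vectors (0 = same direction)."""
    return 1.0 - sum(a * b for a, b in zip(u, v))


def connected_components(unit, edge_threshold):
    """Steps 2 and 3: build the distance relation graph and return its
    connected components as lists of screenshot indices (union-find)."""
    parent = list(range(len(unit)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(unit)):
        for j in range(i + 1, len(unit)):
            if cosine_distance(unit[i], unit[j]) < edge_threshold:
                parent[find(i)] = find(j)

    groups = defaultdict(list)
    for i in range(len(unit)):
        groups[find(i)].append(i)
    return list(groups.values())


def kmeans(points, k, iterations=25):
    """Lloyd's k-means with squared Euclidean distance; returns one cluster id
    per point. Initial centroids are taken from the middle of k equal slices
    of the input order (an assumption made so the result is reproducible)."""
    n = len(points)
    k = min(k, n)
    centroids = [list(points[(2 * c + 1) * n // (2 * k)]) for c in range(k)]
    labels = [0] * n
    for _ in range(iterations):
        labels = [
            min(range(k), key=lambda c: sum((a - b) ** 2 for a, b in zip(p, centroids[c])))
            for p in points
        ]
        for c in range(k):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:  # an empty cluster keeps its previous centroid
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def cluster_screenshots(vectors, edge_threshold=EDGE_THRESHOLD,
                        max_component_size=MAX_COMPONENT_SIZE, k=K):
    """Step 4: small components plus the k-means output form the result."""
    unit = [normalise(v) for v in vectors]
    clusters, pooled = [], []
    for component in connected_components(unit, edge_threshold):
        if len(component) <= max_component_size:
            clusters.append(component)
        else:
            pooled.extend(component)  # nodes of all large components together
    if pooled:
        pooled.sort()
        split = defaultdict(list)
        for index, label in zip(pooled, kmeans([unit[i] for i in pooled], k)):
            split[label].append(index)
        clusters.extend(split.values())
    return sorted(sorted(c) for c in clusters)


def constructed_embeddings():
    """Constructed 2-D stand-ins for the 512-dimensional ResNet vectors: two
    tight groups and one 6-node chain whose neighbours are 15 degrees apart."""
    angles = [0, 5, 10, 90, 95, 180, 195, 210, 225, 240, 255]
    return [[math.cos(math.radians(a)), math.sin(math.radians(a))] for a in angles]


if __name__ == "__main__":
    for cluster in cluster_screenshots(constructed_embeddings(),
                                       max_component_size=4, k=2):
        print(cluster)
```

The chain shows why the size cap matters: its two ends are far apart in cosine distance yet land in one connected component, and only the k-means pass separates them.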
It should be appreciated that, based on the clustering process given above, the plurality of historical program screenshots can be classified, with one clustering result corresponding to one classification. Step 203 may then be performed to label each of the clustering results.
Step 203: Acquire the type label marked for each clustering result.
Illustratively, one type tag is used to indicate one page type.
Wherein the type tags are labeled according to the following influence factors: functions of a plurality of history display pages; characters in a plurality of page pictures; images in a plurality of page pictures.
Referring to the foregoing, the page types of the program screenshot may be divided according to actual needs, and the page types exemplarily include a permission authorization type, a login type, a text input type, and the like. Based on this, the type tag can be understood as a label for the various page types described above.
It should be understood that the type tags correspond one-to-one to the page types. Optionally, the type tag includes at least one of the following tags: permission authorization tags, login tags and text input tags. Other types of tags may also exist based on different page types, which is not limited in this application.
Fig. 5 and fig. 6 are schematic diagrams of display pages of the permission authorization type and the login type, respectively. Referring to (a) and (b) of fig. 5, based on the function and text of the display page, it can be determined that the page is a page for granting a privacy permission, so it can be determined as the permission authorization type; referring to (a) and (b) of fig. 6, based on the text in the display page, it can be determined that the page is a page for logging in to an account, so it can be determined as the login type.
Based on this, each historical program screenshot can be marked to clarify its corresponding type tag.
Step 204: Construct a training set of the page classification model.
Illustratively, the training set includes a plurality of historical program screenshots and a type label corresponding to each historical program screenshot.
Referring to the foregoing, based on step 202 and step 203, a plurality of historical program screenshots and corresponding type tags thereof can be obtained; a training set used by the page classification model can then be constructed accordingly to facilitate model training. The name of the historical program screenshot, namely the type tag, can be set according to actual needs, and the name is not limited in the application.
Step 205: Train according to the training set to obtain the page classification model.
After the training set is constructed, model training may be performed based on the training set. Specifically, the page classification model can be finally determined by defining a model architecture, training a model, calculating error loss, adjusting the model based on the error loss and the like. The model architecture, the error loss calculation and other processes involved in the model training process can be set according to actual needs, and the model architecture, the error loss calculation and other processes are not limited in the application.
After the page classification model is obtained through training, the security program can input the program screenshot into the page classification model; then, through model judgment, the security program can determine the page type corresponding to the program screenshot and perform subsequent operations.
With reference to the foregoing, fig. 7 shows a specific implementation of model training: firstly, acquiring a plurality of historical program screenshots; and then, gradually classifying the screenshot data, acquiring a clustering result, selecting a target type, inputting a target picture, training a model and outputting a classified model file.
The step of selecting the target type can also be understood as the step of acquiring the type label; the target picture is any one of the historical program screenshots, the target picture is used as the model input for model training, and the output for the target picture is a type label.
In some embodiments, multiple historical program screenshots can be obtained by taking screenshots of multiple historical display interfaces of at least one application. The plurality of historical program screenshots are clustered to obtain a clustering result; the clustering results are then labeled, each clustering result being labeled as a page type (i.e., the target type is selected). Based on this, a training set of the page classification model is obtained.
Then, any one of the historical program screenshots is selected as the model input (namely, the target picture is input) to carry out model training, and the result is compared with the page type marked for that historical program screenshot, so as to output a classification model file. The classification model file includes at least a page type. Illustratively, the page types include a permission authorization type, a login type, a text input type, and the like. The permission authorization type is the page type of a display interface that grants a certain permission of the terminal to the tested program; the login type is the page type of a display page for logging in to an account associated with the tested program; and the text input type is the page type of a display page for inputting text on the current page. For example, if the display page is used to determine whether to grant the tested program the permission to read data, it may be determined as the permission authorization type. It should be understood that the above types are merely illustrative examples of page types and do not limit the present application; other categories are also covered by the protection scope of the present application and are not described in detail.
In addition, as the types and/or functions of the application programs increase, the page classification model can be optimally trained. After the agreement of the user is obtained, a program screenshot corresponding to a newly added page program or a program screenshot corresponding to a newly added function of an original page program is obtained, a new training set is formed based on the program screenshot, and accordingly, optimization training of the page classification model is completed.
It should be appreciated that optimal training based on the page classification model may also lead to an increase in page types. Illustratively, based on the newly added similar functions of the plurality of applications, a new page type is obtained through picture clustering, and the page type is associated with the newly added similar functions of the plurality of applications.
Based on the method, the output classification model file is updated, so that the page classification model can judge the types of the display pages of different application programs more finely, the accuracy of page classification can be improved, the safety management of the application programs is further enhanced, and the safe use of the application programs and the safety of user data are further ensured.
In summary, the embodiment of the present application provides a method for training a page classification model.
The method comprises the steps that a plurality of historical program screenshots are clustered to obtain a clustering result, so that the plurality of historical program screenshots can be classified; and then marking each clustering result to determine a type label corresponding to each historical program screenshot. Based on this, a required training set can be constructed for model training. And then, taking the plurality of historical program screenshots as model input and the type labels as model output to perform model training, and finally obtaining the page classification model required by the embodiment of the application.
Referring to the foregoing, in some embodiments, the training set may be determined in other ways besides by picture clustering to train the page classification model. Optionally, the page classification model may also be obtained by training through the following steps:
acquiring a plurality of historical program screenshots;
performing character recognition on the plurality of historical program screenshots to obtain character recognition results;
obtaining type labels marked aiming at the character recognition result, wherein one type label is used for indicating one page type;
constructing a training set of a page classification model, wherein the training set comprises a plurality of historical program screenshots and type labels corresponding to the historical program screenshots;
and training according to the training set to obtain a page classification model.
Illustratively, the character recognition may be implemented by optical character recognition (OCR); the page type is determined from the text information (i.e., the character recognition result) that OCR obtains from each historical program screenshot. For the subsequent processes of labeling the type labels, constructing the training set, and training the model, refer to the foregoing contents, which are not described again in detail.
Illustratively, fig. 8 shows a flowchart of a security detection method provided by an exemplary embodiment of the present application, which is executed by a security program, and the method includes the following steps:
Step 301: After the tested program is started, acquire a program screenshot corresponding to the display interface of the tested program.
The program screenshot can be obtained by taking a screenshot of the display interface of the tested program.
Step 302: Save the program screenshot.
It should be appreciated that step 302 is optional. While performing security detection on the tested program, the security program may capture a screenshot of its display interface and store it; this data is used for optimization training of the page classification model to improve its accuracy.
Step 303: Classify the picture based on the page classification model.
After screenshot is carried out on the display interface, the security program can identify the page type by calling the page classification model so as to determine the type of the display interface.
The relevant description of the page classification model can refer to the foregoing contents; the training process of the page classification model is shown by the step in the dashed box at the left side of fig. 8, which is similar to fig. 7 and will not be described again.
Referring to fig. 8, based on the determined classification (i.e., the page type), the trigger operation corresponding to the display interface of the classification should be able to be determined, and then the trigger behavior corresponding to the trigger operation can be determined.
Step 304: Judge whether the display interface matches a trigger rule.
A trigger rule is understood to be a one-to-one correspondence between trigger operations and responses, one trigger operation corresponding uniquely to one response. In some embodiments, prior to security detection, the security program has the corresponding trigger rules entered in advance for the different page types. It can be understood that this step is used to determine whether the page type of the program screenshot corresponding to the currently displayed page of the tested program belongs to any one of the types included in the page classification model. Subsequently, if the page type has been determined, the security program may determine that there is a matching trigger rule for the page type; if the page type is unknown, the security program may determine that there is no matching trigger rule for the page type.
Illustratively, if a trigger rule is matched, step 3051 is performed; if no trigger rule is matched, step 3052 is performed. Steps 3051 and 3052 are alternatives; only one of them is executed.
Step 3051: If a trigger rule is matched, execute the corresponding trigger behavior on the display interface.
Wherein, the triggering behavior can be understood as the response of the tested program to different triggering operations, and the response data of the tested program to the triggering operations can be generated based on the triggering behavior.
Referring to FIG. 8, the trigger action includes, but is not limited to, the following actions: click, slide, text box entry, etc. For different trigger operations, there are different trigger behaviors. For example, the trigger operation is a click operation, and the corresponding trigger behavior may be switching a page, granting a right, opening a certain control in a display interface, and the like.
Referring to the foregoing, there are different trigger rules for different page types. In different trigger rules, the responses corresponding to the same trigger operation may be the same or different. For example, in the trigger rule corresponding to the permission authorization type, the response corresponding to the click operation is to acquire the permission; in the trigger rule corresponding to the login type, the response corresponding to the click operation is to switch the display interface to the main page of the tested program.
It should be understood that there are differences in trigger rules, trigger operations, and responses for different page types, which are not limited in this application; the foregoing is merely exemplary and is not intended to limit the present disclosure.
Step 3052: If no trigger rule is matched, trigger randomly.
Random triggering means that the tested program randomly executes a trigger operation.
It will be appreciated that when the page type is unknown and the security program determines that there is no matching trigger rule for the page type, it may randomly select a trigger operation to execute. For example, the security program randomly performs a click, a swipe, a text box input, and the like. The randomly executed trigger operation may follow a sequence preset in the security program, or may be one selected at random by the security program from a plurality of trigger operations.
It should be understood that the triggering operations involved in step 3051 and step 3052 should be performed on the display interface of the tested program.
Step 306: Judge whether the end condition is met.
It should be understood that the end condition is used to indicate a condition for ending the security check on the program under test.
Optionally, the ending condition includes, but is not limited to, at least one of the following conditions:
the dwell time on the display interface exceeds a time threshold;
the number of trigger operations on the display interface exceeds a count threshold.
Referring to fig. 8 and fig. 9, a flowchart of a trigger action executed by a tested program according to an exemplary embodiment of the present application is shown, which specifically includes the following steps:
Step 401: After the tested program is started, the tested program sends a program screenshot to the security program.
The security program judges the program screenshot by calling the page classification model.
Step 402: The tested program obtains a classification result.
The classification result is sent by a security program, and can be understood as a page type obtained after model judgment is carried out by a page classification model.
Step 403: Judge whether the classification result is a known classification.
It should be understood that this determination step may be determined by the security program to determine whether the displayed page of the tested program is of any of the page types indicated by the page classification model.
Wherein, in case the classification result is a known classification, the specific type is determined, and step 4041 is performed; in the case where the classification result is not a known classification, step 4042 is performed, and step 4041 and step 4042 are performed alternatively and not simultaneously.
Step 4041: a trigger configuration for the target type is determined.
The trigger configuration can also be understood as the trigger rule in the foregoing.
Step 405: Select a trigger action according to the target type.
Step 406: a triggering action is performed.
Step 4042: a random operation is performed.
Here, random operation may be understood as random triggering in step 3052.
Referring to fig. 10, a schematic diagram of the execution of different trigger behaviors is illustratively provided.
Illustratively, for a trigger configuration, there are multiple trigger conditions, the ith trigger condition corresponding to the ith trigger action. In step 403, in the case that the classification result is determined to be a known classification, it may be understood that a certain trigger condition of a plurality of trigger conditions is determined to be satisfied, and then when the trigger condition is satisfied, a corresponding trigger action is executed; in the case that the classification result is determined not to be the known classification, it can be understood that any trigger condition is not satisfied, and at this time, a random operation is executed to perform a random action.
It should be understood that the random behavior may be any one of click, slide, and the like, which is not limited in this application.
Step 407: Acquire a program screenshot.
It should be understood that the screenshot obtained in step 407 may be the same screenshot as the screenshot obtained in step 401, or may be another screenshot obtained after the interface is switched after the trigger action. Illustratively, step 407 is an optional step, and the screenshot is used for optimization training of the page classification model to improve the accuracy of the page classification model.
To sum up, the embodiment of the present application provides a security detection method for an application program (i.e., a tested program), so as to enhance security management of the application program, ensure secure use of the application program, and protect the security of user data. Based on the page classification model, the program screenshot corresponding to the display interface of the tested program can be classified by page, so that the different functions of the tested program can be detected by category; then, whether the tested program has a potential safety hazard is judged according to the response data under the different page types, so that the user can be reminded and the tested program managed.
Referring to fig. 2, fig. 11 shows a flowchart of a security detection method provided in an exemplary embodiment of the present application. Optionally, step 104 may be implemented as step 1041, and the security detection method provided in this application further includes step 105, step 106, and step 107. Wherein, the step 103 and the step 105 are executed alternatively, and cannot be executed simultaneously; step 105 and step 106 may be performed sequentially or simultaneously. The method comprises the following specific steps:
Step 1041: When the response data has a security vulnerability, determine that the tested program has a potential safety hazard, and mark the tested program as a security-abnormal program.
According to step 103, for different page types, the security program may obtain response data of the tested program to at least one simulated trigger operation on the display interface. The security program can then examine the response data: if the response data has a security vulnerability, the tested program is determined to have a potential safety hazard; if the response data has no security vulnerability, the tested program is determined not to have a potential safety hazard.
The existence of a security vulnerability in the response data can be understood as follows: based on different page types, the response of the tested program to the simulated trigger operation poses a potential safety hazard to the terminal, giving rise to risks such as user data theft, privacy disclosure, and virus intrusion.
Further, the existence of a security vulnerability in the response data can also be understood as follows: based on different page types, the response of the tested program to the simulated trigger operation does not comply with relevant laws and regulations. For example, for a display interface that implements privacy authorization, the corresponding program screenshot may be determined as the permission authorization type. Suppose the response data of the tested program to the simulated trigger operation of "disagree" is that the program exits; that is, if the user does not agree to the privacy authorization, the user is not allowed to use the tested program. If this behavior violates national laws and regulations on privacy authorization, the tested program may be determined to present a security risk.
Step 105: When the program screenshot does not belong to any page type indicated by the page classification model, execute a random trigger operation on the display interface, and acquire response data of the tested program to the random trigger operation.
Referring to the foregoing, during judgment by the page classification model, the type of the program screenshot may be unknown; that is, the program screenshot does not belong to any page type indicated by the page classification model. In that case, the security program can execute a random trigger operation on the display interface, that is, perform a trigger action at random, and record the response data of the tested program to the random trigger operation.
Subsequently, the security program can still determine whether the tested program has a security risk based on the response data.
Step 106: Save the program screenshot.
Illustratively, the program screenshot is used for performing optimization training on the page classification model.
Referring to the above, based on the unknown type of the program screenshot, the security program may store the program screenshot, and after a certain number of program screenshots are stored, the page classification model may be optimally trained to improve the accuracy of the page classification model.
Step 107: Stop the security detection of the tested program when the dwell time on the display interface exceeds a first threshold and/or the number of simulated trigger operations exceeds a second threshold.
For the security inspection of the program under test, an end condition may be set, the end condition indicating a condition for ending the security inspection of the program under test. Wherein the end conditions include, but are not limited to: the dwell time on the display interface exceeds a first threshold value and/or the number of triggers simulating a trigger operation exceeds a second threshold value.
In this way, a termination condition can be set for the security detection performed by the security program, which avoids the higher terminal power consumption that excessive detection by the security program would cause.
In summary, in the security detection method provided in the embodiments of the present application, when the response data has a security vulnerability, the tested program may be marked as a security-abnormal program, so as to strengthen security management of the application program, ensure secure use of the application program, and protect the security of user data.
Optionally, when the program screenshot does not belong to any page type indicated by the page classification model, a random trigger operation may be performed on the display interface to obtain response data of the program to be tested to the random trigger operation, so as to perform security detection, and further implement secure use of the application program and protection of data security.
Optionally, under the condition that the program screenshot does not belong to any page type indicated by the page classification model, the program screenshot can be saved so as to facilitate optimization training of the page classification model, improve accuracy of the model, and further strengthen safety management on the application program.
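The detection flow of fig. 8 and fig. 11 (classify the screenshot, apply the trigger rule for a known page type, fall back to a random trigger and save the screenshot for an unknown one, stop on the dwell-time or trigger-count threshold) can be sketched as below. This is an added example, not code from the application: the simulated tested program, the stand-in classifier, the operation names, the check that flags "exit on disagree", and stopping when the program exits are all assumptions.

```python
import random
import time

# Trigger rules entered in advance, one simulated operation per page type.
# The page types are those named in the text; the operation names are assumed.
TRIGGER_RULES = {
    "permission_authorization": "tap_disagree",
    "login": "tap_login",
    "text_input": "enter_text",
}
RANDOM_OPERATIONS = ["click", "slide", "text_box_input"]

# Response checks per (page type, operation): True means a potential hazard.
RESPONSE_CHECKS = {
    ("permission_authorization", "tap_disagree"):
        lambda response: response["event"] == "exit",
}


class SimulatedApp:
    """Constructed stand-in for the tested program and its display interface."""

    def __init__(self, exits_on_disagree, screen="privacy_prompt"):
        self.exits_on_disagree = exits_on_disagree
        self.screen = screen
        self.running = True

    def screenshot(self):
        return self.screen  # a real harness would return image data

    def perform(self, operation):
        if self.screen == "privacy_prompt" and operation == "tap_disagree":
            if self.exits_on_disagree:
                self.running = False
                return {"event": "exit"}
            self.screen = "home"
            return {"event": "navigate", "to": "home"}
        return {"event": "none"}


def classify(screenshot):
    """Stand-in for the page classification model; None means unknown type."""
    return {"privacy_prompt": "permission_authorization",
            "login_form": "login"}.get(screenshot)


def run_detection(app, classify_page, max_dwell_seconds=30.0, max_triggers=5,
                  clock=time.monotonic, rng=None):
    rng = rng or random.Random(0)
    findings, saved_for_retraining, triggers = [], [], 0
    current, entered = None, 0.0
    stop_reason = "program exited"  # assumed extra stop: no interface left
    while app.running:
        shot = app.screenshot()
        if shot != current:                      # new display interface
            current, entered = shot, clock()
        if clock() - entered > max_dwell_seconds:
            stop_reason = "dwell time exceeded"
            break
        if triggers > max_triggers:
            stop_reason = "trigger count exceeded"
            break
        page_type = classify_page(shot)
        if page_type in TRIGGER_RULES:           # matching trigger rule
            operation = TRIGGER_RULES[page_type]
        else:                                    # unknown type: random trigger
            operation = rng.choice(RANDOM_OPERATIONS)
            if shot not in saved_for_retraining:
                saved_for_retraining.append(shot)
        response = app.perform(operation)
        triggers += 1
        check = RESPONSE_CHECKS.get((page_type, operation))
        if check and check(response):
            findings.append({"page_type": page_type, "operation": operation,
                             "response": response})
    return {"abnormal": bool(findings), "findings": findings,
            "saved_for_retraining": saved_for_retraining,
            "triggers": triggers, "stop_reason": stop_reason}


if __name__ == "__main__":
    print(run_detection(SimulatedApp(exits_on_disagree=True), classify))
    print(run_detection(SimulatedApp(exits_on_disagree=False), classify))
```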
The following are embodiments of the apparatus of the present application, and for details that are not described in detail in the embodiments of the apparatus, reference may be made to corresponding descriptions in the above method embodiments, and details are not described herein again.
Fig. 12 shows a schematic diagram of a security detection apparatus provided in an exemplary embodiment of the present application, the apparatus including:
an obtaining module 1210, configured to obtain a program screenshot corresponding to a display interface of a program to be tested;
a determining module 1220, configured to determine a page type of the program screenshot based on a page classification model, where the page classification model is obtained by training a plurality of historical program screenshots of at least one application program;
the obtaining module 1210 is further configured to determine a simulation trigger operation corresponding to the display interface based on the page type, execute the simulation trigger operation on the display interface, and obtain response data of the program to be tested to the simulation trigger operation;
the determining module 1220 is further configured to determine whether a potential safety hazard exists in the tested program according to the response data.
Optionally, the page classification model is obtained by training through the following steps: acquiring a plurality of historical program screenshots; clustering the plurality of historical program screenshots to obtain a clustering result; obtaining type labels marked aiming at each clustering result, wherein one type label is used for indicating one page type; constructing a training set of a page classification model, wherein the training set comprises a plurality of historical program screenshots and type labels corresponding to the historical program screenshots; and training according to the training set to obtain a page classification model.
It should be understood that the apparatus may further include a model training module for implementing training of the page classification model.
Optionally, the ith historical program screenshot among the plurality of historical program screenshots is obtained by taking a screenshot of the ith historical display interface among the plurality of historical display interfaces of the at least one application program, where i is a positive integer not less than 0.
Optionally, the page classification model is obtained by training through the following steps: acquiring a plurality of historical program screenshots; performing character recognition on the plurality of historical program screenshots to obtain character recognition results; obtaining type labels marked aiming at the character recognition result, wherein one type label is used for indicating one page type; constructing a training set of a page classification model, wherein the training set comprises a plurality of historical program screenshots and type labels corresponding to the historical program screenshots; and training according to the training set to obtain a page classification model.
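The clustering route to a labelled training set, following the vector space and distance relation network that claim 3 describes, can be sketched as follows. This is an added example, not code from the application: the embedding vectors are constructed by hand in place of deep residual network output, and the cosine-similarity threshold and the use of connected components as clusters are assumptions.

```python
import math
from itertools import combinations


def cosine_similarity(u, v):
    norm = math.hypot(*u) * math.hypot(*v)
    return sum(a * b for a, b in zip(u, v)) / norm if norm else 0.0


def build_distance_network(vectors, min_similarity=0.9):
    """One node per screenshot; an edge joins two screenshots whose vectors
    are at least min_similarity alike (the threshold is an assumed parameter)."""
    network = {shot_id: set() for shot_id in vectors}
    for a, b in combinations(vectors, 2):
        if cosine_similarity(vectors[a], vectors[b]) >= min_similarity:
            network[a].add(b)
            network[b].add(a)
    return network


def cluster(network):
    """Assumed clustering rule: clusters are the connected components."""
    seen, clusters = set(), []
    for start in network:
        if start in seen:
            continue
        stack, component = [start], []
        seen.add(start)
        while stack:
            node = stack.pop()
            component.append(node)
            for neighbour in network[node] - seen:
                seen.add(neighbour)
                stack.append(neighbour)
        clusters.append(sorted(component))
    return sorted(clusters)


def build_training_set(clusters, cluster_labels):
    """Propagate the single label an analyst gave a cluster to every member.
    Clusters without a label are left out of the training set."""
    return [(shot_id, cluster_labels[i])
            for i, members in enumerate(clusters) if i in cluster_labels
            for shot_id in members]


# Constructed embeddings standing in for deep residual network output.
EMBEDDINGS = {
    "login_1": (1.0, 0.1, 0.0),
    "login_2": (0.9, 0.2, 0.0),
    "pay_1": (0.0, 1.0, 0.1),
    "pay_2": (0.1, 0.9, 0.0),
    "about_1": (0.0, 0.0, 1.0),
}

if __name__ == "__main__":
    clusters = cluster(build_distance_network(EMBEDDINGS))
    print(clusters)
    print(build_training_set(clusters, {1: "login", 2: "payment"}))
```

Connected components chain through intermediate screenshots, so a threshold that is too low merges distinct page types into one cluster and one label is then propagated to all of them.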
Optionally, the apparatus further includes a processing module 1230, configured to execute a random trigger operation on the display interface to obtain response data of the program to be tested to the random trigger operation, when the program screenshot does not belong to any page type indicated by the page classification model.
Optionally, the processing module 1230 is further configured to store the program screenshot, and the program screenshot is used to perform optimization training on the page classification model.
Optionally, the determining module 1220 is configured to determine that a potential safety hazard exists in the tested program, and to mark the tested program as a security abnormal program, when the response data has a security vulnerability.
Optionally, the processing module 1230 is further configured to stop the security detection of the tested program when the dwell time on the display interface exceeds a first threshold and/or the number of times the simulation trigger operation has been triggered exceeds a second threshold.
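The control flow of the modules above (classify the screenshot, choose the operation for the page type, fall back to a random operation and save the screenshot when the page is unknown, stop on either threshold) is shown below as an added example that is not code from the application. The nearest-centroid classifier, the operation names, the `password=` response check, and the toy tested program with its feature vectors are all assumptions constructed for illustration.

```python
import math
import random
import time

# Assumed page types and the simulated operation chosen for each one.
OPERATIONS = {"login": "submit_credentials", "payment": "submit_order"}
RANDOM_OPERATIONS = ["tap", "swipe", "back"]

def classify(features, centroids, max_distance=0.5):
    """Nearest-centroid stand-in for the page classification model.
    Returns None when the screenshot matches no known page type."""
    best_type, best_dist = None, math.inf
    for page_type, centroid in centroids.items():
        dist = math.dist(features, centroid)
        if dist < best_dist:
            best_type, best_dist = page_type, dist
    return best_type if best_dist <= max_distance else None

def has_security_issue(response):
    """Assumed check: the response echoes a credential in plaintext."""
    return "password=" in response

def run_detection(app, centroids, max_dwell=5.0, max_triggers=20,
                  clock=time.monotonic, rng=None):
    rng = rng or random.Random(0)
    retrain_queue = []                      # unclassified screenshots, kept for retraining
    triggers, current, entered = 0, None, clock()

    def result(verdict, stop_reason):
        return {"verdict": verdict, "stop_reason": stop_reason,
                "triggers": triggers, "retrain_queue": retrain_queue}

    while True:
        shot = app.screenshot()
        if shot != current:                 # interface changed: restart the dwell timer
            current, entered = shot, clock()
        if clock() - entered > max_dwell:   # first threshold
            return result("no_issue_found", "dwell_time")
        if triggers > max_triggers:         # second threshold
            return result("no_issue_found", "trigger_count")
        page_type = classify(shot, centroids)
        if page_type is None:               # unknown page: random operation, save screenshot
            if shot not in retrain_queue:
                retrain_queue.append(shot)
            operation = rng.choice(RANDOM_OPERATIONS)
        else:
            operation = OPERATIONS[page_type]
        response = app.perform(operation)
        triggers += 1
        if has_security_issue(response):
            return result("security_abnormal", "finding")

class ToyApp:
    """Constructed tested program: each page has a feature vector standing in for
    its screenshot and a table of operation -> (next page, response)."""
    def __init__(self, pages, start):
        self.pages, self.page, self.now = pages, start, 0.0

    def clock(self):                        # deterministic clock for the dwell threshold
        return self.now

    def screenshot(self):
        return self.pages[self.page]["features"]

    def perform(self, operation):
        self.now += 1.0                     # every operation takes one second
        ops = self.pages[self.page]["ops"]
        self.page, response = ops.get(operation, (self.page, ""))
        return response

CENTROIDS = {"login": (0.0, 1.0), "payment": (1.0, 0.0)}    # constructed
LEAKY_APP = {
    "splash": {"features": (0.9, 0.9),
               "ops": {op: ("login", "") for op in RANDOM_OPERATIONS}},
    "login": {"features": (0.0, 1.0),
              "ops": {"submit_credentials": ("login", "status=ok&password=example")}},
}
STUCK_APP = {"login": {"features": (0.1, 0.9),
                       "ops": {"submit_credentials": ("login", "status=denied")}}}

def demo(pages, start, **limits):
    app = ToyApp(pages, start)
    return run_detection(app, CENTROIDS, clock=app.clock, **limits)
```

`demo(LEAKY_APP, "splash")` passes through the unknown splash page with a random operation and flags the program on the login response, while `demo(STUCK_APP, "login")` ends on the dwell-time threshold without a finding.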
Referring to fig. 13, a block diagram of a computer device 1300 according to an exemplary embodiment of the present application is shown. The computer device 1300 may be a portable mobile terminal, such as a smart phone, a tablet computer, an MP3 (Moving Picture Experts Group Audio Layer III) player, or an MP4 (Moving Picture Experts Group Audio Layer IV) player. Computer device 1300 may also be referred to by other names such as user equipment, portable terminal, etc.
Generally, computer device 1300 includes: a processor 1301 and a memory 1302.
Processor 1301 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 1301 may be implemented in at least one of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 1301 may also include a main processor and a coprocessor, where the main processor is a processor for Processing data in an awake state, and is also referred to as a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 1301 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing content that the display screen needs to display. In some embodiments, processor 1301 may further include an AI (Artificial Intelligence) processor for processing computational operations related to machine learning.
The memory 1302 may include one or more computer-readable storage media, which may be tangible and non-transitory. The memory 1302 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 1302 is used to store at least one instruction for execution by processor 1301 to implement the security detection method provided in embodiments of the present application.
In some embodiments, computer device 1300 may also optionally include: a peripheral interface 1303 and at least one peripheral. Specifically, the peripheral device includes: at least one of radio frequency circuitry 1304, touch display 1305, camera assembly 1306, audio circuitry 1307, and power supply 1308.
Peripheral interface 1303 can be used to connect at least one peripheral related to I/O (Input/Output) to processor 1301 and memory 1302. In some embodiments, processor 1301, memory 1302, and peripheral interface 1303 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 1301, the memory 1302, and the peripheral device interface 1303 may be implemented on a separate chip or circuit board, which is not limited in this embodiment.
The Radio Frequency circuit 1304 is used to receive and transmit RF (Radio Frequency) signals, also called electromagnetic signals. Radio frequency circuit 1304 communicates with communication networks and other communication devices via electromagnetic signals. The radio frequency circuit 1304 converts an electrical signal into an electromagnetic signal to transmit, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 1304 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, etc. The radio frequency circuitry 1304 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: the world wide web, metropolitan area networks, intranets, various generations of mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and/or WiFi networks. In some embodiments, the radio frequency circuit 1304 may also include NFC (Near Field Communication) related circuits, which are not limited in this application.
The touch display 1305 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. The touch display 1305 also has the capability to collect touch signals on or over the surface of the touch display 1305. The touch signal may be input to the processor 1301 as a control signal for processing. The touch display 1305 is used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, there may be one touch display 1305, disposed on the front panel of the computer device 1300; in other embodiments, there may be at least two touch displays 1305, respectively disposed on different surfaces of the computer device 1300 or in a folded design; in still other embodiments, the touch display 1305 may be a flexible display disposed on a curved surface or on a folded surface of the computer device 1300. Furthermore, the touch display 1305 may be arranged in a non-rectangular irregular pattern, i.e., a shaped screen. The touch display 1305 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), or the like.
The camera assembly 1306 is used to capture images or video. Optionally, camera head assembly 1306 includes a front camera and a rear camera. Generally, a front camera is used for realizing video call or self-shooting, and a rear camera is used for realizing shooting of pictures or videos. In some embodiments, the number of the rear cameras is at least two, and each of the rear cameras is any one of a main camera, a depth-of-field camera and a wide-angle camera, so that the main camera and the depth-of-field camera are fused to realize a background blurring function, and the main camera and the wide-angle camera are fused to realize a panoramic shooting function and a VR (Virtual Reality) shooting function. In some embodiments, camera assembly 1306 may also include a flash. The flash lamp can be a single-color temperature flash lamp or a double-color temperature flash lamp. The double-color-temperature flash lamp is a combination of a warm-light flash lamp and a cold-light flash lamp, and can be used for light compensation at different color temperatures.
The audio circuit 1307 is used to provide an audio interface between a user and the computer device 1300. The audio circuit 1307 may include a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, and inputting the electric signals to the processor 1301 for processing, or inputting the electric signals to the radio frequency circuit 1304 for realizing voice communication. The microphones may be multiple and placed at different locations on the computer device 1300 for stereo sound acquisition or noise reduction purposes. The microphone may also be an array microphone or an omni-directional pick-up microphone. The speaker is used to convert electrical signals from the processor 1301 or the radio frequency circuitry 1304 into sound waves. The loudspeaker can be a traditional film loudspeaker or a piezoelectric ceramic loudspeaker. When the speaker is a piezoelectric ceramic speaker, the speaker can be used for purposes such as converting an electric signal into a sound wave audible to a human being, or converting an electric signal into a sound wave inaudible to a human being to measure a distance. In some embodiments, the audio circuit 1307 may also include a headphone jack.
The power supply 1308 is used to power the various components in the computer device 1300. The power source 1308 can be alternating current, direct current, disposable batteries, or rechargeable batteries. When the power source 1308 includes a rechargeable battery, the rechargeable battery may be a wired rechargeable battery or a wireless rechargeable battery. The wired rechargeable battery is a battery charged through a wired line, and the wireless rechargeable battery is a battery charged through a wireless coil. The rechargeable battery can also be used to support fast charge technology.
In some embodiments, the computer device 1300 also includes one or more sensors 1309. The one or more sensors 1309 include, but are not limited to: acceleration sensor 1310, gyro sensor 1311, pressure sensor 1312, optical sensor 1313, and proximity sensor 1314.
The acceleration sensor 1310 may detect the magnitude of acceleration in three coordinate axes of the coordinate system established with the computer apparatus 1300. For example, the acceleration sensor 1310 may be used to detect the components of the gravitational acceleration in three coordinate axes. The processor 1301 may control the touch display screen 1305 to display the user interface in a landscape view or a portrait view according to the gravitational acceleration signal collected by the acceleration sensor 1310. The acceleration sensor 1310 may also be used for acquisition of motion data of a game or a user.
The gyro sensor 1311 may detect a body direction and a rotation angle of the computer device 1300, and the gyro sensor 1311 may cooperate with the acceleration sensor 1310 to acquire a 3D motion of the user on the computer device 1300. The processor 1301 may implement the following functions according to the data collected by the gyro sensor 1311: motion sensing (such as changing the UI according to a user's tilting operation), image stabilization at the time of photographing, game control, and inertial navigation.
Pressure sensors 1312 may be disposed on the side bezel of computer device 1300 and/or underneath touch display 1305. When the pressure sensor 1312 is disposed on the side frame of the computer device 1300, a user's grip signal on the computer device 1300 can be detected, and left-right hand recognition or shortcut operation can be performed based on the grip signal. When the pressure sensor 1312 is disposed at a lower layer of the touch display 1305, it is possible to control an operability control on the UI interface according to a pressure operation of the user on the touch display 1305. The operability control comprises at least one of a button control, a scroll bar control, an icon control, and a menu control.
The optical sensor 1313 is used to collect the ambient light intensity. In one embodiment, the processor 1301 can control the display brightness of the touch display screen 1305 according to the ambient light intensity collected by the optical sensor 1313. Specifically, when the ambient light intensity is high, the display brightness of the touch display screen 1305 is increased; when the ambient light intensity is low, the display brightness of the touch display panel 1305 is turned down. In another embodiment, the processor 1301 can also dynamically adjust the shooting parameters of the camera assembly 1306 according to the ambient light intensity collected by the optical sensor 1313.
A proximity sensor 1314, also known as a distance sensor, is typically disposed on the front of the computer device 1300. The proximity sensor 1314 is used to capture the distance between the user and the front of the computer device 1300. In one embodiment, the touch display 1305 is controlled by the processor 1301 to switch from the bright screen state to the rest screen state when the proximity sensor 1314 detects that the distance between the user and the front surface of the computer device 1300 is gradually decreasing; the touch display 1305 is controlled by the processor 1301 to switch from the rest screen state to the bright screen state when the proximity sensor 1314 detects that the distance between the user and the front surface of the computer device 1300 is gradually increasing.
Those skilled in the art will appreciate that the architecture illustrated in FIG. 13 does not constitute a limitation of computer device 1300, and may include more or fewer components than those illustrated, or may combine certain components, or may employ a different arrangement of components.
The present application also provides a computer device comprising a memory and a processor; the memory has stored therein at least one program code that is loaded and executed by the processor to implement the security detection method as described above.
The present application also provides a computer-readable storage medium having stored thereon a computer program for execution by a processor to implement the security detection method as described above.
The present application also provides a chip comprising a programmable logic circuit and/or program instructions for implementing the security detection method as described above when the electronic device in which the chip is installed is operated.
The present application also provides a computer program product comprising computer instructions stored in a computer readable storage medium, which are read and executed by a processor to implement the security detection method as described above.
It should be understood that reference to "a plurality" herein means two or more. "And/or" describes the association relationship of the associated objects and indicates that three relationships are possible; e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk.
The above description is only exemplary of the present application and should not be taken as limiting, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (14)

1. A security detection method, performed by a security program, the method comprising:
acquiring a program screenshot corresponding to a display interface of a tested program;
determining a page type of the program screenshot based on a page classification model, wherein the page classification model is obtained by training a plurality of historical program screenshots of at least one application program;
determining a simulation trigger operation corresponding to the display interface based on the page type, executing the simulation trigger operation on the display interface, and acquiring response data of the tested program to the simulation trigger operation;
and determining whether the tested program has potential safety hazard or not according to the response data.
2. The method of claim 1, wherein the page classification model is trained by:
acquiring a plurality of historical program screenshots;
clustering the plurality of historical program screenshots to obtain a clustering result;
obtaining type labels marked aiming at each type of clustering result, wherein one type label is used for indicating one page type;
constructing a training set of the page classification model, wherein the training set comprises a plurality of historical program screenshots and type labels corresponding to the historical program screenshots;
and training according to the training set to obtain the page classification model.
3. The method of claim 2, wherein clustering the plurality of historical program screenshots to obtain a clustering result comprises:
converting the plurality of historical program screenshots into a vector space based on a deep residual network model to obtain vectors corresponding to the plurality of historical program screenshots, wherein one historical program screenshot corresponds to one vector in the vector space;
constructing a distance relation network according to the vector space, wherein the distance relation network is used for describing the similarity degree among the plurality of historical program screenshots, and the vector corresponding to one historical program screenshot is one node in the distance relation network;
and clustering the plurality of historical program screenshots according to the distance relation network to obtain the clustering result.
4. The method of claim 2, wherein obtaining the plurality of historical program screenshots comprises:
taking a screenshot of the ith historical display interface among the plurality of historical display interfaces of the at least one application program, so as to obtain the ith historical program screenshot among the plurality of historical program screenshots, wherein i is a positive integer not less than 0.
5. The method of claim 1, wherein the page classification model is trained by:
acquiring a plurality of historical program screenshots;
performing character recognition on the plurality of historical program screenshots to obtain character recognition results;
obtaining type labels marked aiming at the character recognition result, wherein one type label is used for indicating a page type;
constructing a training set of the page classification model, wherein the training set comprises a plurality of historical program screenshots and type labels corresponding to the historical program screenshots;
and training according to the training set to obtain the page classification model.
6. The method of any of claims 1 to 5, further comprising:
and under the condition that the program screenshot does not belong to any page type indicated by the page classification model, executing random trigger operation on the display interface, and acquiring response data of the tested program to the random trigger operation.
7. The method of claim 6, further comprising:
and saving the program screenshot, wherein the program screenshot is used for carrying out optimization training on the page classification model.
8. The method of any one of claims 1 to 5, wherein said determining whether a potential safety hazard exists in the tested program according to the response data comprises:
and under the condition that the response data has a security vulnerability, determining that the tested program has a potential safety hazard, and marking the tested program as a security abnormal program.
9. The method of any of claims 1 to 5, further comprising:
and stopping the safety detection of the tested program under the condition that the stay time on the display interface exceeds a first threshold value and/or the triggering times of the simulation triggering operation exceed a second threshold value.
10. A security detection apparatus, the apparatus comprising:
the acquisition module is used for acquiring a program screenshot corresponding to a display interface of the tested program;
the determining module is used for determining the page type of the program screenshot based on a page classification model, and the page classification model is obtained by training according to a plurality of historical program screenshots of at least one application program;
the obtaining module is further configured to determine a simulation trigger operation corresponding to the display interface based on the page type, execute the simulation trigger operation on the display interface, and obtain response data of the program under test to the simulation trigger operation;
and the determining module is also used for determining whether the tested program has potential safety hazard according to the response data.
11. A computer device, wherein the computer device comprises a memory and a processor;
the memory has stored therein at least one program code, which is loaded and executed by the processor to implement the security detection method according to any one of claims 1 to 9.
12. A computer-readable storage medium, in which a computer program is stored which is adapted to be executed by a processor to implement the security detection method of any one of claims 1 to 9.
13. A chip comprising programmable logic circuits and/or program instructions for implementing a security detection method as claimed in any one of claims 1 to 9 when the electronic device in which the chip is installed is operated.
14. A computer program product comprising computer instructions stored in a computer readable storage medium, from which a processor reads and executes the computer instructions to implement the security detection method of any of claims 1 to 9.
CN202211555864.0A 2022-12-06 2022-12-06 Security detection method, device, equipment and medium Pending CN115758364A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211555864.0A CN115758364A (en) 2022-12-06 2022-12-06 Security detection method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN115758364A (en) 2023-03-07

Family

ID=85343779

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211555864.0A Pending CN115758364A (en) 2022-12-06 2022-12-06 Security detection method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN115758364A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination