CN116483726A

CN116483726A - Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium

Info

Publication number: CN116483726A
Application number: CN202310473028.6A
Authority: CN
Inventors: 韩天助; 张银成; 陈烨; 李佳恒
Original assignee: Industrial and Commercial Bank of China Ltd ICBC
Current assignee: Industrial and Commercial Bank of China Ltd ICBC
Priority date: 2023-04-27
Filing date: 2023-04-27
Publication date: 2023-07-25

Abstract

The disclosure provides an anomaly detection method, an anomaly detection device, electronic equipment and a storage medium, which can be applied to the technical field of information security. The method comprises the following steps: determining N code execution paths according to operation information from N terminal devices, wherein the operation information is used for representing the operation condition of target application software in the terminal devices, and N is more than or equal to 2; according to N code execution paths, M execution levels matched with target application software are determined, wherein the execution levels are used for realizing a single application function, and M is greater than or equal to 1; according to the N code execution paths, M execution numbers corresponding to the M execution levels are calculated, wherein the execution numbers represent the number of terminal equipment successfully executing a single application function; and determining an abnormality detection result of the target application software according to the M execution numbers.

Description

Abnormality detection method, abnormality detection device, electronic apparatus, and storage medium

Technical Field

The disclosure relates to the technical field of information security, and in particular relates to an abnormality detection method, an abnormality detection device, electronic equipment and a storage medium.

Background

The client refers to application software corresponding to the server and providing local service for the user. For clients that are already online, the problem cannot be repaired by rollback of the client version. In order to ensure that the client operates normally, the related technology generally adopts a gray level release mechanism to detect abnormality and repair problems. The gray level distribution mechanism refers to: only part of users experience the client, and the application range is gradually enlarged under the condition that the client is free of abnormality.

In carrying out the above scheme, the inventors found that: the gray scale distribution mechanism can detect various anomalies, but cannot detect anomalies due to compatibility problems, resulting in poor user experience.

Disclosure of Invention

In view of the above, the present disclosure provides an abnormality detection method, an abnormality detection apparatus, an electronic device, and a storage medium.

According to a first aspect of the present disclosure, there is provided an abnormality detection method including:

determining N code execution paths according to operation information from N terminal devices, wherein the operation information is used for representing the operation condition of target application software in the terminal devices, and N is more than or equal to 2;

according to N code execution paths, M execution levels matched with target application software are determined, wherein the execution levels are used for realizing a single application function, and M is greater than or equal to 1;

according to the N code execution paths, M execution numbers corresponding to the M execution levels are calculated, wherein the execution numbers represent the number of terminal equipment successfully executing a single application function; and

and determining an abnormality detection result of the target application software according to the M execution numbers.

According to an embodiment of the disclosure, the M execution numbers are arranged according to an execution order of M execution levels, forming a first ordered sequence;

According to the M execution numbers, determining an abnormality detection result of the target application software, including:

comparing the M execution numbers according to the sequence of the first ordered sequence to obtain a first comparison result, wherein the first comparison result is used for representing whether the M execution numbers are the same; and

and determining an abnormality detection result according to the first comparison result.

According to an embodiment of the present disclosure, comparing the M execution numbers in order of the first ordered sequence to obtain a first comparison result includes:

starting from the 1 st execution number of the first ordered sequence, if the 1 st execution number is determined to be the same as the 2 nd execution number, comparing whether the 2 nd execution number is the same as the next execution number or not until different M-th execution number and m+1th execution number are obtained, wherein M is greater than or equal to 1 and M is less than or equal to M; and

the first comparison result is determined according to the m+1th execution level corresponding to the m+1th execution number.

According to an embodiment of the present disclosure, determining an anomaly detection result according to a first comparison result includes:

determining an abnormal level according to the first comparison result, wherein the abnormal level represents an execution level with an abnormality; and

and determining an abnormality detection result according to the abnormality level.

According to the embodiment of the disclosure, the execution hierarchy comprises P execution methods, and a chain processing relationship exists among the P execution methods, wherein P is greater than or equal to 1;

determining an anomaly detection result according to the anomaly hierarchy, including:

generating a second ordered sequence according to the chain processing relationship, wherein the second ordered sequence comprises P sub-execution numbers corresponding to the P execution methods;

comparing the P sub-execution numbers according to the order of the second ordered sequence to obtain a second comparison result, wherein the second comparison result is used for representing whether the P sub-execution numbers are the same or not; and

and determining an abnormality detection result according to the second comparison result.

According to an embodiment of the present disclosure, determining M execution levels matching the target application software according to N code execution paths includes:

determining the longest code execution path in the N code execution paths;

determining a target execution path matched with target application software according to the longest code execution path; and

dividing the target execution path according to the application function to obtain M execution levels.

According to an embodiment of the present disclosure, wherein the running information includes a time stamp and code execution information; according to the operation information from N terminal devices, N code execution paths are determined, including:

Sequencing the code execution information according to the time stamp to obtain an original execution path; and

and performing data cleaning and path segmentation on the original execution path to generate a code execution path.

According to an embodiment of the present disclosure, the operation information further includes common information, and the common information includes at least one of: the application version, the equipment model of the terminal equipment and the system model;

after determining the abnormality detection result of the target application software according to the M execution numbers, the method comprises the following steps:

determining an abnormality report identical to the abnormality detection result and the public information under the condition that the abnormality detection result is determined to represent that the target application software has abnormality; and

and under the condition that the number of the abnormal reports meets a preset threshold, sending prompt information to target application software in the N terminal devices so as to upgrade the target application software.

A second aspect of the present disclosure provides an abnormality detection apparatus including:

the path determining module is used for determining N code execution paths according to the operation information from N terminal devices, wherein the operation information is used for representing the operation condition of target application software in the terminal devices, and N is more than or equal to 2;

the hierarchy determining module is used for determining M execution hierarchies matched with the target application software according to N code execution paths, wherein the execution hierarchies are used for realizing single application functions, and M is greater than or equal to 1;

The computing module is used for computing M execution numbers corresponding to the M execution levels according to the N code execution paths, wherein the execution numbers represent the number of terminal equipment which successfully executes a single application function; and

and the detection module is used for determining an abnormality detection result of the target application software according to the M execution numbers.

A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the anomaly detection method described above.

A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described anomaly detection method.

The fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described abnormality detection method.

The embodiment of the disclosure determines N code execution paths according to the running information from N terminal devices; according to the N code execution paths, M execution levels matched with the target application software are determined; according to the N code execution paths, M execution numbers corresponding to the M execution levels are calculated, wherein the execution numbers represent the number of terminal equipment successfully executing a single application function; according to the M execution numbers, the abnormality detection results of the target application software are determined, so that the abnormality of the application software caused by the compatibility problem can be detected, the abnormality can be repaired in time, and the use experience of a user is improved.

Drawings

The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:

fig. 1 schematically illustrates an application scenario of an abnormality detection method according to an embodiment of the present disclosure;

FIG. 2 schematically illustrates a flow chart of an anomaly detection method according to an embodiment of the present disclosure;

FIG. 3 schematically illustrates a data flow diagram of an anomaly detection method according to an embodiment of the present disclosure;

fig. 4 schematically illustrates an anomaly detection application scenario according to a first embodiment of the present disclosure;

fig. 5 schematically illustrates an anomaly detection application scenario according to a second embodiment of the present disclosure;

fig. 6 schematically illustrates an anomaly detection application scenario according to a third embodiment of the present disclosure;

FIG. 7 schematically illustrates a flow chart of a method of upgrading target application software according to a specific embodiment of the disclosure;

fig. 8 schematically shows a block diagram of a configuration of an abnormality detection apparatus according to an embodiment of the present disclosure; and

fig. 9 schematically illustrates a block diagram of an electronic device adapted for an anomaly detection method according to an embodiment of the present disclosure.

Detailed Description

Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.

All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.

Where expressions like at least one of "A, B and C, etc. are used, the expressions should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g.," a system having at least one of A, B and C "shall include, but not be limited to, a system having a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).

In the technical scheme of the disclosure, the related data (such as including but not limited to personal information of a user) are collected, stored, used, processed, transmitted, provided, disclosed, applied and the like, all conform to the regulations of related laws and regulations, necessary security measures are adopted, and the public welcome is not violated.

In the related art, the anomaly detection process using the gray-scale distribution mechanism includes: the use range is limited by means of a white list and the like. For the newly-online client or the newly-online function, only partial users in the white list are ensured to experience the newly-online client or the newly-online function. Under the condition that part of user experience is not problematic, the application range is gradually expanded until the newly online client or the newly online function can face all users.

In the gray scale distribution mechanism, information such as user equipment and an operating system cannot be utilized, so that the gray scale distribution mechanism can only detect abnormalities related to the client, for example, unstable network connection between the server and the client, which results in operation failure. The gray scale mechanism cannot detect compatibility problems due to incompatibility of the system version with the client, incompatibility of the device model with the client, and the like.

In summary, the gray level publishing mechanism cannot detect the abnormality caused by the compatibility problem, so that the newly online client still has the abnormality, and the user experience is poor.

The embodiment of the disclosure provides an anomaly detection method, which comprises the following steps: determining N code execution paths according to operation information from N terminal devices, wherein the operation information is used for representing the operation condition of target application software in the terminal devices, and N is more than or equal to 2; according to N code execution paths, M execution levels matched with target application software are determined, wherein the execution levels are used for realizing a single application function, and M is greater than or equal to 1; according to the N code execution paths, M execution numbers corresponding to the M execution levels are calculated, wherein the execution numbers represent the number of terminal equipment successfully executing a single application function; and determining an abnormality detection result of the target application software according to the M execution numbers.

Fig. 1 schematically illustrates an application scenario of an abnormality detection method according to an embodiment of the present disclosure.

As shown in fig. 1, an application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105. The network 104 is a medium used to provide a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.

The user may interact with the server 105 through the network 104 using at least one of the first terminal device 101, the second terminal device 102, the third terminal device 103, to receive or send messages, etc. Various communication client applications, such as a shopping class application, a web browser application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only) may be installed on the first terminal device 101, the second terminal device 102, and the third terminal device 103.

For example, the user may complete a transaction operation, a balance inquiry operation, or the like using a bank client in the first terminal device 101, the second terminal device 102, or the third terminal device 103. The first terminal device 101, the second terminal device 102, or the third terminal device 103 transmits the operation information of the bank client to the server 105 through the network 104.

The first terminal device 101, the second terminal device 102, the third terminal device 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.

The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by the user using the first terminal device 101, the second terminal device 102, and the third terminal device 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.

It should be noted that, the anomaly detection method provided in the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the abnormality detection apparatus provided by the embodiments of the present disclosure may be generally provided in the server 105. The anomaly detection method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105. Accordingly, the abnormality detection apparatus provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105.

It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.

The abnormality detection method of the disclosed embodiment will be described in detail below with reference to fig. 2 to 6 based on the scenario described in fig. 1.

Fig. 2 schematically illustrates a flowchart of an anomaly detection method according to an embodiment of the present disclosure.

As shown in fig. 2, the method 200 includes operations S210 to S240.

In operation S210, N code execution paths are determined according to operation information from N terminal devices, where the operation information is used to characterize an operation condition of target application software in the terminal devices, and N is greater than or equal to 2.

According to the embodiment of the disclosure, the terminal device is provided with the target application software, and the terminal device can send the running condition of the target application software to the server so that the server can determine the code execution path according to the running information.

According to the embodiment of the disclosure, for the running information sent by each terminal device, the server obtains a code execution path of the related target application software by analyzing and processing the running information. And obtaining N code execution paths corresponding to the target application software in the N terminal devices according to the running information from the N terminal devices.

According to embodiments of the present disclosure, the code execution path may characterize the behavior of the target application software. For example, taking a login operation of application software as an example, the code execution path includes a code execution chain from entering a login page to completing the whole process of login.

According to an embodiment of the present disclosure, N terminal devices belong to the same device model and/or system model.

In operation S220, M execution levels matching the target application software are determined according to the N code execution paths, the execution levels being used to implement a single application function, M being 1 or more.

According to embodiments of the present disclosure, the execution hierarchy is used to implement a single application function of the target application software.

For example, still taking a login operation of application software as an example, the execution hierarchy includes: displaying a login page, inputting an account number, inputting a password and displaying a login success page. Wherein, the "show login page", "input account", "input password", "show login success page" each represent a single execution hierarchy.

According to an embodiment of the present disclosure, at the front end of the application software, the "show login page" is only embodied as a show function; at the back end of the application software, at least one calling method or code execution path is required to perform the "show login page" function.

According to an embodiment of the present disclosure, after N code execution paths corresponding to target application software in N terminal devices are determined, M execution levels that match the target application software and include the N code execution paths are determined.

For example, code execution path 1 only executes application function a, and code execution path 2 executes application functions a and B. The execution levels determined according to the code execution path 1 and the code execution path 2 are an execution level A 'and an execution level B', wherein the execution level A 'and the execution level B' respectively correspond to the application functions A and B.

In operation S230, M execution numbers corresponding to the M execution levels, which characterize the number of terminal devices that have successfully executed a single application function, are calculated according to the N code execution paths.

According to an embodiment of the present disclosure, after determining N code execution paths and M execution levels, the number of devices, among N terminal devices, that have executed an application function corresponding to an application level is calculated from the N code execution paths in units of an execution level.

For example, still taking code execution path 1 and code execution path 2 as examples, the execution hierarchy is A 'and B'. The execution levels determined according to the code execution path 1 and the code execution path 2 are an execution level a 'and an execution level B', and the number of execution numbers is 2. For the execution hierarchy a ', the code execution path 1 and the code execution path 2 execute the execution function a corresponding to the application hierarchy a ', and the value of the execution hierarchy a ' is 2. For the execution hierarchy B ', only the code execution path 2 executes the execution function B corresponding to the execution hierarchy B ', and thus the value of the execution hierarchy B ' is 2.

In operation S240, an abnormality detection result of the target application software is determined according to the M execution numbers.

According to the embodiment of the disclosure, after determining the M execution numbers, an abnormality detection result of the target application software is determined according to a difference in the number of terminal devices that have successfully executed the single application function, characterized by the M execution numbers.

According to the embodiment of the disclosure, vulnerability analysis can analyze the whole business process and the change condition of each stage from the starting point to the end point in the business process. Thus, a difference in the number of terminal devices characterized by the number of executions can be determined based on the vulnerability analysis.

According to the embodiment of the disclosure, for N terminal devices of the same device model and/or system model, code execution paths formed by each terminal device are completely consistent for the same target application software. Only when an abnormality occurs in a certain link in the code execution path, the code execution path is changed. Therefore, the abnormality in the code execution path is embodied in the execution number, and the abnormality detection result of the target application software can be determined according to the execution number.

Fig. 3 schematically illustrates a data flow diagram of an anomaly detection method according to an embodiment of the present disclosure.

As shown in fig. 3, a data flow diagram 300 of an anomaly detection method illustrates a process for determining the anomaly detection result of a target application software.

According to an embodiment of the present disclosure, the target application software 304 is installed on the terminal device 301. The terminal device 301 may send the running information 302 characterizing the running of the target application software 304 to the server.

According to an embodiment of the present disclosure, the server receives the operation information 302 transmitted from the terminal device 301, and determines the code execution path 303 according to the operation information 302. An execution hierarchy 305 matching the target application software is determined from the code execution path 303 and the target application software 304.

According to an embodiment of the present disclosure, after determining the execution hierarchy, the number of executions 306 corresponding to each execution hierarchy is determined from the execution hierarchy 305 and the code execution path 303. The anomaly detection result 307 of the target application software is determined according to the execution number 306 of the plurality of execution levels.

According to an embodiment of the present disclosure, the M execution numbers are arranged in an execution order of M execution levels, forming a first ordered sequence.

According to an embodiment of the present disclosure, determining an abnormality detection result of target application software according to M execution numbers includes the steps of: and comparing the M execution numbers according to the order of the first ordered sequence to obtain a first comparison result, wherein the first comparison result is used for representing whether the M execution numbers are the same or not. And determining an abnormality detection result according to the first comparison result.

According to embodiments of the present disclosure, there is an execution order among multiple execution levels, including an order of invocation between code or functions, and also including a logical order between functions.

For example, the execution hierarchy includes: the login page is displayed, the account number is input, the password is input, and the login success page is displayed as an example. Because of the logic sequence between each function of the login operation, the execution sequence between the 4 execution levels is "show login page- > input account- > input password- > show login success interface".

According to the embodiment of the present disclosure, the M execution levels are arranged in the execution order, and therefore, the M execution numbers corresponding to the M execution levels are also arranged in the above-described execution order, forming the first ordered sequence.

For example, the order of execution numbers in the first ordered sequence is "number of executions showing login page function- > number of executions of input account function- > number of executions of input password function- > number of executions showing login success interface function".

According to the embodiment of the disclosure, in the case of an abnormality in the target application software, all codes or functions after the abnormality point cannot be executed, and therefore, the first ordered sequence formed according to the M execution numbers has an inverted pyramid structure.

For example, still take the example of "show login page- > -enter account- > -enter password- > -show login success interface". For 100 terminal devices, the number of terminal devices entering a login page is 100, and the number of terminal devices inputting an account is only 98 times due to page display errors or output errors. And then, the number of terminal devices for inputting the passwords is only 95 times due to other errors, and the number of terminal devices for displaying the login success page is 90.

According to the embodiment of the disclosure, the M execution numbers are compared according to the order of the first ordered sequence, and a first comparison result is obtained, where the first comparison result is used for indicating whether the M execution numbers are the same. And generating an abnormality detection result according to the first comparison result.

The embodiment of the disclosure can improve the accuracy of the abnormality detection result by quantitative funnel analysis by comparing whether the number of executions is the same to determine the abnormality detection result. Furthermore, comparing the M execution numbers in the order of the first ordered sequence also enables detecting exceptions in the order of code execution, helping to locate sources of exceptions in the dimension of the execution hierarchy.

According to an embodiment of the present disclosure, comparing M execution numbers in order of a first ordered sequence to obtain a first comparison result includes the steps of:

Starting from the 1 st execution number of the first ordered sequence, in the case that the 1 st execution number is determined to be the same as the 2 nd execution number, comparing whether the 2 nd execution number is the same as the next execution number or not until the different M-th execution number and m+1th execution number are obtained, M being equal to or greater than 1, and M being equal to or less than M.

According to the embodiment of the present disclosure, in the case where the mth execution number and the mth+1th execution number are different, an abnormality occurs in the mth+1th execution level corresponding to the mth+1th execution number, and thus, the mth+1th execution level corresponding to the mth+1th execution number is taken as an abnormal level. The first comparison result includes an anomaly level.

According to embodiments of the present disclosure, the first comparison result may be determined from a one-time comparison process. In the process of one comparison, comparing whether the adjacent two execution numbers are the same according to the order of the first ordered sequence, and moving one step length to continue comparison until the different two execution numbers are detected under the condition that the adjacent two execution numbers are determined to be the same.

According to embodiments of the present disclosure, the first comparison result may also be determined by a multiple comparison process. For example, in one comparison process, it is determined that the mth execution number and the (m+1) th execution number are different. And in the second comparison process, starting from the (m+1) th execution number, continuously comparing whether the two adjacent execution numbers are the same according to the sequence of the first ordered sequence, and repeating the comparison process for a plurality of times until the comparison of all the execution numbers in the first ordered sequence is completed, so as to determine whether an abnormal execution level exists after the (m+1) th execution level.

According to embodiments of the present disclosure, for a plurality of comparison processes, a first comparison result may be determined according to different numbers of executions in the plurality of comparison processes.

For example, the first comparison result is generated by a two-time comparison process. In the first comparison, it is determined that the mth execution number is different from the (m+1) th execution number. In the second comparison process, it is determined that the number of executions of the ith execution level is different from the number of executions of the (i+1) th execution level, i is greater than or equal to m+1, and i is less than or equal to M. The first comparison result includes an m+1th execution level and an i+1th execution level.

According to an embodiment of the present disclosure, determining an anomaly detection result according to a first comparison result includes: determining an abnormal level according to the first comparison result, wherein the abnormal level represents an execution level with an abnormality; and determining an abnormality detection result according to the abnormality level.

According to an embodiment of the present disclosure, the first comparison result includes an anomaly level. Determining the anomaly level from the first comparison result includes: and directly acquiring the abnormal level according to the first comparison result. The difference in the number of executions of the two execution levels characterizes the presence of an exception between the two execution levels, and the execution level following the execution order may be determined as the exception level.

According to an embodiment of the present disclosure, in the case where the anomaly hierarchy is determined according to the first comparison result, the anomaly detection result may be directly generated according to the anomaly hierarchy so as to locate anomalies in the dimensions of the hierarchy.

According to the embodiment of the disclosure, in the case of determining the anomaly level according to the first comparison result, the anomaly level may be further processed to generate an anomaly detection result so as to locate anomalies in a lower layer dimension.

According to an embodiment of the present disclosure, an execution hierarchy includes P execution methods, among which a chain processing relationship exists, P being 1 or more.

According to an embodiment of the present disclosure, determining an anomaly detection result according to an anomaly hierarchy includes the steps of: and generating a second ordered sequence according to the chain processing relationship, wherein the second ordered sequence comprises P sub-execution numbers corresponding to the P execution methods. And comparing the P sub-execution numbers according to the order of the second ordered sequence to obtain a second comparison result, wherein the second comparison result is used for representing whether the P sub-execution numbers are the same or not. And determining an abnormality detection result according to the second comparison result.

According to an embodiment of the present disclosure, the execution hierarchy includes P execution methods. The last execution method is finished to represent the application function of the execution level.

According to embodiments of the present disclosure, the occurrence of an exception at the (m+1) -th execution level may be caused by the occurrence of an exception in a certain execution method within the (m+1) -th execution level. Thus, after the abnormality level is determined from the first comparison result, an execution method in which an abnormality occurs is determined for the abnormality level.

According to an embodiment of the present disclosure, generating the second ordered sequence in a chained processing relationship includes: and determining P sub-execution numbers corresponding to the P execution methods according to the hierarchical processing identification, and sequencing the P sub-execution numbers according to the chain processing relationship among the P execution methods to generate a second ordered sequence.

According to the embodiment of the disclosure, the second comparison result includes an anomaly method, and the anomaly method can be directly acquired according to the second comparison result. The number of sub-executions of the two execution methods is different, and the exception exists between the two execution methods, so that the execution methods with subsequent execution sequences are determined as exception methods.

According to an embodiment of the present disclosure, determining an abnormality detection result according to the second comparison result includes: determining an abnormal method according to the second comparison result; and generating an abnormality detection result according to the abnormality level and the abnormality method.

According to an embodiment of the present disclosure, a method of comparing the P sub-execution numbers to determine the second comparison result is similar to a method of comparing the M execution numbers to determine the first comparison result.

Specifically, the method for determining the second comparison result includes: starting from the 1 st sub-execution number of the second ordered sequence, under the condition that the 1 st sub-execution number is determined to be the same as the 2 nd sub-execution number, comparing whether the 2 nd sub-execution number is the same as the next sub-execution number or not until the P-th sub-execution number and the p+1st sub-execution number which are different are obtained, wherein P is greater than or equal to 1 and is smaller than or equal to P; and determining a second comparison result according to the p+1st execution method corresponding to the p+1st execution number.

For example, the exception hierarchy includes 3 execution methods sel1, sel2, and sel3, and the chain processing relationship between the 3 execution methods is "sel1- > sel2- > sel3". The number of sub-executions of sel1 is 1000, the number of sub-executions of sel2 is 1000, but the number of sub-executions of sel3 is 999, which indicates that the target application software of a certain terminal device has an exception in the middle of sel2- > sel3, and the execution method sel3 is determined as an exception method.

Fig. 4 schematically illustrates an abnormality detection application scenario according to a first embodiment of the present disclosure.

As shown in fig. 4, the abnormality detection application scenario 400 of the first embodiment includes code execution paths divided by a hierarchy dimension. Wherein the code execution path includes 5 execution hierarchies A, B, C, D, E.

According to embodiments of the present disclosure, a code execution path may include two sub-paths below, i.e., there are two execution orders, "a- > B- > C- > D" and "a- > B- > E- > C- > D". When comparing the M execution numbers in the order of the first ordered sequence, it is necessary to traverse all execution orders to generate the first comparison result.

For "a- > B- > E- > C- > D", when it is determined that the number of executions of the execution level E is different from the number of executions of the execution level B, the execution level E is determined to be an abnormal level, and the generated first comparison result and the abnormal detection result both include the execution level E.

Fig. 5 schematically illustrates an abnormality detection application scenario according to a second embodiment of the present disclosure

As shown in fig. 5, the anomaly detection application scenario 500 of the second embodiment includes code execution paths divided by a hierarchy-method dimension. Wherein the code execution path includes 5 execution hierarchies A, B, C, D, E. The execution level E is an exception level, and the execution level E includes execution methods E1, E2, E3.

According to an embodiment of the present disclosure, in the case where the execution level E is determined to be an abnormal level, whether the number of sub-executions of the execution methods E1, E2, E3 in the execution level E is the same is compared. If the number of sub-executions of the execution method e2 is different from the number of sub-executions of the execution method e3, the execution method e3 is determined as an abnormal method, and the generated second comparison result includes the execution method e3. And then, determining an abnormal detection result according to the first comparison result and the second comparison result. The abnormality detection result includes an abnormality level E and an abnormality method E3.

According to the embodiment of the disclosure, the abnormality detection result is determined according to the execution method in the execution hierarchy, so that the abnormality source can be directly positioned, the abnormality can be accurately repaired, and the user experience is improved.

According to an embodiment of the present disclosure, the abnormality detection method further includes: after M execution levels matched with the target application software are determined according to the N execution paths, determining whether the number of sub-executions of P execution methods under each execution level is the same for each execution level so as to obtain a third comparison result; and determining an abnormality detection result according to the third comparison result.

Fig. 6 schematically illustrates an abnormality detection application scenario according to a third embodiment of the present disclosure.

As shown in fig. 6, the abnormality detection application scenario 600 of the third embodiment includes code execution paths divided by method dimensions. Wherein the code execution path includes 9 execution methods. Wherein, the execution methods a1 and a2 belong to the execution level a, the execution method B1 belongs to the execution level B, the execution methods C1 and C2 belong to the execution level C, the execution method D1 belongs to the execution level D, and the execution methods E1, E2, E3 belong to the execution level E.

According to an embodiment of the present disclosure, by comparing the number of sub-executions of the above 9 execution methods, when the number of sub-executions of the execution method e2 is different from the number of sub-executions of the execution method e3, the execution method e3 is determined as an abnormal method, and the generated third comparison result includes the execution method e3. The abnormality detection result determined from the third comparison result includes an abnormality method e3.

According to the first embodiment of the present disclosure, the execution hierarchy in which an exception occurs is determined with the execution hierarchy as the minimum granularity. In the second embodiment, with the execution method as the minimum granularity, whether the execution level is abnormal or not is detected, the execution method in the abnormal level is detected, and the abnormality is determined by a multi-level multi-granularity method. The third embodiment uses the execution method as the minimum granularity, and determines the exception directly based on the execution method with the minimum granularity.

According to an embodiment of the present disclosure, M execution levels matching target application software are determined from N code execution paths, including the following steps.

Determining the longest code execution path in the N code execution paths; determining a target execution path matched with target application software according to the longest code execution path; and dividing the target execution path according to the application function to obtain M execution levels.

According to an embodiment of the present disclosure, theoretically, the same N terminal devices have exactly the same code execution paths. In practical situations, for a certain terminal device, because of the abnormality of the target application software, the breakpoint occurs in the code execution paths determined according to the running information, and the code execution paths of a plurality of terminal devices are different in length. Thus, the longer the code execution path is, the more complete application functions can be realized, and the more features related to the target application software can be embodied.

According to an embodiment of the present disclosure, after determining a longest one of the N code execution paths, a code execution path that is most similar to the longest one is determined from the database, and the most similar code execution path is determined to be a target execution path that matches the target application software.

According to the embodiment of the disclosure, the target execution path is divided according to the application function of the target application software, so that the most complete M execution levels can be obtained.

According to an embodiment of the present disclosure, the running information includes a time stamp and code execution information.

According to an embodiment of the present disclosure, determining N code execution paths according to operation information from N terminal devices includes: sequencing the code execution information according to the time stamp to obtain an original execution path; and performing data cleaning and path segmentation on the original execution path to generate a code execution path.

According to an embodiment of the present disclosure, the code execution information includes information related to the code such as a method name, a target object, and the like.

According to embodiments of the present disclosure, the operational information may be obtained through a hook public method. Specifically, by burying points in the target application software, the code is executed to a certain method and the running information when the method is executed is obtained.

According to embodiments of the present disclosure, a hook operation may be performed based on a Method-Swizzling operation of run time to embed points in the target application software.

According to an embodiment of the present disclosure, the method in the code, also called a function, is composed of a function name (SEL) and a function Implementation (IMP). In the same target object, the function names and the function realizations are in one-to-one correspondence, and the function realization corresponding to the function names can be found through the function names. The code implementation in the function implementation is the true content of the function execution. The Method-Swizzling operation of run time may direct the function name of one function to the function implementation of another function.

For example, function name selector2 corresponds to function implementation IMP2, and function name selector3 corresponds to function implementation IMP 3. By the Method-Swizzling operation of run time, selector2 is directed to IMP3 and selector3 is directed to IMP 2. Thus, as long as the function name selector is known, hook operation can be performed, IMP is realized by replacing the function corresponding to the function name, and buried points are realized.

According to embodiments of the present disclosure, the order of execution of the codes may be determined by reading the source code, and may also be determined according to the code execution time. Because the reading of the source code to generate the code execution path has low efficiency and is easy to make mistakes, the code execution information can be sequenced according to the time stamp to obtain the original execution path, and the efficiency and the accuracy of generating the original execution path are improved.

According to an embodiment of the present disclosure, data cleansing includes: deleting redundant codes, missing data, and the like.

According to the method and the device for generating the original execution path, the original execution path is generated according to the time stamp, and the original execution path is clear and divided, so that the clear code execution path can be obtained, and the processing efficiency is improved.

According to an embodiment of the present disclosure, the operation information further includes common information including at least one of: application version, device model of terminal device and system model.

According to an embodiment of the present disclosure, after determining an abnormality detection result of target application software according to M execution numbers, it includes:

and determining an abnormality report identical to the abnormality detection result and the public information under the condition that the abnormality detection result is determined to represent that the target application software has the abnormality.

According to an embodiment of the present disclosure, in a case where it is determined that an abnormality detection result characterizes the presence of an abnormality of the target application software, an abnormality report identical to the abnormality level and/or abnormality method and the common information is retrieved from the database according to the abnormality level and/or abnormality method and the common information included in the abnormality detection result.

According to the embodiment of the disclosure, under the condition of determining the exception report, determining whether the exception level and/or the exception method in the current exception retrieval inclusion are universal exceptions according to whether the number of exception inclusions meets a preset threshold value or not so as to update software in time.

According to the embodiment of the disclosure, in the case that the number of the abnormal reports meets the preset threshold, prompt information is sent to the target application software in the N terminal devices so as to upgrade the target application software.

According to another embodiment of the present disclosure, in case the number of abnormality reports satisfies a preset threshold, a scene switch of the target application software is turned off to limit the target application software in the same terminal device as the abnormality level and/or abnormality method, and the common information.

For example, an application software with an application version of 2.0 is taken as an example, and a terminal device with a system version of 3.0 is taken as an example. And under the condition that the number of the abnormal reports meets a preset threshold, closing a scene switch of an application scene corresponding to the application version of 2.0 and the system version of 3.0 to ensure that a user with the application version of 2.0 and the system version of 3.0 cannot use the scene, and only after upgrading the target application software or the system version, continuing to use the scene.

According to the embodiment of the disclosure, while the scene switch of the target application software is turned off, prompt information can be sent to the target application software in the N terminal devices so as to upgrade the target application software.

FIG. 7 schematically illustrates a flow chart of a method of upgrading target application software according to a specific embodiment of the disclosure.

As shown in fig. 7, the flowchart 700 of the target application software upgrade method includes operations S701 to S709.

In operation S701, operation information is collected. In particular, the operation information from the terminal device may be received by the server.

In operation S702, a code execution path is generated.

In operation S703, an execution hierarchy is determined.

In operation S704, layer-by-layer detection is performed. Specifically, the layer-by-layer detection may include detecting an execution hierarchy layer by layer, determining whether M execution numbers are the same in a dimension of the hierarchy, and obtaining a first comparison result. And determining an abnormality detection result according to the first comparison result.

Layer-by-layer detection may also include detection in the dimension of the hierarchy-method. Specifically, firstly detecting an execution level layer by layer to determine an abnormal level, and obtaining a first comparison result; and determining an abnormality method according to the abnormality level to obtain a second comparison result, and determining an abnormality detection result according to the first comparison result and the second comparison result.

Layer-by-layer detection may also include detection in the dimension of the method. Specifically, for each execution hierarchy, the execution method in the execution hierarchy is detected to determine an abnormal method, a third comparison result is obtained, and an abnormal detection result is determined according to the third comparison result.

In operation S705, whether there is an abnormality. Specifically, whether the target application software has an abnormality or not is determined according to the abnormality detection result. If there is an abnormality, the operation proceeds to operation S706, and the commonality analysis is performed; if there is no abnormality, the operation returns to operation S704, and the detection is continued.

In operation S706, a commonality analysis is performed. Specifically, the commonality analysis includes determining an abnormality report identical to the abnormality detection result and the common information.

In operation S707, whether a fusing mechanism is triggered. Specifically, it is determined whether the number of abnormal reports satisfies a preset threshold. If the number of abnormality reports satisfies the preset threshold, a fusing mechanism is triggered, and operation S708 is entered to turn off the scene switch. If the number of abnormality reports does not satisfy the preset threshold, the fusing mechanism is not triggered, and the operation returns to operation S706.

In operation S708, the scene switch is turned off.

In operation S709, upgrade.

The embodiment of the disclosure is based on the abnormality detection scheme of the target application software, can improve the interception rate of production abnormality in the prior art scheme, and optimizes the user experience.

Embodiments of the present disclosure are an addition to, and not a complete alternative to, prior art solutions. If the prior art solution can intercept 90% of the problems, embodiments of the present disclosure can increase this number to 95%, 99%, or even 100%.

Fig. 8 schematically shows a block diagram of a configuration of an abnormality detection apparatus according to an embodiment of the present disclosure.

As shown in fig. 8, the abnormality detection apparatus 800 of this embodiment includes a path determination module 810, a hierarchy determination module 820, a calculation module 830, and a detection module 840.

The path determining module 810 is configured to determine N code execution paths according to operation information from N terminal devices, where the operation information is used to characterize an operation condition of target application software in the terminal devices, and N is greater than or equal to 2. In an embodiment, the path determining module 810 may be configured to perform the operation S210 described above, which is not described herein.

The hierarchy determining module 820 is configured to determine, according to the N code execution paths, M execution hierarchies matched with the target application software, where the execution hierarchies are used to implement a single application function, and M is greater than or equal to 1. In an embodiment, the hierarchy determining module 820 may be used to perform the operation S220 described above, which is not described herein.

The calculating module 830 is configured to calculate, according to the N code execution paths, M execution numbers corresponding to the M execution levels, where the execution numbers represent the number of terminal devices that have successfully executed a single application function. In an embodiment, the calculating module 830 may be configured to perform the operation S230 described above, which is not described herein.

The detection module 840 is configured to determine an anomaly detection result of the target application software according to the M execution numbers. In an embodiment, the detection module 840 may be configured to perform the operation S240 described above, which is not described herein.

According to an embodiment of the present disclosure, the M execution numbers are arranged in an execution order of M execution levels, forming a first ordered sequence. The detection module 840 includes a comparison sub-module and a detection sub-module.

The comparing sub-module is used for comparing the M execution numbers according to the order of the first ordered sequence to obtain a first comparison result, and the first comparison result is used for representing whether the M execution numbers are the same or not.

The detection sub-module is used for determining an abnormal detection result according to the first comparison result.

According to an embodiment of the present disclosure, the comparison sub-module comprises a first comparison unit and a second comparison unit.

The first comparing unit is configured to, starting from a 1 st execution number of the first ordered sequence, in a case where it is determined that the 1 st execution number is the same as the 2 nd execution number, compare whether the 2 nd execution number is the same as the next execution number until a different mth execution number and mth+1th execution number are obtained, M being greater than or equal to 1, and M being less than or equal to M.

The second comparing unit is used for determining a first comparing result according to an m+1th execution level corresponding to the m+1th execution number.

According to an embodiment of the present disclosure, the detection sub-module comprises a first detection unit and a second detection unit.

The first detection unit is used for determining an abnormal level according to the first comparison result, wherein the abnormal level represents an execution level with an abnormality.

The second detection unit is used for determining an abnormality detection result according to the abnormality level.

According to an embodiment of the present disclosure, the execution hierarchy includes P execution methods, among which a chain processing relationship exists, P being equal to or greater than 1. The second detection unit includes a generation subunit, a comparison subunit, and a determination subunit.

The generating subunit is configured to generate a second ordered sequence according to the chain processing relationship, where the second ordered sequence includes P sub-execution numbers corresponding to the P execution methods.

The comparing subunit is configured to compare the P sub-execution numbers according to the order of the second ordered sequence, to obtain a second comparison result, where the second comparison result is used to characterize whether the P sub-execution numbers are the same.

The determining subunit is configured to determine an anomaly detection result according to the second comparison result.

According to an embodiment of the present disclosure, the hierarchy determination module 820 includes a first path determination sub-module, a second path determination sub-module, and a third path determination sub-module.

The first path determination submodule is used for determining the longest code execution path in the N code execution paths.

The second path determination submodule is used for determining a target execution path matched with target application software according to the longest code execution path.

The third path determining submodule is used for dividing the target execution path according to the application function to obtain M execution levels.

According to an embodiment of the present disclosure, the path determination module 810 includes a fourth path determination sub-module, a fifth path determination sub-module.

The fourth path determination submodule is used for sorting the code execution information according to the time stamp to obtain an original execution path.

And the fifth path determination submodule is used for carrying out data cleaning and path segmentation on the original execution path to generate a code execution path.

According to an embodiment of the present disclosure, the abnormality detection apparatus 800 further includes an abnormality report determination sub-module and a hint sub-module.

The abnormality report determination sub-module is used for determining an abnormality report identical to the abnormality detection result and the common information under the condition that the abnormality detection result is determined to represent that the target application software has an abnormality.

The prompt sub-module is used for sending prompt information to target application software in N terminal devices under the condition that the number of the abnormal reports meets a preset threshold value so as to upgrade the target application software.

Any of the path determination module 810, the hierarchy determination module 820, the calculation module 830, the detection module 840 may be combined in one module to be implemented, or any of them may be split into multiple modules, according to embodiments of the present disclosure. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module.

At least one of the path determination module 810, the hierarchy determination module 820, the calculation module 830, the detection module 840 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable way of integrating or packaging circuitry, or in any one of or a suitable combination of three of software, hardware, and firmware. Alternatively, at least one of the path determination module 810, the hierarchy determination module 820, the calculation module 830, the detection module 840 may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.

As shown in fig. 9, an electronic device 900 according to an embodiment of the present disclosure includes a processor 901 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. The processor 901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 901 may also include on-board memory for caching purposes. Processor 901 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.

In the RAM 903, various programs and data necessary for the operation of the electronic device 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the program may be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.

According to an embodiment of the disclosure, the electronic device 900 may also include an input/output (I/O) interface 905, the input/output (I/O) interface 905 also being connected to the bus 904. The electronic device 900 may also include one or more of the following components connected to the input/output I/O interface 905: an input section 906 including a keyboard, a mouse, and the like; an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 908 including a hard disk or the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 910 so that a computer program read out therefrom is installed into the storage section 908 as needed.

The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.

According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 902 and/or RAM 903 and/or one or more memories other than ROM 902 and RAM 903 described above.

Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to perform the methods provided by embodiments of the present disclosure.

The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.

In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, via communication portion 909, and/or installed from removable medium 911. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.

In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.

According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, such as Java, c++, python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.

While the foregoing is directed to embodiments of the present disclosure, other and further details of the invention may be had by the present application, it is to be understood that the foregoing description is merely exemplary of the present disclosure and that no limitations are intended to the scope of the disclosure, except insofar as modifications, equivalents, improvements or modifications may be made without departing from the spirit and principles of the present disclosure.

Claims

1. An anomaly detection method, comprising:

according to the N code execution paths, M execution levels matched with the target application software are determined, wherein the execution levels are used for realizing a single application function, and M is greater than or equal to 1;

According to the N code execution paths, M execution numbers corresponding to the M execution levels are calculated, wherein the execution numbers represent the number of terminal devices successfully executing the single application function; and

2. The method of claim 1, wherein the M execution numbers are arranged in an order of execution of the M execution levels to form a first ordered sequence;

and determining an abnormality detection result of the target application software according to the M execution numbers, wherein the abnormality detection result comprises the following steps:

comparing the M execution numbers according to the order of the first ordered sequence to obtain a first comparison result, wherein the first comparison result is used for representing whether the M execution numbers are the same or not; and

and determining the abnormal detection result according to the first comparison result.

3. The method of claim 2, wherein the comparing the M execution numbers in the order of the first ordered sequence results in a first comparison result, comprising:

starting from the 1 st execution number of the first ordered sequence, under the condition that the 1 st execution number is determined to be the same as the 2 nd execution number, comparing whether the 2 nd execution number is the same as the next execution number or not until different M-th execution number and m+1th execution number are obtained, wherein M is greater than or equal to 1, and M is less than or equal to M; and

And determining the first comparison result according to an m+1th execution level corresponding to the m+1th execution number.

4. The method of claim 2, wherein the determining the anomaly detection result from the first comparison result comprises:

determining an exception level according to the first comparison result, wherein the exception level represents an execution level with exception; and

5. The method of claim 4, wherein the execution hierarchy comprises P execution methods, a chained processing relationship exists among the P execution methods, and P is greater than or equal to 1;

the determining an abnormality detection result according to the abnormality level includes:

generating a second ordered sequence according to the chained processing relationship, wherein the second ordered sequence comprises P sub-execution numbers corresponding to the P execution methods;

and determining the abnormal detection result according to the second comparison result.

6. The method of claim 1, wherein said determining M execution levels matching the target application software according to the N code execution paths comprises:

determining the longest code execution path in the N code execution paths;

determining a target execution path matched with the target application software according to the longest code execution path; and

dividing the target execution path according to the application function to obtain the M execution levels.

7. The method of claim 1, wherein the run information includes a timestamp and code execution information; the determining N code execution paths according to the operation information from the N terminal devices includes:

sorting the code execution information according to the time stamp to obtain an original execution path; and

and carrying out data cleaning and path segmentation on the original execution path to generate the code execution path.

8. The method of claim 1, wherein the operational information further comprises common information including at least one of: the application version, the equipment model of the terminal equipment and the system model;

determining an abnormality report identical to the abnormality detection result and the common information under the condition that the abnormality detection result is determined to represent that the target application software has an abnormality; and

9. An abnormality detection apparatus comprising:

the path determining module is used for determining N code execution paths according to operation information from N terminal devices, wherein the operation information is used for representing the operation condition of target application software in the terminal devices, and N is more than or equal to 2;

the hierarchy determining module is used for determining M execution hierarchies matched with the target application software according to the N code execution paths, wherein the execution hierarchies are used for realizing single application functions, and M is greater than or equal to 1;

the computing module is used for computing M execution numbers corresponding to the M execution levels according to the N code execution paths, wherein the execution numbers represent the number of terminal equipment which successfully execute the single application function; and

10. An electronic device, comprising:

one or more processors;

storage means for storing one or more programs,

wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-8.

11. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-8.

12. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 8.