CN116489655B - Malicious application program monitoring method based on 5GS - Google Patents
Malicious application program monitoring method based on 5GS Download PDFInfo
- Publication number
- CN116489655B CN116489655B CN202310245341.4A CN202310245341A CN116489655B CN 116489655 B CN116489655 B CN 116489655B CN 202310245341 A CN202310245341 A CN 202310245341A CN 116489655 B CN116489655 B CN 116489655B
- Authority
- CN
- China
- Prior art keywords
- malicious
- application program
- application
- current preset
- program
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 42
- 230000006399 behavior Effects 0.000 claims abstract description 25
- 238000012544 monitoring process Methods 0.000 claims abstract description 22
- 102000038566 DCAFs Human genes 0.000 claims abstract description 20
- 108091007824 DCAFs Proteins 0.000 claims abstract description 20
- 238000004458 analytical method Methods 0.000 claims abstract description 9
- 238000013480 data collection Methods 0.000 claims abstract description 9
- 230000006870 function Effects 0.000 description 8
- 238000004590 computer program Methods 0.000 description 5
- 230000002159 abnormal effect Effects 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 238000012517 data analytics Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006698 induction Effects 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000012549 training Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/128—Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/125—Protection against power exhaustion attacks
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Abstract
The application discloses a malicious application program monitoring method based on 5GS, which comprises the following steps: establishing a PDU session for a request of a UE; AMF subscribes NWDAF to analyze whether a malicious application exists for the UE; NWDAF initiates an AF discovery procedure to discover DCAF; NWDAF subscribes to data collection with DCAF; the DCAF acquires the ID of each application program running on the UE in real time and transmits the UE running data to the NWDAF; the NWDAF analyzes based on the UE operation data to determine whether a malicious application program exists; the NWDAF notifies the AMF of the analysis result. The application program online monitoring method and device achieve online monitoring of the application program. Compared with the existing mode of identifying malicious application programs by using the model, the method and the device can identify the newly-appearing application programs with malicious behaviors.
Description
Technical Field
The application relates to the technical field of 5GS, in particular to a malicious application program monitoring method based on 5 GS.
Background
Intelligent terminals such as mobile phones, vehicle-mounted terminals and the like are widely used nowadays, so that daily life and work of people are facilitated, and potential safety hazards exist. If malicious application programs are carelessly installed, additional hardware and software resource consumption can be caused, and the use experience is affected; more serious are personal privacy information disclosure, malicious fee deduction, and the like. For most intelligent terminal users, whether some application programs are malicious application programs can be easily distinguished, but for middle-aged and elderly users, malicious application programs are easily installed due to false touch or induction of false information, the users are insensitive to changes of memory occupation and electric consumption of the UE, and the users are hard to notice when malicious deduction occurs, or the reasons why the malicious deduction occurs are hard to find out, so that deduction is caused. In general, for personal privacy data of a user, a provider of an application or a UE may use to analyze the behavior of the user, according to relevant privacy terms, to provide more specialized and more pertinent services to the user, but not to save or transmit, such malicious behavior being generally imperceptible to an individual user. Even if an individual user perceives and uninstalls the application, the application cannot be prevented from malicious behavior to other users and the risk of continuing to propagate.
Most of the existing malicious application program detection methods need to specifically collect the running information of the determined malicious application program, mix the running information of the normal application program, and perform model training to obtain a model with the capability of identifying the malicious application program. The technology can train a model with higher precision, but can only judge the existing malicious application programs, and more historical data must be used, so that the newly-appearing application programs with malicious behaviors cannot be well identified.
Disclosure of Invention
The purpose of the application is to provide a 5 GS-based malicious application monitoring method, equipment and a computer readable storage medium, which can identify newly-appearing application programs with malicious behaviors.
In order to achieve the above objective, the present application provides a malicious application monitoring method based on 5GS, including:
establishing a PDU session for a request of a UE;
AMF subscribes NWDAF to analyze whether a malicious application exists for the UE;
NWDAF initiates an AF discovery procedure to discover DCAF;
NWDAF subscribes to data collection with DCAF;
the DCAF acquires the ID of each application program running on the UE in real time and transmits the UE running data to the NWDAF;
the NWDAF analyzes based on the UE operation data to determine whether a malicious application program exists;
the NWDAF notifies the AMF of the analysis result.
Optionally, the UE operation data includes: memory occupation proportion, residual electric quantity and running application program quantity;
the NWDAF analyzes based on the UE operation data, and determines whether a malicious application exists, including:
calculating the average value of the memory occupation proportion in the current preset time according to the memory occupation proportion;
calculating the power failure rate in the current preset duration according to the residual electric quantity;
calculating the average number of running application programs in the current preset duration according to the number of running application programs;
and determining whether the malicious application program exists or not based on the average value of the memory occupation proportion, the power-down rate and the average number of the running application programs in the current preset duration.
Optionally, the determining whether the malicious application exists includes:
counting tickets if the average value of the memory occupation ratios in the current preset duration exceeds a memory occupation ratio threshold;
if the power-down rate in the current preset duration exceeds a power-down threshold value, counting tickets;
if the average number of the running application programs in the current preset duration is lower than a number threshold, counting tickets;
counting the total ticket number in the current preset time length;
and if the total ticket number in the current preset time length exceeds a ticket number threshold value, determining that a malicious program exists in the running application program in the current preset time length.
Optionally, after the determining that there is a malicious program in the running application within the current preset duration, the determining whether there is a malicious application further includes:
comparing the running application program in the current preset time with a stored historical safe application program and a stored historical malicious application program;
if all the comparison is successful, determining the application program which is successfully compared with the history malicious application program as a malicious application program;
if the application program which is not successfully compared exists, the application program sequence is regarded as a pending application program;
and determining whether the occurrence frequency of the undetermined application program in the running application programs acquired from all the UE in a future set period is higher than a preset frequency, and if so, determining that the undetermined application program is a malicious application program.
Optionally, according to the data from all UEs, an application program continuously determined as a security program up to a preset number of times is determined as the historical security application program.
Optionally, after the determining that there is a malicious program in the running application within the current preset duration, the determining whether there is a malicious application further includes:
determining whether the UE generates deduction or not within the current preset duration;
comparing the fee deduction behavior of the UE in the current preset time with the historical fee deduction behavior of the UE;
and if the fee deduction behavior of the UE in the current preset duration does not accord with the characteristic of the historical fee deduction behavior, determining the fee deduction application program as a malicious application program.
Optionally, the characteristics of the historical deduction behavior include a deduction time, a deduction type and a deduction amount.
Optionally, NWDAF subscribes to data collection to DCAF through event publication subscription messages.
To achieve the above object, the present application further provides an apparatus, including:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the 5 GS-based malicious application monitoring method as described above via execution of the executable instructions.
To achieve the above object, the present application further provides a computer-readable storage medium having stored thereon a program which, when executed by a processor, implements the 5 GS-based malicious application monitoring method as described above.
The present application also provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the electronic device executes the 5 GS-based malicious application monitoring method as described above.
The method and the device collect the operation data generated by the application program on the UE by using the DCAF function of the core network, transmit the operation data to the NWDAF in real time for analysis so as to determine whether a malicious application program exists in the application program running by the UE, and realize the online monitoring of the application program. Compared with the existing mode of identifying malicious application programs by using the model, the method and the device can identify the newly-appearing application programs with malicious behaviors.
Drawings
Fig. 1 is a flowchart of a malicious application monitoring method based on 5GS according to an embodiment of the present application.
Fig. 2 is a schematic block diagram of an apparatus of an embodiment of the present application.
Detailed Description
In order to describe the technical content, constructional features, achieved objects and effects of the present application in detail, the following description is made in connection with the embodiments and the accompanying drawings.
For ease of understanding the present application, the relevant terms presented herein are explained as follows:
UE: user Equipment
AMF: access and Mobility Management Function access and mobility management functions
NWDAF: network Data Analytics Function network data analysis function
DCAF: data Collection Application Function data collection application function
Example 1
Referring to fig. 1, the application discloses a malicious application program monitoring method based on 5GS, which includes:
s1, establishing PDU session for UE request.
By establishing the PDU session, the UE is enabled to maintain communication with the network elements.
S2, the AMF subscribes to NWDAF for analysis of whether a malicious application exists for the UE.
Specifically, the subscription message may include an analysis item ID, which refers to an item identification of whether the UE has a malicious application, and analysis report content, which refers to a determination result of the malicious application.
S3, NWDAF starts an AF discovery procedure to discover DCAF.
S4, the NWDAF subscribes data collection to the DCAF.
Specifically, NWDAF subscribes to data collection with DCAF through event publication subscription messages.
S5, the DCAF acquires the ID of each application program running on the UE and the running data of the UE in real time.
Specifically, the UE operation data includes: memory occupation ratio, residual electric quantity and running application program quantity. Of course, the UE operation data is not limited to the above data.
S6, the DCAF transmits the acquired data to the NWDAF.
Specifically, the DCAF notifies the NWDAF by means of data publication.
S7, the NWDAF analyzes based on the UE operation data to determine whether a malicious application program exists.
Specifically, NWDAF analyzes based on UE operation data to determine whether a malicious application exists, including:
calculating an average value of the memory occupation proportion in the current preset time according to the memory occupation proportion;
calculating the power failure rate in the current preset duration according to the residual electric quantity;
calculating the average number of running application programs in the current preset time according to the number of the running application programs;
and determining whether malicious application programs exist or not based on the average value of the memory occupation proportion, the power-down rate and the average number of running application programs in the current preset duration.
For example, the preset duration is set to 60 seconds, an average value of the memory occupancy ratios in the duration is calculated according to the acquired memory occupancy ratios of 10:00 to 10:01, an average value of the memory occupancy ratios in the duration is calculated according to the acquired memory occupancy ratios of 10:01 to 10:02, an average value of the memory occupancy ratios in the duration is calculated according to the acquired memory occupancy ratios of 10:02 to 10:03, and so on.
By simultaneously considering the average value of the memory occupation proportion, the power-down rate and the average number of running application programs to determine whether the malicious application programs exist, compared with the method for determining whether the malicious application programs exist by utilizing a single factor, whether the malicious application programs exist can be determined more accurately, and the probability that the application programs are mistakenly considered to be malicious application programs is reduced.
Specifically, determining whether a malicious application exists includes:
counting tickets if the average value of the memory occupation ratios in the current preset time length exceeds a memory occupation ratio threshold value;
if the power-down rate in the current preset duration exceeds the power-down threshold value, counting the ticket;
if the average number of running application programs in the current preset duration is lower than the number threshold, counting the ticket;
counting the total ticket number in the current preset time length;
and if the total ticket number in the current preset time length exceeds the ticket number threshold value, determining that a malicious program exists in the running application program in the current preset time length.
In particular, in the case where an application cannot close the background operation, or access and save the private data of the UE during use, the application may occupy additional operation memory, so that the memory occupation ratio of the UE in operation is too high. At this time, a memory occupation threshold may be set as required, for example, 80%, and when the average value of the memory occupation proportion in the current preset duration exceeds 80%, the memory occupation proportion is marked as 1, which indicates that there is a risk of malicious application, and is less than 80%, the memory occupation proportion is marked as 0, which indicates that there is no risk of malicious application.
Aiming at the power failure index, in the process of performing private data access or private data transmission, a malicious application program can increase the load of the UE and accelerate the consumption of electric quantity. And judging whether the UE has abnormal power failure according to the electric quantity change condition in a period of time. Therefore, an appropriate power-down threshold may be set according to a preset duration, and if the power-down rate exceeds 50% for a period of time, it is marked as 1, which indicates that there is a risk of malicious applications, and is less than 50%, it is marked as 0, which indicates that there is no risk of malicious applications.
The number of running programs refers to the number of running and background running application programs in a period of time, and the situation that the running memory is high and power is lost is caused by the large number of running programs in a period of time. If the number of running programs exceeds 8, the number of running programs of the UE is considered to be large, and may be marked as 0 at this time, and if the number of running programs is less than 8, the number of running programs of the UE is considered to be small, and may be marked as 1 at this time.
And finally, counting all the marks as 1, and determining that a malicious application program exists if the ticket number exceeds a ticket number threshold.
Specifically, after determining that a malicious program exists in the running application program within the current preset duration, determining whether the malicious application program exists further includes:
comparing the running application program in the current preset time with the stored historical safe application program and the stored historical malicious application program;
if all the comparison is successful, determining the application program which is successfully compared with the history malicious application program as a malicious application program;
if the application program which is not successfully compared exists, the application program sequence is regarded as a pending application program;
and determining whether the occurrence frequency of the pending application program in the running application programs acquired from all the UE in the future set period is higher than a preset frequency, and if so, determining that the pending application program is a malicious application program.
Because it is not necessarily possible to determine which specific application is a malicious application when it is determined that a malicious application exists in the running application within the current preset duration, by comparing the running application within the current preset duration with the stored historical security application and the stored historical malicious application, when all the comparison is successful (all the comparison is matched with the historical application), the application that is successfully compared with the historical malicious application is determined to be the malicious application, if all the comparison is not successful, the pending application can be screened out, and then it is only necessary to determine whether the frequency of occurrence of the next pending application is higher than the preset frequency, and it is possible to determine whether the pending application is a malicious application. By the method, the malicious application program can be determined quickly and accurately.
Specifically, according to data from all UEs, an application continuously determined as a security program up to a preset number of times is determined as a history security application. Of course, this is just one way of determining a historical security application. Specifically, when no malicious application appears in a plurality of UEs for a plurality of consecutive preset time periods, an application in which the number of occurrences reaches a preset number may be determined as a history security application. Of course, in order to ensure accuracy, the historical security application may be re-identified at intervals, preventing some applications from becoming malicious applications due to attacks or the like.
Specifically, after determining that a malicious program exists in the running application program within the current preset duration, determining whether the malicious application program exists further includes:
determining whether the UE generates deduction within the current preset time length;
comparing the fee deduction behavior of the UE in the current preset time with the historical fee deduction behavior of the UE;
and if the deduction behavior of the UE in the current preset duration does not accord with the characteristics of the historical deduction behavior, determining the deduction application program as a malicious application program.
Since the user's UE usually deducts fees regularly and periodically, the amount of deductions is relatively fixed, and thus, by comparing the deduction behavior in the current preset time period with the historical deduction behavior, it can be determined whether a malicious application exists.
In particular, the characteristics of the historical deduction behavior include the deduction time, the deduction type and the deduction amount. The deduction type is telephone fee, flow rate, etc.
S8, the NWDAF informs the AMF of the analysis result.
The method and the device collect the operation data generated by the application program on the UE by using the DCAF function of the core network, transmit the operation data to the NWDAF in real time for analysis so as to determine whether a malicious application program exists in the application program running by the UE, and realize the online monitoring of the application program. Compared with the existing mode of identifying malicious application programs by using the model, the method and the device can identify the newly-appearing application programs with malicious behaviors. In addition, the method and the device are convenient for initiating early warning to operators, the operators can issue malicious application program blacklists, spread and use of the malicious application programs are blocked, and further loss to users is prevented; and the method does not need to distinguish the system used by the UE, and has universality.
Example two
Referring to fig. 2, the present application discloses an apparatus comprising:
a processor 30;
a memory 40 having stored therein executable instructions of the processor 30;
wherein the processor 30 is configured to perform the 5 GS-based malicious application monitoring method according to embodiment one via execution of executable instructions.
Example III
The application discloses a computer readable storage medium, on which a program is stored, which when executed by a processor implements a malicious application monitoring method based on 5GS according to the first embodiment.
Example IV
Embodiments of the present application disclose a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the electronic device to perform the 5 GS-based malicious application monitoring method as described in embodiment one.
It should be appreciated that in embodiments of the present application, the processor may be a central processing module (CentralProcessing Unit, CPU), which may also be other general purpose processors, digital signal processors (DigitalSignal Processor, DSP), application specific integrated circuits (Application SpecificIntegrated Circuit, ASIC), off-the-shelf programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Those skilled in the art will appreciate that the processes implementing all or part of the methods of the above embodiments may be implemented by hardware associated with computer program instructions, and the program may be stored in a computer readable storage medium, where the program when executed may include processes of embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-only memory (ROM), a Random access memory (Random AccessMemory, RAM), or the like.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The foregoing disclosure is only illustrative of the preferred embodiments of the present application and is not intended to limit the scope of the claims hereof, as defined by the equivalents of the claims.
Claims (9)
1. A 5 GS-based malicious application monitoring method, comprising:
establishing a PDU session for a request of a UE;
AMF subscribes NWDAF to analyze whether a malicious application exists for the UE;
NWDAF initiates an AF discovery procedure to discover DCAF;
NWDAF subscribes to data collection with DCAF;
the DCAF acquires the ID of each application program running on the UE in real time and transmits the UE running data to the NWDAF;
the NWDAF analyzes based on the UE operation data to determine whether a malicious application program exists;
the NWDAF notifies the AMF of the analysis result;
the determining whether a malicious application exists includes:
determining that malicious programs exist in running application programs within the current preset duration;
after the malicious programs exist in the running application programs in the current preset time period, comparing the running application programs in the current preset time period with the stored historical safe application programs and the stored historical malicious application programs;
if all the comparison is successful, determining the application program which is successfully compared with the history malicious application program as a malicious application program;
if the application program which is not successfully compared exists, the application program sequence is regarded as a pending application program;
and determining whether the occurrence frequency of the undetermined application program in the running application programs acquired from all the UE in a future set period is higher than a preset frequency, and if so, determining that the undetermined application program is a malicious application program.
2. The method for 5GS based malicious application monitoring according to claim 1,
the UE operation data includes: memory occupation proportion, residual electric quantity and running application program quantity;
the NWDAF analyzes based on the UE operation data, and determines whether a malicious application exists, including:
calculating an average value of the memory occupation proportion in the current preset time according to the memory occupation proportion;
calculating the power failure rate in the current preset duration according to the residual electric quantity;
calculating the average number of running application programs in the current preset duration according to the number of running application programs;
and determining whether a malicious program exists in the running application program in the current preset duration based on the average value of the memory occupation proportion, the power-down rate and the average number of the running application program in the current preset duration.
3. The method for 5GS based malicious application monitoring according to claim 2,
the determining whether a malicious program exists in the running application program in the current preset duration comprises the following steps:
counting tickets if the average value of the memory occupation ratios in the current preset duration exceeds a memory occupation ratio threshold;
if the power-down rate in the current preset duration exceeds a power-down threshold value, counting tickets;
if the average number of the running application programs in the current preset duration is lower than a number threshold, counting tickets;
counting the total ticket number in the current preset time length;
and if the total ticket number in the current preset time length exceeds a ticket number threshold value, determining that a malicious program exists in the running application program in the current preset time length.
4. The method for 5GS based malicious application monitoring according to claim 1,
and determining the application program continuously determined as the security program reaching the preset times as the historical security application program according to the data from all the UE.
5. The method for 5GS based malicious application monitoring according to claim 3,
after the determining that a malicious program exists in the running application within the current preset duration, the determining whether the malicious application exists further includes:
determining whether the UE generates deduction or not within the current preset duration;
comparing the fee deduction behavior of the UE in the current preset time with the historical fee deduction behavior of the UE;
and if the fee deduction behavior of the UE in the current preset duration does not accord with the characteristic of the historical fee deduction behavior, determining the fee deduction application program as a malicious application program.
6. The method for 5GS based malicious application monitoring according to claim 5,
the characteristics of the historical deduction behavior include deduction time, deduction type and deduction amount.
7. The method for 5GS based malicious application monitoring according to claim 1,
NWDAF subscribes to data collection with DCAF through event publication subscription messages.
8. An apparatus, comprising:
a processor;
a memory having stored therein executable instructions of the processor;
wherein the processor is configured to perform the 5 GS-based malicious application monitoring method of any one of claims 1 to 7 via execution of the executable instructions.
9. A computer readable storage medium having stored thereon a program, wherein the program when executed by a processor implements the 5 GS-based malicious application monitoring method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310245341.4A CN116489655B (en) | 2023-03-14 | 2023-03-14 | Malicious application program monitoring method based on 5GS |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310245341.4A CN116489655B (en) | 2023-03-14 | 2023-03-14 | Malicious application program monitoring method based on 5GS |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116489655A CN116489655A (en) | 2023-07-25 |
| CN116489655B true CN116489655B (en) | 2024-03-15 |
Family
ID=87225775
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310245341.4A Active CN116489655B (en) | 2023-03-14 | 2023-03-14 | Malicious application program monitoring method based on 5GS |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116489655B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104809397A (en) * | 2015-05-12 | 2015-07-29 | 上海斐讯数据通信技术有限公司 | Android malicious software detection method and system based on dynamic monitoring |
| CN105809035A (en) * | 2016-03-07 | 2016-07-27 | 南京邮电大学 | Android application real-time behavior based malicious software detection method and system |
| CN106716382A (en) * | 2014-09-11 | 2017-05-24 | 高通股份有限公司 | Methods and systems for aggregated multi-application behavioral analysis of mobile device behaviors |
| CN107729236A (en) * | 2017-09-30 | 2018-02-23 | 努比亚技术有限公司 | Management method, device, mobile terminal and the storage medium of application program |
| CN115396890A (en) * | 2020-08-10 | 2022-11-25 | Oppo广东移动通信有限公司 | Data collection method and device |
-
2023
- 2023-03-14 CN CN202310245341.4A patent/CN116489655B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106716382A (en) * | 2014-09-11 | 2017-05-24 | 高通股份有限公司 | Methods and systems for aggregated multi-application behavioral analysis of mobile device behaviors |
| CN104809397A (en) * | 2015-05-12 | 2015-07-29 | 上海斐讯数据通信技术有限公司 | Android malicious software detection method and system based on dynamic monitoring |
| CN105809035A (en) * | 2016-03-07 | 2016-07-27 | 南京邮电大学 | Android application real-time behavior based malicious software detection method and system |
| CN107729236A (en) * | 2017-09-30 | 2018-02-23 | 努比亚技术有限公司 | Management method, device, mobile terminal and the storage medium of application program |
| CN115396890A (en) * | 2020-08-10 | 2022-11-25 | Oppo广东移动通信有限公司 | Data collection method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116489655A (en) | 2023-07-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110830986B (en) | Method, device, equipment and storage medium for detecting abnormal behavior of Internet of things card | |
| CN104994080B (en) | Information processing method and system and electronic equipment | |
| CN104424277A (en) | Processing method and device for report information | |
| CN108280346B (en) | Application protection monitoring method, device and system | |
| CN110798488B (en) | Web application attack detection method | |
| CN106571933B (en) | Service processing method and device | |
| CN110572397B (en) | Flow-based webshell detection method | |
| CN109547427B (en) | Blacklist user identification method and device, computer equipment and storage medium | |
| CN116489655B (en) | Malicious application program monitoring method based on 5GS | |
| CN108446148B (en) | Rule management method and device and electronic equipment | |
| CN111949421B (en) | SDK calling method, device, electronic equipment and computer readable storage medium | |
| CN111740999B (en) | DDOS attack identification method, system and related device | |
| CN110516170B (en) | Method and device for checking abnormal web access | |
| CN114285633B (en) | Computer network security monitoring method and system | |
| CN114218577A (en) | API risk determination method, device, equipment and medium | |
| CN111698683B (en) | Network security control method and device, storage medium and computer equipment | |
| CN105279432B (en) | Software monitoring processing method and device | |
| CN111507594B (en) | Data processing method and device | |
| CN113377624A (en) | Information security alarm method and device and electronic equipment | |
| CN111294311B (en) | Traffic charging method and system for preventing traffic fraud | |
| CN112642162A (en) | User login management method and device, computer equipment and storage medium | |
| JP2011244098A (en) | Traffic analysis system and traffic analysis method | |
| CN112419655B (en) | Alarm information pushing method, device, equipment and medium | |
| CN111698684B (en) | Service security control method, device and storage medium | |
| CN112654004B (en) | Short message issuing method, device and system and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |