CN117010332A - Application abnormality detection method, device, equipment and readable storage medium - Google Patents

Publication number
CN117010332A
Authority
CN
China
Prior art keywords
node
target
description
word
interaction component
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210467802.8A
Other languages
Chinese (zh)
Inventor
刘宇豪
李莹
蔡哲
汪先河
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Tencent Technology Co Ltd
Original Assignee
Guangzhou Tencent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Tencent Technology Co Ltd
Priority to CN202210467802.8A
Publication of CN117010332A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/10 Text processing
    • G06F40/12 Use of codes for handling textual entities
    • G06F40/14 Tree-structured documents
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/33 Querying
    • G06F16/3331 Query processing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/35 Clustering; Classification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/10 Text processing
    • G06F40/194 Calculation of difference between files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/20 Natural language analysis
    • G06F40/237 Lexical tools
    • G06F40/242 Dictionaries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/20 Natural language analysis
    • G06F40/279 Recognition of textual entities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/30 Semantic analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/53 Decompilation; Disassembly

Abstract

The application discloses a method, a device and equipment for detecting application abnormality and a readable storage medium, and related embodiments can be applied to the fields of data security, application security, applet security, cloud security, privacy protection and the like. The method comprises the following steps: constructing a target node structure tree containing interaction components and extension description texts aiming at an application to be detected; performing word segmentation processing on the target description short text in the target node structure tree to obtain target description words; performing similarity matching on the target descriptive word and the word in the detection information dictionary, and determining the detection information type of the target descriptive word; and determining a detection result according to the event type of the event trigger attribute and the detection information type. By adopting the method and the device, the cost and time consumption for carrying out abnormality detection on the application to be detected can be reduced.

Description

Application abnormality detection method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for detecting an application abnormality.
Background
With the development of internet technology, third party platform-mounted applications (applets) are becoming an indispensable service mode in people's life.
As applets become part of people's daily lives, they involve more and more types of personal information of objects, over a wider and wider range, and the collection and use of some types of information can be abnormal and cause losses to the objects. An applet should therefore be subjected to abnormality detection before it is brought online. Few interfaces for acquiring object information can be called from within an applet, so most object information is collected through the applet's interactive interface. Existing applet abnormality detection methods can only judge whether an applet is abnormal manually, by dynamically triggering the applet and inspecting the information types of the object information collected by its interactive interface. This manual, dynamic detection is costly, time-consuming, and prone to missed or wrong judgments.
Disclosure of Invention
The embodiment of the application provides an application anomaly detection method, an application anomaly detection device, application anomaly detection equipment and a readable storage medium, which can reduce the cost and time consumption for anomaly detection of an application to be detected.
In one aspect, an embodiment of the present application provides an application anomaly detection method, including:
constructing a target node structure tree aiming at application to be detected; wherein the target node structure tree comprises one or more nodes; a node comprises an interaction component and an expansion description text corresponding to the interaction component;
performing word segmentation processing on the target description short text in the target node structure tree to obtain target description words; the target description short text refers to an extension description text contained in a node with an event triggering attribute in a target node structure tree;
performing similarity matching on the target descriptive word and the word in the detection information dictionary, and determining the detection information type of the target descriptive word;
and determining a detection result aiming at the application to be detected according to the event type of the event trigger attribute and the detection information type.
In one aspect, an embodiment of the present application provides an application anomaly detection apparatus, including:
the construction module is used for constructing a target node structure tree aiming at the application to be detected; wherein the target node structure tree comprises one or more nodes; a node comprises an interaction component and an expansion description text corresponding to the interaction component;
the word segmentation module is used for carrying out word segmentation processing on the target description short text in the target node structure tree to obtain target description words; the target description short text refers to an extension description text contained in a node with an event triggering attribute in a target node structure tree;
the matching module is used for matching the similarity between the target descriptive word and the word in the detection information dictionary and determining the detection information type of the target descriptive word;
and the result determining module is used for determining a detection result aiming at the application to be detected according to the event type of the event trigger attribute and the detection information type.
Wherein, the construction module includes:
the acquisition unit is used for acquiring a source code data packet corresponding to the application to be detected and acquiring an interactive component layout file from the source code data packet;
the analysis unit is used for performing tree analysis processing on the interactive component layout file to obtain an initial node structure tree; the initial node structure tree comprises one or more nodes; a node comprises an interaction component; the node structure relationship of the initial node structure tree is determined based on the structure relationship between the interactive components in the interactive component layout file;
the extraction unit is used for extracting text attribute values of each interaction component respectively to obtain a description text corresponding to each interaction component;
the expansion unit is used for carrying out expansion processing on the description text corresponding to each interaction component according to the node structure relation in the initial node structure tree to obtain an expansion description text corresponding to each interaction component;
and the adding unit is used for respectively adding the extension description text corresponding to each interaction component into the node to which each interaction component belongs to obtain a target node structure tree.
Wherein, the acquisition unit includes:
the first acquisition subunit is used for acquiring a source code data packet corresponding to the application to be detected;
the format detection subunit is used for carrying out format detection on the source code data packet to obtain a format detection result;
the second acquisition subunit is configured to decompile the source code data packet if the format detection result is a compressed compiling result, obtain a decompiled source code data packet, and find an interactive component layout file from the decompiled source code data packet;
and the second acquisition subunit is further configured to search the interactive component layout file from the source code data packet if the format detection result is not the compressed compiling result.
Wherein, the expansion unit includes:
the traversing extension subunit is used for traversing the initial node structure tree, and performing extension processing on the description text corresponding to each interaction component according to the traversed node relationship to obtain a transition description text corresponding to each interaction component;
a text determining subunit, configured to, if no non-explanatory description node exists in the initial node structure tree, use the transition description text corresponding to each interaction component as an extension description text corresponding to each interaction component; the non-explanatory description node refers to a node of which the associated transition description text does not belong to an explanatory type;
and the supplementary extension subunit is used for carrying out supplementary processing on the transition description text corresponding to the interaction component contained in the non-explanatory description node according to the father node relation of the non-explanatory description node if the non-explanatory description node exists in the initial node structure tree, so as to obtain the extension description text corresponding to each interaction component.
The traversing extension subunit is specifically configured to traverse the initial node structure tree, and acquire a kth node; k is a positive integer less than or equal to M, M being the number of one or more nodes; if the sub-node relation of the kth node indicates that the kth node does not have the sub-node, using the description text corresponding to the interaction component contained in the kth node as the transition description text corresponding to the interaction component contained in the kth node; if the sub-node relation of the kth node indicates that the kth node has the sub-node, taking the sub-node corresponding to the kth node as a target sub-node, adding the description text corresponding to the interaction component contained in the target sub-node into the description text corresponding to the interaction component contained in the kth node, and obtaining the transition description text corresponding to the interaction component contained in the kth node.
The supplementary extension subunit is specifically configured to obtain a parent node relationship of the non-explanatory description node if the non-explanatory description node exists in the initial node structure tree; if the father node relation of the non-explanatory description node indicates that the non-explanatory description node has a father node, supplementing the target explanatory description text into the transition description text corresponding to the interaction component contained in the non-explanatory description node; the target explanatory description text refers to a text belonging to an explanatory type in the transition description texts corresponding to the interaction components contained in the father node; the supplemented transition description text and the transition description text corresponding to the interaction component contained in the explanatory description node are used as extension description text; an explanatory description node refers to a node in the initial node structure tree other than the non-explanatory description node.
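The two-pass text extension described above (child description text added to each node, then non-explanatory nodes supplemented from their parent) can be sketched as follows; this is an added example, not code from the application. The WXML-like layout, the `bind`/`catch` event-attribute prefixes, the `placeholder` attribute and the word list used to decide whether a sentence is of the explanatory type are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample layout file (not taken from any real applet).
LAYOUT = """
<view>
  <text>Privacy policy: we collect your phone number</text>
  <button bindtap="onAgree">Agree</button>
  <button bindtap="onReject">Reject</button>
  <view>
    <text>ID card number</text>
    <input bindinput="onIdInput"/>
  </view>
</view>
"""

# Assumption: a sentence made only of a generic action word explains nothing
# about which information is involved, so it is not of the explanatory type.
GENERIC_ACTIONS = {"agree", "reject", "ok", "submit", "cancel", "confirm"}
# Assumption: event trigger attributes are those starting with these prefixes.
EVENT_PREFIXES = ("bind", "catch")


@dataclass
class Node:
    tag: str
    description: str                      # text attribute value of the component
    event_type: Optional[str]             # e.g. "tap", "input"; None if no event
    parent: Optional["Node"] = field(default=None, repr=False, compare=False)
    children: List["Node"] = field(default_factory=list)
    transition: List[str] = field(default_factory=list)
    extension: List[str] = field(default_factory=list)


def is_explanatory(sentence: str) -> bool:
    return bool(sentence) and sentence.lower() not in GENERIC_ACTIONS


def build_tree(el: ET.Element, parent: Optional[Node] = None) -> Node:
    """Initial node structure tree: one node per component, same nesting as the layout."""
    text = (el.text or "").strip() or el.get("placeholder", "").strip()
    event = next((k[len(p):].lstrip(":") for k in el.attrib
                  for p in EVENT_PREFIXES if k.startswith(p)), None)
    node = Node(el.tag, text, event, parent)
    node.children = [build_tree(child, node) for child in el]
    return node


def walk(node: Node):
    yield node
    for child in node.children:
        yield from walk(child)


def extend(root: Node) -> List[Node]:
    nodes = list(walk(root))
    # Pass 1: transition text = own description text plus that of each child node.
    for n in nodes:
        texts = [n.description] + [c.description for c in n.children]
        n.transition = [t for t in texts if t]
    # Pass 2: a node with no explanatory sentence borrows the explanatory
    # sentences found in its parent's transition text.
    for n in nodes:
        n.extension = list(n.transition)
        if n.parent is not None and not any(is_explanatory(s) for s in n.transition):
            n.extension += [s for s in n.parent.transition
                            if is_explanatory(s) and s not in n.extension]
    return nodes


def target_short_texts(layout: str):
    """Extension description text of every node that has an event trigger attribute."""
    root = build_tree(ET.fromstring(layout.strip()))
    return [(n.event_type, n.extension) for n in extend(root) if n.event_type]


if __name__ == "__main__":
    for event_type, sentences in target_short_texts(LAYOUT):
        print(event_type, sentences)
```

The "Agree" button on its own says nothing about what is being agreed to; after the second pass its short text also carries the privacy-policy sentence, and the unlabeled input field inherits "ID card number" from its container.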
Wherein the target description short text contains one or more target description short sentences;
a word segmentation module comprising:
the short sentence traversing unit is used for traversing the one or more target description short sentences to obtain a j-th target description short sentence; j is a positive integer; j is less than or equal to the number of the one or more target description short sentences;
the language type determining unit is used for determining the language type corresponding to the j-th target description short sentence as the target language type;
the dividing unit is used for calling the word segmentation tool corresponding to the target language type to segment the j-th target description short sentence, so as to obtain the short-sentence target description words corresponding to the j-th target description short sentence;
the word segmentation determining unit is used for taking the short-sentence target description words corresponding to each target description short sentence as the target description words.
Wherein, the result determination module includes:
the weight acquisition unit is used for acquiring the risk weight corresponding to the event type of the event triggering attribute;
the probability acquisition unit is used for acquiring risk probability corresponding to the detection information type;
the weighting unit is used for carrying out weighting treatment on the risk probability according to the risk weight to obtain weighted risk probability;
and the detection result generation unit is used for generating a detection result aiming at the application to be detected according to the weighted risk probability.
Wherein, the matching module includes:
the target determining unit is used for taking the language type of the target description word as a target language type;
the target determining unit is also used for searching the detection information dictionary for the words whose language type is the target language type, as target search words;
the target matching unit is used for acquiring, from the target search words, the word with the highest similarity to the target description word as a target matching word;
and the information type determining unit is used for acquiring the information type corresponding to the target matching word from the detection information dictionary and taking the information type as the detection information type of the target descriptive word.
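The word segmentation, dictionary matching and risk weighting units described above can be put together as in the following added example, which is not code from the application. The dictionary entries, risk probabilities and risk weights are constructed values; using `difflib.SequenceMatcher` as the similarity measure, a minimum-similarity cutoff, multiplication as the weighting step, and a greedy longest-match segmenter standing in for a real Chinese word segmentation tool are all assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed detection information dictionary: (language type, word) -> information type.
DETECTION_DICT = {
    ("en", "phone"): "contact", ("en", "mobile"): "contact",
    ("en", "address"): "location", ("en", "passport"): "identity",
    ("zh", "手机号"): "contact", ("zh", "身份证"): "identity",
}
RISK_PROBABILITY = {"contact": 0.6, "location": 0.4, "identity": 0.9}  # per information type
RISK_WEIGHT = {"input": 1.0, "tap": 0.5}                               # per event type
# Assumption: the page only takes the highest-similarity word; the cutoff is
# added so that unrelated words ("agree", "next") map to no information type.
MIN_SIMILARITY = 0.8

# Constructed target description short texts: (event type, short sentences).
TARGETS = [
    ("tap", ["Agree", "Privacy policy: we collect your phone number"]),
    ("input", ["Shipping adress"]),       # misspelling is deliberate
    ("input", ["请输入身份证"]),
    ("tap", ["Next page"]),
]


def language_type(sentence):
    return "zh" if re.search(r"[\u4e00-\u9fff]", sentence) else "en"


def segment_en(sentence):
    return re.findall(r"[a-z]+", sentence.lower())


def segment_zh(sentence):
    # Greedy longest match against the dictionary's Chinese words; any
    # character that starts no dictionary word becomes a one-character word.
    vocab = sorted((w for lang, w in DETECTION_DICT if lang == "zh"), key=len, reverse=True)
    words, i = [], 0
    while i < len(sentence):
        hit = next((w for w in vocab if sentence.startswith(w, i)), sentence[i])
        words.append(hit)
        i += len(hit)
    return words


SEGMENTERS = {"en": segment_en, "zh": segment_zh}


def segment(short_text):
    """(language type, word) pairs, using the segmenter chosen per short sentence."""
    pairs = []
    for sentence in short_text:
        lang = language_type(sentence)
        pairs += [(lang, w) for w in SEGMENTERS[lang](sentence)]
    return pairs


def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()


def detection_info_type(lang, word):
    """Information type of the most similar same-language dictionary word, or None."""
    candidates = [(w, t) for (l, w), t in DETECTION_DICT.items() if l == lang]
    best_word, best_type = max(candidates, key=lambda c: similarity(word, c[0]))
    return best_type if similarity(word, best_word) >= MIN_SIMILARITY else None


def detect(targets):
    """Findings (event type, information type, weighted risk), highest risk first."""
    findings = []
    for event_type, short_text in targets:
        types = {detection_info_type(l, w) for l, w in segment(short_text)} - {None}
        for info_type in sorted(types):
            weighted = RISK_WEIGHT.get(event_type, 1.0) * RISK_PROBABILITY[info_type]
            findings.append((event_type, info_type, round(weighted, 3)))
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for finding in detect(TARGETS):
        print(finding)
```

The same information type scores differently depending on the event: a field the user types an identifier into is weighted above a button that merely sits next to a privacy notice.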
Wherein, the application anomaly detection device further comprises:
the sample construction module is used for acquiring at least two sample applications and respectively constructing a sample node structure tree of each sample application; wherein one sample node structure tree comprises one or more sample nodes; the sample node comprises a sample interaction component and a sample extension description text corresponding to the sample interaction component;
the sample word segmentation module is used for carrying out word segmentation extraction processing on sample expansion description texts contained in at least two sample node structure trees to obtain sample word segmentation;
the clustering module is used for carrying out clustering treatment on the sample word segmentation to obtain a sample word segmentation cluster;
the labeling module is used for labeling the sample word segmentation cluster and determining the information type corresponding to the sample word segmentation cluster;
and the dictionary adding module is used for respectively adding each sample word and the information type corresponding to the sample word cluster to which each sample word belongs into the initial dictionary to obtain a detection information dictionary.
Wherein, sample segmentation module includes:
the word segmentation unit is used for carrying out word segmentation on the sample expansion description text contained in the at least two sample node structure trees to obtain one or more word segments;
the word segmentation filtering unit is used for filtering invalid word segmentation in one or more word segmentation to obtain valid word segmentation;
the word segmentation and duplication removal unit is used for carrying out duplication removal treatment on the effective word segmentation to obtain a sample word segmentation.
In one aspect, an embodiment of the present application provides a computer device, including: a processor, a memory, a network interface;
the processor is connected to the memory and the network interface, where the network interface is used to provide a data communication network element, the memory is used to store a computer program, and the processor is used to call the computer program to execute the method in the embodiment of the present application.
In one aspect, embodiments of the present application provide a computer readable storage medium having a computer program stored therein, the computer program being adapted to be loaded by a processor and to perform a method according to embodiments of the present application.
In one aspect, embodiments of the present application provide a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium, the computer instructions being read from the computer-readable storage medium by a processor of a computer device, the computer instructions being executed by the processor, causing the computer device to perform a method according to an embodiment of the present application.
In the embodiment of the application, a target node structure tree of the application to be detected is first constructed, in which each node comprises an interaction component and the extension description text corresponding to that interaction component. Word segmentation processing is then performed on the target description short text in the target node structure tree to obtain target description words, and similarity matching is performed between the target description words and the words in the detection information dictionary to determine the detection information type of the target description words. Finally, a detection result for the application to be detected is determined according to the event type of the event trigger attribute and the detection information type. The target description short text refers to the extension description text contained in a node with an event triggering attribute in the target node structure tree. With the method provided by the embodiment of the application, the target description short text of the application to be detected can be obtained by constructing the target node structure tree, and semantic analysis of the target description short text based on the detection information dictionary then yields the detection result for the application to be detected, from which it can be determined whether the applet is abnormal. The detection process requires no manual participation, which reduces the cost and time consumption of abnormality detection for the application to be detected and reduces the probability of missed and false judgments.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present application;
Fig. 2 is a schematic diagram of an application scenario of an application anomaly detection method according to an embodiment of the present application;
Fig. 3 is a schematic flow chart of an abnormality detection method according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of a method for constructing a target node structure tree according to an embodiment of the present application;
Fig. 5 is a schematic flow chart of an interactive component layout file acquisition according to an embodiment of the present application;
Fig. 6 is a flowchart of a method for generating a detection information dictionary according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an abnormality detection apparatus according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Artificial Intelligence (AI) is the theory, method, technique and application system that uses a digital computer or a machine controlled by a digital computer to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use the knowledge to obtain optimal results. In other words, artificial intelligence is an integrated technology of computer science that attempts to understand the essence of intelligence and to produce a new intelligent machine that can react in a similar way to human intelligence. Artificial intelligence, i.e. research on the design principles and implementation methods of various intelligent machines, enables the machines to have the functions of sensing, reasoning and decision-making.
Cloud Security is a generic term for security software, hardware, users, institutions and secure cloud platforms based on cloud computing business model applications. Cloud security fuses emerging technologies and concepts such as parallel processing, grid computing and unknown virus behavior judgment, acquires the latest information on Trojan horses and malicious programs in the Internet through abnormality monitoring of software behaviors by a large number of network clients, sends that information to a server for automatic analysis and processing, and distributes solutions for the viruses and Trojan horses to each client.
Applet security (Mobile Mini Programs Security, MMPS) provides users with a one-stop security solution for the full lifecycle of applets, mainly including applet privacy compliance, security diagnostics, reinforcement, and applet security scanning functions, and provides public cloud and privatization services. Applet security is currently widely applied in industries such as new retail, finance, Internet and government affairs, is stable and effective, and makes applet development and construction by enterprises or individuals safer and more convenient to operate.
Artificial intelligence technology is a comprehensive subject that covers a wide range of fields, including both hardware-level and software-level technologies. Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. Artificial intelligence software technologies mainly include computer vision, speech processing, natural language processing, machine learning/deep learning and other directions.
Natural Language Processing (NLP) is an important direction in the fields of computer science and artificial intelligence. It studies the theories and methods that enable effective communication between a person and a computer in natural language. Natural language processing is a science that integrates linguistics, computer science, and mathematics. Research in this field therefore involves natural language, i.e. the language that people use daily, so it is closely related to research in linguistics. Natural language processing techniques typically include text processing, semantic understanding, machine translation, robotic questions and answers, knowledge graph techniques, and the like.
Machine Learning (ML) is a multi-domain interdisciplinary subject, involving multiple disciplines such as probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory, etc. It specifically studies how a computer simulates or implements human learning behavior to acquire new knowledge or skills, and reorganizes existing knowledge structures to continuously improve its own performance. Machine learning is the core of artificial intelligence and the fundamental approach to giving computers intelligence, and it is applied throughout the various areas of artificial intelligence. Machine learning and deep learning typically include techniques such as artificial neural networks, confidence networks, reinforcement learning, transfer learning, induction learning, teaching learning, and the like.
Deep Learning (DL) learns the inherent rules and representation hierarchy of sample data, and the information obtained in these learning processes greatly helps the interpretation of data such as text, images and sounds. Its final goal is to give the machine analytical learning capabilities like a person, so that it can recognize text, image, and sound data. Deep learning is a complex machine learning algorithm that achieves far greater results in terms of speech and image recognition than prior art.
Referring to fig. 1, fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present application. As shown in fig. 1, the network architecture may include a service server 100 and a terminal device cluster, where the terminal device cluster may include a terminal device 10a, a terminal device 10b, a terminal device 10c …, and a terminal device 10n, where any terminal device in the terminal device cluster may have a communication connection with the service server 100, for example, a communication connection exists between the terminal device 10a and the service server 100, a communication connection exists between the terminal device 10b and the service server 100, and a communication connection exists between the terminal device 10c and the service server 100, where the communication connection does not limit a connection manner, may be directly or indirectly connected through a wired communication manner, may also be directly or indirectly connected through a wireless communication manner, or may also be further connected through other manners, and the application is not limited herein.
It should be understood that each terminal device in the terminal cluster shown in fig. 1 may be provided with an application client, and when the application client runs in each terminal device, data interaction may be performed between the application client and the service server 100 shown in fig. 1, so that the service server 100 may receive service data from each terminal device. The application client may be an application client having a function of displaying data information such as text and image, such as a software management application, an instant messaging application, a payment application, and a browser. The application client may be an independent client, or may be an embedded sub-client integrated in a certain client (e.g., an instant messaging client, a social client, a video client, etc.), which is not limited herein.
As shown in fig. 1, each terminal device in the terminal device cluster may obtain an application to be detected by running the application client, and send the application to be detected as service data to the service server 100, and the service server 100 may perform anomaly detection on the application to be detected to obtain a detection result of the application to be detected. The Application to be detected may include software applications such as third party platform-mounted applications (applets) and mobile Applications (APP). The APP mainly refers to software installed on the terminal equipment, and a corresponding system is required to operate and is used for improving the defects and individuation of an original system; an applet refers to an application that can be used without downloading an installation, but is typically attached to an app through which the applet can be entered by scanning or searching. When the application to be detected acquires and uses the object information, a certain abnormal condition may exist, for example, the mobile phone number of the object is acquired and uploaded to the cloud end, and then the privacy security of the object may be revealed, that is, the application to be detected has a privacy security hidden trouble. However, because the ways of obtaining the object information by the application to be detected are various, the related object information is various, and the object can not necessarily detect the abnormal condition of the application to be detected, so that the abnormal condition of the application to be detected can be detected first before the application to be detected is used, a detection result is obtained, and the abnormal condition of the application to be detected is determined according to the detection result.
In a possible embodiment, taking the application to be detected as an applet as an example, the applet can be used without being downloaded and installed; it only needs to be authorized by an app to be accessed through that app, so that a user of the app can enter the page of the applet directly by scanning a code or searching and then perform the corresponding operations. Because the types and the number of applets keep increasing and different applets may acquire object information of different information types, the application platform side corresponding to the app generally needs to perform anomaly detection on an applet before authorizing it, so as to prevent the object from leaking important or private object information through use of the applet. A detection person on the application platform side can run the application client on the terminal device and then acquire the applet through the application client. After acquiring the applet, the terminal device can send it to the service server 100 as service data, and the service server 100 can perform anomaly detection on the applet and determine its detection result. The detection result can inform the object of the weighted risk probability of the information type of the object information that the applet needs to acquire, so that the detection person can determine the risk of the applet. The weighted risk probability is determined based on the risk probability of the information type corresponding to the object information and the risk weight of the event type corresponding to the object information, where the event type refers to the type of the event method executed by the applet for the object information.
After the service server 100 obtains the applet, it may perform anomaly detection on the application to be detected to determine a detection result of the application to be detected. The specific implementation process is shown in fig. 2, which is a schematic application scenario diagram of an application anomaly detection method provided by an embodiment of the present application. For ease of understanding, the application to be detected is again described as an applet, as in the above embodiment. As shown in fig. 2, the terminal device 200 (which may be any of the terminal devices in fig. 1 described above, for example, the terminal device 10a) has a software management application 300 integrated and installed on it, and the object a has an association relationship with the terminal device 200. Assume that object a is an inspector responsible for detecting whether an applet accessing the target app, e.g., applet 301, meets security regulations. Interactive components capable of acquiring object information appear in the interactive interface of the applet 301. As shown in fig. 2, the interactive interface 302 of the applet 301 includes the interactive component 303, the interactive component 304 and the interactive component 305. The interactive component 303 is a purely illustrative interactive component and is only used for displaying the description text "privacy policy presentation". The interactive component 304 and the interactive component 305 carry event triggering attributes in addition to their description text; that is, the object a can trigger the interactive component 304 to indicate approval of the privacy policy presentation, and can trigger the interactive component 305 to indicate rejection of the privacy policy presentation.
When object a triggers either interaction component 304 or interaction component 305, applet 301 can obtain the selection information for object a regarding the presentation of the privacy policy. When the applet 301 includes one or more interactive interfaces, each interactive interface may have an interactive component with an event triggering attribute, and when an object triggers an interactive component with an event triggering attribute, the applet may acquire object information and execute event methods associated with the interactive component, where some anomalies may exist in the event methods, such as uploading object information that is more private to the cloud, so as to cause leakage of the object information. If the object a manually detects the abnormality of the applet 301, it is necessary to manually click on each interactive interface to determine whether the applet 301 is abnormal, which inevitably requires a long time, so that the object a may upload the applet 301 to the software management application 300, then initiate an abnormality detection request for the applet 301 to the service server 400 (e.g., the service server 100 shown in fig. 1) through the terminal device 200 running the software management application 300, and then the service server 400 may perform abnormality detection on the applet 301 to determine the detection result of the applet 301, i.e., determine the weighted risk probability of the information type of the object information acquired by the applet 301, so that the object a may determine the risk of the applet 301.
As shown in fig. 2, the terminal device 200 sends the applet 301 to the service server 400. It should be noted that either the applet 301 itself or a source code packet of the applet 301 may be sent to the service server 400 so that the service server 400 can perform anomaly detection on the applet 301. The service server 400 will first build a target node structure tree 401 for the applet 301. The target node structure tree 401 corresponds to the interactive interface of the applet 301 and is built based on the interactive components in the interactive interface. Assuming that the interactive interface of the applet 301 only includes the interactive interface 301, the target node structure tree 401 may include a node 4011, a node 4012 and a node 4013, where the node 4011 includes the interactive component 303 and an extended description text A corresponding to the interactive component 303, the node 4012 includes the interactive component 304 and an extended description text B corresponding to the interactive component 304, and the node 4013 includes the interactive component 305 and an extended description text C corresponding to the interactive component 305. The extended description text contained in the target node structure tree 401 is determined based on the interaction component each node contains and the node structure relationships in the target node structure tree 401. The node structure relationship of the target node structure tree 401 is determined based on the structure relationship of the interaction components in the interaction interface 302. As can be seen from fig. 2, the interaction component 303 includes the interaction component 304 and the interaction component 305, so the node 4011 is a parent node of the node 4012 and the node 4013. Briefly, the service server 400 may determine the description text corresponding to each interaction component, i.e. the text attribute value corresponding to the interaction component; for example, the description text of the interaction component 304 is "agreed". The service server 400 may then expand the description text of the interaction component based on its adjacent interaction components (that is, the interaction components contained in nodes that have a parent-child relationship with the node of the interaction component), so as to obtain an extended description text, for example by supplementing the description text of the adjacent interaction components into the description text of the interaction component. The expansion of the description text mainly serves to supplement context semantics, thereby improving the accuracy of subsequent detection.
As shown in fig. 2, after obtaining the target node structure tree 401, the service server 400 may obtain the extended description text contained in the node with the event trigger attribute from the target node structure tree to form a target description short text 402. As can be seen from the above, the node 4012 including the interaction component 304 and the node 4013 including the interaction component 305 have event trigger properties, and thus the target description short text 402 is composed of the extended description text B and the extended description text C. Then, the service server 400 performs word segmentation on the short target description text 402, and supposing that the target description word 4031, the target description word 4032 and the target description word 4033 are obtained, and then, the service server 400 may perform similarity matching on each target description word and the word in the detection information dictionary 404 to obtain a detection information type 4051 corresponding to the target description word 4031, a detection information type 4052 corresponding to the target description word 4032 and a detection information type 4053 corresponding to the target description word 4033. The detection information dictionary 404 includes a plurality of words and information types corresponding to the words, and the service server 400 obtains the word with the highest similarity to the target descriptive word in the detection information dictionary 404, so that the information type of the word can be determined as the detection information type corresponding to the target descriptive word. Then, the service server 400 can determine the weighted risk probability corresponding to each target detection word according to the event type of the event trigger attribute corresponding to the target detection word and the detection information type corresponding to the target detection word, and further obtain the detection result for the applet 301. 
It can be appreciated that the event trigger attribute has different event types, for example, an upload information type, an acquisition information type, and the like. The upload information type represents that the object information needs to be uploaded to the cloud or other servers, and the acquisition information type represents that the object information is acquired. The possibility of information leakage is higher in the uploading process than in acquisition; therefore, the same detection information type has different risk degrees when corresponding to different event types.
Alternatively, if the detection information dictionary is stored in the terminal device, the abnormality detection may be performed in the terminal device. Since the generation of the detection information dictionary involves a large number of offline calculations, the detection information dictionary local to the terminal device may be generated by the service server 400 and then sent to the terminal device for storage.
It will be appreciated that the method provided in the embodiment of the present application may be performed by a computer device, which includes but is not limited to a terminal device or a server. The service server 100 in the embodiment of the present application may be a computer device, and the terminal devices in the terminal device cluster may also be computer devices, which is not limited herein. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud security, data security, application security, privacy security protection, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, and basic cloud computing services such as big data and artificial intelligence platforms. The terminal device includes, but is not limited to, a mobile phone, a computer, an intelligent voice interaction device, an intelligent home appliance, a vehicle-mounted terminal, and the like. The embodiments of the present application may be applied to a variety of scenarios including, but not limited to, cloud technology, cloud security, application security, data security, applet security, blockchain, artificial intelligence, intelligent transportation, assisted driving, and the like.
It will be appreciated that, in the specific embodiments of the present application, related data such as the application to be detected is involved. When the above embodiments of the present application are applied to specific products or technologies, user permission or consent must be obtained, and the collection, use and processing of the related data must comply with the relevant laws, regulations and standards of the relevant countries and regions.
Further, referring to fig. 3, fig. 3 is a flowchart illustrating an application anomaly detection method according to an embodiment of the present application. The application anomaly detection method may be executed by a computer device, where the computer device may be the service server 100 shown in fig. 1, or any one of the terminal devices in the terminal device cluster shown in fig. 1, for example, the terminal device 10c. The following description takes execution of the application anomaly detection method by a computer device as an example. The application anomaly detection method at least comprises the following steps S101-S104:
Step S101, constructing a target node structure tree for the application to be detected.
Specifically, the target node structure tree comprises one or more nodes, and one node comprises an interaction component and an expansion description text corresponding to the interaction component. The expansion description text in the target node structure tree is determined by the interaction components contained in each node and the node structure relations in the target node structure tree.
Specifically, the application to be detected may include an applet, a mobile application program, and the like, and the application to be detected may include one or more interactive interfaces during the running process, where the interactive interfaces may be formed by one or more interactive components, such as the interactive interface 301 shown in fig. 2 and described above. The interactive components are the basic constituent units of the interactive interface, and one interactive component can present a partial view in the terminal device, so that one or more interactive components can form one interactive interface. Common interaction components include a view container component, a base content component, a form component, a navigation component, a media component, a map component, and a canvas component. Each interactive component has attributes, and the presentation style of the interactive component can be changed by setting the attribute values corresponding to the attributes of the interactive component. Different types of interaction components may have some common attributes, such as component text attributes, component class name attributes, component style attributes, component color attributes, and so forth. The text attribute value corresponding to the component text attribute of the interactive component is generally displayed in the interactive interface, and the object can learn the function and effect of the interactive component from the displayed text attribute value, so the text attribute value of the interactive component can be called the description text of the interactive component. For example, if the description text of button component A is "agree to upload the phone number", the object knows that after clicking button component A, the object's own phone number will be uploaded to the cloud.
Therefore, the application to be detected can acquire object information through the interaction components of the interaction interface during the running process, and the application to be detected may exhibit sensitive behaviors in the process of acquiring the object information. A sensitive behavior of the application to be detected refers to a behavior of the application to be detected that involves collecting sensitive data such as personal information and geographical position information of an object. When the application to be detected has sensitive behaviors, the object faces hidden privacy-security risks when using the application to be detected. In order to determine whether the application to be detected meets the security regulations, anomaly detection may be performed on the application to be detected.
Specifically, the computer equipment can construct a target node structure tree corresponding to the application to be detected through a reverse analysis method, so that an extended description text corresponding to the interactive component of the applet is obtained, and further, the abnormality detection is carried out on the application to be detected. The reverse analysis refers to obtaining application assembly codes through decompilation and other means to analyze code flow. When the target node structure tree is constructed, the computer device may first acquire a source code data packet corresponding to the application to be detected, then reversely analyze the source code data packet to determine an interaction interface included in the application to be detected, and a structural relationship between interaction components included in the interaction interface, and then generate an initial node structure tree, where one node in the initial node structure tree corresponds to one interaction component, and the node structure relationship between the nodes depends on the structural relationship between the interaction components, for example, the interaction component a includes an interaction component B and an interaction component C, and then the node a corresponding to the interaction component a is a parent node of the node B corresponding to the interaction component B and the node C corresponding to the interaction component C, and the node B and the node C are parallel. 
It should be noted that, when the application to be detected includes multiple interaction interfaces, the computer device may generate multiple initial node structure trees, that is, one interaction interface corresponds to one initial node structure tree, or may generate a target empty node as a root node of the initial node structure tree, and then use root nodes of the node structure tree corresponding to the multiple interaction interfaces as child nodes of the target empty node, so as to obtain an initial node structure tree. For ease of understanding, the following description will take as an example the computer device generating an initial node structure tree for the application to be detected. After the computer equipment obtains the initial node structure tree, the description text corresponding to each interaction component can be obtained through reverse analysis, then the description text corresponding to each interaction component is subjected to expansion processing according to the node structure relation in the initial node structure tree, so that the expansion description text corresponding to each interaction component is obtained, and then the expansion description text corresponding to each interaction component is written into the node containing the interaction component, so that the target node structure tree is obtained. It will be appreciated that the node structure relationship of the initial node structure tree is the same as the node structure relationship of the target node structure tree.
Specifically, the description text corresponding to the interaction component is expanded according to the node structure relation, namely, the description text corresponding to the interaction component contained in the node is supplemented according to the description text corresponding to the interaction component contained in the adjacent node of the node, so that the context semantics of the description text is richer, and the subsequent detection is facilitated.
Step S102, word segmentation processing is carried out on the target description short text in the target node structure tree, and target description word segmentation is obtained.
Specifically, the target description short text refers to the extended description text contained in the nodes with an event trigger attribute in the target node structure tree. An interaction component may have an event trigger attribute, in which case the node containing the interaction component is considered to have the event trigger attribute. When the interaction component has an event trigger attribute, the computer device can respond to an object behavior directed at the interaction component (a behavior that must be triggered by the object, such as clicking or sliding), and the application to be detected may execute the method associated with the interaction component. It can be understood that the application to be detected may acquire object information only when the object triggers an interaction component with the event trigger attribute, so the extended description text corresponding to an interaction component with the event trigger attribute can well describe the information type of the object information to be acquired by the application to be detected. Thus, the computer device may obtain, from the target node structure tree, the extended description text contained in all the nodes having the event trigger attribute, and take it as the target description short text.
Specifically, if the target description short text includes one or more target description phrases, one feasible implementation process of performing word segmentation on the target description short text in the target node structure tree to obtain the target description words is as follows: traversing the one or more target description phrases to obtain a j-th target description phrase, where j is a positive integer less than or equal to the number of the one or more target description phrases; determining the language type corresponding to the j-th target description phrase as the target language type; calling a word segmentation tool corresponding to the target language type to segment the target description phrase to obtain the phrase target description words corresponding to the j-th target description phrase; and taking the phrase target description words corresponding to each target description phrase as the target description words. The language types may include Chinese, English, etc. Different word segmentation tools can be adopted for target description phrases of different language types. For example, if the language type of the target description phrase is Chinese, a Chinese word segmentation tool can be used for word segmentation; if the language type of the target description phrase is English, camel-case word segmentation can be used. Of course, other word segmentation methods may be used to segment the target description phrase, and the application is not limited herein.
Step S103, similarity matching is carried out on the target descriptive word and the word in the detection information dictionary, and the detection information type of the target descriptive word is determined.
Specifically, one feasible implementation process of performing similarity matching on the target description word and the words in the detection information dictionary to determine the detection information type of the target description word is as follows: taking the language type of the target description word as the target language type; taking the words in the detection information dictionary whose language type is the target language type as target search words; obtaining, from the target search words, the word with the highest similarity to the target description word as a target matching word; and acquiring the information type corresponding to the target matching word from the detection information dictionary as the detection information type of the target description word. The similarity matching can be realized by fuzzy matching. For ease of understanding, assume that the target description word is "telephone" and that its language type is Chinese. The computer device may then use the words in the detection information dictionary whose language type is also Chinese as the target search words. Assuming that the target search words are "telephone number", "name" and "date of birth", the computer device may perform fuzzy matching between the target description word and the target search words to obtain the word having the highest similarity with "telephone", i.e. "telephone number", as the target matching word. Assuming that the information type of "telephone number" in the detection information dictionary is "basic material", the detection information type of the target description word "telephone" is "basic material".
Step S104, determining a detection result aiming at the application to be detected according to the event type of the event trigger attribute and the detection information type.
Specifically, there are many event types corresponding to the event trigger attribute, for example, an acquired information type, an uploaded information type, and the like. The uploaded information type represents that object information needs to be uploaded to a cloud or other servers, and the acquired information type represents that object information is acquired. The possibility of information leakage is higher in the uploading process than in acquisition; that is, the risk degrees corresponding to different event types are different, so different risk weights can be set for different event types according to their risk degrees. Similarly, the information types can include basic materials, educational work information, property information and the like, and the risk degree of leakage of object information of different information types is also different, so different risk probabilities can be set for different information types. Therefore, one possible implementation process of determining the detection result for the application to be detected according to the event type of the event trigger attribute and the detection information type is as follows: acquiring the risk weight corresponding to the event type of the event trigger attribute; acquiring the risk probability corresponding to the detection information type; weighting the risk probability according to the risk weight to obtain the weighted risk probability; and generating a detection result for the application to be detected according to the weighted risk probability. The detection result is actually an analysis result of the information types of the object information collected by the application to be detected: the larger the weighted risk probability, the more serious the abnormal problem of the application to be detected.
By adopting the method provided by the embodiment of the application, a target node structure tree of the application to be detected is firstly constructed, each node in the target node structure tree respectively comprises an interaction component and an expansion description text corresponding to the interaction component, wherein the expansion description text in the target node structure tree is determined based on the interaction component respectively contained by each node and the node structure relation in the target node structure tree; then, word segmentation processing can be carried out on the target description short text in the target node structure tree to obtain target description word segmentation, similarity matching is carried out on the target description word segmentation and the word segmentation in the detection information dictionary, and the detection information type of the target description word segmentation is determined; and finally, determining a detection result aiming at the application to be detected according to the event type of the event trigger attribute and the detection information type. The target description short text refers to an extension description text contained in a node with an event triggering attribute in the target node structure tree. 
By adopting the method provided by the embodiment of the application, for the application to be detected, the target description short text can be obtained by constructing the target node structure tree, and then the semantic analysis is carried out on the target description short text based on the detection information dictionary, so that the detection result for the application to be detected can be obtained, whether the applet is abnormal or not can be determined according to the detection result, the detection process for the application to be detected does not need to be manually participated, the cost and time consumption of abnormal detection of the application to be detected can be reduced, and the probability of missed judgment and false judgment can be reduced.
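The flow of steps S101 to S104, as an added example that is not code from the patent: it parses a constructed layout into a node tree, extends each event-triggering component's description text with the text of its parent and children, segments it, fuzzy-matches the words against a small dictionary and weights the risk. The tag and attribute names, the handler-name rule that decides the event type, the similarity cutoff and all numeric weights are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from difflib import SequenceMatcher

# Constructed layout file. Tag names, the `text` attribute and the `bind*`
# event attributes are assumptions made for this example.
LAYOUT = """
<page>
  <view text="Privacy policy presentation">
    <button text="Agree" bindtap="onAgree"/>
    <button text="Reject" bindtap="onReject"/>
  </view>
  <view text="Bind your telephone">
    <button text="Upload" bindtap="uploadInfo"/>
  </view>
  <view text="Wallet">
    <input text="bankCard" bindinput="readInfo"/>
  </view>
</page>
"""

# Constructed detection information dictionary: word -> information type.
INFO_DICT = {
    "telephone number": "basic material",
    "name": "basic material",
    "date of birth": "basic material",
    "bank card": "property information",
}
# Assumed values; the text only says they differ per type.
RISK_PROBABILITY = {"basic material": 0.6, "property information": 0.9}
RISK_WEIGHT = {"upload": 1.0, "acquire": 0.5}
MIN_SIMILARITY = 0.6  # assumed cutoff so unrelated words match nothing


def extended_texts(root):
    """S101: (own text, handler, extended text) per event-triggering node."""
    parent = {child: p for p in root.iter() for child in p}
    out = []
    for node in root.iter():
        handlers = [v for k, v in node.attrib.items() if k.startswith("bind")]
        if not handlers:
            continue  # purely illustrative component, no event trigger
        # Adjacent nodes are the parent and the direct children.
        neighbours = ([parent[node]] if node in parent else []) + list(node)
        parts = [node.get("text", "")] + [n.get("text", "") for n in neighbours]
        out.append((node.get("text", ""), handlers[0],
                    " ".join(p for p in parts if p)))
    return out


def segment(text):
    """S102: English segmentation on non-letters and camel-case boundaries."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", text)
    return [w.lower() for w in re.findall(r"[A-Za-z]+", spaced)]


def match_type(word):
    """S103: fuzzy-match a word; return (dictionary word, type) or None."""
    def score(entry):
        return SequenceMatcher(None, word, entry).ratio()
    best = max(INFO_DICT, key=score)
    if score(best) < MIN_SIMILARITY:
        return None
    return best, INFO_DICT[best]


def event_type(handler):
    """Assumed rule: handlers named upload* send data off the device."""
    return "upload" if handler.lower().startswith("upload") else "acquire"


def detect(layout_xml):
    """S104: weighted risk probability per event-triggering component."""
    results = []
    for label, handler, text in extended_texts(ET.fromstring(layout_xml)):
        etype = event_type(handler)
        hits = {m for m in map(match_type, segment(text)) if m}
        risk = max((RISK_WEIGHT[etype] * RISK_PROBABILITY[t] for _, t in hits),
                   default=0.0)
        results.append({"component": label, "event_type": etype,
                        "matched": sorted(w for w, _ in hits),
                        "weighted_risk": risk})
    return results


if __name__ == "__main__":
    for row in detect(LAYOUT):
        print(row)
```

The "Upload" button is flagged only because its parent's text was folded into its extended description; the "Agree" and "Reject" buttons score 0.0 because no word in their extended text clears the assumed cutoff.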
Further, referring to fig. 4, fig. 4 is a flow chart of a method for constructing a target node structure tree according to an embodiment of the present application. The construction method is a feasible implementation method of step S101 in the embodiment corresponding to fig. 3, and may be executed by a computer device, where the computer device may be the service server 100 shown in fig. 1 or any one of the terminal devices in the terminal device cluster shown in fig. 1, for example, the terminal device 10c. The following will explain an example of the present construction method executed by a computer device. The construction method at least comprises the following steps S201 to S205:
Step S201, a source code data packet corresponding to the application to be detected is obtained, and an interactive component layout file is obtained from the source code data packet.
Specifically, referring to fig. 5, fig. 5 is a schematic flow chart of obtaining an interactive component layout file according to an embodiment of the present application. As shown in fig. 5, a possible implementation process of obtaining a source code data packet corresponding to an application to be detected and obtaining an interactive component layout file from the source code data packet includes the following steps:
Step S2011, acquiring a source code data packet corresponding to the application to be detected.
Step S2012, the source code data packet is subjected to format detection to obtain a format detection result.
Specifically, if the source code data packet is a compressed and compiled code packet, the computer device cannot directly search the files contained therein, so that the computer device needs to perform format detection on the source code data packet first, that is, determine whether the source code data packet is compressed and compiled.
Step S2013, if the format detection result is a compression compiling result, decompiling the source code data packet to obtain a decompiled source code data packet, and searching the interactive component layout file from the decompiled source code data packet.
Specifically, if the format detection result is a compression compiling result, the source code data packet is a compressed and compiled code packet, so the computer device needs to perform decompilation processing on the source code data packet first to obtain a decompiled source code data packet, and can then search normally for the files contained in the decompiled source code data packet. The decompilation process may use a tool appunplacker (applet decompilation tool), or may use decompression software; the specific implementation may be determined by the type of the application to be detected. In addition, if the source code data packet is not only compressed and compiled but also obfuscated, the corresponding anti-obfuscation tool may be used for restoration during decompilation.
In step S2014, if the format detection result is not the compression compiling result, the interactive component layout file is searched from the source code data packet.
Step S202, tree analysis processing is carried out on the interactive component layout file, and an initial node structure tree is obtained.
Specifically, the initial node structure tree comprises one or more nodes, one node comprises an interactive component, and the node structure relationship of the initial node structure tree is determined based on the structure relationship among the interactive components in the interactive component layout file.
Specifically, the interactive component layout file contains all interactive components corresponding to the application to be detected and the structural relationships among them. If the file is in XML (Extensible Markup Language) format, a markup language used to give electronic documents structure, the interactive component layout file represents the structural relationships among the interactive components well. The computer device may parse the interactive component layout file into a tree structure using an XML parsing tool, thereby obtaining the initial node structure tree, in which each interactive component is mapped to a node; because there are parent-child relationships between the interactive components and the layout frame, there are parent-child relationships between the nodes.
Step S203, text attribute values of each interaction component are extracted respectively to obtain a description text corresponding to each interaction component.
Specifically, as known from the above step S101, each interaction component may correspond to an attribute value of a plurality of attributes, and the computer device may extract a text attribute value of each interaction component, and filter out an attribute value unrelated to the text attribute of the component during the extraction process, so as to obtain a description text corresponding to each interaction component. Wherein the irrelevant attribute values include, but are not limited to, corresponding attribute values for component class names, component styles, component colors, component binding data variables, and the like.
Step S204, performing expansion processing on the description text corresponding to each interaction component according to the node structure relation in the initial node structure tree to obtain an expansion description text corresponding to each interaction component.
Specifically, the interaction component and its corresponding descriptive text may form a tuple similar to < n, s >, where n represents the interaction component or the node to which the interaction component corresponds and s represents its corresponding descriptive text. The computer equipment can expand the binary group according to the father-son node relation in the node structure relation to obtain an expanded binary group < n, q >, wherein q is an expansion description text corresponding to n.
Specifically, assuming that n is a node, s can be extended according to the relationship between n and its parent and child nodes by the following rule: a parent node holds the explanatory short text information of all of its child nodes, and a node that has no explanatory short text information of its own takes the explanatory short text information of its parent node. In other words, one possible implementation of expanding the description text corresponding to each interaction component according to the node structure relation in the initial node structure tree, to obtain the extended description text corresponding to each interaction component, is as follows: the initial node structure tree is traversed, and the description text corresponding to each interaction component is expanded according to the sub-node relation of the traversed node, to obtain a transition description text corresponding to each interaction component; if no non-explanatory description node exists in the initial node structure tree, the transition description text corresponding to each interaction component is used as the extended description text corresponding to that interaction component; if a non-explanatory description node exists in the initial node structure tree, the transition description text corresponding to the interaction component contained in the non-explanatory description node is supplemented according to the parent node relation of that node, to obtain the extended description text corresponding to each interaction component.
A non-explanatory description node is a node for which the transition description text corresponding to the contained interaction component includes no text of the explanatory type. Text of the explanatory type carries explanatory short text information. For example, if the description text is "privacy policy display", the corresponding explanatory description text is "privacy policy", from which the object can learn that the displayed text is the privacy policy.
Specifically, the traversing initial node structure tree expands the description text corresponding to each interaction component according to the sub-node relation of the traversed node, and one feasible implementation process of obtaining the transition description text corresponding to each interaction component is as follows: traversing the initial node structure tree to obtain a kth node; k is a positive integer less than or equal to M, M being the number of one or more nodes; if the sub-node relation of the kth node indicates that the kth node does not have a sub-node, the description text corresponding to the interaction component contained in the kth node is used as the transition description text corresponding to the interaction component contained in the kth node; if the sub-node relation of the kth node indicates that the kth node has the sub-node, taking the sub-node corresponding to the kth node as a target sub-node, adding the description text corresponding to the interaction component contained in the target sub-node into the description text corresponding to the interaction component contained in the kth node, and obtaining the transition description text corresponding to the interaction component contained in the kth node.
For ease of understanding, assume that, after text extraction on the attribute of each node in the initial node structure tree is performed, a mapping relationship table of the node and the descriptive text is obtained, and one available structure of the mapping relationship table is as shown in table 1:
TABLE 1
Where < node 1, node 2> means that in the initial node structure tree, node 1 is the parent node of node 2. The computer equipment can perform expansion processing on the mapping relation table shown in table 1 according to the father-son node relation in the initial node structure tree to obtain a transition mapping relation table, as shown in table 2:
TABLE 2
Specifically, if a non-explanatory description node exists in the initial node structure tree, one feasible implementation of supplementing the transition description text corresponding to the interaction component contained in the non-explanatory description node according to the parent node relation of that node, to obtain the extended description text corresponding to each interaction component, is as follows: if a non-explanatory description node exists in the initial node structure tree, the parent node relation of the non-explanatory description node is acquired; if the parent node relation indicates that the non-explanatory description node has a parent node, the target explanatory description text is supplemented into the transition description text corresponding to the interaction component contained in the non-explanatory description node, where the target explanatory description text is the text of the explanatory type in the transition description text corresponding to the interaction component contained in the parent node; the supplemented transition description text, together with the transition description text corresponding to the interaction components contained in the explanatory description nodes, is used as the extended description text, where an explanatory description node is a node in the initial node structure tree other than the non-explanatory description nodes.
For ease of understanding, refer to table 2 again. It can be seen from table 2 that the transition description texts corresponding to the interaction components contained in nodes 2 and 3 carry no explanatory short text information, so nodes 2 and 3 are non-explanatory description nodes, and the target explanatory description text contained in the parent node can be supplemented into their transition description texts, giving an extended mapping relationship table, as shown in table 3:
TABLE 3
Step S205, adding the extended description text corresponding to each interaction component to the node to which each interaction component belongs, so as to obtain a target node structure tree.
By adopting the method provided by the embodiment of the application, the description text associated with related nodes is supplemented, as context, into the description text of each node according to the node structure relation of the target node structure tree, and the extended description text finally obtained, as shown in table 3, is more interpretable and more comprehensive than the description text that the node had at the beginning.
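The following sketch walks steps S202 to S205 over a small layout file. It is an added example, not code from the patent. The WXML-like sample layout, the `TEXT_ATTRS` allowlist, the `bind`/`catch` event prefixes, and the rule that a node with empty transition text counts as non-explanatory are all assumptions, since the text does not fix them.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed WXML-like layout; not taken from the patent or any real app.
SAMPLE_LAYOUT = """\
<view class="page">
  <view class="form" style="color:#333">
    <text>Phone number</text>
    <input placeholder="{{hint}}" bindinput="onPhone"/>
    <button class="btn" bindtap="submit"/>
  </view>
  <navigator url="/pages/privacy">Privacy policy</navigator>
</view>
"""

# Assumption: attributes that carry display text. Class, style, colour and
# other attributes are never read, which implements the filtering in S203.
TEXT_ATTRS = ("placeholder", "title", "aria-label", "value")
# Assumption: event-trigger attributes start with one of these prefixes.
EVENT_PREFIXES = ("bind", "catch")


@dataclass
class Node:
    tag: str
    events: dict                    # event-trigger attributes of the component
    desc: list                      # s: description text from S203
    parent: object = field(default=None, repr=False)
    children: list = field(default_factory=list)
    transition: list = field(default_factory=list)
    extended: list = field(default_factory=list)   # q: result of S204


def extract_desc(elem):
    """S203: keep display text, drop values that are data-binding variables."""
    candidates = [elem.text or ""] + [elem.get(name, "") for name in TEXT_ATTRS]
    return [c.strip() for c in candidates if c.strip() and "{{" not in c]


def parse_layout(xml_text):
    """S202: parse the layout file into the initial node structure tree."""
    # The layout comes from the application under analysis, so it is untrusted
    # input: refuse DTD and entity declarations before handing it to the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD and entity declarations are not accepted")

    def build(elem, parent):
        events = {k: v for k, v in elem.attrib.items()
                  if k.startswith(EVENT_PREFIXES)}
        node = Node(elem.tag, events, extract_desc(elem), parent)
        node.children = [build(child, node) for child in elem]
        return node

    return build(ET.fromstring(xml_text), None)


def walk(node):
    yield node
    for child in node.children:
        yield from walk(child)


def expand(root):
    """S204 and S205: transition text first, then the supplement from the parent."""
    # Pass 1: a parent takes over the description text of its child nodes.
    for node in walk(root):
        node.transition = list(node.desc)
        for child in node.children:
            node.transition += [t for t in child.desc if t not in node.transition]
    # Pass 2: a node left without text takes its parent's transition text.
    for node in walk(root):
        node.extended = list(node.transition)
        if not node.transition and node.parent is not None:
            node.extended = list(node.parent.transition)
    return root


def build_target_tree(xml_text):
    return expand(parse_layout(xml_text))


def target_short_texts(root):
    """Nodes with an event-trigger attribute and their extended description text."""
    return [(n.tag, n.events, n.extended) for n in walk(root) if n.events]


if __name__ == "__main__":
    for tag, events, text in target_short_texts(build_target_tree(SAMPLE_LAYOUT)):
        print(tag, events, text)
```

The `button` and `input` components carry no text of their own, yet both end up described as "Phone number", which is the context the later word segmentation and dictionary matching need for event-triggering nodes.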
Further, referring to fig. 6, fig. 6 is a flowchart of a method for generating a detection information dictionary according to an embodiment of the present application. The generating method is a possible implementation method for constructing the detection information dictionary in the embodiment corresponding to fig. 3, and may be executed by a computer device, where the computer device may be the service server 100 shown in fig. 1 or any one of the terminal device clusters shown in fig. 1, for example, the terminal device 10c. The following description will be given of an example of the execution of the present generation method by a computer device. The generating method at least includes the following steps S301-S305:
Step S301, at least two sample applications are acquired, and a sample node structure tree of each sample application is respectively constructed.
Specifically, a sample node structure tree comprises one or more sample nodes, and a sample node comprises a sample interaction component and a sample extension description text corresponding to the sample interaction component. Wherein the sample extension description text in the sample node structure tree is determined based on the sample interaction component respectively contained in each sample node and the sample node structure relationship in the sample node structure tree.
Specifically, when the detection information dictionary is constructed, a large number of sample applications can be acquired first, so as to obtain a sample application set, and then, for each sample application in the sample application set, a corresponding sample node structure tree is constructed. The construction process of the sample node structure tree may refer to the construction process of the target node structure tree described in the embodiment corresponding to fig. 4, and will not be described herein.
Step S302, segmentation extraction processing is carried out on sample expansion description texts contained in at least two sample node structure trees, and sample segmentation is obtained.
Specifically, the segmentation extraction processing is performed on the sample expansion description text contained in at least two sample node structure trees, and one feasible implementation process for obtaining the sample segmentation is as follows: performing word segmentation processing on sample expansion description texts contained in at least two sample node structure trees to obtain one or more word segments; filtering invalid word segments in one or more word segments to obtain valid word segments; and carrying out de-duplication treatment on the effective word segmentation to obtain sample word segmentation. Wherein, the invalid word segment may refer to a text word segment without explanatory description information, i.e., a word segment not belonging to an explanatory type. It can be appreciated that when the number of sample applications is sufficiently large, the probability of occurrence of repeated word segmentation is high, so that the valid word needs to be subjected to de-duplication processing to determine the uniqueness of the valid word, and the subsequent workload is reduced.
Step S303, carrying out clustering treatment on the sample word segmentation to obtain a sample word segmentation cluster.
Specifically, the purpose of clustering sample words is to add all sample words with the same information type into the same sample word cluster, in other words, the information types of the sample words in one sample word cluster are the same.
Step S304, the sample word segmentation cluster is labeled, and the information type corresponding to the sample word segmentation cluster is determined.
Specifically, the labeling processing is performed on the sample word segmentation cluster to record which information type the sample word segmentation cluster belongs to. The information types may follow the user information types listed in GB/T 35273-2020, "Information security technology - Personal information security specification".
Step S305, adding each sample word and the information type corresponding to the sample word cluster to which each sample word belongs into the initial dictionary to obtain a detection information dictionary.
Specifically, the computer device adds each sample word and the information type corresponding to the sample word cluster to which the sample word belongs into the initial dictionary, and then the detection information dictionary is obtained.
By adopting the method provided by the embodiment of the application, the detection information dictionary can be built off-line, and the detection information dictionary can be directly used when the subsequent online detection is carried out on the application to be detected, so that the detection time is saved.
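The sketch below runs steps S302 to S305 offline and then performs the highest-similarity lookup that the online detection uses. It is an added example, not code from the patent. The text does not name a clustering algorithm or a similarity measure, so character-bigram Jaccard similarity with greedy clustering stands in for both; the sample texts, the invalid-word list, the cluster labels and the `floor` threshold are constructed assumptions, and only one language is handled.

```python
import re

# Constructed sample extended description texts from "sample applications".
SAMPLE_TEXTS = [
    "Enter your phone",
    "Share location with contacts",
    "Allow geolocation",
    "Your telephone",
    "Share contact",
    "Phones and location",
]

# Assumption: word segments that carry no explanatory information (S302).
INVALID_WORDS = {"enter", "your", "share", "with", "allow", "and"}

# Constructed analyst labels, keyed by the first word of each cluster (S304).
# The type names are placeholders, not quoted from GB/T 35273-2020.
CLUSTER_LABELS = {
    "phone": "telephone number",
    "location": "location information",
    "contacts": "address book",
}


def bigrams(word):
    return {word[i:i + 2] for i in range(len(word) - 1)} or {word}


def similarity(a, b):
    """Character-bigram Jaccard similarity (stand-in measure, see lead-in)."""
    x, y = bigrams(a), bigrams(b)
    return len(x & y) / len(x | y)


def sample_words(texts):
    """S302: segment, filter invalid word segments, de-duplicate (order kept)."""
    words = []
    for text in texts:
        for word in re.findall(r"[a-z]+", text.lower()):
            if word not in INVALID_WORDS and word not in words:
                words.append(word)
    return words


def cluster(words, threshold=0.5):
    """S303: greedy clustering against the first member of each cluster."""
    clusters = []
    for word in words:
        best = max(clusters, key=lambda c: similarity(word, c[0]), default=None)
        if best is not None and similarity(word, best[0]) >= threshold:
            best.append(word)
        else:
            clusters.append([word])
    return clusters


def build_dictionary(texts, labels):
    """S304 and S305: attach the cluster's information type to every member."""
    dictionary = {}
    for members in cluster(sample_words(texts)):
        info_type = labels.get(members[0])
        if info_type is None:
            continue            # unlabeled cluster: left out of the dictionary
        for word in members:
            dictionary[word] = info_type
    return dictionary


def match(word, dictionary, floor=0.5):
    """Online lookup: dictionary word with the highest similarity.

    The floor is an added assumption so that an unrelated word is reported
    as unmatched instead of being forced onto its nearest entry.
    """
    best = max(dictionary, key=lambda w: similarity(word, w), default=None)
    if best is None or similarity(word, best) < floor:
        return None
    return best, dictionary[best]


if __name__ == "__main__":
    d = build_dictionary(SAMPLE_TEXTS, CLUSTER_LABELS)
    print(d)
    print(match("telephones", d), match("weather", d))
```

Surface similarity groups spelling variants only; synonyms such as "mobile" and "phone" would need a semantic measure to land in the same cluster.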
Referring to fig. 7, fig. 7 is a schematic structural diagram of an application abnormality detection apparatus according to an embodiment of the present application. The application abnormality detection apparatus may be a computer program (including program code) running on a computer device; for example, the application abnormality detection apparatus is application software. The apparatus can be used to execute the corresponding steps in the application abnormality detection method provided by the embodiment of the application. As shown in fig. 7, the application abnormality detection apparatus 1 may include: a construction module 11, a word segmentation module 12, a matching module 13 and a result determination module 14.
A construction module 11, configured to construct a target node structure tree for an application to be detected; the target node structure tree comprises one or more nodes; a node comprises an interaction component and an expansion description text corresponding to the interaction component;
the word segmentation module 12 is used for performing word segmentation on the target description short text in the target node structure tree to obtain target description words; the target description short text refers to an extension description text contained in a node with an event triggering attribute in a target node structure tree;
The matching module 13 is used for matching the similarity between the target descriptive word and the word in the detection information dictionary and determining the detection information type of the target descriptive word;
the result determining module 14 is configured to determine a detection result for the application to be detected according to the event type of the event trigger attribute and the detection information type.
The specific implementation manners of the construction module 11, the word segmentation module 12, the matching module 13, and the result determination module 14 may be referred to the description of step S101 to step S104 in the embodiment corresponding to fig. 3, and will not be described herein.
Wherein the construction module 11 comprises: acquisition unit 111, analysis unit 112, extraction unit 113, expansion unit 114, and addition unit 115.
An obtaining unit 111, configured to obtain a source code data packet corresponding to an application to be detected, and obtain an interaction component layout file from the source code data packet;
the parsing unit 112 is configured to perform tree parsing on the interactive component layout file to obtain an initial node structure tree; the initial node structure tree comprises one or more nodes; a node comprises an interaction component; the node structure relationship of the initial node structure tree is determined based on the structure relationship between the interactive components in the interactive component layout file;
An extracting unit 113, configured to extract text attribute values of each interaction component, so as to obtain a description text corresponding to each interaction component;
an expansion unit 114, configured to perform expansion processing on the description text corresponding to each interaction component according to the node structure relationship in the initial node structure tree, so as to obtain an expanded description text corresponding to each interaction component;
and the adding unit 115 is configured to add the extended description text corresponding to each interaction component to the node to which each interaction component belongs, so as to obtain a target node structure tree.
The specific implementation manners of the obtaining unit 111, the parsing unit 112, the extracting unit 113, the expanding unit 114, and the adding unit 115 may be referred to the descriptions of step S201 to step S205 in the embodiment corresponding to fig. 4, and will not be described herein.
Wherein the acquisition unit 111 includes: a first acquisition subunit 1111, a format detection subunit 1112, and a second acquisition subunit 1113.
A first obtaining subunit 1111, configured to obtain a source code data packet corresponding to an application to be detected;
a format detection subunit 1112, configured to perform format detection on the source code packet to obtain a format detection result;
The second obtaining subunit 1113 is configured to decompile the source code data packet if the format detection result is a compression-compilation result, obtain a decompiled source code data packet, and search for the interactive component layout file in the decompiled source code data packet;
the second obtaining subunit 1113 is further configured to search the interactive component layout file from the source code packet if the format detection result is not the compression compilation result.
For specific implementation manners of the first acquiring subunit 1111, the format detecting subunit 1112, and the second acquiring subunit 1113, reference may be made to the description of step S2011-step S2012 in the embodiment corresponding to fig. 5, and the detailed description will be omitted here.
Wherein the expansion unit 114 includes: traversing extension sub-unit 1141, text determination sub-unit 1142, and supplementing extension sub-unit 1143.
The traversal extension subunit 1141 is configured to traverse the initial node structure tree, and perform extension processing on the description text corresponding to each interaction component according to the traversed node relationship, so as to obtain a transition description text corresponding to each interaction component;
a text determining subunit 1142, configured to, if no non-explanatory description node exists in the initial node structure tree, use the transition description text corresponding to each interaction component as the extended description text corresponding to each interaction component; a non-explanatory description node is a node whose associated transition description text does not belong to the explanatory type;
And the supplementary expansion subunit 1143 is configured to, if a non-explanatory description node exists in the initial node structure tree, supplement the transition description text corresponding to the interaction component contained in the non-explanatory description node according to the parent node relation of the non-explanatory description node, so as to obtain the extended description text corresponding to each interaction component.
The traversing extension subunit is specifically configured to traverse the initial node structure tree, and acquire a kth node; k is a positive integer less than or equal to M, M being the number of one or more nodes; if the sub-node relation of the kth node indicates that the kth node does not have the sub-node, using the description text corresponding to the interaction component contained in the kth node as the transition description text corresponding to the interaction component contained in the kth node; if the sub-node relation of the kth node indicates that the kth node has the sub-node, taking the sub-node corresponding to the kth node as a target sub-node, adding the description text corresponding to the interaction component contained in the target sub-node into the description text corresponding to the interaction component contained in the kth node, and obtaining the transition description text corresponding to the interaction component contained in the kth node.
The supplementary expansion subunit is specifically configured to obtain the parent node relation of the non-explanatory description node if a non-explanatory description node exists in the initial node structure tree; if the parent node relation of the non-explanatory description node indicates that the non-explanatory description node has a parent node, supplement the target explanatory description text into the transition description text corresponding to the interaction component contained in the non-explanatory description node; the target explanatory description text is the text of the explanatory type in the transition description text corresponding to the interaction component contained in the parent node; the supplemented transition description text, together with the transition description text corresponding to the interaction components contained in the explanatory description nodes, is used as the extended description text; an explanatory description node is a node in the initial node structure tree other than the non-explanatory description nodes.
The specific implementation manner of the traversing expansion subunit 1141, the text determining subunit 1142, and the supplementing expansion subunit 1143 may be referred to the description of step S204 in the embodiment corresponding to fig. 4, and will not be described herein.
Wherein the target description short text contains one or more target description phrases;
the word segmentation module 12 includes: a phrase traversing unit 121, a language type determining unit 122, a dividing unit 123, and a word segmentation determining unit 124.
A phrase traversing unit 121, configured to traverse one or more target description phrases to obtain a j-th target description phrase; j is a positive integer; j is less than or equal to the number of one or more object description phrases;
a language type determining unit 122, configured to determine a language type corresponding to the jth target description phrase as a target language type;
a dividing unit 123, configured to invoke a word segmentation tool corresponding to the target language type to divide the j-th target description phrase, so as to obtain the phrase target description words corresponding to the j-th target description phrase;
the word segmentation determining unit 124 is configured to take the phrase target description words corresponding to each target description phrase as the target description words.
The specific implementation manners of the phrase traversing unit 121, the language type determining unit 122, the dividing unit 123, and the word segmentation determining unit 124 may be referred to the description of step S102 in the embodiment corresponding to fig. 3, and will not be described herein.
Wherein the result determination module 14 comprises: weight acquisition section 141, probability acquisition section 142, weighting section 143, and detection result generation section 144.
A weight obtaining unit 141, configured to obtain a risk weight corresponding to an event type of the event trigger attribute;
a probability obtaining unit 142, configured to obtain a risk probability corresponding to the detection information type;
a weighting unit 143, configured to perform a weighting process on the risk probability according to the risk weight, so as to obtain a weighted risk probability;
the detection result generating unit 144 is configured to generate a detection result for the application to be detected according to the weighted risk probability.
The specific implementation manners of the weight obtaining unit 141, the probability obtaining unit 142, the weighting unit 143, and the detection result generating unit 144 may be referred to the description of step S104 in the embodiment corresponding to fig. 3, and will not be described herein.
Wherein the matching module 13 comprises: a target determination unit 131, a target matching unit 132, and an information type determination unit 133.
A target determining unit 131 for taking the language type of the target descriptive word as a target language type;
the target determining unit 131 is further configured to search the detection information dictionary for words whose language type is the target language type, as target search words;
A target matching unit 132, configured to obtain, from the target search words, the word having the highest similarity to the target descriptive word, as a target matching word;
an information type determining unit 133, configured to obtain, from the detection information dictionary, an information type corresponding to the target matching word as a detection information type of the target descriptive word.
The specific implementation manner of the target determining unit 131, the target matching unit 132, and the information type determining unit 133 may be referred to the description of step S103 in the embodiment corresponding to fig. 3, and will not be described herein.
Wherein, the application anomaly detection device 1 further comprises: the system comprises a sample construction module 15, a sample word segmentation module 16, a clustering module 17, a labeling module 18 and a dictionary adding module 19.
A sample construction module 15, configured to obtain at least two sample applications, and respectively construct a sample node structure tree of each sample application; a sample node structure tree comprising one or more sample nodes; the sample node comprises a sample interaction component and a sample extension description text corresponding to the sample interaction component;
the sample word segmentation module 16 is configured to perform word segmentation extraction processing on sample extension description text contained in at least two sample node structure trees, so as to obtain sample word segmentation;
The clustering module 17 is used for carrying out clustering treatment on the sample word segmentation to obtain a sample word segmentation cluster;
the labeling module 18 is used for labeling the sample word segmentation cluster and determining the information type corresponding to the sample word segmentation cluster;
the dictionary adding module 19 is configured to add each sample word and an information type corresponding to a sample word cluster to which each sample word belongs to the initial dictionary, so as to obtain a detection information dictionary.
The specific implementation manners of the sample construction module 15, the sample word segmentation module 16, the clustering module 17, the labeling module 18, and the dictionary adding module 19 may be referred to the description of step S301 to step S305 in the embodiment corresponding to fig. 6, and will not be described herein.
Wherein the sample word segmentation module 16 comprises: a word segmentation unit 161, a word segmentation filtering unit 162, and a word segmentation de-duplication unit 163.
A word segmentation unit 161, configured to perform word segmentation on a sample extension description text included in at least two sample node structure trees, so as to obtain one or more word segments;
a word segmentation filtering unit 162, configured to filter invalid word segments in the one or more word segments to obtain valid word segments;
the word segmentation de-duplication unit 163 is configured to perform de-duplication processing on the valid word segmentation to obtain a sample word segmentation.
The specific implementation manner of the word segmentation unit 161, the word segmentation filtering unit 162, and the word segmentation duplication removing unit 163 may be referred to the description of step S302 in the embodiment corresponding to fig. 3, and will not be described herein.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the application. As shown in fig. 8, the application abnormality detection apparatus 1 in the embodiment corresponding to fig. 8 described above may be applied to a computer device 1000, and the computer device 1000 may include: a processor 1001, a network interface 1004, and a memory 1005; in addition, the computer device 1000 may further include: a user interface 1003 and at least one communication bus 1002. The communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display and a keyboard, and optionally may further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory. The memory 1005 may also optionally be at least one storage device located remotely from the processor 1001. As shown in fig. 8, the memory 1005, which is a type of computer-readable storage medium, may include an operating system, a network communication module, a user interface module, and a device control application.
In the computer device 1000 shown in fig. 8, the network interface 1004 may provide a network communication network element; the user interface 1003 is primarily used to provide an input interface for a user; and the processor 1001 may be used to invoke the device control application stored in the memory 1005 to implement:
constructing a target node structure tree for an application to be detected; the target node structure tree comprises one or more nodes; a node comprises an interaction component and an extension description text corresponding to the interaction component;
performing word segmentation processing on the target description short text in the target node structure tree to obtain target description words; the target description short text refers to an extension description text contained in a node with an event triggering attribute in the target node structure tree;
performing similarity matching between the target description words and the words in the detection information dictionary, and determining the detection information type of the target description words;
and determining a detection result for the application to be detected according to the event type of the event triggering attribute and the detection information type.
It should be understood that the computer device 1000 described in the embodiments of the present application may perform the application anomaly detection method described in any one of the embodiments shown in fig. 3, 4, 5 and 6, which will not be repeated here. Likewise, the beneficial effects of the same method are not described again.
Furthermore, it should be noted that the embodiment of the present application further provides a computer-readable storage medium storing the computer program executed by the application anomaly detection device 1 mentioned above. The computer program includes program instructions; when the processor executes the program instructions, the application anomaly detection method described in any one of the embodiments shown in fig. 3, 4, 5, and 6 can be performed, so the description is not repeated here. Likewise, the beneficial effects of the same method are not described again. For technical details not disclosed in the embodiments of the computer-readable storage medium according to the present application, please refer to the description of the method embodiments of the present application.
The computer-readable storage medium may be an internal storage unit of the application abnormality detection apparatus provided in any one of the foregoing embodiments or of the foregoing computer device, for example, a hard disk or a memory of the computer device. The computer-readable storage medium may also be an external storage device of the computer device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, or a flash card provided on the computer device. Further, the computer-readable storage medium may also include both internal storage units and external storage devices of the computer device. The computer-readable storage medium is used to store the computer program and other programs and data required by the computer device. The computer-readable storage medium may also be used to temporarily store data that has been output or is to be output.
Furthermore, it should be noted here that: embodiments of the present application also provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium and executes the computer instructions to cause the computer device to perform the method provided by the corresponding embodiments of any of the foregoing fig. 3, 4, 5, 6.
The terms first, second and the like in the description and in the claims and drawings of embodiments of the application are used for distinguishing between different objects and not for describing a particular sequential order. Furthermore, the term "include" and any variations thereof is intended to cover a non-exclusive inclusion. For example, a process, method, apparatus, article, or device that comprises a list of steps or elements is not limited to the list of steps or modules but may, in the alternative, include other steps or modules not listed or inherent to such process, method, apparatus, article, or device.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied as electronic hardware, computer software, or a combination of the two, and that the elements and steps of the examples have been generally described in terms of functions in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the solution. The skilled person may use different methods for implementing the described functions for each specific application, but such implementation should not be considered to be beyond the scope of the present application.
The foregoing disclosure is illustrative of the present application and is not to be construed as limiting the scope of the application, which is defined by the appended claims.

Claims (15)

1. An application anomaly detection method, comprising:
constructing a target node structure tree for an application to be detected; wherein the target node structure tree comprises one or more nodes; one node comprises an interaction component and an extension description text corresponding to the interaction component;
performing word segmentation processing on the target description short text in the target node structure tree to obtain target description words; the target description short text refers to an extension description text contained in a node with an event triggering attribute in the target node structure tree;
performing similarity matching between the target description words and the words in the detection information dictionary, and determining the detection information type of the target description words;
and determining a detection result for the application to be detected according to the event type of the event triggering attribute and the detection information type.
2. The method of claim 1, wherein constructing the target node structure tree for the application to be detected comprises:
acquiring a source code data packet corresponding to the application to be detected, and acquiring an interactive component layout file from the source code data packet;
performing tree analysis processing on the interactive component layout file to obtain an initial node structure tree; the initial node structure tree comprises one or more nodes; a node comprises an interaction component; the node structure relationship of the initial node structure tree is determined based on the structure relationship between the interactive components in the interactive component layout file;
extracting text attribute values of each interaction component respectively to obtain a description text corresponding to each interaction component;
performing expansion processing on the description text corresponding to each interaction component according to the node structure relation in the initial node structure tree to obtain an expansion description text corresponding to each interaction component;
and respectively adding the extension description text corresponding to each interaction component into the node to which each interaction component belongs to obtain a target node structure tree.
3. The method according to claim 2, wherein the obtaining a source code data packet corresponding to the application to be detected, and obtaining the interactive component layout file from the source code data packet, includes:
acquiring a source code data packet corresponding to the application to be detected;
performing format detection on the source code data packet to obtain a format detection result;
if the format detection result is a compression compiling result, decompiling the source code data packet to obtain a decompiled source code data packet, and searching an interactive component layout file from the decompiled source code data packet;
and if the format detection result is not the compression compiling result, searching an interactive component layout file from the source code data packet.
4. The method according to claim 2, wherein the expanding the description text corresponding to each interaction component according to the node structure relationship in the initial node structure tree to obtain the expanded description text corresponding to each interaction component includes:
traversing the initial node structure tree, and performing expansion processing on the description text corresponding to each interaction component according to the child node relation of the traversed node to obtain a transition description text corresponding to each interaction component;
if no non-explanatory description node exists in the initial node structure tree, taking the transition description text corresponding to each interaction component as the extension description text corresponding to each interaction component; the non-explanatory description node refers to a node whose associated transition description text does not belong to an explanatory type;
and if a non-explanatory description node exists in the initial node structure tree, performing supplementary processing on the transition description text corresponding to the interaction component contained in the non-explanatory description node according to the parent node relation of the non-explanatory description node to obtain the extension description text corresponding to each interaction component.
5. The method of claim 4, wherein traversing the initial node structure tree, performing expansion processing on the description text corresponding to each interaction component according to the traversed node child relationship, and obtaining transition description text corresponding to each interaction component includes:
traversing the initial node structure tree to obtain a kth node; k is a positive integer less than or equal to M, M being the number of the one or more nodes;
if the sub-node relation of the kth node indicates that the kth node does not have a sub-node, using the description text corresponding to the interaction component contained in the kth node as a transition description text corresponding to the interaction component contained in the kth node;
if the sub-node relation of the kth node indicates that the kth node has sub-nodes, taking the sub-node corresponding to the kth node as a target sub-node, adding the description text corresponding to the interaction component contained in the target sub-node into the description text corresponding to the interaction component contained in the kth node, and obtaining the transition description text corresponding to the interaction component contained in the kth node.
6. The method of claim 4, wherein if a non-explanatory description node exists in the initial node structure tree, performing supplementary processing on the transition description text corresponding to the interaction component contained in the non-explanatory description node according to the parent node relation of the non-explanatory description node to obtain the extension description text corresponding to each interaction component includes:
if a non-explanatory description node exists in the initial node structure tree, acquiring the parent node relation of the non-explanatory description node;
if the parent node relation of the non-explanatory description node indicates that the non-explanatory description node has a parent node, supplementing a target explanatory description text into the transition description text corresponding to the interaction component contained in the non-explanatory description node; the target explanatory description text refers to a text belonging to the explanatory type in the transition description text corresponding to the interaction component contained in the parent node;
the transition description text after supplement and the transition description text corresponding to the interaction component contained in the explanatory description node are used as extension description text; the explanatory description node refers to a node other than the non-explanatory description node in the initial node structure tree.
7. The method of claim 1, wherein the target description short text comprises one or more target description phrases;
performing word segmentation processing on the target description short text in the target node structure tree to obtain target description words, including:
traversing the one or more target description phrases to obtain a j-th target description phrase; j is a positive integer; j is less than or equal to the number of the one or more target description phrases;
determining the language type corresponding to the jth target description phrase as a target language type;
calling a word segmentation tool corresponding to the target language type to divide the target description phrase to obtain a phrase target description word corresponding to the jth target description phrase;
and taking the short sentence target description word corresponding to each target description short sentence as a target description word.
8. The method according to claim 1, wherein determining the detection result for the application to be detected according to the event type of the event trigger attribute and the detection information type comprises:
acquiring risk weights corresponding to event types of the event triggering attributes;
acquiring risk probability corresponding to the detection information type;
weighting the risk probability according to the risk weight to obtain a weighted risk probability;
and generating a detection result for the application to be detected according to the weighted risk probability.
9. The method of claim 1, wherein the similarity matching the target descriptive word with the word in the detection information dictionary, determining the detection information type of the target descriptive word, comprises:
taking the language type of the target descriptive word as a target language type;
taking the words in the detection information dictionary whose language type is the target language type as target search words;
obtaining, from the target search words, the word with the highest similarity to the target descriptive word as a target matching word;
and acquiring the information type corresponding to the target matching word from the detection information dictionary as the detection information type of the target descriptive word.
10. The method as recited in claim 1, further comprising:
acquiring at least two sample applications, and respectively constructing a sample node structure tree of each sample application; wherein one sample node structure tree comprises one or more sample nodes; the sample node comprises a sample interaction component and a sample extension description text corresponding to the sample interaction component;
performing word segmentation extraction processing on sample extension description texts contained in at least two sample node structure trees to obtain sample word segmentation;
clustering the sample word segmentation to obtain a sample word segmentation cluster;
labeling the sample word segmentation cluster, and determining the information type corresponding to the sample word segmentation cluster;
and respectively adding each sample word and the information type corresponding to the sample word cluster to which each sample word belongs into an initial dictionary to obtain a detection information dictionary.
11. The method according to claim 10, wherein the performing word segmentation extraction processing on the sample extension description text contained in the at least two sample node structure trees to obtain sample segmentation includes:
performing word segmentation processing on sample expansion description texts contained in at least two sample node structure trees to obtain one or more word segments;
filtering the invalid word segmentation in the one or more word segmentation to obtain an effective word segmentation;
and carrying out de-duplication treatment on the effective word segmentation to obtain a sample word segmentation.
12. An application abnormality detection apparatus, characterized by comprising:
the construction module is used for constructing a target node structure tree for the application to be detected; wherein the target node structure tree comprises one or more nodes; one node comprises an interaction component and an extension description text corresponding to the interaction component;
the word segmentation module is used for carrying out word segmentation processing on the target description short text in the target node structure tree to obtain target description words; the target description short text refers to an extension description text contained in a node with an event triggering attribute in the target node structure tree;
the matching module is used for performing similarity matching between the target description words and the words in the detection information dictionary and determining the detection information type of the target description words;
and the result determining module is used for determining a detection result for the application to be detected according to the event type of the event triggering attribute and the detection information type.
13. A computer device, comprising: a processor, a memory, and a network interface;
the processor is connected to the memory and the network interface, the network interface being used to provide data communication functions, the memory being used to store program code, and the processor being used to invoke the program code to perform the method of any of claims 1-11.
14. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program adapted to be loaded by a processor and to perform the method of any of claims 1-11.
15. A computer program product comprising computer programs/instructions which, when executed by a processor, are adapted to carry out the method of any one of claims 1-11.
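The pipeline of claims 5, 6, 8 and 9, as an added sketch that is not code from the patent or its applicant: it shows how a button whose own text is uninformative inherits the explanatory text of its parent node before dictionary matching and risk weighting. The layout format, the attribute names `text`, `onTap` and `onLongPress`, the dictionary entries, the risk values, the test for the "explanatory type", the similarity cut-off and the use of a product for weighting are all assumptions made for this example.

```python
import difflib
import re
import xml.etree.ElementTree as ET

# Constructed layout file (hypothetical format). "Submit" alone says nothing about
# what the button collects; "pasword" is misspelled on purpose to exercise matching.
LAYOUT = """<page>
  <view>
    <label text="Please enter your pasword"/>
    <button text="Submit" onTap="send"/>
  </view>
  <view>
    <button text="Share location" onLongPress="share"/>
  </view>
</page>"""

# Constructed detection information dictionary and risk tables (assumed values).
DICTIONARY = {"password": "credential", "location": "geolocation", "contacts": "address_book"}
RISK_PROBABILITY = {"credential": 0.9, "geolocation": 0.6, "address_book": 0.7}
EVENT_WEIGHT = {"onTap": 1.0, "onLongPress": 0.5}  # event trigger attribute -> risk weight

def segment(text):
    """Stand-in for a per-language word segmentation tool (English only here)."""
    return re.findall(r"[a-z]+", text.lower())

def is_explanatory(piece):
    """Assumed test for the 'explanatory type': the text has more than one word."""
    return len(segment(piece)) > 1

def build_tree(xml_text):
    """Parse the layout and compute the extension description text of every node."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    own = {n: n.get("text", "") for n in root.iter()}
    # Claim 5: transition text = own text plus the text of the direct child nodes.
    transition = {n: [t for t in [own[n]] + [own[c] for c in n] if t] for n in root.iter()}
    extension = {}
    for node, pieces in transition.items():
        parent = parent_of.get(node)
        # Claim 6: a non-explanatory node borrows the parent's explanatory text.
        if parent is not None and not any(map(is_explanatory, pieces)):
            pieces = pieces + [p for p in transition[parent] if is_explanatory(p)]
        extension[node] = pieces
    return root, extension

def match_type(word, threshold=0.8):
    """Claim 9: the most similar dictionary word decides the information type."""
    def score(entry):
        return difflib.SequenceMatcher(None, word, entry).ratio()
    best = max(DICTIONARY, key=score)
    # The cut-off is an assumption: without one, every word would match something.
    return DICTIONARY[best] if score(best) >= threshold else None

def detect(xml_text):
    """Return (component text, event type, information type, weighted risk) tuples."""
    root, extension = build_tree(xml_text)
    findings = []
    for node in root.iter():
        for event, weight in EVENT_WEIGHT.items():
            if node.get(event) is None:
                continue  # only nodes with an event trigger attribute are scored
            words = [w for piece in extension[node] for w in segment(piece)]
            for info_type in sorted({match_type(w) for w in words} - {None}):
                # Claim 8: the weighting is taken to be a product (an assumption).
                risk = round(weight * RISK_PROBABILITY[info_type], 2)
                findings.append((node.get("text"), event, info_type, risk))
    return findings
```

Calling `detect(LAYOUT)` flags the "Submit" button as collecting a credential only because of the parent-text supplement; matched on its own text alone, it would produce no finding.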
CN202210467802.8A 2022-04-29 2022-04-29 Application abnormality detection method, device, equipment and readable storage medium Pending CN117010332A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210467802.8A CN117010332A (en) 2022-04-29 2022-04-29 Application abnormality detection method, device, equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN117010332A (en) 2023-11-07

Family

ID=88569647

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210467802.8A Pending CN117010332A (en) 2022-04-29 2022-04-29 Application abnormality detection method, device, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN117010332A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination