CN117056152A - Equipment detection method and related device - Google Patents


Info

Publication number
CN117056152A
Authority
CN
China
Prior art keywords
application
applications
target
equipment
abnormal
Prior art date
Legal status
Granted
Application number
CN202311327696.4A
Other languages
Chinese (zh)
Other versions
CN117056152B (en)
Inventor
周鹏飞
张凯
杨泽
郝立扬
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202311327696.4A
Publication of CN117056152A
Application granted
Publication of CN117056152B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2205 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/61 Installation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/03 Credit; Loans; Processing thereof
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Finance (AREA)
  • Software Systems (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Strategic Management (AREA)
  • Technology Law (AREA)
  • General Business, Economics & Management (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the application discloses a device detection method and a related device, which can be applied to various application scenarios such as cloud technology, artificial intelligence, or intelligent traffic. During detection, the sub-application features respectively corresponding to each application to be analyzed can be determined by combining the abnormality rate features and the application installation order features respectively corresponding to the plurality of applications to be analyzed that are installed on the device to be detected.

Description

Equipment detection method and related device
Technical Field
The application relates to the technical field of information analysis, in particular to a device detection method and a related device.
Background
With the continuous development of internet technology, more and more businesses can be executed on the internet, and the abnormal business behaviors that accompany them keep growing as well. For example, because loan services are offered online, someone may take out a loan through a terminal device but not repay it, thereby causing abnormal loan behavior.
In the related art, in order to identify a device on which abnormal behavior may occur, the relevant personnel first need to determine empirically which applications are used for performing the abnormal behavior, and then assess the risk that a device is used to perform the abnormal behavior by judging whether such an application is installed on the device.
The device detection approach in the related art depends too heavily on human experience, and the labor cost is high. Because manual analysis is slow, it is difficult to keep up with the iteration speed of the applications used for abnormal behaviors. As a result, devices at risk of being used to execute abnormal behaviors are difficult to detect efficiently and accurately, and the probability that abnormal behavior cannot be identified in advance is high.
Disclosure of Invention
To solve the above technical problems, the application provides a device detection method that can automatically and accurately analyze the probability that a device is used for executing abnormal behaviors, reduce the dependence on human participation, and improve device detection efficiency.
The embodiment of the application discloses the following technical scheme:
In a first aspect, an embodiment of the present application discloses a device detection method, where the method includes:
acquiring application installation information corresponding to equipment to be detected, wherein the application installation information is used for identifying a plurality of applications to be analyzed installed in the equipment to be detected;
determining sub-application features corresponding to a target application, wherein the sub-application features corresponding to the target application are determined based on abnormality rates corresponding to the target application and application installation sequences corresponding to the target application in a plurality of devices respectively, the target application is any one of the plurality of applications to be analyzed, the abnormality rates are used for representing the probability that devices for installing the target application are used for executing abnormal behaviors, and the sub-application features are used for representing the abnormality rate features corresponding to the target application and the application installation sequence features in the plurality of devices;
determining application characteristics corresponding to the equipment to be detected according to sub-application characteristics respectively corresponding to the plurality of applications to be analyzed;
and determining the abnormal probability corresponding to the equipment to be detected according to the application characteristics, wherein the abnormal probability is used for identifying the probability that the equipment to be detected is used for executing abnormal behaviors.
In a second aspect, an embodiment of the present application discloses an apparatus detecting device, including an acquisition unit, a first determination unit, a second determination unit, and a third determination unit:
the acquisition unit is used for acquiring application installation information corresponding to equipment to be detected, and the application installation information is used for identifying a plurality of applications to be analyzed installed in the equipment to be detected;
the first determining unit is configured to determine sub-application features corresponding to a target application, where the sub-application features corresponding to the target application are determined based on an anomaly rate corresponding to the target application and an application installation order corresponding to the target application in a plurality of devices, the target application is any one of the plurality of applications to be analyzed, the anomaly rate is used to represent a probability that a device for installing the target application is used to execute an anomaly, and the sub-application features are used to represent the anomaly rate features corresponding to the target application and the application installation order features in the plurality of devices;
the second determining unit is configured to determine application features corresponding to the to-be-detected device according to sub-application features corresponding to the multiple to-be-analyzed applications respectively;
The third determining unit is configured to determine, according to the application feature, an anomaly probability corresponding to the device to be detected, where the anomaly probability is used to identify a probability that the device to be detected is used to execute an anomaly behavior.
In one possible implementation, the sub-application feature corresponding to the target application is determined by:
determining abnormality rate information corresponding to the target application according to the abnormality rate corresponding to the target application, wherein the abnormality rate information is used for representing the abnormality rate corresponding to the target application;
determining feature information corresponding to a target device according to abnormality rate information respectively corresponding to a plurality of applications installed in the target device and application installation sequences of the plurality of applications in the target device, wherein the feature information comprises abnormality rate information respectively corresponding to a plurality of applications arranged in the application installation sequences of the plurality of applications in the target device, the target device is any device in the plurality of devices, and the plurality of applications comprise the target application;
the feature information corresponding to the plurality of devices is input into a word vector model, sub-application features corresponding to the plurality of applications are determined, the word vector model is used for taking the feature information as sentence units, the abnormality rate information as word units, the feature corresponding to each abnormality rate information is determined, and the sub-application feature corresponding to the target application is the feature corresponding to the abnormality rate information corresponding to the target application.
In a possible implementation manner, the apparatus further includes a dividing unit:
the dividing unit is used for dividing a plurality of abnormal rate intervals, each abnormal rate interval is provided with a corresponding interval identifier, and the interval identifiers corresponding to different abnormal rate intervals are different;
the determining the abnormality rate information corresponding to the target application according to the abnormality rate corresponding to the target application includes:
determining a target abnormal rate interval corresponding to the abnormal rate corresponding to the target application in the plurality of abnormal rate intervals;
and determining the section identifier corresponding to the target abnormal rate section as abnormal rate information corresponding to the target application.
In one possible implementation manner, the first determining unit is specifically configured to:
determining the target abnormal rate interval corresponding to the abnormal rate corresponding to the target application in the plurality of abnormal rate intervals;
and determining the characteristics corresponding to the interval identification corresponding to the target abnormal rate interval as sub-application characteristics corresponding to the target application.
In a possible implementation manner, the second determining unit is specifically configured to:
and determining the average value of the sub-application features corresponding to the plurality of applications to be analyzed as the application feature corresponding to the target equipment.
In a possible implementation manner, the apparatus further includes a fourth determining unit:
the fourth determining unit is configured to determine a target application installation order corresponding to the plurality of applications to be analyzed in the device to be detected;
the second determining unit is specifically configured to:
and determining the application characteristics corresponding to the target equipment according to the target application installation sequence and the sub-application characteristics respectively corresponding to the plurality of applications to be analyzed, wherein the characteristic distribution sequence of the sub-application characteristics respectively corresponding to the plurality of applications to be analyzed in the application characteristics corresponding to the target equipment meets the target application installation sequence.
In one possible implementation, the plurality of devices are devices for performing abnormal behavior.
In a possible implementation manner, the acquiring unit is specifically configured to:
acquiring initial application installation information corresponding to the equipment to be detected, wherein the initial application installation information is used for identifying a plurality of installed applications corresponding to the equipment to be detected;
determining, from the plurality of installed applications, according to the characterization strength information respectively corresponding to the plurality of installed applications and a preset threshold, the plurality of applications to be analyzed that more strongly characterize whether the equipment to be detected is used for executing abnormal behavior, to obtain the application installation information corresponding to the equipment to be detected, wherein the characterization strength information is used for characterizing how strongly an installed application characterizes whether the equipment to be detected is used for executing abnormal behavior, and the preset threshold is used for determining the applications to be analyzed that have the greater characterization strength.
In a possible implementation manner, the characterization strength information includes installed duration information corresponding to each of the plurality of installed applications, the installed duration information is used for identifying an installed duration corresponding to the installed application in the device to be detected, the preset threshold includes an installed duration threshold, and the obtaining unit is specifically configured to:
and determining the plurality of applications to be analyzed, of which the corresponding installed duration does not exceed the installed duration threshold, from the plurality of installed applications according to the installed duration information and the installed duration threshold respectively corresponding to the plurality of installed applications.
In one possible implementation manner, the characterization strength information includes installation times information corresponding to the plurality of installed applications, the installation times information is used for identifying the installation times corresponding to the installed applications, the preset threshold includes an installation times threshold, and the obtaining unit is specifically configured to:
and determining the applications to be analyzed, of which the corresponding installation times do not exceed the installation times threshold value, from the plurality of installed applications according to the installation times information and the installation times threshold value respectively corresponding to the plurality of installed applications.
In one possible implementation, the anomaly rate corresponding to the target application is determined by:
acquiring a plurality of installed devices on which the target application is installed;
and determining the abnormality rate corresponding to the target application according to the ratio of the number of devices used for executing the abnormal behavior in the plurality of installed devices to the total number of devices of the plurality of installed devices.
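The feature construction described in the implementations above (per-application abnormality rate, abnormality rate intervals with interval identifiers, identifiers ordered by installation sequence as "sentences", and averaging sub-application features into a device-level application feature) can be traced end to end in the following added example, which is not code from the patent. The device names, application names, labels, the choice of four equal-width intervals and the "R<k>" identifier format are all constructed assumptions, and a normalized co-occurrence vector stands in for the trained word vector model so that the result is deterministic.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the patent): apps per device, in installation order.
INSTALLS = {
    "dev1": ["bank", "loanA", "loanB"],
    "dev2": ["chat", "loanA", "loanB"],
    "dev3": ["chat", "bank", "maps"],
    "dev4": ["maps", "chat", "loanA"],
}
ABNORMAL = {"dev1", "dev2"}  # constructed labels: devices known to have shown abnormal behavior
N_BINS = 4                   # assumption: four equal-width abnormality rate intervals over [0, 1]


def anomaly_rates(installs, abnormal):
    """Abnormality rate per app: abnormal devices with the app / all devices with the app."""
    total, bad = Counter(), Counter()
    for dev, apps in installs.items():
        for app in set(apps):
            total[app] += 1
            bad[app] += dev in abnormal
    return {app: bad[app] / total[app] for app in total}


def interval_id(rate, n_bins=N_BINS):
    """Map a rate to its interval identifier; a rate of exactly 1.0 falls in the last interval."""
    return f"R{min(int(rate * n_bins), n_bins - 1)}"


def build_sentences(installs, rates):
    """Feature information per device: interval identifiers in application installation order."""
    return {dev: [interval_id(rates[a]) for a in apps] for dev, apps in installs.items()}


def token_vectors(sentences, window=1):
    """Stand-in for the word vector model: normalized counts of neighbouring identifiers."""
    sentences = list(sentences)
    vocab = sorted({tok for s in sentences for tok in s})
    counts = defaultdict(Counter)
    for s in sentences:
        for i, tok in enumerate(s):
            for j in range(max(0, i - window), min(len(s), i + window + 1)):
                if j != i:
                    counts[tok][s[j]] += 1
    vectors = {}
    for tok in vocab:
        total = sum(counts[tok].values()) or 1
        vectors[tok] = [counts[tok][ctx] / total for ctx in vocab]
    return vectors


def device_feature(apps, rates, vectors):
    """Application feature of a device: mean of the sub-application features of its apps.

    Apps with no known abnormality rate are skipped, so the device is still scored
    from its remaining apps; None is returned when nothing is known about any app.
    """
    known = []
    for app in apps:
        if app in rates:
            vec = vectors.get(interval_id(rates[app]))
            if vec is not None:
                known.append(vec)
    if not known:
        return None
    return [sum(col) / len(known) for col in zip(*known)]


if __name__ == "__main__":
    rates = anomaly_rates(INSTALLS, ABNORMAL)
    sentences = build_sentences(INSTALLS, rates)
    vectors = token_vectors(sentences.values())
    # Device to be detected (constructed); "new_app" has no known abnormality rate.
    print(device_feature(["loanA", "new_app", "loanB"], rates, vectors))
```

The resulting vector is what would be passed to the anomaly analysis model to obtain the abnormality probability; that classifier is outside this example.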
In a possible implementation manner, the third determining unit is specifically configured to:
determining the abnormal probability corresponding to the equipment to be detected according to the application characteristics through an abnormal analysis model;
the anomaly analysis model is trained by:
acquiring a sample equipment set, wherein the sample equipment set comprises a plurality of sample equipment, the plurality of sample equipment respectively has corresponding application characteristics and equipment labels, and the equipment labels are used for identifying whether the sample equipment is used for executing abnormal behaviors;
respectively taking the plurality of sample devices as target sample devices, and determining a to-be-determined device label corresponding to the target sample devices according to application characteristics corresponding to the target sample devices through an initial abnormality detection model, wherein the to-be-determined device label is determined by the probability that the target sample devices determined through the initial abnormality detection model are used for executing abnormal behaviors;
And adjusting model parameters of the initial anomaly detection model according to the difference between the equipment label to be determined and the equipment label corresponding to the target sample equipment to obtain the anomaly detection model.
In a possible implementation manner, the apparatus further includes an execution unit:
the execution unit is configured to, in response to acquiring an execution request of the device to be detected for a target behavior, reject the execution request if the abnormality probability corresponding to the device to be detected is greater than a preset probability threshold, where the execution request is used for requesting execution of the target behavior.
In a third aspect, embodiments of the present application disclose a computer device comprising a processor and a memory:
the memory is used for storing a computer program and transmitting the computer program to the processor;
the processor is configured to execute the device detection method according to any one of the first aspects according to instructions in the computer program.
In a fourth aspect, an embodiment of the present application discloses a computer-readable storage medium for storing a computer program for executing the device detection method according to any one of the first aspects.
In a fifth aspect, an embodiment of the application discloses a computer program product comprising a computer program which, when run on a computer device, causes the computer device to perform the device detection method of any of the first aspects.
According to the technical scheme, in order to accurately detect the equipment for executing the abnormal behavior on the premise of not depending on human participation and human experience, the probability that the equipment provided with multiple applications is used for executing the abnormal behavior can be analyzed based on the characteristics of the known abnormal rate of the applications and the installation sequence characteristics of the applications in the equipment. The known abnormality rate can reflect the influence of an application on whether the device provided with the application is used for executing abnormal behaviors, and the installation sequence characteristics corresponding to the plurality of applications installed by the device can reflect the influence of the relevance between different applications in the installation sequence dimension on whether the device is used for executing the abnormal behaviors to a certain extent, so that the device can be accurately analyzed on whether the device can be used for executing the abnormal behaviors by combining the characteristics of the two dimensions. During actual detection, application installation information corresponding to the equipment to be detected can be acquired first, the application installation information is used for identifying a plurality of applications to be analyzed installed in the equipment to be detected, sub-application characteristics corresponding to each application to be analyzed can be determined based on anomaly rates corresponding to the applications to be analyzed respectively and installation sequence characteristics in the equipment, and characteristics of the applications to be analyzed in two dimensions of anomaly rates and application installation sequences can be represented through the sub-application characteristics. 
According to the sub-application features respectively corresponding to the plurality of applications to be analyzed, the application features corresponding to the equipment to be detected can be determined, the application features can represent the overall abnormal rate features and the overall installation sequence features of the applications installed by the equipment to be detected, so that whether the equipment to be detected can be used for executing abnormal behaviors can be accurately analyzed based on the application features, the abnormal probability corresponding to the equipment to be detected is determined, and the abnormal probability can be used for identifying the probability that the equipment to be detected is used for executing the abnormal behaviors. Therefore, the application can realize automatic analysis of the abnormal probability of the equipment to be detected based on the known objective data such as the abnormal rate and the application installation sequence, and on the premise of ensuring the analysis accuracy, the application does not need to rely on artificial experience, so that the analysis efficiency is relatively higher, the analysis range is wider, the consumption of labor cost is reduced, and the application is more suitable for the environment of quick update application. In addition, the method and the device for detecting the abnormality of the equipment based on the application are used for detecting the abnormality of the equipment based on the whole of a plurality of applications installed on the equipment to be detected, and even if specific applications which cannot be accurately analyzed exist in the equipment, the equipment can be analyzed by combining with other applications, so that the detection limit is small, and the applicability is high.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a device detection method in an actual application scenario provided in an embodiment of the present application;
Fig. 2 is a flowchart of a device detection method according to an embodiment of the present application;
Fig. 3 is a flowchart of a method for detecting a device in an actual application scenario according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a device detection method in an actual application scenario according to an embodiment of the present application;
Fig. 5 is a schematic diagram of a device detection method in an actual application scenario according to an embodiment of the present application;
Fig. 6 is a block diagram of a device detecting apparatus according to an embodiment of the present application;
Fig. 7 is a block diagram of a terminal according to an embodiment of the present application;
Fig. 8 is a block diagram of a server according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described below with reference to the accompanying drawings.
In the present application, a device for performing abnormal behavior means a device on which abnormal behavior is performed through an installed application, for example, fraudulent behavior such as a malicious loan performed through a lending application. In the related art, in order to identify a device that may be used to perform an abnormal behavior, it is necessary to first analyze manually which applications are used to perform the abnormal behavior, and then determine whether the device is used to perform the abnormal behavior according to whether such an application is installed on the device.
Therefore, the detection of abnormal devices in the related art depends heavily on the manual analysis and identification of abnormal applications, and the labor cost is high. Meanwhile, the coverage of manual application analysis is low: only abnormal applications that have already appeared can be analyzed, and it is difficult to accurately analyze applications that do not obviously exhibit the abnormality or abnormal applications that occur infrequently, so the devices on which these applications are installed cannot be detected as abnormal devices. In addition, applications used for executing abnormal behavior are generally updated and iterated quickly, while manual analysis of applications is slow. By the time an application for executing the abnormal behavior has been analyzed manually, it may already have been replaced by a newer application and no longer be used by the device, so manual device detection has poor adversarial robustness and is difficult to adapt to an abnormal-application environment that updates quickly.
To solve the above technical problems, the application provides a device detection method that can combine the abnormality rate features and the application installation order features respectively corresponding to a plurality of applications to be analyzed installed on a device to be detected, determine the sub-application features respectively corresponding to each application to be analyzed, and construct the application features corresponding to the device to be detected from the sub-application features corresponding to the plurality of applications to be analyzed.
It will be appreciated that the method may be applied to a computer device capable of device detection, for example a terminal device or a server. The method can be executed independently by the terminal device or the server, or can be applied to a network scenario in which the terminal device and the server communicate and be executed by the two in cooperation. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN, and big data and artificial intelligence platforms. The terminal may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, etc. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the present application is not limited herein.
Cloud technology is a generic term for the network technology, information technology, integration technology, management platform technology, application technology and the like that are applied based on the cloud computing business model. It can form a resource pool that is used on demand, and is flexible and convenient. Cloud computing technology will become an important support. The background services of technical network systems, such as video websites, picture websites and other portal websites, require a large amount of computing and storage resources. With the rapid development and application of the internet industry, each item may in the future have its own identification mark, which needs to be transmitted to a background system for logical processing; data of different levels will be processed separately, and all kinds of industry data need strong backend system support, which can only be realized through cloud computing.
The application can relate to the field of cloud computing in cloud technology, cloud computing (cloud computing) is a computing mode, and distributes computing tasks on a resource pool formed by a large number of computers, so that various application systems can acquire computing power, storage space and information service according to requirements. The network that provides the resources is referred to as the "cloud". Resources in the cloud are infinitely expandable in the sense of users, and can be acquired at any time, used as needed, expanded at any time and paid for use as needed.
As a basic capability provider of cloud computing, a cloud computing resource pool (a cloud platform for short, generally referred to as an IaaS (Infrastructure as a Service) platform) is established, in which multiple types of virtual resources are deployed for external clients to select and use.
According to the logical function division, a PaaS (Platform as a Service) layer can be deployed on an IaaS (Infrastructure as a Service) layer, and a SaaS (Software as a Service) layer can be deployed above the PaaS layer, or the SaaS can be deployed directly on the IaaS. PaaS is a platform on which software runs, such as a database or a web container. SaaS is a wide variety of business software, such as web portals and SMS mass senders. Generally, SaaS and PaaS are upper layers relative to IaaS.
When the abnormal probability of the equipment to be detected is analyzed, the application installation information can be uploaded to the cloud server, and the abnormal probability corresponding to the equipment to be detected is determined through cloud computing technology.
The present application may also relate to the field of artificial intelligence (AI), which is the theory, methods, techniques and application systems that use a digital computer or a machine controlled by a digital computer to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results. In other words, artificial intelligence is a comprehensive technology of computer science that attempts to understand the essence of intelligence and to produce a new kind of intelligent machine that can react in a way similar to human intelligence. Artificial intelligence studies the design principles and implementation methods of various intelligent machines, so that the machines have the functions of sensing, reasoning and decision-making.
Artificial intelligence technology is a comprehensive discipline that covers a wide range of fields, including both hardware-level and software-level technologies. Artificial intelligence infrastructure technologies generally include sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. Artificial intelligence software technologies mainly include computer vision, speech processing, natural language processing and machine learning/deep learning.
For example, the present application may relate to machine learning (ML) technology, which is a multi-domain interdisciplinary subject involving probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory and other disciplines. It studies how a computer simulates or implements human learning behavior to acquire new knowledge or skills, and reorganizes existing knowledge structures to continuously improve its own performance. Machine learning is the core of artificial intelligence and the fundamental way to give computers intelligence, and it is applied throughout the various areas of artificial intelligence. Machine learning and deep learning typically include techniques such as artificial neural networks, belief networks, reinforcement learning, transfer learning, inductive learning and learning from demonstration. The anomaly analysis model used in the present application can be obtained through training with machine learning technology.
The present application may also relate to an intelligent traffic system (ITS), also called an intelligent transportation system, which is a comprehensive transportation system that effectively and comprehensively applies advanced technologies (information technology, computer technology, data communication technology, sensor technology, electronic control technology, automatic control theory, operations research, artificial intelligence and the like) to transportation, service control and vehicle manufacturing, and strengthens the connection among vehicles, roads and users, thereby guaranteeing safety, improving efficiency, improving the environment and saving energy.
The technology of the present application can be applied to a vehicle-mounted terminal to accurately analyze whether the vehicle-mounted terminal will be used to execute abnormal behavior, thereby further guaranteeing the safety of vehicle operation.
To facilitate understanding of the technical solution provided by the present application, a device detection method provided by an embodiment of the present application is described below in conjunction with an actual application scenario.
Referring to fig. 1, fig. 1 is a schematic diagram of a device detection method in an actual application scenario, in which the computer device may be a server 101 that performs device detection.
As shown in fig. 1, when detecting whether a device to be detected is to be used for executing abnormal behavior, the server 101 may first obtain application installation information corresponding to the device to be detected, where the application installation information is used to identify a plurality of applications to be analyzed installed in the device to be detected, and the applications include application 1, application 2, …, and application N.
It should be emphasized that the application installation information is obtained only on the premise that the user corresponding to the device to be detected is informed and gives permission. On the one hand, the application installation information may be actively submitted to the server 101 by the user. For example, if the user wants to detect the probability that the device to be detected is used for executing abnormal behavior, the user may actively upload the application installation information corresponding to the device to be detected, so that the server 101 returns the abnormality probability to the user. On the other hand, the server 101 may actively acquire the application installation information from the user, but in doing so the server 101 requests the user's authorization to acquire it. For example, an authorization confirmation interface may be displayed to the user through the device to be detected; the interface may include the prompt "whether to allow acquisition of the application installation information" together with "yes" and "no" controls. If the user clicks the "yes" control, the user allows the server 101 to acquire the application installation information corresponding to the device to be detected, and the server 101 starts to acquire it. Otherwise, if the user clicks the "no" control, the user does not allow the acquisition, and the server 101 does not acquire the application installation information corresponding to the device to be detected.
The server 101 may determine a sub-application feature corresponding to each application to be analyzed, where the sub-application feature characterizes the abnormality rate feature and the application installation order feature corresponding to that application. Taking application 1 as an example, the abnormality rate corresponding to application 1 can be determined from the total number of devices on which application 1 is installed and the number of such devices used for executing abnormal behavior, and the installation order of application 1 in a plurality of devices reflects the application installation order feature of application 1. The sub-application feature corresponding to application 1 can be determined by combining these two kinds of information.
The application feature corresponding to the device to be detected can be determined by combining the sub-application features respectively corresponding to the N applications. The application feature characterizes the overall abnormality rate feature of the plurality of applications to be analyzed installed on the device to be detected and the relevance of those applications in application installation order, so whether the device to be detected will be used for executing abnormal behavior can be accurately analyzed according to the application feature, and the abnormality probability corresponding to the device to be detected can be determined. The abnormality probability identifies the probability that the device to be detected is used for executing abnormal behavior. The present application can therefore use objective data that can be collected automatically to analyze the abnormality probability of the device to be detected automatically and accurately, without manual participation or reliance on manual experience, which improves the efficiency of device detection.
Next, a device detection method provided by an embodiment of the present application is described with reference to the accompanying drawings.
Referring to fig. 2, fig. 2 is a flowchart of a device detection method according to an embodiment of the present application, in which the computer device may be any computer device having a device detection function. The method includes:
S201: Acquire the application installation information corresponding to the device to be detected.
The application installation information is used for identifying a plurality of applications to be analyzed installed in the device to be detected. The applications to be analyzed may be all applications installed in the device to be detected, or may be a subset selected from the installed applications according to certain requirements, which is not limited herein. The device to be detected may be any device on which applications are installed, for example, a mobile phone or a computer.
S202: Determine the sub-application feature corresponding to the target application.
To achieve automated and accurate detection of a device, it is first necessary to determine the information dimensions that can characterize the probability that the device is used to perform abnormal behavior. In the present application, the computer device can perform abnormality probability analysis on the device based on features in two dimensions: the abnormality rate of an application and the application installation order of an application.
The principle is as follows. First, the abnormality rate of an application refers to the probability that a device on which the application is installed is used to perform abnormal behavior. It is an objective value that can be obtained by collecting the abnormal behavior execution status of the devices on which the application is installed. It is understood that the abnormality rate of an application reflects, to a certain extent, the probability that a device on which the application is installed is used to perform abnormal behavior. For example, if a plurality of applications installed in the device to be detected all have a high abnormality rate, the probability that the device to be detected is used to perform abnormal behavior is also high to a certain extent.
Second, the application installation order of an application can also characterize, to some extent, the probability that the device is used to perform abnormal behavior. For example, a certain abnormal behavior may require a plurality of applications to cooperate, where a certain application is installed under the guidance of a previously installed application, so that in a device used for executing the abnormal behavior that application is generally installed after the previous application. On this basis, the probability that a device on which these applications are installed is used to execute abnormal behavior can be analyzed by analyzing the correlations between the application installation orders respectively corresponding to the applications. In summary, by combining the features of the two dimensions, the probability that the device is used to perform abnormal behavior can be analyzed more accurately.
In addition, the features of the two dimensions used in the present application can be obtained by the computer device through analysis of existing data. They are existing objective data, so they characterize the applications objectively and accurately, and they satisfy the requirement that the data used for automatic device detection be objective, so the computer device does not need any subjective analysis capability.
Based on the above, when performing device detection, the computer device can combine the features of the two dimensions to obtain the sub-application feature corresponding to each application to be analyzed. Taking a target application as an example, the sub-application feature corresponding to the target application is determined based on the abnormality rate corresponding to the target application and the application installation orders respectively corresponding to the target application in a plurality of devices. The target application may be any one of the plurality of applications to be analyzed, the abnormality rate represents the probability that a device on which the target application is installed is used for executing abnormal behavior, and the sub-application feature represents the abnormality rate feature corresponding to the target application and its application installation order feature in the plurality of devices. The plurality of devices are used for analyzing the application installation order feature of the target application, the application installation order refers to the order in which applications are installed in a device, and the plurality of devices may be any devices on which a plurality of applications including the target application are installed.
S203: Determine the application feature corresponding to the device to be detected according to the sub-application features respectively corresponding to the plurality of applications to be analyzed.
Each sub-application feature represents the abnormality rate feature and the application installation order feature of the corresponding application. The application feature determined by combining the sub-application features respectively corresponding to the plurality of applications to be analyzed therefore represents, from the perspective of all the applications installed on the device to be detected, the overall abnormality rate feature of the installed applications and the relevance between the installed applications in application installation order. Both kinds of features characterize the probability that a device is used for executing abnormal behavior, so the application feature can be used to analyze the probability that the device to be detected is used for executing abnormal behavior.
S204: Determine the abnormality probability corresponding to the device to be detected according to the application feature.
The abnormality probability is used to identify the probability that the device to be detected is used to perform abnormal behavior. Through the abnormality probability, the computer device can therefore distinguish whether the device to be detected is a device for executing abnormal behavior and obtain a detection result for the device to be detected, so that the device to be detected can be processed according to the detection result and the security of device use and application use is ensured.
According to the above technical solution, in order to accurately detect devices used for executing abnormal behavior without depending on human participation and human experience, the probability that a device on which multiple applications are installed is used for executing abnormal behavior can be analyzed based on the known abnormality rates of the applications and the installation order features of the applications in devices. The present application can analyze the abnormality probability of the device to be detected automatically based on known objective data such as the abnormality rate and the application installation order. While ensuring analysis accuracy, it does not rely on human experience, so the analysis efficiency is relatively higher, the analysis range is wider, labor cost is reduced, and the approach is better suited to an environment in which applications are updated quickly. In addition, the present application performs abnormality detection on the device based on the plurality of applications installed on the device to be detected as a whole, so even if the device contains specific applications that cannot be accurately analyzed, the device can still be analyzed in combination with the other applications, which means the detection has few limitations and high applicability.
Next, the steps of the above device detection method are described in detail.
The sub-application feature corresponding to an application can be determined from the features in the two dimensions in a variety of ways. In one possible implementation, the computer device may use a word vector model (word to vector, abbreviated as Word2vec), which can accurately analyze and characterize the contextual links between multiple words in a sentence, to accurately characterize the relevance of different applications in application installation order.
In this implementation, the sub-application features corresponding to the target application may be determined by:
First, the computer device may determine abnormality rate information corresponding to the target application according to the abnormality rate corresponding to the target application, where the abnormality rate information is used to characterize the abnormality rate corresponding to the target application. For example, the abnormality rate information may be the abnormality rate of the target application itself, or may be other information determined based on the abnormality rate.
The computer device may determine feature information corresponding to a target device according to the abnormality rate information corresponding to each of a plurality of applications installed in the target device and the application installation order of the plurality of applications in the target device. The feature information includes the abnormality rate information corresponding to each of the plurality of applications, arranged in the application installation order of the plurality of applications in the target device. The target device may be any one of the plurality of devices, and the plurality of applications includes the target application. In this way, the feature information represents both the abnormality rates corresponding to the applications and their application installation order in the target device.
The word vector model is able to accurately analyze and characterize the contextual links among the words in a sentence, and the feature information is composed of multiple pieces of abnormality rate information. Each piece of abnormality rate information can therefore be regarded as a word and each piece of feature information as a sentence. The feature information corresponding to the plurality of devices is input into the word vector model to determine the sub-application features corresponding to the plurality of applications: the word vector model takes the feature information as sentence units and the abnormality rate information as word units, and determines the feature corresponding to each piece of abnormality rate information. The sub-application feature corresponding to the target application is the feature corresponding to the abnormality rate information of the target application. When the word vector model determines the feature corresponding to a word, it does so based on the content of the word and the distribution of the word in sentences. In the present application, the content of the word represents the abnormality rate of an application and the distribution of the word in the sentence represents the application installation order of the application, so the feature determined in this way for a piece of abnormality rate information combines the abnormality rate feature represented by that information with the application installation order feature of the application, and the sub-application feature corresponding to the target application can thus be determined.
It can be understood from the analysis principle of the word vector model that the model determines a corresponding feature for each distinct piece of abnormality rate information, and the abnormality rate corresponding to each application may be different. When the abnormality rate information corresponding to each application is different, the number of samples corresponding to each piece of abnormality rate information is small, and it may be difficult for the word vector model to extract accurate features.
Based on this, in one possible implementation, in order to help the word vector model extract features accurately and to provide it with sufficient analysis samples for each piece of abnormality rate information, the computer device may, when determining the abnormality rate information, classify the applications based on their abnormality rates so that applications with similar abnormality rates correspond to the same abnormality rate information. This increases the number of samples corresponding to each piece of abnormality rate information.
The computer device may divide a plurality of abnormality rate intervals, where each abnormality rate interval has a corresponding interval identifier, and the interval identifiers corresponding to different abnormality rate intervals are different. When determining the abnormality rate information corresponding to the target application according to the abnormality rate corresponding to the target application, the computer device may determine, among the plurality of abnormality rate intervals, the target abnormality rate interval in which the abnormality rate of the target application falls, and then determine the interval identifier corresponding to the target abnormality rate interval as the abnormality rate information corresponding to the target application. Applications whose abnormality rates fall in the same interval therefore correspond to the same interval identifier, so the same abnormality rate information applies to a plurality of applications with relatively close abnormality rates, which enriches the number of application samples corresponding to the same abnormality rate information.
On the one hand, the abnormality rate information is still determined based on the abnormality rate of the application, and when the abnormality rates corresponding to different applications differ greatly, they fall in different abnormality rate intervals and correspond to different abnormality rate information. This preserves the ability of the abnormality rate information to distinguish differences in abnormality rate, so it can still represent the abnormality rate of an application fairly accurately. On the other hand, the number of analysis samples corresponding to a single piece of abnormality rate information is increased and the total number of kinds of abnormality rate information is reduced, which helps the word vector model learn the features of each piece of abnormality rate information more fully and finely, improves the accuracy of the determined sub-application features, and helps the model converge quickly.
The following table shows one method of dividing the abnormality rate intervals. The division yields a number of boxes, each box corresponds to one abnormality rate interval, and the number of the box is the abnormality rate information.
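The construction described above, from per-application abnormality rates to interval identifiers to per-device feature information, as an added Python example that is not part of the patent text. The device records, application names and interval boundaries are constructed assumptions (the page does not reproduce the patent's interval table); the resulting token lists are what would be passed to a word vector model as sentences.

```python
from bisect import bisect_right
from collections import Counter, defaultdict

# Constructed sample data: device id -> (used for abnormal behavior?,
# applications in the order they were installed). All names are hypothetical.
DEVICES = {
    "d1": (True,  ["maps", "vpn_x", "cloner", "wallet_y"]),
    "d2": (True,  ["vpn_x", "cloner", "wallet_y", "chat"]),
    "d3": (True,  ["chat", "vpn_x", "cloner"]),
    "d4": (False, ["maps", "chat", "notes"]),
    "d5": (False, ["notes", "maps", "vpn_x"]),
    "d6": (False, ["chat", "maps", "notes", "music"]),
}

# Assumed interval boundaries: [0, 0.1), [0.1, 0.3), [0.3, 0.6), [0.6, 1].
BIN_EDGES = [0.1, 0.3, 0.6]


def abnormality_rates(devices):
    """Per application: abnormal devices with the app / all devices with the app."""
    installed = defaultdict(int)
    abnormal = defaultdict(int)
    for is_abnormal, apps in devices.values():
        for app in set(apps):  # count each device once per application
            installed[app] += 1
            abnormal[app] += int(is_abnormal)
    return {app: abnormal[app] / installed[app] for app in installed}


def interval_id(rate, edges=BIN_EDGES):
    """Map an abnormality rate to the identifier of the interval it falls in."""
    if not 0.0 <= rate <= 1.0:
        raise ValueError(f"abnormality rate out of range: {rate}")
    return f"bin_{bisect_right(edges, rate)}"


def feature_information(devices, rates):
    """One 'sentence' per device: interval identifiers in installation order."""
    return {
        dev: [interval_id(rates[app]) for app in apps]
        for dev, (_, apps) in devices.items()
    }


def samples_per_token(sentences):
    """How many training samples each interval identifier contributes."""
    return Counter(tok for sent in sentences.values() for tok in sent)


if __name__ == "__main__":
    rates = abnormality_rates(DEVICES)
    sentences = feature_information(DEVICES, rates)
    for dev, sent in sentences.items():
        print(dev, " ".join(sent))
    # Binning shrinks the vocabulary from one token per application
    # to one token per interval, so each token has more samples.
    print(len(rates), "applications ->", len(samples_per_token(sentences)), "tokens")
    print(dict(samples_per_token(sentences)))
```
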
In this way, the feature corresponding to each interval identifier can be determined, and each interval identifier corresponds to one abnormality rate interval. Because the feature corresponding to each interval identifier is determined based on all samples in one abnormality rate interval, it represents more accurately the characteristics of the applications in that interval in the two dimensions of abnormality rate and application installation order. Thus, when a sub-application feature needs to be determined for a new application, in one possible implementation the computer device may determine it directly from the features corresponding to the interval identifiers of the intervals, without performing a new analysis based on the abnormality rate and the application installation order of the application.
For example, in performing step S202, the computer device may perform steps S2021-S2022 (not shown), steps S2021-S2022 being one possible implementation of step S202, including:
S2021: Determine, among the plurality of abnormality rate intervals, the target abnormality rate interval corresponding to the abnormality rate of the target application.
It should be emphasized that this implementation is performed on the premise that the features corresponding to the respective abnormality rate intervals are known. In this embodiment, the computer device does not need to analyze the features of the target application in the two dimensions of abnormality rate and application installation order; it can directly determine the abnormality rate corresponding to the target application and then determine the target abnormality rate interval corresponding to the target application.
S2022: Determine the feature corresponding to the interval identifier of the target abnormality rate interval as the sub-application feature corresponding to the target application.
With this method, the sub-application feature corresponding to each application can be determined without repeating feature extraction for the same application or for applications in the same abnormality rate interval, so the accuracy of the sub-application features is ensured while the efficiency of device detection is improved to a certain extent. For example, when a new device to be detected is obtained, the computer device may determine the sub-application features of its installed applications directly from their abnormality rates and the mapping between abnormality rate intervals and features, which simplifies the feature extraction step.
In addition, the manner of determining the application features corresponding to the device to be detected based on the sub-application features respectively corresponding to the plurality of applications to be analyzed may also include a plurality of ways. In one possible implementation manner, when performing step S203, the computer device may perform step S2031 (not shown in the figure), where step S2031 is one possible implementation manner of step S203, including:
S2031: Determine the average value of the sub-application features respectively corresponding to the plurality of applications to be analyzed as the application feature corresponding to the target device.
Averaging the sub-application features respectively corresponding to the applications to be analyzed fuses the features of those applications in the two dimensions of abnormality rate and application installation order, so the resulting application feature effectively represents the overall abnormality rate feature and application installation order feature of the applications installed on the device to be detected and can be used to analyze the abnormality probability of the device to be detected.
As described above, the order in which a plurality of applications are installed in a device can characterize, to some extent, whether the device is to be used to perform abnormal behavior. For example, performing a certain abnormal behavior may require using a plurality of applications in a certain order, so those applications may be installed in a certain order, and whether the device is to be used to perform abnormal behavior can then be analyzed based on a specific application installation order among the applications. Based on this, in one possible implementation, in order to analyze more accurately from the application feature the probability that the device to be detected is used to perform abnormal behavior, the computer device may incorporate the actual application installation order of the plurality of applications to be analyzed in the device to be detected into the application feature.
The computer device may first determine the target application installation order corresponding to the plurality of applications to be analyzed in the device to be detected, where the target application installation order is the order in which the plurality of applications to be analyzed were installed on the device to be detected. The target application installation order may be determined based on the application installation information, or may be determined based on other information.
In performing step S203, the computer device may perform step S2032 (not shown in the figure), where step S2032 is one possible implementation of step S203, and includes:
S2032: Determine the application feature corresponding to the target device according to the target application installation order and the sub-application features respectively corresponding to the plurality of applications to be analyzed.
In the application feature corresponding to the target device, the sub-application features respectively corresponding to the applications to be analyzed are distributed in an order that matches the target application installation order. That is, the computer device can arrange and splice the sub-application features of the applications to be analyzed according to their precedence in the target application installation order, to obtain the application feature corresponding to the device to be detected. Through the sub-application features themselves, the application feature characterizes the overall abnormality rate feature and application installation order feature of the applications installed on the device to be detected, and through the order in which the sub-application features are distributed, it characterizes the application installation order of the applications to be analyzed in the device to be detected, which enables a more accurate analysis of whether the device to be detected is used for executing abnormal behavior.
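The lookup in S2021-S2022 and the two aggregation options S2031 and S2032, side by side, as an added Python example that is not part of the patent text. The interval boundaries, the three-dimensional feature vectors (a constructed stand-in for the output of a trained word vector model), and the fixed length with zero padding in the order-preserving variant are all assumptions.

```python
from bisect import bisect_right

# Assumed interval boundaries: [0, 0.1), [0.1, 0.3), [0.3, 0.6), [0.6, 1].
BIN_EDGES = [0.1, 0.3, 0.6]

# Constructed stand-in for the per-interval features a trained word vector
# model would produce; real vectors would be learned, not hand-written.
BIN_FEATURES = {
    "bin_0": [0.0, 1.0, 0.0],
    "bin_1": [0.5, 0.5, 0.0],
    "bin_2": [0.5, 0.0, 0.5],
    "bin_3": [1.0, 0.0, 1.0],
}
DIM = 3


def sub_app_feature(rate):
    """S2021-S2022: find the interval of the rate, then reuse its known feature."""
    if not 0.0 <= rate <= 1.0:
        raise ValueError(f"abnormality rate out of range: {rate}")
    return BIN_FEATURES[f"bin_{bisect_right(BIN_EDGES, rate)}"]


def mean_feature(rates_in_install_order):
    """S2031: element-wise mean of the sub-application features."""
    vecs = [sub_app_feature(r) for r in rates_in_install_order]
    if not vecs:
        raise ValueError("device has no applications to analyze")
    return [sum(col) / len(vecs) for col in zip(*vecs)]


def ordered_feature(rates_in_install_order, max_apps=4):
    """S2032: splice sub-application features in the device's installation order.

    Assumption: a downstream model needs a fixed-length input, so the result
    keeps the first max_apps applications and is zero-padded to max_apps * DIM.
    """
    vecs = [sub_app_feature(r) for r in rates_in_install_order][:max_apps]
    flat = [x for vec in vecs for x in vec]
    return flat + [0.0] * (max_apps * DIM - len(flat))


if __name__ == "__main__":
    # Constructed input: the same three applications, installed in opposite order.
    device_a = [0.25, 0.75, 1.0]
    device_b = [1.0, 0.75, 0.25]
    print("mean A   ", mean_feature(device_a))
    print("mean B   ", mean_feature(device_b))
    print("ordered A", ordered_feature(device_a))
    print("ordered B", ordered_feature(device_b))
```

The mean is identical for two devices that installed the same applications in opposite order, whereas the spliced feature differs, so only the S2032 variant carries the device's own installation order into the abnormality probability analysis.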
Further, in one possible implementation, in order to analyze in a more targeted way, based on the application installation order, whether a device is used to perform abnormal behavior, the computer device may make the extracted features of the application installation order dimension more specific to devices used for executing abnormal behavior.
For example, in this implementation, when the sub-application feature corresponding to the target application is determined, the feature of the application installation order dimension is extracted based on the application installation orders respectively corresponding to the target application in the plurality of devices. So that the sub-application feature accurately represents the application installation order feature of the target application when it is used to execute abnormal behavior, the plurality of devices may be devices used for executing abnormal behavior. The sub-application feature determined in this way therefore accurately represents the application installation order feature of the target application in a device when the device on which the target application is installed is used for executing abnormal behavior.
Furthermore, the application feature characterizes the actual application installation order of the plurality of applications to be analyzed in the device to be detected, and the sub-application features included in the application feature characterize the application installation order features of those applications in devices used for executing abnormal behavior. Whether the device to be detected is used for executing abnormal behavior can therefore be detected in a more targeted way by comparing these two application installation orders. For example, if analysis of the application feature shows that the actual application installation order of the plurality of applications to be analyzed in the device to be detected is close to their application installation order in devices used for executing abnormal behavior, it can be determined that the device to be detected has a higher probability of being used for executing abnormal behavior.
The above describes various ways of extracting application features. Next, how to select the applications to be analyzed for the abnormality probability analysis of the device to be detected will be described in detail.
It can be understood that the method works from the application perspective: it analyzes how strongly each application to be analyzed indicates whether the device to be detected is used to perform abnormal behavior, and from this determines the probability that the device to be detected is used to perform abnormal behavior.
In performing step S201, the computer device may perform steps S2011-S2012 (not shown in the figures), where steps S2011-S2012 are one possible implementation of step S201, and include:
S2011: Acquire initial application installation information corresponding to the device to be detected.
The initial application installation information is used to identify a plurality of installed applications corresponding to the device to be detected. The plurality of installed applications may be all applications installed in the device to be detected, and the plurality of applications to be analyzed are applications determined from the plurality of installed applications.
S2012: According to the characterization strength information respectively corresponding to the plurality of installed applications and a preset threshold, determine, from the plurality of installed applications, a plurality of applications to be analyzed that have a greater characterization strength for whether the device to be detected is used to perform abnormal behavior, and obtain the application installation information corresponding to the device to be detected.
The characterization strength information is used to characterize how strongly an installed application indicates whether the device to be detected is used to perform abnormal behavior. It may be of various types, described in detail below. To accurately analyze, based on the applications to be analyzed, the probability that the device to be detected is used to perform abnormal behavior, the computer device may set a preset threshold in advance. The preset threshold is used to determine the applications to be analyzed that have a greater characterization strength for whether the device to be detected is used to perform abnormal behavior. By combining the characterization strength information respectively corresponding to the plurality of installed applications with the preset threshold, a plurality of applications with stronger characterization strength can be determined from the plurality of installed applications and used as the applications to be analyzed for abnormality detection of the device to be detected. After determining the applications to be analyzed, the computer device may obtain application installation information that identifies these applications.
The characterization strength information can be of various types, depending on how the characterization strength is determined.
First, it can be understood that applications used to perform abnormal behavior are disabled and deleted once they are detected, so this kind of application turns over quickly on a device; that is, an application used to perform abnormal behavior is lost a short time after it is installed. To some extent, therefore, an application used to perform abnormal behavior is generally one recently installed in the device to be detected.
Based on this, in one possible implementation, the characterization strength information includes installed duration information respectively corresponding to the plurality of installed applications, the installed duration information is used to identify how long the installed application has been installed in the device to be detected, and the preset threshold may include an installed duration threshold. From the above analysis, in general, the longer the installed duration, i.e., the earlier the application was installed, the smaller its characterization strength for whether the device to be detected is used to perform abnormal behavior. Thus, in performing step S2012, the computer device may perform step S20121 (not shown in the figures), step S20121 being one possible implementation of step S2012, including:
S20121: According to the installed duration information respectively corresponding to the plurality of installed applications and the installed duration threshold, determine, from the plurality of installed applications, a plurality of applications to be analyzed whose installed duration does not exceed the installed duration threshold.
In this way, the computer device can screen recently installed applications out of the plurality of installed applications for analysis. For example, the installed duration threshold can be set to N days, and the applications installed within N days are then selected as the applications to be analyzed, which have a strong characterization strength.
Further, since devices used to perform abnormal behavior account for a small proportion of all devices, an application used to perform abnormal behavior generally has low usage popularity: the number of devices on which the abnormal application is installed is small, and the number of times it has been installed is small. Based on this, in another possible implementation, the computer device may analyze an application's characterization strength for whether the device to be detected is used to perform abnormal behavior based on the usage popularity of the application.
In this implementation, the characterization strength information may include installation count information respectively corresponding to the plurality of installed applications, where the installation count information is used to identify the number of installations of the installed application, and the preset threshold includes an installation count threshold. In general, the more times an application has been installed, the more devices use it, the higher its usage popularity, the lower the probability that it is used to perform abnormal behavior, and therefore the lower its characterization strength. Based on this, in performing step S2012, the computer device may perform step S20122 (not shown in the figures), step S20122 being one possible implementation of step S2012, including:
S20122: According to the installation count information respectively corresponding to the plurality of installed applications and the installation count threshold, determine, from the plurality of installed applications, a plurality of applications to be analyzed whose installation count does not exceed the installation count threshold.
In this way, the computer device can select, from the installed applications, the applications with low usage popularity as the applications to be analyzed. These applications have a relatively higher probability of being used to perform abnormal behavior, and therefore a stronger characterization strength for whether the device to be detected is used to perform abnormal behavior.
In addition to the above, the computer device may also screen applications in a variety of other ways, which are not limited herein. For example, when the initial application installation information is obtained, the computer device may screen out applications whose corresponding information is incomplete, because the information corresponding to such an application may contain errors, which makes it difficult to accurately analyze the characterization strength of the application.
The abnormality rate may be determined in a number of ways. In one possible implementation, the anomaly rate corresponding to the target application may be determined as follows:
The computer device may first obtain a plurality of installed devices on which the target application is installed, then determine the total number of the plurality of installed devices and the number of devices among them that are used to perform abnormal behavior, and determine the abnormality rate corresponding to the target application from the ratio of the number of devices used to perform abnormal behavior among the plurality of installed devices to the total number of the plurality of installed devices. This ratio indicates the probability that a device on which the target application is installed is used to perform abnormal behavior. The abnormality rate can therefore be determined through data collection without manual analysis, which avoids dependence on manual experience.
Next, the analysis process of the anomaly probability will be described in detail.
In one possible implementation, to improve the accuracy of the anomaly probability analysis, the computer device may use model training to construct a model that determines the anomaly probability from the application features, relying on the model's fine-grained, high-precision feature analysis to obtain a more accurate anomaly probability.
In performing step S204, the computer device may perform step S2041 (not shown in the figure), step S2041 being one possible implementation of step S204, including:
S2041: Determine, through an anomaly analysis model, the anomaly probability corresponding to the device to be detected according to the application features.
The anomaly analysis model is used for determining anomaly probabilities corresponding to the equipment according to the application characteristics of the equipment.
Specifically, the anomaly analysis model may be trained by:
First, the computer device can acquire a sample device set, where the sample device set includes a plurality of sample devices, and each of the plurality of sample devices has a corresponding application feature and device label. The device label is used to identify whether the sample device is used to perform abnormal behavior. The application features of the sample devices have the same characterizing function and are determined in the same way as the application features described above, and characterize the overall features of the sample device in the two dimensions of abnormality rate and application installation order.
The computer device may take each of the plurality of sample devices in turn as a target sample device and determine, through an initial anomaly detection model (i.e., the anomaly detection model before model training), a pending device label corresponding to the target sample device according to the application feature corresponding to the target sample device. The pending device label is determined from the probability, determined by the initial anomaly detection model, that the target sample device is used to perform abnormal behavior. That is, the initial anomaly detection model first analyzes, based on the application feature, the probability that the target sample device is used to perform abnormal behavior (for example, this may be the result output by the model at its output layer), and then determines the pending device label corresponding to the target sample device based on that probability. For example, the label may be determined by the model from the probability output by the output layer and a specific value used for determining the label: if the probability is greater than the specific value, the pending device label indicates that the device is used to perform abnormal behavior; otherwise it indicates that the device is not. The pending device label is the initial anomaly detection model's analysis result for whether the target sample device is used to perform abnormal behavior.
Because the device label corresponding to the target sample device identifies whether the target sample device is actually used to perform abnormal behavior, the difference between the pending device label and the device label corresponding to the target sample device reflects how accurately the initial anomaly detection model analyzes whether the target sample device is used to perform abnormal behavior, and therefore how accurately it determines the anomaly probability based on the application features. The computer device can thus adjust the model parameters of the initial anomaly detection model according to the difference between the pending device label and the device label corresponding to the target sample device, so that the pending device label that the initial anomaly detection model determines from the application feature corresponding to the target sample device gradually approaches the device label corresponding to the target sample device.
After the anomaly probability corresponding to the device to be detected has been accurately analyzed in the above manner, the computer device can apply various targeted follow-up measures to the device to be detected based on the anomaly probability, so as to ensure the security of device use and application use. For example, in one possible manner, to guarantee security, some behaviors, such as loans, may be allowed only on devices with higher security.
Therefore, to ensure the security of these behaviors, when an execution request for such a behavior is acquired, the computer device may first analyze the security of the device according to the anomaly probability and then decide whether to allow the device to execute the behavior.
For example, the computer device may obtain an execution request of the device to be detected for a target behavior, the execution request being used to request that the target behavior be executed through the device to be detected. The computer device may set a preset probability threshold in advance for determining whether a device has a high probability of being used to perform abnormal behavior. When the execution request of the device to be detected for the target behavior is acquired and the anomaly probability corresponding to the device to be detected is greater than the preset probability threshold, the device to be detected has a higher probability of being used to perform abnormal behavior, so its risk is higher and its security is lower. In this case the computer device can reject the execution request to ensure the security of the target behavior. The target behavior can be any behavior executed through the device.
To facilitate understanding of the technical solution provided by the application, the device detection method provided by the embodiment of the application is described below in conjunction with an actual application scenario.
Referring to fig. 3, fig. 3 is a flowchart of a device detection method in an actual application scenario provided by an embodiment of the present application. In this actual application scenario, the computer device may be any computer device having a device detection function.
The method comprises the following steps:
S301: Acquire installation flow information corresponding to the device to be detected.
The installation flow information may identify various kinds of information, for example the applications installed in the device to be detected and the times at which they were installed. For example, the installation flow information may be cloud check flow data, whose contents may be as shown in the following table:
The above table includes cloud check (application installation) information corresponding to a plurality of devices. The application installation order among the plurality of applications is reflected by the first installation time. The plurality of devices can be used as devices to be detected in the embodiment of the present application, and a device identifier (Identity document, abbreviated as ID) is used to identify each device.
S302: Screen the plurality of applications installed on the device to be detected based on the installation flow information, and determine a plurality of applications to be analyzed.
The embodiment of the application can screen applications on three aspects:
in a first aspect, the computer device may select the applications installed within N days;
in a second aspect, the computer device can screen out applications with blank content in the installation flow information, since missing information makes such applications unreliable and prone to producing erroneous information;
in a third aspect, the computer device may screen out applications whose number of installations is greater than a preset value.
Combining the above three aspects, the computer device may determine, from the plurality of applications, the applications to be analyzed that have a strong characterization strength for whether the device to be detected is used to perform abnormal behavior. The information of the applications to be analyzed after screening is shown in the following table:
S303: Determine the abnormality rate intervals respectively corresponding to the plurality of applications to be analyzed, and the application installation order in the plurality of devices.
The abnormality rate of an application can be determined as follows:
Abnormality rate of an application = number of devices that installed the application and are used to perform abnormal behavior / total number of devices that installed the application
The abnormality rate intervals divided in the embodiment of the application may be as shown in the table. The plurality of devices can be any devices used for application analysis, and the computer device can determine the application installation order in the plurality of devices according to the acquired application installation times, where the application installation order is shown in the following table:
S304: Determine, through a word vector model, the feature corresponding to each interval identifier, based on the interval identifiers corresponding to the abnormality rate intervals and the application installation order.
The computer device may determine the abnormality rate interval corresponding to each application to be analyzed according to the abnormality rate corresponding to that application, and use the interval identifier corresponding to the interval as the abnormality rate information corresponding to that application, as shown in the following table:
Then, the application names in the application installation order information of the plurality of devices are replaced by the corresponding abnormality rate information, so that the feature information corresponding to each device is obtained, as shown in the following table:
The feature information corresponding to each device is input into the word vector model, so that the M-dimensional feature corresponding to each piece of abnormality rate information (namely each interval identifier) can be obtained, as shown in the following table:
S305: Determine the sub-application feature corresponding to each application to be analyzed based on the abnormality rate interval corresponding to that application.
The computer device may take the M-dimensional feature corresponding to the abnormality rate interval of each application to be analyzed as the sub-application feature corresponding to that application.
S306: Determine the application feature corresponding to the device to be detected according to the sub-application features respectively corresponding to the plurality of applications to be analyzed.
The construction process of the application feature may be as shown in fig. 4. For any device to be detected, the computer device may average, in each dimension, the M-dimensional features corresponding to the plurality of applications to be analyzed included in the device to be detected, so as to obtain the application feature corresponding to the device to be detected.
S307: Determine, through the anomaly detection model, the anomaly probability corresponding to the device to be detected according to the application feature.
The embodiment of the application uses a distributed gradient boosting library (XGBoost) model as the anomaly detection model to determine the anomaly probability corresponding to each device to be detected. For example, in the embodiment of the application, the anomaly probability can be represented by a risk score: the higher the risk score, the higher the probability that the device is used to perform abnormal behavior. The risk score determining process may be as shown in fig. 5: after determining the application feature corresponding to the device to be detected, the computer device may input the application feature into the XGBoost algorithm model to obtain the risk score corresponding to the device to be detected. The determined risk scores may be as shown in the following table:
S308: Manage the device to be detected according to the anomaly probability.
The computer device may grade the risk that each device to be detected is used to perform abnormal behavior based on the risk score, as shown in the following table:
The results after grading can be shown in the following table:
For highly suspicious devices, when such a device applies to execute certain applications, the online system detects and intercepts it in time; for devices with medium or low suspicion, real-time monitoring is the main measure, and interception is not performed for the time being. Managing devices by risk grade in this way ensures the security and stability of the execution of various behaviors.
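Steps S302 to S306 above can be followed end to end in the Python sketch below, which is an added example and not code from the patent. The installation records, device labels, interval boundaries, interval identifiers R0 to R3 and the 3-dimensional vectors (standing in for word vector model output) are all constructed, and counting installations as the number of distinct devices is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed installation flow records: (device ID, application, first installation time).
RECORDS = [
    ("dev1", "app_tool", "2023-10-05 10:00:00"),
    ("dev1", "app_farm", "2023-10-06 11:00:00"),
    ("dev1", "app_chat", "2023-10-07 12:00:00"),
    ("dev1", "app_old",  "2023-08-01 08:00:00"),
    ("dev2", "app_farm", "2023-10-04 09:00:00"),
    ("dev2", "app_tool", "2023-10-08 09:30:00"),
    ("dev2", "app_chat", "2023-10-08 10:00:00"),
    ("dev3", "app_chat", "2023-10-06 15:00:00"),
    ("dev3", "app_news", "2023-10-07 16:00:00"),
    ("dev3", "",         "2023-10-07 17:00:00"),  # record with blank content
    ("dev4", "app_news", "2023-10-05 08:00:00"),
    ("dev4", "app_chat", "2023-10-09 08:00:00"),
    ("dev4", "app_tool", "2023-10-09 09:00:00"),
]
ABNORMAL_DEVICES = {"dev1", "dev2"}  # constructed labels for devices known to be abnormal
# Assumed abnormality rate intervals: (inclusive upper bound, interval identifier).
INTERVALS = [(0.25, "R0"), (0.5, "R1"), (0.75, "R2"), (1.0, "R3")]
# Constructed M-dimensional features (M = 3) standing in for word vector model output.
VECTORS = {"R0": [0.0, 0.25, 0.5], "R1": [0.25, 0.25, 0.25],
           "R2": [0.5, 0.5, 0.0], "R3": [1.0, 0.75, 0.5]}

def complete(records):
    """Drop records with blank content and parse the installation time."""
    return [(dev, app, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
            for dev, app, ts in records if dev and app and ts]

def devices_per_app(records):
    """Map each application to the set of devices that installed it."""
    installs = defaultdict(set)
    for dev, app, _ in records:
        installs[app].add(dev)
    return installs

def anomaly_rates(records, abnormal_devices):
    """Abnormal devices that installed the app / all devices that installed it."""
    return {app: len(devs & abnormal_devices) / len(devs)
            for app, devs in devices_per_app(records).items()}

def interval_id(rate):
    """Return the identifier of the abnormality rate interval containing rate."""
    for upper, ident in INTERVALS:
        if rate <= upper:
            return ident
    raise ValueError(f"rate {rate} is outside [0, 1]")

def screen(records, now, n_days, max_installs):
    """Keep apps installed within n_days whose install count is at most max_installs."""
    installs = devices_per_app(records)
    cutoff = now - timedelta(days=n_days)
    return [r for r in records
            if r[2] >= cutoff and len(installs[r[1]]) <= max_installs]

def feature_sentences(records, rates):
    """Per device: interval identifiers of its applications in installation order."""
    by_device = defaultdict(list)
    for dev, app, _ in sorted(records, key=lambda r: r[2]):
        by_device[dev].append(interval_id(rates[app]))
    return dict(by_device)

def device_feature(sentence, vectors):
    """Average the sub-application features dimension by dimension."""
    rows = [vectors[ident] for ident in sentence]
    if not rows:
        raise ValueError("no application to be analyzed survived screening")
    return [sum(col) / len(rows) for col in zip(*rows)]

def build(records=RECORDS, now=datetime(2023, 10, 10), n_days=7, max_installs=3):
    full = complete(records)
    rates = anomaly_rates(full, ABNORMAL_DEVICES)   # computed over all complete records
    sentences = feature_sentences(screen(full, now, n_days, max_installs), rates)
    features = {dev: device_feature(s, VECTORS) for dev, s in sentences.items()}
    return rates, sentences, features

if __name__ == "__main__":
    rates, sentences, features = build()
    for dev in sorted(sentences):
        print(dev, sentences[dev], features[dev])
```

In a full pipeline the per-device identifier sequences would be the sentences used to train the word vector model, and the averaged vector would be the input to the anomaly detection model in S307.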
Based on the device detection method provided by the foregoing embodiment, the present application further provides a device detection apparatus, referring to fig. 6, fig. 6 is a block diagram of a device detection apparatus provided by the embodiment of the present application, where the apparatus 600 includes an obtaining unit 601, a first determining unit 602, a second determining unit 603, and a third determining unit 604:
the acquiring unit 601 is configured to acquire application installation information corresponding to a device to be detected, where the application installation information is used to identify a plurality of applications to be analyzed installed in the device to be detected;
the first determining unit 602 is configured to determine sub-application features corresponding to a target application, where the sub-application features corresponding to the target application are determined based on an anomaly rate corresponding to the target application and an application installation order corresponding to the target application in a plurality of devices, the target application is any one of the plurality of applications to be analyzed, the anomaly rate is used to represent a probability that a device in which the target application is installed is used to perform an anomaly, and the sub-application features are used to represent an anomaly rate feature corresponding to the target application and an application installation order feature in the plurality of devices;
The second determining unit 603 is configured to determine application features corresponding to the to-be-detected device according to sub-application features corresponding to the multiple to-be-analyzed applications respectively;
the third determining unit 604 is configured to determine, according to the application feature, an anomaly probability corresponding to the device to be detected, where the anomaly probability is used to identify a probability that the device to be detected is used to perform an anomaly action.
In one possible implementation, the sub-application feature corresponding to the target application is determined by:
determining abnormality rate information corresponding to the target application according to the abnormality rate corresponding to the target application, wherein the abnormality rate information is used for representing the abnormality rate corresponding to the target application;
determining feature information corresponding to a target device according to abnormality rate information respectively corresponding to a plurality of applications installed in the target device and application installation sequences of the plurality of applications in the target device, wherein the feature information comprises abnormality rate information respectively corresponding to a plurality of applications arranged in the application installation sequences of the plurality of applications in the target device, the target device is any device in the plurality of devices, and the plurality of applications comprise the target application;
inputting the feature information respectively corresponding to the plurality of devices into a word vector model, and determining the sub-application features respectively corresponding to the plurality of applications, wherein the word vector model takes the feature information as sentence units and the abnormality rate information as word units and determines the feature corresponding to each piece of abnormality rate information, and the sub-application feature corresponding to the target application is the feature corresponding to the abnormality rate information corresponding to the target application.
In a possible implementation manner, the apparatus further includes a dividing unit:
the dividing unit is used for dividing a plurality of abnormal rate intervals, each abnormal rate interval is provided with a corresponding interval identifier, and the interval identifiers corresponding to different abnormal rate intervals are different;
the determining the abnormality rate information corresponding to the target application according to the abnormality rate corresponding to the target application includes:
determining a target abnormal rate interval corresponding to the abnormal rate corresponding to the target application in the plurality of abnormal rate intervals;
and determining the section identifier corresponding to the target abnormal rate section as abnormal rate information corresponding to the target application.
In one possible implementation manner, the first determining unit 602 is specifically configured to:
determining the target abnormal rate interval corresponding to the abnormal rate corresponding to the target application in the plurality of abnormal rate intervals;
And determining the characteristics corresponding to the interval identification corresponding to the target abnormal rate interval as sub-application characteristics corresponding to the target application.
In a possible implementation manner, the second determining unit 603 is specifically configured to:
and determining the average value of the sub-application features corresponding to the plurality of applications to be analyzed as the application feature corresponding to the target equipment.
In a possible implementation manner, the apparatus further includes a fourth determining unit:
the fourth determining unit is configured to determine a target application installation order corresponding to the plurality of applications to be analyzed in the device to be detected;
the second determining unit 603 is specifically configured to:
and determining the application characteristics corresponding to the target equipment according to the target application installation sequence and the sub-application characteristics respectively corresponding to the plurality of applications to be analyzed, wherein the characteristic distribution sequence of the sub-application characteristics respectively corresponding to the plurality of applications to be analyzed in the application characteristics corresponding to the target equipment meets the target application installation sequence.
In one possible implementation, the plurality of devices are devices for performing abnormal behavior.
In one possible implementation manner, the acquiring unit 601 is specifically configured to:
Acquiring initial application installation information corresponding to the equipment to be detected, wherein the initial application installation information is used for identifying a plurality of installed applications corresponding to the equipment to be detected;
determining, from the plurality of installed applications, according to the characterization strength information respectively corresponding to the plurality of installed applications and a preset threshold, the plurality of applications to be analyzed that have a greater characterization strength for whether the device to be detected is used to perform abnormal behavior, and obtaining the application installation information corresponding to the device to be detected, wherein the characterization strength information is used to characterize how strongly an installed application indicates whether the device to be detected is used to perform abnormal behavior, and the preset threshold is used to determine the applications to be analyzed that have a greater characterization strength for whether the device to be detected is used to perform abnormal behavior.
In a possible implementation manner, the characterization strength information includes installed duration information corresponding to each of the plurality of installed applications, the installed duration information is used to identify an installed duration corresponding to the installed application in the device to be detected, the preset threshold includes an installed duration threshold, and the obtaining unit 601 is specifically configured to:
and determining the plurality of applications to be analyzed, of which the corresponding installed duration does not exceed the installed duration threshold, from the plurality of installed applications according to the installed duration information and the installed duration threshold respectively corresponding to the plurality of installed applications.
In a possible implementation manner, the characterization strength information includes installation times information corresponding to the plurality of installed applications, the installation times information is used for identifying the installation times corresponding to the installed applications, the preset threshold includes an installation times threshold, and the obtaining unit 601 is specifically configured to:
and determining the applications to be analyzed, of which the corresponding installation times do not exceed the installation times threshold value, from the plurality of installed applications according to the installation times information and the installation times threshold value respectively corresponding to the plurality of installed applications.
In one possible implementation, the anomaly rate corresponding to the target application is determined by:
acquiring a plurality of installed devices on which the target application is installed;
and determining the abnormality rate corresponding to the target application according to the ratio of the number of devices used for executing the abnormal behavior in the plurality of installed devices to the total number of devices of the plurality of installed devices.
In one possible implementation manner, the third determining unit 604 is specifically configured to:
determine, through an anomaly analysis model, the anomaly probability corresponding to the device to be detected according to the application features;
the anomaly analysis model is trained by:
acquiring a sample device set, wherein the sample device set comprises a plurality of sample devices, each of the plurality of sample devices has corresponding application features and a device label, and the device label identifies whether the sample device is used for executing abnormal behavior;
taking each of the plurality of sample devices in turn as a target sample device, and determining, through an initial anomaly detection model, a to-be-determined device label corresponding to the target sample device according to the application features corresponding to the target sample device, wherein the to-be-determined device label is determined from the probability, given by the initial anomaly detection model, that the target sample device is used for executing abnormal behavior;
and adjusting model parameters of the initial anomaly detection model according to the difference between the to-be-determined device label and the device label corresponding to the target sample device, to obtain the anomaly detection model.
In a possible implementation, the apparatus further includes an execution unit:
the execution unit is configured to, upon acquiring an execution request of the device to be detected for a target behavior, reject the execution request if the anomaly probability corresponding to the device to be detected is greater than a preset probability threshold, the execution request being used for requesting execution of the target behavior.
An embodiment of the present application also provides a computer device. Referring to fig. 7, the computer device may be a terminal device; a mobile phone is taken as an example of the terminal device:
Fig. 7 is a block diagram showing part of the structure of a mobile phone related to the terminal device provided by an embodiment of the present application. Referring to fig. 7, the mobile phone includes: radio frequency (RF) circuitry 710, memory 720, input unit 730, display unit 740, sensor 750, audio circuitry 760, wireless fidelity (WiFi) module 770, processor 780, and power supply 790. It will be appreciated by those skilled in the art that the handset structure shown in fig. 7 does not limit the handset, which may include more or fewer components than shown, combine certain components, or use a different arrangement of components.
The following describes the components of the mobile phone in detail with reference to fig. 7:
The RF circuit 710 may be configured to receive and transmit signals during messaging or a call; specifically, it receives downlink information from a base station and passes it to the processor 780 for processing, and it sends uplink data to the base station. Generally, RF circuitry 710 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (Low Noise Amplifier, LNA for short), a duplexer, and the like. In addition, the RF circuitry 710 may also communicate with networks and other devices via wireless communications. The wireless communication may use any communication standard or protocol, including but not limited to global system for mobile communications (Global System of Mobile communication, GSM for short), general packet radio service (General Packet Radio Service, GPRS for short), code division multiple access (Code Division Multiple Access, CDMA for short), wideband code division multiple access (Wideband Code Division Multiple Access, WCDMA for short), long term evolution (Long Term Evolution, LTE for short), email, short message service (Short Messaging Service, SMS for short), and the like.
The memory 720 may be used to store software programs and modules, and the processor 780 performs various functional applications and data processing of the handset by running the software programs and modules stored in the memory 720. The memory 720 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, application programs required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, phonebook, etc.) created according to the use of the handset, etc. In addition, memory 720 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The input unit 730 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the handset. In particular, the input unit 730 may include a touch panel 731 and other input devices 732. The touch panel 731, also referred to as a touch screen, may collect touch operations performed by a user on or near it (e.g., operations performed on or near the touch panel 731 with any suitable object or accessory such as a finger or a stylus), and drive the corresponding connection device according to a predetermined program. Optionally, the touch panel 731 may include two parts: a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation, and transmits the signal to the touch controller; the touch controller receives touch information from the touch detection device, converts it into touch point coordinates, sends them to the processor 780, and can receive and execute commands from the processor 780. In addition, the touch panel 731 may be implemented in various types such as resistive, capacitive, infrared, and surface acoustic wave. The input unit 730 may include other input devices 732 in addition to the touch panel 731. In particular, the other input devices 732 may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, etc.
The display unit 740 may be used to display information input by a user or information provided to the user and various menus of the mobile phone. The display unit 740 may include a display panel 741, and optionally, the display panel 741 may be configured in the form of a liquid crystal display (Liquid Crystal Display, LCD) or an Organic Light-Emitting Diode (OLED) or the like. Further, the touch panel 731 may cover the display panel 741, and when the touch panel 731 detects a touch operation thereon or thereabout, the touch operation is transferred to the processor 780 to determine the type of touch event, and then the processor 780 provides a corresponding visual output on the display panel 741 according to the type of touch event. Although in fig. 7, the touch panel 731 and the display panel 741 are two separate components to implement the input and output functions of the mobile phone, in some embodiments, the touch panel 731 and the display panel 741 may be integrated to implement the input and output functions of the mobile phone.
The handset may also include at least one sensor 750, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 741 according to the brightness of ambient light, and the proximity sensor may turn off the display panel 741 and/or the backlight when the mobile phone is moved to the ear. The accelerometer sensor can detect acceleration in all directions (generally three axes) and, when stationary, gravity and its direction; it can be used to recognize the attitude of the mobile phone (such as switching between landscape and portrait, related games, and magnetometer attitude calibration) and for vibration-recognition functions (such as a pedometer and tap detection). Other sensors that may also be configured in the mobile phone, such as gyroscopes, barometers, hygrometers, thermometers, and infrared sensors, are not described here.
Audio circuitry 760, speaker 761, and microphone 762 may provide an audio interface between a user and the mobile phone. The audio circuit 760 may convert received audio data into an electrical signal and transmit it to the speaker 761, which converts it into a sound signal for output; conversely, the microphone 762 converts collected sound signals into electrical signals, which the audio circuit 760 receives and converts into audio data; the audio data is then output to the processor 780 for processing and sent, for example, to another mobile phone via the RF circuit 710, or output to the memory 720 for further processing.
WiFi is a short-range wireless transmission technology. Through the WiFi module 770, the mobile phone can help a user send and receive emails, browse webpages, access streaming media and the like, providing the user with wireless broadband Internet access. Although fig. 7 shows the WiFi module 770, it is understood that it is not an essential part of the mobile phone and can be omitted as required without changing the essence of the invention.
The processor 780 is a control center of the mobile phone, connects various parts of the entire mobile phone using various interfaces and lines, and performs various functions of the mobile phone and processes data by running or executing software programs and/or modules stored in the memory 720 and calling data stored in the memory 720, thereby performing overall detection of the mobile phone. Optionally, the processor 780 may include one or more processing units; preferably, the processor 780 may integrate an application processor that primarily processes operating systems, user interfaces, applications, etc., with a modem processor that primarily processes wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 780.
The handset further includes a power supply 790 (e.g., a battery) for powering the various components. Preferably, the power supply may be logically connected to the processor 780 through a power management system, so that charging, discharging, and power consumption are managed through the power management system.
Although not shown, the mobile phone may further include a camera, a bluetooth module, etc., which will not be described herein.
In this embodiment, the processor 780 included in the terminal device further has the following functions:
acquiring application installation information corresponding to a device to be detected, wherein the application installation information is used for identifying a plurality of applications to be analyzed installed in the device to be detected;
determining sub-application features corresponding to a target application, wherein the sub-application features corresponding to the target application are determined based on the abnormality rate corresponding to the target application and the application installation orders respectively corresponding to the target application in a plurality of devices, the target application is any one of the plurality of applications to be analyzed, the abnormality rate represents the probability that a device on which the target application is installed is used for executing abnormal behavior, and the sub-application features represent the abnormality rate feature corresponding to the target application and its application installation order features in the plurality of devices;
determining the application features corresponding to the device to be detected according to the sub-application features respectively corresponding to the plurality of applications to be analyzed;
and determining the anomaly probability corresponding to the device to be detected according to the application features, wherein the anomaly probability identifies the probability that the device to be detected is used for executing abnormal behavior.
Referring to fig. 8, fig. 8 is a schematic diagram of a server 800 according to an embodiment of the present application. The server 800 may vary considerably with configuration or performance, and may include one or more central processing units (Central Processing Units, abbreviated as CPUs) 822 (e.g., one or more processors), a memory 832, and one or more storage media 830 (e.g., one or more mass storage devices) storing application programs 842 or data 844. The memory 832 and the storage medium 830 may be transitory or persistent storage. The program stored in the storage medium 830 may include one or more modules (not shown), each of which may include a series of instruction operations on the server. Further, the central processor 822 may be configured to communicate with the storage medium 830 and to execute, on the server 800, the series of instruction operations in the storage medium 830.
Server 800 may also include one or more power supplies 826, one or more wired or wireless network interfaces 850, one or more input/output interfaces 858, and/or one or more operating systems 841, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The steps performed by the server in the above embodiments may be based on the server structure shown in fig. 8.
The embodiments of the present application also provide a computer-readable storage medium storing a computer program for executing any one of the device detection methods described in the foregoing embodiments.
The embodiment of the application also provides a computer program product comprising a computer program which, when run on a computer device, causes the computer device to perform the device detection method of any of the above embodiments.
It will be appreciated that the specific embodiments of the present application involve data relating to user information (e.g., application installation information). When the above embodiments are applied to specific products or technologies, user permission or consent needs to be obtained, and the collection, use and processing of the relevant data need to comply with the relevant laws, regulations and standards of the relevant countries and regions.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, where the above program may be stored in a computer readable storage medium, and when the program is executed, the program performs steps including the above method embodiments; and the aforementioned storage medium may be at least one of the following media: read-only memory (ROM), RAM, magnetic disk or optical disk, etc., which can store program codes.
It should be noted that the embodiments in this specification are described in a progressive manner: identical and similar parts of the embodiments may be understood by reference to one another, and each embodiment focuses on its differences from the other embodiments. In particular, since the apparatus and system embodiments are substantially similar to the method embodiments, they are described relatively briefly; for the relevant parts, refer to the description of the method embodiments. The apparatus and system embodiments described above are merely illustrative: elements described as separate may or may not be physically separate, and elements shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement the present invention without undue burden.
The foregoing is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the technical scope of the present application should be included in the scope of the present application. Therefore, the protection scope of the present application should be subject to the protection scope of the claims.

Claims (16)

1. A method of device detection, the method comprising:
acquiring application installation information corresponding to a device to be detected, wherein the application installation information is used for identifying a plurality of applications to be analyzed installed in the device to be detected;
determining sub-application features corresponding to a target application, wherein the sub-application features corresponding to the target application are determined based on the abnormality rate corresponding to the target application and the application installation orders respectively corresponding to the target application in a plurality of devices, the target application is any one of the plurality of applications to be analyzed, the abnormality rate represents the probability that a device on which the target application is installed is used for executing abnormal behavior, and the sub-application features represent the abnormality rate feature corresponding to the target application and its application installation order features in the plurality of devices;
determining the application features corresponding to the device to be detected according to the sub-application features respectively corresponding to the plurality of applications to be analyzed;
and determining the anomaly probability corresponding to the device to be detected according to the application features, wherein the anomaly probability identifies the probability that the device to be detected is used for executing abnormal behavior.
2. The method of claim 1, wherein the sub-application feature corresponding to the target application is determined by:
determining abnormality rate information corresponding to the target application according to the abnormality rate corresponding to the target application, wherein the abnormality rate information is used for representing the abnormality rate corresponding to the target application;
determining feature information corresponding to a target device according to abnormality rate information respectively corresponding to a plurality of applications installed in the target device and application installation sequences of the plurality of applications in the target device, wherein the feature information comprises abnormality rate information respectively corresponding to a plurality of applications arranged in the application installation sequences of the plurality of applications in the target device, the target device is any device in the plurality of devices, and the plurality of applications comprise the target application;
inputting the feature information respectively corresponding to the plurality of devices into a word vector model to determine the sub-application features respectively corresponding to the plurality of applications, wherein the word vector model treats each piece of feature information as a sentence unit and each piece of abnormality rate information as a word unit and determines the feature corresponding to each piece of abnormality rate information, and the sub-application feature corresponding to the target application is the feature corresponding to the abnormality rate information corresponding to the target application.
3. The method according to claim 2, wherein the method further comprises:
dividing a plurality of abnormal rate intervals, wherein each abnormal rate interval has a corresponding interval identifier, and the interval identifiers corresponding to different abnormal rate intervals are different;
the determining the abnormality rate information corresponding to the target application according to the abnormality rate corresponding to the target application includes:
determining a target abnormal rate interval corresponding to the abnormal rate corresponding to the target application in the plurality of abnormal rate intervals;
and determining the section identifier corresponding to the target abnormal rate section as abnormal rate information corresponding to the target application.
4. A method according to claim 3, wherein determining the sub-application feature corresponding to the target application comprises:
determining the target abnormal rate interval corresponding to the abnormal rate corresponding to the target application in the plurality of abnormal rate intervals;
and determining the characteristics corresponding to the interval identification corresponding to the target abnormal rate interval as sub-application characteristics corresponding to the target application.
5. The method according to claim 1, wherein the determining the application feature corresponding to the target device according to the sub-application feature corresponding to each of the plurality of applications to be analyzed includes:
and determining the average value of the sub-application features corresponding to the plurality of applications to be analyzed as the application feature corresponding to the target equipment.
6. The method according to claim 1, wherein the method further comprises:
determining the corresponding target application installation sequence of the plurality of applications to be analyzed in the equipment to be detected;
the determining the application features corresponding to the target device according to the sub-application features respectively corresponding to the plurality of applications to be analyzed includes:
and determining the application characteristics corresponding to the target equipment according to the target application installation sequence and the sub-application characteristics respectively corresponding to the plurality of applications to be analyzed, wherein the characteristic distribution sequence of the sub-application characteristics respectively corresponding to the plurality of applications to be analyzed in the application characteristics corresponding to the target equipment meets the target application installation sequence.
7. The method of claim 6, wherein the plurality of devices are devices for performing abnormal behavior.
8. The method of claim 1, wherein the obtaining application installation information corresponding to the device to be detected includes:
acquiring initial application installation information corresponding to the equipment to be detected, wherein the initial application installation information is used for identifying a plurality of installed applications corresponding to the equipment to be detected;
determining, from the plurality of installed applications and according to characterization strength information respectively corresponding to the plurality of installed applications and a preset threshold, the plurality of applications to be analyzed that have greater strength in characterizing whether the device to be detected is used for executing abnormal behavior, to obtain the application installation information corresponding to the device to be detected, wherein the characterization strength information characterizes how strongly an installed application indicates whether the device to be detected is used for executing abnormal behavior, and the preset threshold is used for determining the applications to be analyzed that have greater strength in characterizing whether the device to be detected is used for executing abnormal behavior.
9. The method according to claim 8, wherein the characterization strength information includes installed duration information corresponding to each of the plurality of installed applications, the installed duration information identifies how long the installed application has been installed in the device to be detected, the preset threshold includes an installed duration threshold, and the determining, from the plurality of installed applications and according to the characterization strength information respectively corresponding to the plurality of installed applications and the preset threshold, the plurality of applications to be analyzed that have greater strength in characterizing whether the device to be detected is used for executing abnormal behavior includes:
determining, from the plurality of installed applications, the plurality of applications to be analyzed whose installed duration does not exceed the installed duration threshold, according to the installed duration information respectively corresponding to the plurality of installed applications and the installed duration threshold.
10. The method according to claim 8, wherein the characterization strength information includes installation times information corresponding to each of the plurality of installed applications, the installation times information identifies the number of installations corresponding to the installed application, the preset threshold includes an installation times threshold, and the determining, from the plurality of installed applications and according to the characterization strength information respectively corresponding to the plurality of installed applications and the preset threshold, the plurality of applications to be analyzed that have greater strength in characterizing whether the device to be detected is used for executing abnormal behavior includes:
determining, from the plurality of installed applications, the plurality of applications to be analyzed whose number of installations does not exceed the installation times threshold, according to the installation times information respectively corresponding to the plurality of installed applications and the installation times threshold.
11. The method of claim 1, wherein the anomaly rate for the target application is determined by:
acquiring a plurality of installed devices on which the target application is installed;
and determining the anomaly rate corresponding to the target application according to the ratio of the number of devices, among the plurality of installed devices, that are used for executing abnormal behavior to the total number of the plurality of installed devices.
12. The method according to claim 1, wherein the determining the anomaly probability corresponding to the device to be detected according to the application feature includes:
determining the abnormal probability corresponding to the equipment to be detected according to the application characteristics through an abnormal analysis model;
the anomaly analysis model is trained by:
acquiring a sample equipment set, wherein the sample equipment set comprises a plurality of sample equipment, the plurality of sample equipment respectively has corresponding application characteristics and equipment labels, and the equipment labels are used for identifying whether the sample equipment is used for executing abnormal behaviors;
respectively taking the plurality of sample devices as target sample devices, and determining a to-be-determined device label corresponding to the target sample devices according to application characteristics corresponding to the target sample devices through an initial abnormality detection model, wherein the to-be-determined device label is determined by the probability that the target sample devices determined through the initial abnormality detection model are used for executing abnormal behaviors;
and adjusting model parameters of the initial anomaly detection model according to the difference between the to-be-determined device label and the device label corresponding to the target sample device, to obtain the anomaly detection model.
13. The method according to claim 1, wherein the method further comprises:
upon acquiring an execution request of the device to be detected for a target behavior, rejecting the execution request if the anomaly probability corresponding to the device to be detected is greater than a preset probability threshold, wherein the execution request is used for requesting execution of the target behavior.
14. A device detection apparatus, characterized in that the apparatus comprises an acquisition unit, a first determination unit, a second determination unit, and a third determination unit:
the acquisition unit is used for acquiring application installation information corresponding to equipment to be detected, and the application installation information is used for identifying a plurality of applications to be analyzed installed in the equipment to be detected;
the first determining unit is configured to determine sub-application features corresponding to a target application, where the sub-application features corresponding to the target application are determined based on an anomaly rate corresponding to the target application and the application installation orders respectively corresponding to the target application in a plurality of devices, the target application is any one of the plurality of applications to be analyzed, the anomaly rate represents the probability that a device on which the target application is installed is used to execute abnormal behavior, and the sub-application features represent the anomaly rate feature corresponding to the target application and its application installation order features in the plurality of devices;
the second determining unit is configured to determine application features corresponding to the device to be detected according to the sub-application features respectively corresponding to the plurality of applications to be analyzed;
the third determining unit is configured to determine, according to the application feature, an anomaly probability corresponding to the device to be detected, where the anomaly probability is used to identify a probability that the device to be detected is used to execute an anomaly behavior.
15. A computer device, the computer device comprising a processor and a memory:
the memory is used for storing a computer program and transmitting the computer program to the processor;
the processor is configured to perform the device detection method of any one of claims 1-13 according to instructions in the computer program.
16. A computer-readable storage medium storing a computer program for executing the device detection method according to any one of claims 1 to 13.
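The feature-preparation steps of claims 2, 3, 5, 9 and 11, written out as an added Python example that is not code from the patent. The install records, the ten equal-width intervals, the `R<n>` identifier format and the two-dimensional vector table are constructed assumptions; in the patent the vectors come from a word vector model, which this example does not train.

```python
"""Constructed illustration: anomaly rate -> interval id -> per-device sentence."""
from collections import defaultdict
from typing import NamedTuple


class Install(NamedTuple):
    device: str
    app: str
    installed_at: int  # epoch seconds of the install event


def anomaly_rates(installs, flagged_devices):
    """Claim 11: flagged devices holding the app / all devices holding the app."""
    devices_by_app = defaultdict(set)
    for rec in installs:
        devices_by_app[rec.app].add(rec.device)
    return {app: len(devs & flagged_devices) / len(devs)
            for app, devs in devices_by_app.items()}


def interval_id(rate, n_intervals=10):
    """Claim 3: map a rate in [0, 1] to the identifier of its interval."""
    if not 0.0 <= rate <= 1.0:
        raise ValueError(f"anomaly rate out of range: {rate}")
    # A rate of exactly 1.0 belongs to the last interval, not to an extra one.
    index = min(int(rate * n_intervals), n_intervals - 1)
    return f"R{index}"


def device_sentence(installs, device, ids_by_app, now=None, max_age=None):
    """Claims 2 and 9: interval ids of one device's apps, in install order.

    When max_age is given, only apps whose installed duration (now minus
    install time) does not exceed max_age seconds are kept.
    """
    own = [r for r in installs if r.device == device]
    if max_age is not None:
        own = [r for r in own if now - r.installed_at <= max_age]
    own.sort(key=lambda r: r.installed_at)
    return [ids_by_app[r.app] for r in own]


def mean_pool(sentence, vectors):
    """Claim 5: average the per-identifier vectors into one device feature."""
    if not sentence:
        return None  # no application survived the filter, nothing to score
    dim = len(next(iter(vectors.values())))
    sums = [0.0] * dim
    for token in sentence:
        for i, value in enumerate(vectors[token]):
            sums[i] += value
    return [s / len(sentence) for s in sums]


# --- constructed sample data (hypothetical app and device names) ---
DAY = 86400
NOW = 100 * DAY
FLAGGED = {"d1", "d2"}  # devices already known to execute abnormal behavior
INSTALLS = [
    Install("d1", "app.chat", 10 * DAY), Install("d1", "app.cloner", 98 * DAY),
    Install("d1", "app.autoclick", 99 * DAY),
    Install("d2", "app.cloner", 97 * DAY), Install("d2", "app.autoclick", 98 * DAY),
    Install("d3", "app.chat", 5 * DAY), Install("d3", "app.maps", 50 * DAY),
    Install("d3", "app.cloner", 90 * DAY),
    Install("d4", "app.chat", 20 * DAY), Install("d4", "app.maps", 30 * DAY),
    Install("d5", "app.maps", 1 * DAY), Install("d5", "app.chat", 2 * DAY),
]
# Stand-in for the word vector model's output: one vector per interval id.
VECTORS = {"R0": [0.0, 1.0], "R2": [0.2, 0.8], "R6": [0.6, 0.4], "R9": [1.0, 0.0]}

RATES = anomaly_rates(INSTALLS, FLAGGED)
IDS = {app: interval_id(rate) for app, rate in RATES.items()}

if __name__ == "__main__":
    for dev in ("d1", "d3"):
        full = device_sentence(INSTALLS, dev, IDS)
        recent = device_sentence(INSTALLS, dev, IDS, now=NOW, max_age=7 * DAY)
        print(dev, full, recent, mean_pool(recent, VECTORS))
```

The per-device sentences are what a word vector model would consume as its corpus, and the pooled vector is what the anomaly analysis model of claim 12 would score.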
CN202311327696.4A 2023-10-13 2023-10-13 Equipment detection method and related device Active CN117056152B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311327696.4A CN117056152B (en) 2023-10-13 2023-10-13 Equipment detection method and related device

Publications (2)

Publication Number Publication Date
CN117056152A (en) 2023-11-14
CN117056152B CN117056152B (en) 2024-02-09

Family

ID=88667836

Country Status (1)

Country Link
CN (1) CN117056152B (en)

Also Published As

Publication number Publication date
CN117056152B (en) 2024-02-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant