CN114518996A - Anomaly detection method and system for mobile device, electronic device and storage medium - Google Patents
- Publication number: CN114518996A (application number CN202210163209.4A)
- Authority: CN (China)
- Prior art keywords: library, plug, dynamic link, feature, abnormal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3409—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
- G06F9/44526—Plug-ins; Add-ons
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N20/00—Machine learning
- G06N20/10—Machine learning using kernel methods, e.g. support vector machines [SVM]
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Artificial Intelligence (AREA)
- Quality & Reliability (AREA)
- Computer Hardware Design (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Medical Informatics (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- Debugging And Monitoring (AREA)
Abstract
Description
Technical Field
The present invention relates to the technical field of artificial intelligence, and in particular to an anomaly detection method and system for a mobile device, an electronic device, and a storage medium.
Background
Anomaly detection on mobile terminals now plays an important role in maintaining business security. In the related art, anomaly detection relies on risk tags built into the system that flag device anomalies: they can check, for example, whether the device is jailbroken, whether jailbreak detection has been bypassed, and whether device information has been tampered with. However, the use of risk tags is limited by version, and some tags require blacklist maintenance. Identifying anomalous risk with risk tags is therefore inefficient and prone to missing risks, and cannot effectively improve the coverage of abnormal-device detection.
Summary of the Invention
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
Embodiments of the present invention provide an anomaly detection method and system for a mobile device, an electronic device, and a storage medium, which can improve the coverage of abnormal-device detection and the efficiency of anomaly detection.
In a first aspect, an embodiment of the present invention provides an anomaly detection method for a mobile device, comprising: acquiring the dynamic link library used when the mobile device requests an application, and splitting the dynamic link library into several plug-in libraries; acquiring first label data and a plurality of items of feature information for each plug-in library, and inputting the feature information and the first label data into a support vector machine model to obtain a risk score for the plug-in library; obtaining a weight for the plug-in library from the risk score by Newton's law of cooling; obtaining a dynamic link library score by weighting the risk scores of the plug-in libraries with their weights; and judging, according to the dynamic link library score, whether the corresponding mobile device is an abnormal device.
In some embodiments, the feature information includes a word score feature, which is obtained by the following steps: acquiring the plug-in library name of the plug-in library and splitting the name into several words; selecting target words among those words and calculating a homogeneity feature and a difference feature for each target word; and obtaining the word score feature of the corresponding plug-in library from the homogeneity features and the difference features.
In some embodiments, calculating the homogeneity feature and the difference feature of each target word comprises: acquiring second label data and determining, according to the second label data, which of the plurality of plug-in libraries are abnormal plug-in libraries and which are normal plug-in libraries; acquiring a first request count of the abnormal plug-in libraries that contain the target word, a second request count of all abnormal plug-in libraries, and a third request count of the normal plug-in libraries that contain the target word; and obtaining the homogeneity feature from the ratio of the first request count to the second request count, and the difference feature from the ratio involving the first request count and the third request count.
In some embodiments, obtaining the word score feature of the corresponding plug-in library from the homogeneity features and the difference features comprises: among the homogeneity features and difference features of all words of the plug-in library, selecting the maximum homogeneity feature and the maximum difference feature; and obtaining the word score feature as the product of the maximum homogeneity feature and the maximum difference feature.
In some embodiments, the feature information further includes at least one of: hyphen information in the plug-in library name, character information in the plug-in library name, the number of occurrences of the plug-in library in dynamic link libraries that contain an abnormal plug-in library, the number of occurrences of the plug-in library under the dynamic link library, and the number of words obtained by splitting the name.
In some embodiments, inputting the feature information and the first label data into the support vector machine model to obtain the risk score of the plug-in library comprises: calculating correlation coefficients between the plurality of items of feature information; acquiring a first preset threshold for feature screening; when the correlation coefficient between items of feature information is greater than the first preset threshold, retaining at least one of those items; and inputting the retained feature information and the first label data into the support vector machine model to obtain the risk score.
In some embodiments, judging according to the dynamic link library score whether the corresponding mobile device is an abnormal device comprises: acquiring a second preset threshold obtained from abnormal dynamic link library samples; and when the dynamic link library score is greater than the second preset threshold, determining that the corresponding mobile device is an abnormal device.
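As an added illustration (not the patent's code), here is how the correlation-based feature screening of the embodiment above can be carried out in Python with the standard library only: pairwise Pearson correlation between feature columns, and a greedy pass that retains one feature out of each pair whose correlation exceeds the first preset threshold. The feature columns, their values and the threshold 0.8 are constructed; which member of a correlated pair to keep is not specified on the page, so keeping the earlier column is an assumption.

```python
import math
from typing import Dict, List

# Constructed feature columns for six plug-in libraries (values invented for this example);
# each key is one item of feature information named in the patent summary.
SAMPLE_FEATURES: Dict[str, List[float]] = {
    "word_score":   [0.0, 0.0, 1.0, 1.0, 0.01, 1.0],
    "hyphen_count": [1, 0, 1, 0, 0, 1],
    "char_count":   [11, 12, 10, 20, 9, 13],
    "word_count":   [2, 2, 2, 3, 1, 2],   # tracks char_count closely, so it is redundant
}


def pearson(xs: List[float], ys: List[float]) -> float:
    """Pearson correlation coefficient of two equal-length columns; 0.0 if either is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def screen_features(features: Dict[str, List[float]], threshold: float) -> List[str]:
    """Greedy screening: walk the features in order and keep one unless its |correlation|
    with an already-kept feature exceeds the first preset threshold. The page only says
    'retain at least one' of a correlated pair; keeping the earlier column is an assumption."""
    kept: List[str] = []
    for name, column in features.items():
        if all(abs(pearson(column, features[k])) <= threshold for k in kept):
            kept.append(name)
    return kept


if __name__ == "__main__":
    print(screen_features(SAMPLE_FEATURES, threshold=0.8))
```

The retained columns are what would be handed to the SVM together with the first label data; the threshold governs how aggressively near-duplicate features are collapsed.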
In a second aspect, an embodiment of the present invention further provides an anomaly detection system for a mobile device, comprising: a data acquisition module for acquiring the dynamic link library used when the mobile device requests an application and splitting it into several plug-in libraries; a data processing module for acquiring the first label data and the plurality of items of feature information of each plug-in library and inputting the feature information and the first label data into the support vector machine model to obtain the risk score of the plug-in library; an anomaly scoring module for obtaining the weight of each plug-in library from its risk score by Newton's law of cooling and weighting the risk scores by those weights to obtain the dynamic link library score; and an anomaly detection module for judging, according to the dynamic link library score, whether the corresponding mobile device is an abnormal device.
In a third aspect, an embodiment of the present invention further provides an electronic device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the anomaly detection method for a mobile device of the first aspect.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium storing a program which, when executed by a processor, implements the anomaly detection method for a mobile device of the first aspect.
The embodiments of the present invention have at least the following beneficial effects:
In the anomaly detection method and system for a mobile device, electronic device and storage medium proposed by the disclosed embodiments, when the anomaly detection system executes the method it first acquires the dynamic link library used when the mobile device requests an application and splits it into several plug-in libraries, and anomaly detection then proceeds on the plug-in libraries. By acquiring the first label data and multiple items of feature information of each plug-in library and inputting them into the support vector machine model, the system obtains a risk score for the plug-in library, from which the plug-in library's weight is calculated; weighting the risk scores by these weights yields the dynamic link library score, and judging that score determines whether the corresponding mobile device is an abnormal device. Because the embodiments do not need to rely on a blacklist when inspecting a mobile device, but detect anomalies by recognizing plug-in libraries, they can improve the coverage of abnormal-device detection and the efficiency of anomaly detection.
Other features and advantages of the present invention will be set forth in the description that follows, and in part will be apparent from the description or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the description, claims and drawings.
Brief Description of the Drawings
The accompanying drawings provide a further understanding of the technical solution of the present invention and form part of the description; together with the embodiments they serve to explain the technical solution and do not limit it.
FIG. 1 is a schematic flowchart of an anomaly detection method for a mobile device provided by an embodiment of the present invention;
FIG. 2 is a schematic flowchart of an anomaly detection method for a mobile device provided by another embodiment of the present invention;
FIG. 3 is a schematic flowchart of an anomaly detection method for a mobile device provided by another embodiment of the present invention;
FIG. 4 is a schematic flowchart of an anomaly detection method for a mobile device provided by another embodiment of the present invention;
FIG. 5 is a schematic flowchart of an anomaly detection method for a mobile device provided by another embodiment of the present invention;
FIG. 6 is a schematic flowchart of an anomaly detection method for a mobile device provided by another embodiment of the present invention;
FIG. 7 is a schematic diagram of an anomaly detection system for a mobile device provided by an embodiment of the present invention;
FIG. 8 is a schematic diagram of an electronic device provided by an embodiment of the present invention.
Detailed Description
To make the objectives, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only serve to explain the present invention and do not limit it.
It should be understood that in the description of the embodiments, "several" means one or more, "a plurality" (or "multiple") means two or more, and "greater than", "less than", "exceeding" and the like are understood to exclude the stated number, whereas "above", "below", "within" and the like are understood to include it. Where "first", "second" and the like are used, they serve only to distinguish technical features and are not to be understood as indicating or implying relative importance, implicitly indicating the number of the indicated technical features, or implicitly indicating their order.
Unless otherwise defined, all technical and scientific terms used herein have the meanings commonly understood by those of ordinary skill in the art to which the present invention belongs. The terms used herein serve only to describe the embodiments and are not intended to limit the present invention.
Embodiments of the present invention provide an anomaly detection method and system for a mobile device, an electronic device, and a storage medium, which can improve the coverage of abnormal-device detection and the efficiency of anomaly detection.
The anomaly detection method for a mobile device disclosed in the embodiments is described specifically through the following embodiments.
Referring to FIG. 1, which is an optional flowchart of the anomaly detection method for a mobile device provided by an embodiment of the present disclosure, the method of FIG. 1 may include, but is not limited to, steps S110, S120, S130, S140, S150 and S160.
Step S110: acquire the dynamic link library used when the mobile device requests an application, and split the dynamic link library into several plug-in libraries.
In some embodiments of the present invention, the anomaly detection method is applied in an anomaly detection system for mobile devices. The anomaly detection system can acquire the dynamic link library (DLL) data used when the mobile device requests an application, and organize and store the collected dynamic link libraries. A dynamic link library is a module containing functions and data that can be used by other modules (applications or other DLLs). Since each dynamic link library consists of several plug-in libraries, each dynamic link library is split into several plug-in libraries, that is, each dynamic link library's data is split into several sets of plug-in library data.
It should be noted that the mobile device in the embodiments may be any form of mobile terminal, for example a mobile phone, a tablet computer or another form of mobile terminal; the embodiments place no specific limitation on this.
Step S120: acquire the first label data and a plurality of items of feature information of each plug-in library, and input the feature information and the first label data into the support vector machine model to obtain the risk score of the plug-in library.
In some embodiments, after splitting to obtain several plug-in libraries, the anomaly detection system can acquire the first label data of the plug-in libraries and the feature information corresponding to each. When the dynamic link library splits into multiple plug-in libraries, the system acquires the first label data and the multiple items of feature information of each plug-in library separately; when it splits into a single plug-in library, the system acquires the first label data and the multiple items of feature information of that one library. Subsequent embodiments take splitting into multiple plug-in libraries as the example. The first label data is the label data of the plug-in library. The system then inputs the obtained feature information and the first label data into a support vector machine (SVM) model, whose processing yields the risk score corresponding to the plug-in library; the risk score characterizes how likely the plug-in library is to be abnormal.
Step S130: obtain the weight of the plug-in library from the risk score by Newton's law of cooling.
In some embodiments, after obtaining the risk scores of the plug-in libraries, the anomaly detection system calculates the weight of each plug-in library by Newton's law of cooling. For example, the system sorts the plug-in libraries by risk score from high to low, and the weight of the plug-in library at rank e is 1/e of the weight of the top-ranked one; for instance, the weight of the plug-in library ranked 30th is 1/30 of the weight of the first-ranked one. Using Newton's law of cooling, the weights for the scores of all plug-in libraries are calculated. Provided the requirements of the embodiments are met, the anomaly detection system may also calculate the plug-in library weights in other ways.
Step S140: obtain the dynamic link library score by weighting the risk scores of the plug-in libraries with their weights.
In some embodiments, after obtaining the weight of each plug-in library, the anomaly detection system combines the risk scores obtained in step S120 with the corresponding plug-in library weights to calculate the corresponding dynamic link library score. It will be understood that each dynamic link library consists of several plug-in libraries, each of which has a score and a weight; the weighted sum of these gives the score of the dynamic link library, that is, the dynamic link library score.
Step S150: judge, according to the dynamic link library score, whether the corresponding mobile device is an abnormal device.
In some embodiments, after obtaining the dynamic link library score, the anomaly detection system judges from the magnitude of that score whether the corresponding mobile device is an abnormal device. The embodiments do not need to rely on a blacklist when inspecting a mobile device; by recognizing and inspecting plug-in libraries they can improve the coverage of abnormal-device detection and the efficiency of anomaly detection.
It should be noted that the anomaly detection method of the embodiments can be applied in the field of artificial intelligence to improve the efficiency with which artificial intelligence detects mobile-device anomalies. It can also be applied in a business risk decision system (ARES): after executing the anomaly detection method of the embodiments, the business risk decision system can identify abnormal mobile devices without relying on a plug-in library blacklist, improving the coverage of abnormal-device detection and the efficiency of anomaly detection. No specific limitation is placed on the application scenario here.
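Steps S130 to S150 as an added worked example in Python (not code from the patent): a rank-based weighting that follows the description above (the plug-in at rank e receives 1/e of the top weight), an alternative exponential form of Newton's law of cooling that is my assumption rather than the patent's formula, the weighted sum that yields the dynamic link library score, and the comparison against the second preset threshold. The plug-in names, the risk scores and the threshold are constructed; the SVM stage that would produce the scores is not implemented here, and deriving the threshold as the lowest score among known-abnormal samples is likewise an assumption.

```python
import math
from typing import Callable, Dict, List

# Constructed sample input: one DLL from a device request, already split into its plug-in
# libraries, plus the per-plug-in risk scores in [0, 1] the SVM stage is assumed to return.
SAMPLE_DLL_PLUGINS: List[str] = ["PaymentCore", "NetworkLayer", "HookLoader", "Analytics"]
SAMPLE_RISK_SCORES: Dict[str, float] = {
    "PaymentCore": 0.05,
    "NetworkLayer": 0.10,
    "HookLoader": 0.95,
    "Analytics": 0.20,
}


def _ranked(scores: Dict[str, float]) -> List[str]:
    """Plug-in names ordered by risk score, highest first (ties keep insertion order)."""
    return [name for name, _ in sorted(scores.items(), key=lambda kv: kv[1], reverse=True)]


def rank_weights(scores: Dict[str, float]) -> Dict[str, float]:
    """Weights as the page describes them: the plug-in at rank e gets 1/e of the
    top-ranked weight, so rank 1 -> 1, rank 2 -> 1/2, rank 30 -> 1/30."""
    return {name: 1.0 / rank for rank, name in enumerate(_ranked(scores), start=1)}


def cooling_weights(scores: Dict[str, float], k: float = 0.5) -> Dict[str, float]:
    """Alternative weighting (an assumption, not the patent's formula): the textbook form
    of Newton's law of cooling, w = exp(-k * t), with 'time' t = rank - 1 and ambient
    level 0, so weight decays exponentially down the ranking instead of harmonically."""
    return {name: math.exp(-k * (rank - 1)) for rank, name in enumerate(_ranked(scores), start=1)}


def dll_score(plugins: List[str], scores: Dict[str, float],
              weights_fn: Callable[[Dict[str, float]], Dict[str, float]] = rank_weights) -> float:
    """Step S140: weighted sum of the plug-in risk scores of one DLL."""
    sub = {p: scores[p] for p in plugins}
    weights = weights_fn(sub)
    return sum(weights[p] * sub[p] for p in plugins)


def threshold_from_abnormal_samples(abnormal_dll_scores: List[float]) -> float:
    """Second preset threshold from known-abnormal DLL samples; the page only says the
    threshold comes from such samples, so using their minimum score is an assumption."""
    return min(abnormal_dll_scores)


def is_abnormal_device(score: float, threshold: float) -> bool:
    """Step S150: the device is flagged when its DLL score exceeds the threshold."""
    return score > threshold


if __name__ == "__main__":
    s = dll_score(SAMPLE_DLL_PLUGINS, SAMPLE_RISK_SCORES)
    print(f"DLL score = {s:.4f}, abnormal = {is_abnormal_device(s, 0.6)}")
```

With harmonic weights the single high-risk plug-in dominates the DLL score, which is the intended effect of ranking before weighting: a DLL that carries one clearly anomalous plug-in among many benign ones still crosses the threshold.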
In some embodiments, the multiple items of feature information of a plug-in library include a word score feature. Referring to FIG. 2, the word score feature of the embodiments can be obtained by the following steps, including but not limited to steps S210, S220 and S230.
Step S210: acquire the plug-in library name of the plug-in library, and split the plug-in library name into several words.
Step S220: select target words among the words, and calculate the homogeneity feature and the difference feature of each target word.
Step S230: obtain the word score feature of the corresponding plug-in library from the homogeneity features and the difference features.
In some embodiments, the plug-in library's multiple items of feature information are input into the support vector machine model together with the first label data to obtain the risk score, and those items include the plug-in library's word score feature. The word score feature is derived from the plug-in library name: the anomaly detection system acquires the plug-in library's name and splits it into several words. The calculation is performed word by word; the word being processed is selected as the target word, and the word score feature is derived from the word features of the words, namely the homogeneity feature and the difference feature. The homogeneity feature and difference feature of each target word are therefore calculated, and the word score feature of the corresponding plug-in library is obtained from them. Because the word score feature can characterize whether the plug-in library to which the words belong is normal or abnormal, selecting it as one of the items of feature information can improve the accuracy of the resulting risk score. It will be understood that the homogeneity feature and difference feature in the embodiments can be obtained from the request counts of the words in different types of plug-in library.
It should be noted that the anomaly detection system can split the plug-in library name with a variety of algorithms. The anomaly detection system of the embodiments uses a matching method to split the plug-in library name into words; every plug-in library name can be split into several words, and the matching split can be configured according to actual needs. In one embodiment, since plug-in library names are almost all written in camel case, the anomaly detection system splits the plug-in library name into several words according to the CamelCase naming rules. In another embodiment, the anomaly detection system can also split the plug-in library name with a Chinese word segmentation algorithm. Two such algorithms are mainly used, the forward maximum matching method and the backward maximum matching method, and the anomaly detection system can split the plug-in library name into several words according to either of them.
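The two splitting strategies named in the passage above, shown as an added Python example that is not part of the patent: a CamelCase splitter, and forward and backward maximum matching driven by a word list. The vocabulary SAMPLE_VOCAB and the plug-in names are constructed; the example includes a name on which the two matching directions disagree, which is the usual reason for running both.

```python
import re
from typing import List, Set

# Constructed vocabulary (an assumption) for the maximum-matching splitters; a deployment
# would build it from the words observed across the collected plug-in library names.
SAMPLE_VOCAB: Set[str] = {"pay", "payment", "core", "mentcore", "hook", "loader", "network", "layer"}
MAX_WORD_LEN = max(len(w) for w in SAMPLE_VOCAB)


def split_camel_case(name: str) -> List[str]:
    """Split a plug-in library name by CamelCase rules (the page's first embodiment).
    Non-alphanumeric characters (path separators, dots, hyphens, underscores) are hard
    boundaries; acronym runs such as 'HTTPClient' become ['HTTP', 'Client']; digit runs
    are their own tokens."""
    words: List[str] = []
    for chunk in re.split(r"[^A-Za-z0-9]+", name):
        words.extend(re.findall(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+", chunk))
    return words


def forward_max_match(text: str, vocab: Set[str], max_len: int) -> List[str]:
    """Forward maximum matching: from the left, take the longest vocabulary word that
    starts at the cursor; a character that starts no word becomes a one-character token."""
    words: List[str] = []
    i = 0
    while i < len(text):
        for length in range(min(max_len, len(text) - i), 0, -1):
            candidate = text[i:i + length]
            if candidate in vocab or length == 1:
                words.append(candidate)
                i += length
                break
    return words


def backward_max_match(text: str, vocab: Set[str], max_len: int) -> List[str]:
    """Backward maximum matching: the same greedy rule, scanning from the right end."""
    words: List[str] = []
    j = len(text)
    while j > 0:
        for length in range(min(max_len, j), 0, -1):
            candidate = text[j - length:j]
            if candidate in vocab or length == 1:
                words.insert(0, candidate)
                j -= length
                break
    return words


if __name__ == "__main__":
    print(split_camel_case("libPaymentCore.dylib"))
    print(forward_max_match("paymentcore", SAMPLE_VOCAB, MAX_WORD_LEN))
    print(backward_max_match("paymentcore", SAMPLE_VOCAB, MAX_WORD_LEN))
```

On "paymentcore" the forward pass yields payment + core while the backward pass yields pay + mentcore, so the words that feed the homogeneity and difference features depend on which direction is chosen; a system that uses both can compare the two segmentations and prefer the one with fewer or longer words.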
参照图3所示,本发明实施例中异常检测方法的步骤S220中,还可以包括但不限于以下步骤S310、步骤S320和步骤S330。Referring to FIG. 3 , step S220 of the abnormality detection method in the embodiment of the present invention may further include but not limited to the following steps S310 , S320 and S330 .
步骤S310,获取第二标签数据,并根据第二标签数据确定多个插件库中的异常插件库和正常插件库。Step S310: Acquire second tag data, and determine an abnormal plug-in library and a normal plug-in library in the plurality of plug-in libraries according to the second tag data.
步骤S320,获取包含目标单词的异常插件库的第一请求数、全部异常插件库的第二请求数和包含目标单词的正常插件库的第三请求数。Step S320: Obtain the first request number of abnormal plug-in libraries containing the target word, the second request number of all abnormal plug-in libraries, and the third request number of normal plug-in libraries containing the target word.
步骤S330,根据第一请求数和第二请求数的比例关系得到同质性特征,并根据包含第一请求数和第三请求数的比例关系得到差异性特征。Step S330, obtaining the homogeneity feature according to the proportional relationship between the first request number and the second request number, and obtaining the differential feature according to the proportional relationship including the first request number and the third request number.
In some embodiments of the present invention, when the anomaly detection system splits the dynamic link library into plug-in libraries it aggregates counts per plug-in library and computes the request count of each plug-in library. The word score feature of a plug-in library is derived from the homogeneity features and difference features of the words in its name. To compute these, the anomaly detection system must distinguish the abnormal plug-in libraries from the normal plug-in libraries: it first acquires the second label data and uses it to determine which of the plurality of plug-in libraries are abnormal and which are normal. The second label data is label data acquired by the anomaly detection system for judging whether a plug-in library is normal or abnormal; it may be derived from the label data of known abnormal and normal plug-in libraries, and is compared against the first label data previously stored by the anomaly detection system to judge whether each stored plug-in library is an abnormal or a normal plug-in library. Since there are several plug-in libraries, several abnormal plug-in libraries and several normal plug-in libraries are obtained. Then, when computing the homogeneity and difference features of a target word, the system obtains the first request count of the abnormal plug-in libraries containing the target word, the second request count of all abnormal plug-in libraries, and the third request count of the normal plug-in libraries containing the target word; the homogeneity feature is obtained from the ratio of the first request count to the second request count, and the difference feature from the ratio involving the first and third request counts.
Specifically, in one embodiment, the anomaly detection system obtains the homogeneity feature of the target word by dividing the first request count by the second request count; the sum of the first and third request counts gives the request count of all plug-in libraries containing the target word, and dividing the first request count by that sum gives the difference feature.
Referring to FIG. 4, in the embodiment of the present invention, step S230 of the anomaly detection method may further include, but is not limited to, the following steps S410 and S420.
Step S410: among the homogeneity features and difference features of all words of the plug-in library, select the maximum homogeneity feature and the maximum difference feature.
Step S420: obtain the word score feature as the product of the maximum homogeneity feature and the maximum difference feature.
In some embodiments of the present invention, the word score feature of a plug-in library is derived from the homogeneity and difference features of the words in its name: among the homogeneity and difference features of all words of a given plug-in library, the anomaly detection system selects the maximum homogeneity feature and the maximum difference feature and multiplies them to obtain the plug-in library's word score feature. The rationale for taking the two maxima is that a plug-in library name can be split into several words, each word yields its own word features and thus its own score for the plug-in library, and the maximum of those scores can serve as the plug-in library's word score feature; the embodiment of the present invention therefore takes the maximum homogeneity feature and the maximum difference feature directly.
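The request-count features of steps S310 to S420 (which also correspond to steps 5) and 6) of the concrete procedure later in this description), worked through in Python as an added example rather than code from the patent. The plug-in library names, word lists, request counts and abnormal labels are constructed sample data. The difference feature is computed in the form given in the "specifically" paragraph above, first request count divided by the sum of the first and third request counts; the later step 5) formula divides by the normal request count alone, and swapping the denominator in `word_features` is all that is needed to use that form instead.

```python
from __future__ import annotations
from collections import Counter

# Constructed sample input (an assumption, not data from the patent):
# plug-in library name -> (words from name splitting, request count,
# abnormal flag taken from the second label data).
PLUGIN_LIBRARIES = {
    "FridaGadget":   (["frida", "gadget"],       40, True),
    "SubstrateHook": (["substrate", "hook"],     25, True),
    "SSLKillSwitch": (["ssl", "kill", "switch"], 10, True),
    "NetworkCore":   (["network", "core"],      200, False),
    "ImageHook":     (["image", "hook"],         60, False),
    "CrashReporter": (["crash", "reporter"],    150, False),
}


def request_counts(libs):
    """Aggregate the per-word request counts that step S320 needs.

    abnormal_by_word[w]: first request count  (abnormal libraries containing w)
    normal_by_word[w]:   third request count  (normal libraries containing w)
    total_abnormal:      second request count (all abnormal libraries)
    """
    abnormal_by_word, normal_by_word = Counter(), Counter()
    total_abnormal = 0
    for words, requests, is_abnormal in libs.values():
        if is_abnormal:
            total_abnormal += requests
        bucket = abnormal_by_word if is_abnormal else normal_by_word
        for word in set(words):          # a library counts once per distinct word
            bucket[word] += requests
    return abnormal_by_word, normal_by_word, total_abnormal


def word_features(word, abnormal_by_word, normal_by_word, total_abnormal):
    """Step S330: homogeneity = first / second, difference = first / (first + third).
    A zero denominator (no requests at all) yields 0.0 rather than an error."""
    first = abnormal_by_word[word]
    third = normal_by_word[word]
    homogeneity = first / total_abnormal if total_abnormal else 0.0
    difference = first / (first + third) if (first + third) else 0.0
    return homogeneity, difference


def word_score_feature(words, counts):
    """Steps S410/S420: max homogeneity times max difference over the name's words."""
    feats = [word_features(w, *counts) for w in words]
    return max(h for h, _ in feats) * max(d for _, d in feats)


def score_all(libs):
    """Word score feature of every plug-in library in the sample."""
    counts = request_counts(libs)
    return {name: word_score_feature(words, counts)
            for name, (words, _, _) in libs.items()}


if __name__ == "__main__":
    ranked = sorted(score_all(PLUGIN_LIBRARIES).items(), key=lambda kv: -kv[1])
    for name, score in ranked:
        print(f"{name:15s} word score {score:.3f}")
```

Note that a word such as `hook`, which appears in both an abnormal and a normal library, gets a homogeneity feature of 1/3 but a difference feature of only 25/85, so `ImageHook` scores far below `SubstrateHook` even though they share the word; that is the separation the two features are designed to produce.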
In some embodiments of the present invention, the feature information of a plug-in library further includes at least one of: hyphen information of the plug-in library name, character information of the plug-in library name, the number of occurrences of the plug-in library in dynamic link libraries that contain an abnormal plug-in library, the number of occurrences of the plug-in library across the dynamic link libraries, and the number of words obtained by splitting the name. Computing the risk score of the plug-in library from these several pieces of feature information improves the accuracy of the risk score. Provided the requirements of the embodiment are met, the anomaly detection system may, beyond the word score feature, acquire other information about the plug-in library as the judgement requires and use it as one of the pieces of feature information from which the risk score is computed.
It will be understood that the hyphen information of the plug-in library name may include the number of hyphens and the number of digits in the name, and the character information may include the character length of the plug-in library name, and so on. When collating the dynamic link libraries, the anomaly detection system aggregates counts per dynamic link library, computes the number of requests of each dynamic link library, and marks every dynamic link library that contains an abnormal plug-in library as abnormal; the number of occurrences of a plug-in library in dynamic link libraries containing an abnormal plug-in library is therefore the number of times the plug-in library appears in abnormal dynamic link libraries. Since the anomaly detection system splits each dynamic link library into several plug-in libraries, the number of occurrences of a plug-in library under the dynamic link libraries is the number of times it appears among all plug-in libraries.
Referring to FIG. 5, in the embodiment of the present invention, step S120 of the anomaly detection method may further include, but is not limited to, the following steps S510, S520, S530 and S540.
Step S510: compute the correlation coefficients between the several pieces of feature information.
Step S520: acquire a first preset threshold used for feature screening.
Step S530: when the correlation coefficient between pieces of feature information exceeds the first preset threshold, retain at least one of them.
Step S540: input the retained feature information and the first label data into the support vector machine model to obtain the risk score.
In some embodiments of the present invention, while computing the risk score the anomaly detection system screens the several pieces of feature information of the plug-in library so as to reduce the difficulty of the computation and to optimise and simplify it. In the embodiment the features are screened by a correlation test: the correlation coefficients between the pieces of feature information are computed. The correlation coefficient is a statistical indicator of how closely variables are related; it describes a non-deterministic relationship and measures the degree of linear correlation between variables. It is computed by the product-moment method: starting from each variable's deviations from its own mean, the two deviations are multiplied to reflect the degree of correlation between the two variables. Correlation is a statistical indicator of the linear relationship between random variables, and the larger the absolute value of the correlation coefficient, the stronger the linear relationship between the variables. The anomaly detection system then compares the correlation coefficient obtained with the first preset threshold. The first preset threshold is a comparison threshold set in advance for feature screening, chosen on the basis of the actual computational results. When the correlation coefficient between pieces of feature information exceeds the first preset threshold, at least one of them is retained, and the retained feature information together with the first label data is input into the support vector machine model to obtain the risk score.
It should be noted that in the embodiment of the present invention the correlation coefficient is computed between pairs of features, and when the correlation coefficient between two features exceeds the first preset threshold one of the two is retained. It will be understood that, provided the requirements of the embodiment are met, a correlation coefficient can also be computed over more than two features, and the features to be tested for correlation can be specified in advance, two or more of them; the embodiment of the present invention does not limit this, and it can be set according to the actual application scenario.
It should be noted that the feature information in the embodiment of the present invention may include the word score feature, hyphen information of the plug-in library name, character information of the plug-in library name, the number of occurrences of the plug-in library in dynamic link libraries containing an abnormal plug-in library, the number of occurrences of the plug-in library across the dynamic link libraries, the number of words obtained by splitting, and so on. Correlation is tested between each pair of these features to obtain the pairwise correlation coefficients; when a coefficient exceeds the first preset threshold one feature of the pair is retained, and the retained feature information is then input into the support vector machine model to obtain the risk score. It will be understood that in the embodiment of the present invention the word score feature is always retained during the correlation test and is always among the features finally input into the support vector machine model; this follows from the way the word score feature is computed, which makes a strong correlation between it and the other features unlikely, so it is always kept.
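The correlation screening of steps S510 to S530, as an added Python example rather than code from the patent. The feature table is constructed sample data (one row per plug-in library, columns in the order the patent lists its features), with `name_length` and `word_count` deliberately made near-collinear so the screening step has something to remove; the first preset threshold of 0.9 is a placeholder value. The correlation coefficient is the product-moment coefficient the description names, implemented directly so the example runs without numpy; the SVM of step S540 is left to whatever library the system uses and is not shown.

```python
from __future__ import annotations
import math

FEATURE_NAMES = ["word_score", "hyphens", "digits", "name_length",
                 "abnormal_dll_count", "all_dll_count", "word_count"]

# Constructed feature table (an assumption): one row per plug-in library,
# in the column order above.
FEATURE_ROWS = [
    [0.53, 0, 1, 11, 5, 12, 2],
    [0.33, 1, 0, 12, 8, 30, 2],
    [0.33, 0, 2, 16, 12, 6, 3],
    [0.00, 2, 0, 11, 0, 25, 2],
    [0.10, 1, 0, 10, 6, 20, 2],
    [0.00, 0, 3, 12, 1, 15, 2],
]


def pearson(xs, ys):
    """Product-moment correlation coefficient; 0.0 when a column is constant
    (its variance is zero and the ratio would be undefined)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def column(rows, j):
    return [row[j] for row in rows]


def screen_features(names, rows, threshold, always_keep=("word_score",)):
    """Steps S510-S530: walk the features in order and drop any feature whose
    |r| with an already-kept feature exceeds the first preset threshold, so
    one feature of each highly correlated pair survives. Features named in
    always_keep are never dropped (the patent keeps the word score feature
    throughout). Returns (kept_names, [(dropped, partner_it_duplicated), ...])."""
    kept, dropped = [], []
    for j, name in enumerate(names):
        if name in always_keep:
            kept.append(j)
            continue
        partner = next((names[i] for i in kept
                        if abs(pearson(column(rows, j), column(rows, i))) > threshold),
                       None)
        if partner is None:
            kept.append(j)
        else:
            dropped.append((name, partner))
    return [names[i] for i in kept], dropped


def screened_rows(names, rows, kept_names):
    """Project the feature table onto the retained columns, ready for the SVM."""
    idx = [names.index(k) for k in kept_names]
    return [[row[i] for i in idx] for row in rows]


if __name__ == "__main__":
    kept, dropped = screen_features(FEATURE_NAMES, FEATURE_ROWS, threshold=0.9)
    print("kept:", kept)
    print("dropped:", dropped)
    print("first screened row:", screened_rows(FEATURE_NAMES, FEATURE_ROWS, kept)[0])
```

Walking the features in their listed order is what makes the choice of survivor deterministic: when `word_count` is found to correlate at about 0.93 with the earlier `name_length`, it is `word_count` that is dropped. A constant column is reported as uncorrelated rather than raising a division error, which matters when a sample contains, for instance, no hyphenated names at all.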
Referring to FIG. 6, in the embodiment of the present invention, step S150 of the anomaly detection method may further include, but is not limited to, the following steps S610 and S620.
Step S610: acquire a second preset threshold derived from abnormal dynamic link library samples.
Step S620: when the dynamic link library score exceeds the second preset threshold, determine that the corresponding mobile device is an abnormal device.
In some embodiments of the present invention, after obtaining the dynamic link library score the anomaly detection system judges whether the corresponding mobile device is an abnormal device according to the magnitude of the dynamic link library score, comparing it against the configured second preset threshold. The anomaly detection system acquires the second preset threshold derived from abnormal dynamic link library samples; these samples are known data, and the threshold is set from the known abnormal dynamic link library samples. When the dynamic link library score exceeds the second preset threshold, the corresponding mobile device is determined to be an abnormal device: a score above the threshold means the dynamic link library resembles the known abnormal samples and can be attributed to an abnormal device. When the dynamic link library score is less than or equal to the second preset threshold, the corresponding mobile device is determined to be a normal device, since the dynamic link library then differs from the known abnormal samples. The embodiment of the present invention therefore does not need to rely on a blacklist when detecting mobile devices; by identifying and detecting plug-in libraries it improves the coverage of abnormal device detection and the efficiency of anomaly detection.
Specifically, in one specific embodiment, the anomaly detection method of the embodiment of the present invention may have the following specific steps:
Step 1): collect the label data of abnormal plug-in libraries and normal plug-in libraries, and the device dynamic link library data recorded when the user's mobile device requests the application.
Step 2): collate the dynamic link library data: first, aggregate counts per dynamic link library to compute the number of requests of each dynamic link library; second, mark every dynamic link library that contains an abnormal plug-in library as abnormal.
Step 3): collate the plug-in library data: each dynamic link library record consists of several plug-in libraries, so split each dynamic link library record into plug-in library records, aggregate counts per plug-in library, and compute the number of requests of each plug-in library.
Step 4): tokenise the plug-in library names: split each plug-in library name into words using the matching method; each plug-in library name can be split into several words.
Step 5): compute the word features, namely the homogeneity feature and the difference feature of each word, where:
homogeneity feature = number of requests of abnormal plug-in libraries containing the target word / number of requests of all abnormal plug-in libraries;
difference feature = number of requests of abnormal plug-in libraries containing the target word / (number of requests of all plug-in libraries containing the target word - number of requests of abnormal plug-in libraries containing the target word).
Step 6): compute the plug-in library word score feature. Select the maximum homogeneity feature and the maximum difference feature among the words of the plug-in library; the word score feature of each plug-in library is computed as follows:
word score feature of the plug-in library = maximum homogeneity feature * maximum difference feature.
Step 7): compute the plug-in library feature information, which includes: the number of hyphens in the plug-in library name, the number of digits, the character length of the plug-in library name, the number of times the plug-in library appears in abnormal dynamic link libraries, the number of times it appears among all plug-in libraries, the number of words split out, the word score feature, and so on.
Step 8): screen the plug-in library features. Compute the correlation between the pieces of feature information from step 7); for features whose correlation coefficient exceeds the first preset threshold, retaining one of them suffices.
Step 9): compute the risk score of the plug-in library: input the feature information retained in step 8) together with the label data of the plug-in library into the support vector machine model to obtain the risk score of the plug-in library.
Step 10): compute the plug-in library weights: compute the weight of each plug-in library from its risk score using Newton's law of cooling.
Step 11): compute the dynamic link library score from the plug-in library risk scores of step 9) and the plug-in library weights of step 10).
Step 12): mark abnormal devices: when the dynamic link library score exceeds the second preset threshold, mark the mobile device corresponding to that dynamic link library as an abnormal device.
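Steps 10) to 12) of the procedure above (and steps S610/S620), worked through as an added Python example that is not code from the patent. It starts from per-plug-in-library risk scores as the SVM stage of step 9) would output them; those scores, the device-to-library grouping and the known abnormal sample scores are all constructed. This section of the description says only that the weight follows from the risk score via Newton's law of cooling, so the decaying form `exp(-k * (1 - risk))`, the cooling rate `k`, the normalisation of the weighted sum, and deriving the second preset threshold as a low quantile of the known abnormal sample scores are all assumptions of this example.

```python
from __future__ import annotations
import math

# Constructed per-plug-in-library risk scores, as the SVM stage (step 9) would
# produce them, grouped by the dynamic link library each device requested with
# (an assumption, not data from the patent).
DEVICE_DLLS = {
    "device-A": {"FridaGadget": 0.9, "NetworkCore": 0.2, "CrashReporter": 0.1},
    "device-B": {"NetworkCore": 0.2, "ImageHook": 0.3, "CrashReporter": 0.1},
}

# Constructed dynamic link library scores of known abnormal samples, from which
# the second preset threshold is derived.
KNOWN_ABNORMAL_SCORES = [0.80, 0.75, 0.90, 0.60]


def cooling_weight(risk: float, k: float = 3.0) -> float:
    """Step 10 weight from Newton's law of cooling, in the form assumed by this
    example: w = exp(-k * (1 - risk)). A library with risk 1.0 keeps weight 1
    and lower-risk libraries 'cool' towards 0 at rate k, so the riskiest
    plug-in libraries dominate the dynamic link library score."""
    return math.exp(-k * (1.0 - risk))


def dll_score(risks: dict[str, float], k: float = 3.0) -> float:
    """Step 11: weight each plug-in library's risk score by its cooling weight.
    Dividing by the total weight (this example's choice) keeps the result on
    the same 0..1 scale as the risk scores, so one threshold fits every
    dynamic link library regardless of how many plug-in libraries it holds."""
    weights = {name: cooling_weight(r, k) for name, r in risks.items()}
    total = sum(weights.values())
    if total == 0.0:            # an empty dynamic link library scores nothing
        return 0.0
    return sum(weights[n] * risks[n] for n in risks) / total


def second_threshold(sample_scores, quantile: float = 0.0) -> float:
    """Derive the second preset threshold from known abnormal samples (step 12).
    With quantile 0 the threshold is the lowest score any known abnormal
    sample reached; a higher quantile trades recall for fewer false flags."""
    ordered = sorted(sample_scores)
    return ordered[int(quantile * (len(ordered) - 1))]


def flag_abnormal_devices(devices, threshold, k: float = 3.0):
    """Step 12: a device is abnormal when its DLL score exceeds the threshold."""
    return {dev: dll_score(risks, k) > threshold for dev, risks in devices.items()}


if __name__ == "__main__":
    threshold = second_threshold(KNOWN_ABNORMAL_SCORES)
    for dev, risks in DEVICE_DLLS.items():
        print(f"{dev}: dll score {dll_score(risks):.3f} "
              f"({'abnormal' if dll_score(risks) > threshold else 'normal'} at {threshold})")
```

With these inputs `device-A` scores about 0.77 because its single high-risk library carries most of the weight, while `device-B`, whose libraries are all low risk, scores about 0.22; only the first exceeds the 0.6 threshold derived from the known abnormal samples.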
It should be noted that when the anomaly detection method of the embodiment of the present invention is applied in a business risk decision system, it improves that system's coverage in identifying abnormal devices, and at the same time it can still identify abnormal devices without relying on a blacklist, which improves the efficiency of risk identification and safeguards business security.
Referring to FIG. 7, an embodiment of the present invention further provides an anomaly detection system 100 for a mobile device. The anomaly detection system 100 can execute the anomaly detection method of the above embodiments and includes a data acquisition module 101, a data processing module 102, an anomaly scoring module 103 and an anomaly detection module 104. The data acquisition module 101 is mainly used to acquire data, including dynamic link library data; the data processing module 102 processes the data from the data acquisition module 101 to obtain the risk score; the anomaly scoring module 103 is mainly used to derive the dynamic link library score from the data of the data processing module 102 for the anomaly scoring judgement; and the anomaly detection module 104 is mainly used to judge from the dynamic link library score whether the corresponding mobile device is an abnormal device.
Specifically, the data acquisition module 101 is configured to acquire the dynamic link library when the mobile device requests an application and to split the dynamic link library into several plug-in libraries; the data processing module 102 is configured to acquire the first label data and the several pieces of feature information of each plug-in library and to input the feature information and the first label data into the support vector machine model to obtain the risk score of the plug-in library; the anomaly scoring module 103 is configured to obtain the weight of each plug-in library from its risk score using Newton's law of cooling and to obtain the dynamic link library score by weighting the risk scores with the plug-in library weights; and the anomaly detection module 104 is configured to judge from the dynamic link library score whether the corresponding mobile device is an abnormal device.
The anomaly detection system 100 of the embodiment of the present invention may be a business risk decision system. By executing the anomaly detection method of the above embodiments, the anomaly detection system 100 does not need to rely on a blacklist when detecting mobile devices; by identifying and detecting plug-in libraries it improves the coverage of abnormal device detection and the efficiency of anomaly detection.
FIG. 8 shows an electronic device 200 provided by an embodiment of the present invention. The electronic device 200 includes a memory 201, a processor 202, and a computer program stored in the memory 201 and runnable on the processor 202; when run, the computer program executes the anomaly detection method for a mobile device described above.
The processor 202 and the memory 201 may be connected by a bus or in another manner.
The memory 201, as a non-transitory computer-readable storage medium, can be used to store non-transitory software programs and non-transitory computer-executable programs, such as the anomaly detection method for a mobile device described in the embodiments of the present invention. The processor 202 implements the anomaly detection method for a mobile device described above by running the non-transitory software programs and instructions stored in the memory 201.
The memory 201 may include a program storage area and a data storage area, where the program storage area can store an operating system and the application program required by at least one function, and the data storage area can store the data used in executing the anomaly detection method for a mobile device described above. In addition, the memory 201 may include high-speed random access memory and may also include non-transitory memory, such as at least one storage device, flash memory device or other non-transitory solid-state storage device. In some implementations, the memory 201 may optionally include memory located remotely from the processor 202, and such remote memory may be connected to the electronic device 200 through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The non-transitory software programs and instructions required to implement the anomaly detection method for a mobile device described above are stored in the memory 201 and, when executed by one or more processors 202, perform the anomaly detection method for a mobile device described above, for example steps S110 to S150 of the method in FIG. 1, steps S210 to S230 in FIG. 2, steps S310 to S330 in FIG. 3, steps S410 to S420 in FIG. 4, steps S510 to S540 in FIG. 5 and steps S610 to S620 in FIG. 6.
An embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being used to execute the anomaly detection method for a mobile device described above.
In one embodiment, the computer-readable storage medium stores computer-executable instructions which are executed by one or more control processors, for example to perform steps S110 to S150 of the method in FIG. 1, steps S210 to S230 in FIG. 2, steps S310 to S330 in FIG. 3, steps S410 to S420 in FIG. 4, steps S510 to S540 in FIG. 5 and steps S610 to S620 in FIG. 6.
The apparatus embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, that is, they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will understand that all or some of the steps and systems of the methods disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor such as a central processing unit, digital signal processor or microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for the storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
It should also be understood that the various implementations provided in the embodiments of the present invention may be combined arbitrarily to achieve different technical effects.
Those of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and devices, may be implemented as software, firmware, hardware, or suitable combinations thereof.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of another form.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
The foregoing is a specific description of preferred implementations of the present invention, but the present invention is not limited to the above embodiments; those skilled in the art may make various equivalent modifications or substitutions without departing from the spirit of the present invention, and all such equivalent modifications or substitutions fall within the scope defined by the claims of the present invention.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210163209.4A CN114518996B (en) | 2022-02-22 | 2022-02-22 | Abnormality detection method and system for mobile device, electronic device and storage medium |
| PCT/CN2022/090759 WO2023159768A1 (en) | 2022-02-22 | 2022-04-29 | Anomaly detection method and system for mobile device, electronic device, and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114518996A true CN114518996A (en) | 2022-05-20 |
| CN114518996B CN114518996B (en) | 2025-09-16 |
Family
ID=81599680
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210163209.4A Active CN114518996B (en) | 2022-02-22 | 2022-02-22 | Abnormality detection method and system for mobile device, electronic device and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN114518996B (en) |
| WO (1) | WO2023159768A1 (en) |
2022
- 2022-02-22 CN CN202210163209.4A patent/CN114518996B/en active Active
- 2022-04-29 WO PCT/CN2022/090759 patent/WO2023159768A1/en not_active Ceased
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6041363A (en) * | 1996-03-29 | 2000-03-21 | Sun Microsystems, Inc, | Imbedding virtual device driver (VxD) calls in a dynamic link library (DLL) |
| JP2007317089A (en) * | 2006-05-29 | 2007-12-06 | Olympus Corp | System, method and program for automatically updating software |
| CN103995906A (en) * | 2014-06-13 | 2014-08-20 | 北京京东尚科信息技术有限公司 | Abnormity processing method and device |
| US20210200746A1 (en) * | 2019-12-30 | 2021-07-01 | Royal Bank Of Canada | System and method for multivariate anomaly detection |
| US20210264294A1 (en) * | 2020-02-26 | 2021-08-26 | Samsung Electronics Co., Ltd. | Systems and methods for predicting storage device failure using machine learning |
| CN112214768A (en) * | 2020-10-16 | 2021-01-12 | 新华三信息安全技术有限公司 | Malicious process detection method and device |
| CN113609478A (en) * | 2021-07-16 | 2021-11-05 | 浙江吉利控股集团有限公司 | IOS platform application program tampering detection method and device |
Non-Patent Citations (2)
| Title |
|---|
| 陈锦富;卢炎生;谢晓东;: "Research on Software Fault Injection Testing Techniques", 软件学报 (Journal of Software), no. 06, 15 June 2009 (2009-06-15), pages 37 - 55 * |
| 韦雄;徐田玉;刘海云;: "Analysis and Handling of Virtual DCS Communication Faults in a Full-Scope Simulator", 机电信息 (Mechanical & Electrical Information), no. 20, 15 July 2020 (2020-07-15), pages 19 - 20 * |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2023159768A1 (en) | 2023-08-31 |
| CN114518996B (en) | 2025-09-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105389722B (en) | | Malicious order identification method and device |
| CN109587008B (en) | | Method, device and storage medium for detecting abnormal flow data |
| CN113222942A (en) | | Training method of multi-label classification model and method for predicting labels |
| CN110704603B (en) | | Method and device for discovering current hot event through information |
| US10372702B2 (en) | | Methods and apparatus for detecting anomalies in electronic data |
| CN113706249B (en) | | Data recommendation method and device, electronic equipment and storage medium |
| CN111586695A (en) | | Short message identification method and related equipment |
| CN109446393B (en) | | Network community topic classification method and device |
| CN107291774B (en) | | Error sample identification method and device |
| CN114363019A (en) | | Method, device and equipment for training phishing website detection model and storage medium |
| CN115204889A (en) | | Text processing method and device, computer equipment and storage medium |
| CN110533452A (en) | | Product information method for pushing, device, computer equipment and storage medium |
| CN111783786A (en) | | Image identification method, system, electronic device and storage medium |
| CN114595313B (en) | | Information retrieval result processing method, device, server and storage medium |
| CN114518996A (en) | | Anomaly detection method and system for mobile device, electronic device and storage medium |
| CN113076485B (en) | | Resource recommendation method, device, equipment and storage medium based on intelligent degradation |
| CN114138972B (en) | | Text category identification method and device |
| CN111523011B (en) | | Cold and hot wallet intelligent label system based on block chain technology distributed graph calculation engine |
| CN112312590B (en) | | Equipment communication protocol identification method and device |
| CN111708908B (en) | | Video tag adding method and device, electronic equipment and computer readable storage medium |
| CN109885710B (en) | | User image depicting method based on differential evolution algorithm and server |
| CN113691525A (en) | | Traffic data processing method, device, equipment and storage medium |
| CN117171589B (en) | | Data segmentation method, device, equipment and storage medium |
| CN113868660B (en) | | Training method, device and equipment for malicious software detection model |
| CN110245146B (en) | | User identification method and related device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |