CN119691732B - Method for determining application security, electronic device, and computer-readable storage medium - Google Patents
Method for determining application security, electronic device, and computer-readable storage medium
- Publication number
- CN119691732B
- Authority
- CN
- China
- Prior art keywords
- target
- application
- probability
- determining
- value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Telephonic Communication Services (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
This application discloses a method for determining application security, an electronic device, and a computer-readable storage medium, and belongs to the field of the Internet. The method for determining application security includes: obtaining target information of a target application deployed in a sandbox environment, the target information reflecting the behavioral characteristics of the target application, wherein the target application is an application intended for installation on a cloud phone; inputting the target information into a target machine learning model; and determining the security of the target application based on the target machine learning model. This application is used to determine the security of applications.
Description
Technical Field
This application belongs to the field of the Internet, and specifically relates to a method for determining application security, an electronic device, and a computer-readable storage medium.
Background
A cloud phone is a virtual phone that runs in the cloud. A cloud phone works by using virtual machines and similar technologies on a server to allocate resources such as CPU and memory, installing one of the various mobile phone operating systems, and virtualizing information such as the Wi-Fi Media Access Control (MAC) address and the International Mobile Equipment Identity (IMEI), thereby producing an emulated phone.
In the related art, an application newly uploaded by a user is generally deployed directly to that user's cloud phone. However, if the uploaded application is a malicious application that carries risk, deploying it directly on the cloud phone may expose the cloud phone to security risks.
Therefore, a method for determining application security is needed to address the security risks posed by applications that are to be deployed on cloud phones.
Summary of the Invention
Embodiments of this application provide a method for determining application security, an electronic device, and a computer-readable storage medium, which can solve the problem in the related art that applications to be deployed on cloud phones carry security risks.
In a first aspect, embodiments of this application provide a method for determining application security, including:
obtaining target information of a target application deployed in a sandbox environment, the target information reflecting the behavioral characteristics of the target application, wherein the target application is an application intended for installation on a cloud phone;
inputting the target information into a target machine learning model;
determining the security of the target application based on the target machine learning model.
In a second aspect, embodiments of this application provide an apparatus for determining application security, including:
an acquisition module, configured to obtain target information of a target application deployed in a sandbox environment, the target information reflecting the behavioral characteristics of the target application, wherein the target application is an application intended for installation on a cloud phone;
a processing module, configured to input the target information into a target machine learning model and to determine the security of the target application based on the target machine learning model.
In a third aspect, embodiments of this application provide an electronic device including a processor and a memory, wherein the memory stores programs or instructions executable on the processor, and the programs or instructions, when executed by the processor, implement the steps of the method described in the first aspect.
In a fourth aspect, embodiments of this application provide a computer-readable storage medium on which programs or instructions are stored, and the programs or instructions, when executed, implement the steps of the method described in the first aspect.
In a fifth aspect, embodiments of this application provide a computer program product including a computer program that, when executed by a processor, implements the steps of the method described in the first aspect.
In the embodiments of this application, target information of a target application deployed in a sandbox environment is obtained, the target information reflecting the behavioral characteristics of the target application, and the target application being an application intended for installation on a cloud phone; the target information is input into a target machine learning model; and the security of the target application is determined based on the target machine learning model. In this way, before the target application is deployed on the cloud phone, its target information is first obtained through the sandbox environment and its security is determined from the target machine learning model and the target information. The security of the target application is therefore known before deployment, and only a target application determined to be safe is deployed on the cloud phone, which solves the problem in the related art that applications to be deployed on cloud phones carry security risks.
Brief Description of the Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present invention and should therefore not be regarded as limiting its scope. Those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Figure 1 is a flowchart of a method for determining application security provided in an embodiment of this application;
Figure 2 is a flowchart of another method for determining application security provided in an embodiment of this application;
Figure 3 is a flowchart of another method for determining application security provided in an embodiment of this application;
Figure 4 is a flowchart of another method for determining application security provided in an embodiment of this application;
Figure 5 is a structural block diagram of an apparatus for determining application security provided in an embodiment of this application;
Figure 6 is a schematic diagram of an electronic device provided in an embodiment of this application.
Detailed Description
The technical solutions of the embodiments of this application are described clearly below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of this application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of this application without creative effort fall within the scope of protection of this application.
The terms "first", "second", and so on in the specification and claims of this application are used to distinguish similar objects, not to describe a specific order or sequence. It should be understood that data used in this way are interchangeable where appropriate, so that the embodiments of this application can be implemented in orders other than those illustrated or described herein. The objects distinguished by "first", "second", and so on are generally of one class, and their number is not limited; for example, there may be one first object or several. Furthermore, in the specification and claims, "and/or" indicates at least one of the connected objects, and the character "/" generally indicates an "or" relationship between the objects before and after it.
The method for determining application security provided in the embodiments of this application applies to cloud phone services. In particular, it can be applied to allocating, for a target user, server nodes that provide cloud phone service functions. Specifically, when a target user uploads a new application for installation on the cloud phone, the application is first assigned to a sandbox environment for deployment and running, a security judgment is made on the deployed application at the same time, and the application is migrated to the normal running environment of the user's cloud phone only after it has been found safe. This ensures that only safe target applications are deployed on the cloud phone, which solves the problem in the related art that applications to be deployed on cloud phones carry security risks.
The method for determining application security provided in the embodiments of this application is executed by a target device, which may be one electronic device or several electronic devices. That is, the method for implementing a cloud phone provided in the embodiments of this application may be executed by one electronic device, which may be a server, such as a standalone physical server, a server cluster made up of multiple servers, or a cloud server capable of cloud computing. When the method for determining application security provided in the embodiments of this application is executed by several electronic devices, these devices may form a service cluster and cooperate to complete the individual steps.
The method for determining application security provided in the embodiments of this application is described in detail below with reference to the accompanying drawings, through specific embodiments and their application scenarios.
Figure 1 is a flowchart of a method for determining application security provided in an embodiment of this application. Referring to Figure 1, the method may include:
Step 110: obtain target information of a target application deployed in a sandbox environment, the target information reflecting the behavioral characteristics of the target application, wherein the target application is an application intended for installation on a cloud phone;
In the embodiments of this application, the sandbox environment is an isolated test environment that allows software, programs, or code to run in a closed setting without affecting external systems or environments.
Because a sandbox is an isolated environment, installing the target application in the sandbox mainly serves to isolate it from the normal cloud phone environment. Apart from this, there is no other difference between the sandbox and a normal cloud phone, and the user can operate the target application in the sandbox. To make the target application's behavior easier to observe, the embodiments of this application may install applications commonly used by the user in the sandbox, simulate the user's data (such as SMS messages, contacts, call logs, and photos), and temporarily grant permissions to the application.
The target application in the embodiments of this application is an application to be installed on a cloud phone. Step 110 may be performed before the target application is installed on the cloud phone.
Step 120: input the target information into the target machine learning model;
The target machine learning model in the embodiments of this application may be a machine learning model obtained through training. In one embodiment, the target machine learning model is a machine learning model whose training is complete. The target machine learning model may be a gradient boosting model, such as the lightweight gradient boosting model LightGBM. LightGBM is an efficient, scalable machine learning algorithm based on Gradient Boosted Decision Trees (GBDT), and is one of the algorithms of the GBDT framework.
The target information in the embodiments of this application may include multiple target sequences obtained over multiple unit times, where one unit time corresponds to one target sequence and the unit time may be 1 hour, 1 minute, and so on. When the target application is a single one-of-a-kind application (for example, an application that the target user compiled or modified personally and that is not used by other users), a self-sliding approach can be used to collect multiple target sequences of the target application over multiple unit times. For example, on the timeline along which the target application is monitored, one day is taken as the sliding window and the window is moved in steps of 1 hour (that is, one unit time). Each move yields one target sequence of the target application, and after 24 moves, 24 target sequences are obtained.
The target information in the embodiments of this application may also include an average sequence, which is obtained from the average of the target sequences of multiple applications, where the target sequences of the multiple applications are obtained over the same unit time. When the target application is not a one-of-a-kind application, the target application may be multiple applications running simultaneously in the sandbox environment, and these multiple applications may be the same application. A mutual-sliding approach can be used to collect the target sequences of the multiple applications over the same unit time. For example, if the unit time is 1 hour, the target sequences of the multiple applications during that hour can be obtained. If 5 instances of the same application are running simultaneously, 5 target sequences are obtained, and the average of these 5 target sequences is then calculated to obtain the average sequence.
The target sequence includes at least one of the following: a sequence associated with the target user logging into the cloud phone, a sequence associated with the target application requesting permissions, a sequence associated with calling applications on the cloud phone other than the target application, and a sequence associated with accessing websites. A sequence may contain various numerical values that reflect the behavioral characteristics of the target application.
In one specific embodiment, the target sequence includes: a flag sequence of the target user logging into the cloud phone within a unit period; a flag sequence of the target application requesting permissions on the cloud phone within a unit period; a usage frequency sequence of specified permissions on the cloud phone within a unit period; a usage frequency deviation sequence of specified permissions on the cloud phone within a unit period; a usage arithmetic sequence of specified permissions on the cloud phone within a unit period; a usage arithmetic deviation sequence of specified permissions on the cloud phone within a unit period; a sequence of the number of calls to applications on the cloud phone other than the target application within a unit period; a sequence of the number of calls to applications of specified categories on the cloud phone within a unit period; a deviation sequence of the number of calls to applications of specified categories on the cloud phone within a unit period; a sequence of the number of website accesses within a unit period; a deviation sequence of the number of website accesses within a unit period; and a sequence of the data volume of website accesses within a unit period.
Step 130: determine the security of the target application based on the target machine learning model.
The output of the target machine learning model may be a probability value, and the security of the target application can be determined from that probability value. Specifically, the probability value output by the target machine learning model can be compared with a threshold, which may be a threshold set for malicious applications. If the probability value output by the target machine learning model is greater than or equal to the threshold, the target application can be determined to be a malicious application; if the probability value is less than the threshold, the target application can be determined to be a safe application.
In the embodiments of this application, target information of a target application deployed in a sandbox environment is obtained, the target information reflecting the behavioral characteristics of the target application, and the target application being an application intended for installation on a cloud phone; the target information is input into a target machine learning model; and the security of the target application is determined based on the target machine learning model. In this way, before the target application is deployed on the cloud phone, its target information is first obtained through the sandbox environment and its security is determined from the target machine learning model and the target information. The security of the target application is therefore known before deployment, and only a target application determined to be safe is deployed on the cloud phone, which solves the problem in the related art that applications to be deployed on cloud phones carry security risks.
Figure 2 is a flowchart of a method for determining application security provided in an embodiment of this application. Referring to Figure 2, the method may include:
Step 210: obtain target information of a target application deployed in a sandbox environment, the target information reflecting the behavioral characteristics of the target application, wherein the target application is an application intended for installation on a cloud phone;
In the embodiments of this application, before step 210, the target application uploaded by the target user may first be received, and the target application is deployed in the sandbox environment only if it meets a target condition. That is, the target application deployed in the sandbox environment is an application that meets the target condition. The target condition can be set as needed. In one specific embodiment, it can be determined whether the message digest (for example, MD5) of the target application's installation package meets the target condition. Specifically, it can be determined whether the message digest (for example, MD5) of the target application's installation package appears in the unknown list or the malicious list; if it does, the target application can be deployed in the sandbox environment, and the target information of the target application deployed in the sandbox environment can then be obtained. The unknown list initially consists of the MD5 digests of the APK packages of risky applications published by some security websites. Later, when an application in the unknown list is proven to be risky, the MD5 digest of its APK package is moved to the malicious list. Applications in the malicious list are prohibited from being installed on cloud phones. Applications in the unknown list are applications that must be deployed in the sandbox environment for security verification. If the target application is verified as a safe application through the sandbox environment, it can be placed in the safe list.
Step 220: input the target information into the target machine learning model;
Step 230: determine the security of the target application based on the target machine learning model;
Step 240: if the target application is determined to be a safe application, install the target application on the cloud phone;
Step 250: if the target application is determined to be a malicious application, prompt for removal of the target application.
In the embodiments of this application, if the target application is a malicious application, installation of the target application on the cloud phone is prohibited.
In addition, where a safe list, an unknown list, and a malicious list are maintained, the target application can be moved to the safe list if it is a safe application, and to the malicious list if it is a malicious application.
For steps 210 to 230, refer to the description above.
In the embodiments of this application, target information of a target application deployed in a sandbox environment is obtained, the target information reflecting the behavioral characteristics of the target application, and the target application being an application intended for installation on a cloud phone; the target information is input into a target machine learning model; and the security of the target application is determined based on the target machine learning model. In this way, before the target application is deployed on the cloud phone, its target information is first obtained through the sandbox environment and its security is determined from the target machine learning model and the target information. The security of the target application is therefore known before deployment, and only a target application determined to be safe is deployed on the cloud phone, which solves the problem in the related art that applications to be deployed on cloud phones carry security risks.
Figure 3 is a flowchart of a method for determining application security provided in an embodiment of this application. Referring to Figure 3, the method may include:
Step 310: obtain target information of a target application deployed in a sandbox environment, the target information reflecting the behavioral characteristics of the target application and including multiple target sequences obtained over multiple unit times, wherein one unit time corresponds to one target sequence and the target application is an application intended for installation on a cloud phone;
In the embodiments of this application, the target application may be a single application running in the sandbox environment. A self-sliding approach can be used to collect multiple target sequences of the target application over multiple unit times. For example, on the timeline along which the target application is monitored, one day is taken as the sliding window and the window is moved in steps of 1 hour (that is, one unit time). Each move yields one target sequence of the target application, and after 24 moves, 24 target sequences are obtained.
The target sequence includes at least one of the following: a sequence associated with the target user logging into the cloud phone, a sequence associated with the target application requesting permissions, a sequence associated with calling applications on the cloud phone other than the target application, and a sequence associated with accessing websites. A sequence may contain various numerical values that reflect the behavioral characteristics of the target application.
Step 320: input the multiple target sequences into the target machine learning model;
Step 330: based on the target machine learning model, determine multiple probability values corresponding to the multiple target sequences;
In the embodiments of this application, the number of target sequences may equal the number of probability values obtained from the target machine learning model. For example, when 24 target sequences are input into the target machine learning model, 24 probability values corresponding to the 24 target sequences are obtained.
Step 340: based on the multiple probability values, determine a first probability range, which indicates the probability range of the target application's own normal operation;
In the embodiments of this application, determining the first probability range from the multiple probability values in step 340 may include: determining the mean and the standard deviation of the multiple probability values; and determining the first probability range from the mean and the standard deviation, where the minimum of the first probability range is the mean minus the standard deviation and the maximum of the first probability range is the mean plus the standard deviation. In this way, the first probability range is determined from the mean and the standard deviation, which ensures that it conforms to mathematical laws and is more accurate.
Step 350: based on the first probability range, determine a second probability range and a third probability range, where the minimum of the second probability range is greater than or equal to the maximum of the first probability range, and the maximum of the third probability range is less than or equal to the minimum of the first probability range;
In the embodiments of this application, the second probability range may be the range of values greater than or equal to the maximum of the first probability range, and the third probability range may be the range of values less than or equal to the minimum of the first probability range.
Step 360: obtain at least one first probability value and at least one second probability value, where the at least one first probability value is all of the multiple probability values that fall within the second probability range, and the at least one second probability value is all of the multiple probability values that fall within the third probability range;
Step 370: determine at least one target probability value, which is whichever of the at least one first probability value and the at least one second probability value is the more numerous;
In the embodiments of this application, if the multiple probability values are the 24 probability values mentioned above, and 4 of these 24 values fall within the second probability range while 5 fall within the third probability range, then the 5 values that fall within the third probability range are taken as the 5 target probability values.
Step 380: calculate the average of the at least one target probability value;
Step 390: determine the security of the target application based on the average of the at least one target probability value;
In the embodiments of this application, the security of the target application can be determined by comparing the average of the at least one target probability value with a threshold, where the threshold can be set as needed, for example 0.5. If the average of the at least one target probability value is greater than or equal to the threshold, the target application is determined to be a malicious application; if the average is less than the threshold, the target application is determined to be a safe application.
本申请实施例在确定所述目标应用为安全应用的情况下,可将所述目标应用安装至所述云手机中;在确定所述目标应用为恶意应用的情况下,可提示移除所述目标应用。In this embodiment of the application, if the target application is determined to be a safe application, the target application can be installed on the cloud phone; if the target application is determined to be a malicious application, a prompt can be made to remove the target application.
在本申请实施例中,在将目标应用部署在云手机之前,通过先通过沙盒环境获取目标应用的目标信息,并基于目标机器学习模型和目标信息确定目标应用的安全性,可以在云手机上部署目标应用之前先获取目标应用的安全性,只有确定为安全的目标应用才会部署在云手机上,解决相关技术待部署在云手机上的应用存在安全风险的问题。此外,在基于所述目标机器学习模型,确定所述目标应用的安全性的过程中,通过考虑第二概率范围和第三概率范围,此两种概率范围更能体现目标应用的恶意性质,能够保证据此缺点的目标应用的安全性更加准确。而且,针对多个概率值中落入第二概率范围和第三概率范围的概率值,通过引入投票机制和均值算法进一步确保了结果的准确性。In this embodiment, before deploying the target application on a cloud phone, target information of the target application is obtained through a sandbox environment. Based on the target machine learning model and the target information, the security of the target application is determined. This allows for the assessment of the target application's security before deployment on the cloud phone, ensuring that only applications deemed secure are deployed, thus addressing the security risks associated with applications deployed on cloud phones. Furthermore, in determining the security of the target application based on the target machine learning model, considering a second and third probability range—both of which better reflect the malicious nature of the target application—ensures a more accurate assessment of its security. Moreover, for probability values falling within the second and third probability ranges, a voting mechanism and an averaging algorithm are introduced to further ensure the accuracy of the results.
Figure 4 is a flowchart of a method for determining application security provided in an embodiment of this application. Referring to Figure 4, the method for determining application security provided in this embodiment may include:
Step 410: obtain target information of the target application deployed in the sandbox environment, where the target information reflects the behavioral characteristics of the target application; the target application is multiple applications running simultaneously in the sandbox environment and is intended for installation on a cloud phone; the target information includes an average value sequence, the average value sequence is obtained from the average of the target sequences of the multiple applications, and the target sequences of the multiple applications are obtained over the same unit of time;
In this embodiment of the application, the target application may be multiple applications running in the sandbox environment. These multiple applications may be the same application. Mutual sliding may be used to collect the target sequences of these multiple applications over the same unit of time. For example, if the unit of time is 1 hour, the target sequences of these multiple applications over that 1 hour are obtained. If 5 copies of the same application are running simultaneously, 5 target sequences are obtained, and the average of these 5 target sequences is then calculated to obtain the average value sequence.
The target sequence includes at least one of the following: a sequence associated with the target user logging into the cloud phone, a sequence associated with the target application requesting permissions, a sequence associated with calling applications on the cloud phone other than the target application, and a sequence associated with accessing websites. A sequence may contain various numerical values that reflect the behavioral characteristics of the target application.
Step 420: input the average value sequence into the target machine learning model;
Step 430: based on the target machine learning model, determine a third probability value corresponding to the average value sequence;
Step 440: for each of the multiple applications, determine, based on the target machine learning model, a fourth probability value corresponding to that application;
Step 450: based on the third probability value and the fourth probability value, determine a total probability value;
In this embodiment of the application, step 450 may determine the total probability value as follows: the product of the third probability value and a first weight is determined as a first result; the product of the fourth probability value and a second weight is determined as a second result; and the sum of the first result and the second result is determined as the total probability value, where the first weight is less than the second weight. Because the first weight is less than the second weight, the differences between the individual applications are reflected, which ensures that the resulting total probability value captures individual differences.
Step 460: based on the total probability value, determine the security of the application;
In this embodiment of the application, the total probability value may be compared with a preset threshold to determine the security of the application. In one embodiment, step 460 may determine the security of the application as follows: if the total probability value is greater than or equal to the preset threshold, the application is determined to be a safe application; if the total probability value is less than the preset threshold, the application is determined to be a malicious application. The preset threshold can be set as needed, for example 0.5.
Step 470: based on the security of each of the multiple applications, determine the security of the target application;
In this embodiment of the application, determining the security of the target application based on the security of each of the multiple applications in step 470 may include: if every one of the multiple applications is a safe application, determining that the target application is a safe application; if at least one of the multiple applications is a malicious application, determining that the target application is a malicious application. In this way, malicious applications are excluded to a large extent, and the security determined for the target application is highly reliable.
In this embodiment of the application, if the target application is determined to be a safe application, the target application is installed on the cloud phone; if the target application is determined to be a malicious application, a prompt to remove the target application may be issued.
In this embodiment of the application, before the target application is deployed on the cloud phone, the target information of the target application is first obtained in a sandbox environment, and the security of the target application is determined based on the target machine learning model and the target information. The security of the target application is therefore known before it is deployed on the cloud phone, and only a target application determined to be safe is deployed there, which solves the problem in the related art that applications to be deployed on cloud phones carry security risks. In addition, in determining the security of the target application based on the target machine learning model, the third probability value corresponding to the average value sequence and the fourth probability value corresponding to each individual application are considered together. Both the overall situation and the individual situation are thus taken into account, so the resulting total probability value is more targeted, which further ensures the accuracy of the result.
The method for determining application (APP) security provided in the embodiments of this application is discussed further below through a detailed example. Note that the following discussion is only an example, and the content below may be combined with the embodiments discussed with reference to the figures above wherever there is no conflict.
In this embodiment of the application, three lists may be maintained. The first list is the safe list, which records the MD5 of the APK packages of safe applications. The second list is the unknown list, which records the MD5 of the APK packages of applications whose risk has not been established. The third list is the malicious list, which records the MD5 of the APK packages of malicious applications.
The first list may initially be populated with the MD5 values of safe applications published by major vendors or app stores. Because some users may try older versions of an application, the MD5 of the APK package of every version of a safe application is recorded in the first list. Later, when an application in the second list is proven to be safe, the MD5 of that application's APK package is moved to the first list.
The second list, the unknown list, initially consists of the MD5 values of the APK packages of risky applications published by some security websites. Later, when an application in the second list is proven to be risky, the MD5 of that application's APK package is moved to the third list, the malicious list.
When a target user uploads an application's APK package to the cloud phone, an MD5 may be generated for the APK package, and the MD5 of the uploaded application is then compared against the first list, the second list and the third list. If it matches the first list, installation of the application on the user's cloud phone is allowed. If it matches the second list (the unknown list), the application is installed in the sandbox, and the application's icon is displayed on the user's cloud phone to indicate that the application has been installed. If it matches the third list (the malicious list), installation of the application on the user's cloud phone is prohibited. If it matches none of the lists, antivirus software is used to scan the application; if the antivirus software reports a risk, the MD5 is written to the second list (the unknown list), the application is installed in the sandbox, and the application's icon is displayed on the user's cloud phone to indicate that the application has been installed.
For a target application installed in the sandbox, target information reflecting the behavioral characteristics of the target application can be obtained by observation and detection, without parsing the internal code of a malicious target application. Specifically, malicious applications generally exhibit the following autonomous behaviors: first, illegally requesting permissions on the phone in order to illegally collect user data on the phone; second, illegally calling other applications on the phone in order to illegally collect the user data of those applications; and third, illegally accessing websites in order to transmit user data out.
Because a user operating a safe application may also produce the behaviors above, there is no obvious distinguishing characteristic between the two. Relying purely on comparison strategies set on the feature values of specific application behaviors, such as static thresholds, year-on-year thresholds and predicted values, therefore introduces a certain bias into detection.
In view of this, the embodiments of this application treat the detection of safe applications and malicious applications as a binary classification problem, design a comprehensive set of features for application behavior, use LightGBM (Light Gradient Boosting Machine) to distinguish safe applications from malicious applications, and smooth the results, achieving high precision and recall with low resource consumption.
The process of constructing the target sequences is discussed below. One day is taken as the unit sampling period, and within that day the sampling interval is set to 1 minute. The following sequences are collected for the application to reflect the characteristics of its behavior:
1. Sequence A: the flag sequence of the target user logging into the cloud phone within the unit period
Sequence A is the flag sequence of the user logging into the cloud phone. Within each 1-minute interval, if the proportion of time during which the user is logged into the cloud phone is greater than or equal to 1/2, the user is considered to be logged into the cloud phone during that minute and the value of the sampling point is set to 1; if the proportion is less than 1/2, the user is considered not to be logged into the cloud phone during that minute and the value of the sampling point is set to 0.
Normal use of the application by the user affects the application's behavior to some extent, so the time the user spends using the cloud phone can be taken as a feature of the application's behavior.
2. Sequence B: the flag sequence of the permissions the target application requests on the cloud phone within the unit period
Sequence B is a sequence over the n permissions of the cloud phone. If the application has requested a given permission among the n permissions, the value corresponding to that permission is set to 1; if the application has not requested that permission, the value corresponding to it is set to 0. Here n is a positive integer.
3. Sequences C1 to Cn: the usage frequency sequences of specified permissions on the cloud phone within the unit period
Sequence Ci (i∈n) is the usage frequency sequence of the i-th permission on the cloud phone. Within each 1-minute interval, the number of times the application uses the i-th permission is counted, forming sequence Ci.
4. Sequences C1' to Cn': the usage frequency deviation sequences of specified permissions on the cloud phone within the unit period
Sequence Ci' (i∈n) is the usage frequency deviation sequence of the i-th permission on the cloud phone. It reflects the difference in frequency between the current application's use of the permission and a normal application's use of the permission.
Some typical safe applications on the market, especially super apps in different categories, such as well-known applications in the map category and well-known applications in the chat category, behave in a fairly standard way and can serve as a reference. For k well-known applications (where k is an integer greater than 1), C1 to Cn are each collected as described in point 3, giving k groups of C1 to Cn. These k groups of C1 to Cn are then averaged to obtain C1avg to Cnavg. The corresponding C1avg to Cnavg are subtracted from C1 to Cn and the absolute value is taken, giving C1' to Cn'. Taking C1 as an example, the average corresponding to C1 is C1avg; subtracting C1avg from C1 gives a difference, and taking the absolute value of that difference gives C1'.
5. Sequences D1 to Dn: the usage arithmetic sequences of specified permissions on the cloud phone within the unit period
Sequence Di (i∈n) is the usage arithmetic sequence of the i-th permission on the cloud phone. Within each 1-minute interval, the number of times the current application uses the i-th permission is counted. If that number is greater than or equal to the threshold r, the sampling point for that minute is set to 1; if that number is less than the threshold r, the sampling point for that minute is set to 0, forming sequence Di.
6. Sequences D1' to Dn': the usage arithmetic deviation sequences of specified permissions on the cloud phone within the unit period
Sequence Di' (i∈n) is the usage arithmetic deviation sequence of the i-th permission on the cloud phone. It reflects the arithmetic difference between the current application's use of the permission and a normal application's use of the permission.
Some typical safe applications on the market, especially super apps in different categories, such as well-known applications in the map category and well-known applications in the chat category, behave in a fairly standard way and can serve as a reference. For k well-known applications (where k is an integer greater than 1), D1 to Dn are each collected as described in point 5, giving k groups of D1 to Dn. These k groups of D1 to Dn are then averaged to obtain D1avg to Dnavg. D1avg to Dnavg are subtracted from D1 to Dn and the absolute value is taken, giving D1' to Dn'. Taking D1 as an example, the average corresponding to D1 is D1avg; subtracting D1avg from D1 gives a difference, and taking the absolute value of that difference gives D1'.
7. Sequence E: the sequence of the number of calls to applications on the cloud phone other than the target application within the unit period
Sequence E is the sequence of the number of calls to other applications on the cloud phone. Within each 1-minute interval, the number of times the current application calls other applications is counted, forming sequence E.
8. Sequences F1 to Fm: the sequences of the number of calls to applications of specified categories on the cloud phone within the unit period
The other applications on the cloud phone are divided into m categories. Sequence Fj (j∈m) is the sequence of the number of calls to applications of the j-th category on the cloud phone. Within each 1-minute interval, the number of times the application calls applications of the j-th category on the cloud phone is counted, forming sequence Fj.
9. Sequences F1' to Fm': the deviation sequences of the number of calls to applications of specified categories on the cloud phone within the unit period
Sequence Fj' (j∈m) is the deviation sequence of the number of calls to applications of the j-th category on the cloud phone. It reflects the difference in count between the current application's calls to other applications and a normal application's calls to other applications.
Some typical safe applications on the market, especially super apps in different categories, such as well-known applications in the map category and well-known applications in the chat category, behave in a fairly standard way and can serve as a reference. For k well-known applications (where k is an integer greater than 1), F1 to Fm are each collected as described in point 5, giving k groups of F1 to Fm. These k groups of F1 to Fm are then averaged to obtain F1avg to Fmavg. F1avg to Fmavg are subtracted from F1 to Fm and the absolute value is taken, giving F1' to Fm'. Taking F1 as an example, the average corresponding to F1 is F1avg; subtracting F1avg from F1 gives a difference, and taking the absolute value of that difference gives F1'.
10. Sequence G: the sequence of the number of website accesses within the unit period
Sequence G is the sequence of the number of website accesses. Within each 1-minute interval, the number of times the current application accesses websites is counted, forming sequence G.
11. Sequence G': the deviation sequence of the number of website accesses within the unit period
Sequence G' is the deviation sequence of the number of website accesses. It reflects the difference in count between the current application's website accesses and a normal application's website accesses.
Some typical safe applications on the market, especially super apps in different categories, such as well-known applications in the map category and well-known applications in the chat category, behave in a fairly standard way and can serve as a reference. For k well-known applications (where k is an integer greater than 1), G is collected for each as described in point 10, giving k groups of G. These k groups of G are then averaged to obtain Gavg. Gavg is subtracted from G and the absolute value is taken, giving G'.
12. Sequence H: the sequence of the data volume of website accesses within the unit period
Sequence H is the sequence of the data volume of website accesses. Within each 1-minute interval, the size of the data packets with which the current application accesses websites is tallied, forming sequence H.
In this embodiment of the application, at least one of the 12 kinds of sequence obtained above may be selected as the target sequence. For any application, at least one of these 12 kinds of sequence can be obtained in the way described above. For example, these 12 kinds of sequence can be collected as samples for safe applications and for malicious applications respectively, and a model (for example LightGBM) can be trained on them so that the model performs binary classification.
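The construction of sequences A, Ci, Ci', Di and Di' described above can be sketched as follows. This is an added example, not code from the patent: the function names, the event-log layout (timestamps in seconds from the start of the window) and all sample values are assumptions constructed for illustration, and a 5-minute window stands in for the 1-day period.

```python
from statistics import fmean

SECONDS_PER_SAMPLE = 60  # the page samples once per minute


def login_flags(sessions, n_samples):
    """Sequence A: 1 if the user was logged in for >= 1/2 of the minute."""
    flags = []
    for i in range(n_samples):
        lo, hi = i * SECONDS_PER_SAMPLE, (i + 1) * SECONDS_PER_SAMPLE
        # Seconds of this minute covered by login sessions, capped at 60
        # in case the (start, end) sessions overlap.
        covered = sum(max(0, min(end, hi) - max(start, lo))
                      for start, end in sessions)
        covered = min(covered, SECONDS_PER_SAMPLE)
        flags.append(1 if 2 * covered >= SECONDS_PER_SAMPLE else 0)
    return flags


def count_sequence(event_times, n_samples):
    """Sequences Ci, E, Fj, G: number of events in each one-minute sample."""
    counts = [0] * n_samples
    for t in event_times:
        idx = int(t // SECONDS_PER_SAMPLE)
        if 0 <= idx < n_samples:  # events outside the window are ignored
            counts[idx] += 1
    return counts


def threshold_sequence(counts, r):
    """Sequence Di: 1 where the per-minute count reaches the threshold r."""
    return [1 if c >= r else 0 for c in counts]


def deviation_sequence(seq, reference_seqs):
    """Sequences Ci', Di', Fj', G': |seq - mean of the k reference sequences|."""
    if len(reference_seqs) < 2:
        raise ValueError("the page requires k > 1 reference applications")
    if any(len(ref) != len(seq) for ref in reference_seqs):
        raise ValueError("all sequences must cover the same window")
    avg = [fmean(column) for column in zip(*reference_seqs)]
    return [abs(x - a) for x, a in zip(seq, avg)]


def build_features(sessions, perm_events, ref_counts, r, n_samples):
    """Assemble A, Ci, Ci', Di, Di' for one permission of one application."""
    c = count_sequence(perm_events, n_samples)
    d = threshold_sequence(c, r)
    ref_d = [threshold_sequence(ref, r) for ref in ref_counts]
    return {
        "A": login_flags(sessions, n_samples),
        "C": c,
        "C'": deviation_sequence(c, ref_counts),
        "D": d,
        "D'": deviation_sequence(d, ref_d),
    }


# Constructed sample data (not from the patent).
SAMPLE_SESSIONS = [(10, 45), (100, 200), (270, 300)]   # login intervals, s
SAMPLE_PERM_EVENTS = [5, 20, 61, 130, 131, 135, 299]   # uses of permission i
SAMPLE_REF_COUNTS = [[1, 1, 1, 0, 0], [1, 3, 1, 0, 2]]  # Ci of k = 2 references

if __name__ == "__main__":
    features = build_features(SAMPLE_SESSIONS, SAMPLE_PERM_EVENTS,
                              SAMPLE_REF_COUNTS, r=2, n_samples=5)
    for name, seq in features.items():
        print(name, seq)
```

The resulting per-minute sequences are what would be concatenated into the feature vector passed to the classifier.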
在通过训练得到模型之后,在应用中即可使用训练的模型确定应用的安全性。具体地,在沙盒中监控目标应用时,按照规范对目标应用采集行为特征(即上述12种序列中的至少一种),将行为的特征输入模型中,模型输出目标应用为恶意应用的概率值。例如,若概率值大于或等于0.5,则确定目标应用为恶意应用。若概率值小于0.5,则确定目标应用为安全应用。After training the model, it can be used to determine the application's security. Specifically, when monitoring a target application in a sandbox, behavioral characteristics (at least one of the 12 sequences mentioned above) are collected from the target application according to specifications. These behavioral characteristics are then input into the model, which outputs a probability value indicating whether the target application is malicious. For example, if the probability value is greater than or equal to 0.5, the target application is determined to be malicious. If the probability value is less than 0.5, the target application is determined to be safe.
虽然从多个行为的特征解析应用的行为,可以保障检测的精确度在较高的程度上,但是,应用的行为是具有一定偶然性的,单独凭借一次检测判断应用是恶意应用或是安全应用,仍然具有一定的误判率,因此,本申请实施例可滑动的方式,对检测应用的结果进行平滑,以降低误判率。Although analyzing the behavior of an application from multiple behavioral features can ensure a high level of detection accuracy, the behavior of an application is somewhat random. Judging whether an application is malicious or safe based on a single detection still has a certain false positive rate. Therefore, the embodiments of this application use a sliding method to smooth the results of application detection in order to reduce the false positive rate.
在本申请实施例中,滑动的方式分为自滑动与互滑动。In the embodiments of this application, the sliding method is divided into self-sliding and mutual sliding.
在本申请实施例中可以采用自滑动的方式确定目标应用的安全性。下面进行具体介绍。In this embodiment, a self-sliding method can be used to determine the security of the target application. This will be described in detail below.
自滑动,是在应用属于孤本时使用,该应用可能是用户自己编译/修改的应用,并没有给其他用户使用,此时,对于指定的MD5,沙盒实时仅运行一个应用。举例而言,在监控应用的时间轴上,将1天的时间作为滑动的窗口,按照1小时作为步长进行移动,每移动一次,使用窗口中的序列按照上述过程计算得到一个概率值,移动24次之后,得到24个概率值。Self-sliding is used when the application is a unique copy, such as one compiled/modified by the user and not shared with other users. In this case, for a given MD5 hash, the sandbox only runs one application in real time. For example, on the timeline of the monitored application, a one-day period is used as the sliding window, moving in one-hour increments. Each time it moves, a probability value is calculated using the sequence in the window according to the above process. After 24 moves, 24 probability values are obtained.
在一些情况下,用户对应用的操作、应用自身的操作符合正态分布,对24个概率值计算平均值μ与标准差σ,平均值μ决定了分布的中心位置,标准差σ决定了分布的高度与宽度。在本申请实施例中,可取μ±σ为特征的筛选范围(第一概率范围),概率值分布在μ±σ内的概率为0.6826,考虑到用户主动登录云手机并对应用操作是短时间的操作,因此,在μ±σ的概率值通常是对应用自身的操作计算得到的概率值。In some cases, user actions on the application and the application's own actions follow a normal distribution. The mean μ and standard deviation σ are calculated for 24 probability values. The mean μ determines the center of the distribution, and the standard deviation σ determines the height and width of the distribution. In this embodiment, μ±σ can be taken as the filtering range of features (the first probability range). The probability of a probability value falling within μ±σ is 0.6826. Considering that a user's active login to the cloud phone and application actions are short-lived, the probability value within μ±σ is usually calculated from the application's own actions.
在很多情形下,用户的操作对应用的恶意行为具有一定的激活性质,比如,拦截用户输入的密码之后发送出去、过度使用用户授权的权限,等等,对此,筛选出位于μ±σ之上的概率值,为第一集合(即第二概率范围),筛选出位于μ±σ之下的概率值,为第二集合(即第三概率范围),第一集合与第二集合更多的是对用户在操作应用时计算得到的概率值用户操作应用的概率值,在安全/恶意检测时,更能体现应用的恶意性质。In many situations, user actions can activate malicious behavior in applications. For example, intercepting and sending user-entered passwords, or overusing user-authorized permissions. To address this, we filter out probability values above μ±σ, forming the first set (i.e., the second probability range), and filter out probability values below μ±σ, forming the second set (i.e., the third probability range). The first and second sets are primarily probability values calculated based on user actions during application operation. These probability values are more effective in reflecting the malicious nature of applications during security/maliciousness detection.
考虑到应用的行为的偶然性,本申请实施例可以以投票机制决定使用第一集合或是第二集合。具体地,可统计第一集合中概率值的数量(即第一概率值的数量)和第二集合中概率值的数量(即第二概率值的数量),并将两者进行比较。Considering the randomness of the application's behavior, embodiments of this application can use a voting mechanism to decide whether to use the first set or the second set. Specifically, the number of probability values in the first set (i.e., the number of first probability values) and the number of probability values in the second set (i.e., the number of second probability values) can be counted and compared.
If the number of probability values in the first set is greater than the number in the second set, the first set takes precedence and the average of the probability values in the first set is calculated. If the number of probability values in the first set is less than the number in the second set, the second set takes precedence and the average of the probability values in the second set is calculated. If the average is greater than or equal to 0.5, the application is determined to be malicious. If the average is less than 0.5, the application is determined to be safe.
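The μ±σ filtering and vote described above can be sketched as follows. This is an added example, not code from the patent: the function and field names are hypothetical, the sample values are constructed, the use of the population standard deviation is an assumption, and the tie fallback is an assumption because the text does not say what happens when both sets have the same size.

```python
from statistics import mean, pstdev
from typing import NamedTuple, Sequence

MALICIOUS_THRESHOLD = 0.5  # decision threshold stated in the description


class VoteResult(NamedTuple):
    mu: float
    sigma: float
    chosen: str      # "first", "second" or "tie"
    average: float   # average of the set that won the vote
    verdict: str     # "malicious" or "safe"


def classify_by_vote(probs: Sequence[float]) -> VoteResult:
    """Apply the mu±sigma filter and the set-size vote to per-window scores."""
    if not probs:
        raise ValueError("at least one probability value is required")
    if any(not 0.0 <= p <= 1.0 for p in probs):
        raise ValueError("probability values must lie in [0, 1]")

    mu = mean(probs)
    sigma = pstdev(probs)  # assumption: population standard deviation
    low, high = mu - sigma, mu + sigma

    # Values inside mu±sigma are treated as the app's own background
    # behavior; the tails are the windows driven by user interaction.
    first_set = [p for p in probs if p > high]    # above mu±sigma
    second_set = [p for p in probs if p < low]    # below mu±sigma

    if len(first_set) > len(second_set):
        chosen, pool = "first", first_set
    elif len(second_set) > len(first_set):
        chosen, pool = "second", second_set
    else:
        # Assumption: on a tie (including two empty sets) fall back to
        # the average of all values; the description leaves this open.
        chosen, pool = "tie", list(probs)

    average = mean(pool)
    verdict = "malicious" if average >= MALICIOUS_THRESHOLD else "safe"
    return VoteResult(mu, sigma, chosen, average, verdict)


# Constructed samples: 24 hourly scores each.
SPIKY = [0.1] * 20 + [0.9] * 4     # quiet app, high scores in 4 windows
QUIET = [0.3] * 20 + [0.05] * 4    # moderate baseline, 4 very low windows
FLAT = [0.2] * 24                  # sigma is 0, so both tail sets are empty

if __name__ == "__main__":
    for name, sample in (("SPIKY", SPIKY), ("QUIET", QUIET), ("FLAT", FLAT)):
        print(name, classify_by_vote(sample))
```

For the constructed `SPIKY` sample the plain average of all 24 values is about 0.23, which would read as safe, while the vote isolates the four high-scoring windows and returns a malicious verdict.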
In the embodiments of this application, mutual sliding can also be used to determine the security of the target application. This is described in detail below.
Mutual sliding is used when the application is not a sole copy; such an application may be a cracked application, a newly released illegal application, and so on. In this case, for a specified MD5, the sandbox runs multiple applications simultaneously.
The target sequences of the multiple applications (that is, at least one of the 12 sequences above) are each averaged to obtain an average sequence. The average sequence is input into the model (for example, LightGBM), and the model outputs the probability value of maliciousness.
In the embodiments of this application, the total probability value can be calculated according to the following formula:
S = αS₁ + βS₂
Here, S is the total probability value, S₁ is the probability value calculated from the application's own sequence (the fourth probability value), S₂ is the probability value calculated from the average sequence of the multiple applications (the third probability value), α is the second weight, and β is the first weight.
In this embodiment, if the total probability value is greater than or equal to 0.5, the application is determined to be malicious. If the total probability value is less than 0.5, the application is determined to be safe. In addition, if any one of the applications is evaluated as malicious, the application is finally determined to be malicious. If all of the applications are evaluated as safe, the application is finally determined to be safe.
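The mutual-sliding fusion above, as an added example that is not code from the patent. The scorer `toy_model` is a constructed stand-in for the trained model (the text names LightGBM only as an example), the weights α = β = 0.5 are assumed because the text gives no values, and applying the formula once per sandboxed instance is one reading of the "any application" rule.

```python
from typing import Callable, List, Sequence, Tuple

Scorer = Callable[[Sequence[float]], float]


def toy_model(seq: Sequence[float]) -> float:
    """Constructed stand-in scorer: mean feature value / 10, capped at 1."""
    return min(1.0, max(0.0, sum(seq) / len(seq) / 10.0))


def average_sequence(seqs: Sequence[Sequence[float]]) -> List[float]:
    """Element-wise average of the same target sequence across instances."""
    if not seqs:
        raise ValueError("no sequences supplied")
    if len({len(s) for s in seqs}) != 1:
        raise ValueError("all sequences must have the same length")
    return [sum(column) / len(seqs) for column in zip(*seqs)]


def mutual_sliding(seqs: Sequence[Sequence[float]], model: Scorer,
                   alpha: float = 0.5, beta: float = 0.5
                   ) -> Tuple[List[float], str]:
    """Return per-instance totals S = alpha*S1 + beta*S2 and the verdict."""
    s2 = model(average_sequence(seqs))           # score of the average sequence
    totals = [alpha * model(s) + beta * s2 for s in seqs]  # S1 is per instance
    # One instance at or above 0.5 is enough for a malicious verdict.
    verdict = "malicious" if any(t >= 0.5 for t in totals) else "safe"
    return totals, verdict


# Constructed input: three sandboxed instances sharing one MD5.
INSTANCES_ONE_ACTIVE = [[1, 1, 1, 1], [1, 1, 1, 1], [9, 9, 9, 9]]
INSTANCES_ALL_QUIET = [[1, 1, 1, 1], [1, 1, 1, 1], [1, 1, 1, 1]]

if __name__ == "__main__":
    print(mutual_sliding(INSTANCES_ONE_ACTIVE, toy_model))
    print(mutual_sliding(INSTANCES_ALL_QUIET, toy_model))
```

In the first constructed input the average sequence alone scores about 0.37, below the threshold, but the third instance's total is about 0.63, so the any-malicious rule decides the outcome.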
A safe application is formally installed on the user's cloud phone, so that it receives normal service support and the user gets a normal service experience. For a malicious application, the user is prompted to remove it, and installation on the cloud phone is prohibited.
As can be seen from the above, with the method for determining the security of cloud phones provided by the embodiments of this application, an application whose risk is not yet clear is first run in a sandbox environment and is transferred to the cloud phone only after it has been confirmed to be safe. This gives the user a good running experience while keeping the cloud phone secure, and effectively prevents Trojan programs from directly affecting cloud phone data. Furthermore, the embodiments can construct feature sequences along multiple dimensions to describe the application's behavior comprehensively, and then process the detection results by sliding, so that a reliable security policy is applied to the security detection of sandboxed applications, ensuring the security of the application and protecting the security of the cloud phone.
Figure 5 is a structural block diagram of an apparatus for determining application security provided by an embodiment of this application. Referring to Figure 5, the apparatus 500 for determining application security may include an acquisition module 510 and a processing module 520, where:
The acquisition module 510 is configured to acquire target information of a target application deployed in a sandbox environment, the target information reflecting the behavioral characteristics of the target application, and the target application being an application intended for installation on a cloud phone;
The processing module 520 is configured to input the target information into a target machine learning model and to determine the security of the target application based on the target machine learning model.
In the apparatus for determining application security provided by the embodiments of this application, target information of a target application deployed in a sandbox environment is acquired, the target information reflecting the behavioral characteristics of the target application, and the target application being an application intended for installation on a cloud phone; the target information is input into a target machine learning model; and the security of the target application is determined based on the target machine learning model. In this way, the target information is first obtained through the sandbox environment and the security of the target application is determined from the target machine learning model and the target information before the target application is deployed on the cloud phone. Only a target application determined to be safe is deployed on the cloud phone, which solves the problem in the related art that applications to be deployed on cloud phones carry security risks.
The apparatus for determining application security provided by the embodiments of this application can implement each process implemented by the method embodiments above. For the specific content implemented by each module, refer to the description in the method section above; to avoid repetition, it is not repeated here.
As shown in Figure 6, an embodiment of this application also provides an electronic device 600. The electronic device 600 includes a processor 610 and a memory 620. The memory 620 stores a program or instructions which, when executed by the processor 610, implement the steps of any of the methods described above (for example, the method for determining application security). For example, when executed by the processor 610, the program implements the following process: acquiring target information of a target application deployed in a sandbox environment, the target information reflecting the behavioral characteristics of the target application, and the target application being an application intended for installation on a cloud phone; inputting the target information into a target machine learning model; and determining the security of the target application based on the target machine learning model. In this way, the target information is first obtained through the sandbox environment and the security of the target application is determined from the target machine learning model and the target information before the target application is deployed on the cloud phone. Only a target application determined to be safe is deployed on the cloud phone, which solves the problem in the related art that applications to be deployed on cloud phones carry security risks.
An embodiment of this application also provides a readable storage medium storing a program or instructions which, when executed by a processor, implement the steps of each embodiment of the method for determining application security and achieve the same technical effect. To avoid repetition, they are not described again here.
The processor is the processor in the electronic device described in the above embodiments. The readable storage medium includes a computer-readable storage medium, such as a computer read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
An embodiment of this application further provides a chip. The chip includes a processor and a communication interface coupled to the processor, and the processor is configured to run a program or instructions to implement each process of the above method embodiments and achieve the same technical effect. To avoid repetition, this is not described again here.
An embodiment of this application provides a computer program product. The program product is stored in a storage medium and is executed by at least one processor to implement each process of the above method embodiments and achieve the same technical effect. To avoid repetition, this is not described again here.
It should be noted that, in this document, the terms "comprise", "include", and any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article, or apparatus that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or apparatus that includes the element. It should also be noted that the scope of the methods and apparatuses in the embodiments of this application is not limited to performing functions in the order shown or discussed; depending on the functions involved, functions may also be performed substantially simultaneously or in the reverse order. For example, the described methods may be performed in an order different from the one described, and various steps may be added, omitted, or combined. In addition, features described with reference to some examples may be combined in other examples.
From the description of the above embodiments, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, can be embodied in the form of a computer software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disk) and includes several instructions that cause a terminal (which may be a mobile phone, a computer, a server, a network device, or the like) to execute the methods described in the embodiments of this application.
The embodiments of this application have been described above with reference to the accompanying drawings, but this application is not limited to the specific embodiments described above, which are merely illustrative and not restrictive. Guided by this application, those of ordinary skill in the art can devise many other forms without departing from the purpose of this application and the scope protected by the claims, all of which fall within the protection of this application.
Claims (11)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411631763.6A CN119691732B (en) | 2024-11-15 | 2024-11-15 | Method for determining application security, electronic device, and computer-readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411631763.6A CN119691732B (en) | 2024-11-15 | 2024-11-15 | Method for determining application security, electronic device, and computer-readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN119691732A (en) | 2025-03-25 |
| CN119691732B (en) | 2026-01-23 |
Family
ID=95030323
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411631763.6A Active CN119691732B (en) | 2024-11-15 | 2024-11-15 | Method for determining application security, electronic device, and computer-readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119691732B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107563189A (en) * | 2017-08-24 | 2018-01-09 | 东软集团股份有限公司 | One kind applies detection method and terminal |
| CN108595953A (en) * | 2018-04-04 | 2018-09-28 | 厦门雷德蒙软件开发有限公司 | Method for carrying out risk assessment on mobile phone application |
Family Cites Families (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105160251A (en) * | 2015-07-06 | 2015-12-16 | 国家计算机网络与信息安全管理中心 | Analysis method and device of APK (Android Packet) application software behavior |
| CN113162888B (en) * | 2020-01-22 | 2023-06-09 | 华为技术有限公司 | Security threat event processing method and device and computer storage medium |
| CN113781079B (en) * | 2020-10-13 | 2025-01-10 | 北京沃东天骏信息技术有限公司 | Method and apparatus for training a model |
| CN112632541B (en) * | 2020-12-29 | 2024-10-15 | 奇安信网神信息技术(北京)股份有限公司 | Method, device, computer equipment and storage medium for determining malicious degree of behavior |
| US12166785B2 (en) * | 2021-12-28 | 2024-12-10 | SecureX.AI, Inc. | Systems and methods for predictive analysis of potential attack patterns based on contextual security information |
| CN115221514A (en) * | 2022-05-26 | 2022-10-21 | 国网江西省电力有限公司电力科学研究院 | Android malicious software detection method based on two-layer machine learning |
| US20240095740A1 (en) * | 2022-09-15 | 2024-03-21 | Capital One Services, Llc | Multi-factor authentication using location data |
| CN116611861A (en) * | 2023-03-31 | 2023-08-18 | 华为技术有限公司 | Consumption prediction method and related equipment thereof |
| CN118036013A (en) * | 2024-02-01 | 2024-05-14 | 中国移动通信集团江苏有限公司 | Open source software vulnerability detection method, device, equipment, medium and program product |
| CN118195688A (en) * | 2024-03-26 | 2024-06-14 | 中移互联网有限公司 | Risk identification method, device, electronic device and storage medium |
| CN118690354A (en) * | 2024-06-11 | 2024-09-24 | 北京邮电大学 | Federated learning attacker identification method, device, electronic device and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN119691732A (en) | 2025-03-25 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |