CN110071924B - Terminal-based big data analysis method and system - Google Patents

Abstract

A terminal-based big data analysis method and system, search for an application, confirm whether it is malicious or not; determine whether to retry or download; download and install an application, perform security authentication; determine whether to retain or uninstall the application; run, access Manage permissions when sensitive or private data. The method and system can use big data and information security technology to perform security detection on application programs in the installation stage, and intercept applications that are harmful to the terminal, confirm and block their sources; For legal or illegal access, the private information of the terminal is encrypted. For legal access, private information is read through reasonable management and ensure that the reading does not exceed the preset permissions. For illegal access, time settings or permission blocking settings are used. And avoid unreasonable access to privacy programs by applications, and ensure the security of downloading, running and data access of applications on the terminal.

Description

Terminal-based big data analysis method and system

technical field

The present invention relates to the field of electrical data processing, and more particularly, to a terminal-based big data analysis method and system.

Background technique

With the rapid development of information technology, intelligent mobile terminals and high-speed mobile networks provide users with a variety of information and resources. While using these information technologies for work, life, entertainment, and communication, users need to download a large number of An application program (APP), whereby the resources or information required by the user can be presented, downloaded and stored in the intelligent mobile terminal via the network, thereby facilitating the user's work and life. There are a large number of applications with distinctive features and friendly user experience in the smart mobile terminal application market today, which greatly improve the user experience.

However, technology is also a double-edged sword, bringing benefits, but also causing a series of security problems. For example, the Internet has gradually become a way for malicious programs to spread. After the downloaded programs are stored or installed on the local terminal, some of them will maliciously modify the files in the local terminal, and some will cause system paralysis or slow operation. For another example, the download, installation and operation of the application bring the risk of personal privacy leakage, and the personal privacy includes the user's personal identity, the user's financial account and financial information, behavioral preferences, health status, social status, social records and other private information . Apple's user privacy leak incident reflects that the company has privately recorded the location information of users every time they use the location APP and uploaded it to the background database, resulting in a large number of user privacy leaks. Moreover, in the specific data mining of a single user, the intersection of a large number of and diverse information can finally accurately describe the user's profile, such as personal age, economic status, consumption behavior and level, social status, social circle, etc., and then give birth to Some new privacy risks and ethical security issues need to be addressed. Therefore, the installed applications need to be detected and killed. However, the detection and killing in the prior art have the following problems.

The detection and killing of malicious applications is generally to delete malicious programs after detecting malicious programs to avoid malicious programs from executing malicious behaviors. source. Moreover, the analysis of malicious applications includes static analysis and dynamic analysis. Static analysis is simple and fast, but before scanning, you need to know information about known malicious applications, such as signatures, behavior patterns, and permission applications. Dynamic analysis runs the application in a closed environment and monitors it, and analyzes the behavioral characteristics of the application, such as file permission changes, process and thread operation, system calls, and network access. However, whether it is static analysis or dynamic analysis, the analysis process requires pre-stored and recorded application information, and its analysis efficiency is not ideal, and the update and comparison and accuracy depend on the pre-stored and recorded application information; objectively Said that the analysis technology lacks the analysis of big data. In addition, malicious newly installed applications often try to access the user's private information; although some applications have the legal authority to legally access the user's private information such as incoming text messages and SMS, the existing technology lacks the Its onboard has effective file protection for user privacy, and it also lacks reasonable management of access to private information.

SUMMARY OF THE INVENTION

One of the objectives of the present invention is to provide a terminal-based big data analysis method and system, which can use big data and information security technology to perform security detection on application programs in the installation stage, and perform security detection on applications that have harmful terminals. Intercept, and confirm and block its source; and for the legal or illegal access of the user's private information in the terminal by the application program, the present invention encrypts the private information of the terminal, and conducts privacy through reasonable management for legal access. Information read and ensure that the read does not exceed the preset permissions, and for illegal access, the unreasonable access of the application to the privacy program is avoided by the time setting or the permission blocking setting. With the method and system of the present invention, the security of the system can be realized based on big data and rights management, and finally the security of downloading, running and data access of the application program on the terminal is guaranteed.

The technical solution adopted by the present invention to solve the above-mentioned technical problems is: a terminal-based big data analysis method, comprising: the terminal searches for the required application program and sends it to the determination server to confirm whether it is malicious or not; The server determines whether to retry the download of other resources or the user chooses whether to download or directly download the application according to the malicious or not obtained results of the big data: the terminal downloads and installs the application, extracts the information, and sends it to the judgment server for security authentication; the terminal Based on the security authentication of the determination server, it is determined whether to keep the application program in the terminal or uninstall the application program; and after the terminal determines to retain the application program, the subsequent application program runs and accesses sensitive or private data on the terminal. its enabled or disabled.

In one embodiment, the method further includes the following steps: step S1, the terminal searches for the required application program via the wireless network, and obtains the name and/or IP information of the resource server containing the application program; step S2, the terminal uses the resource The name and/or IP information of the server are sent to the determination server to confirm whether it is malicious or not; step S3, the terminal performs a corresponding operation according to the result of whether the determination server is malicious or not based on the big data confirmation: if it is malicious, block the connection with the resource server. Communication link and continue to try other resource servers obtained in step S1 and perform steps S2 and S3 in sequence, until the determination server confirms that it is not malicious or the number of attempts reaches the number of times preset by the user; if it is not malicious, the user chooses whether to download or download directly the application; step S4, after downloading, the terminal installs the application and extracts its information, performs signature processing on the application, and sends the extracted information to the determination server for security authentication; step S5, the terminal determines the server based on the large The security authentication result of the data determines whether to keep the application program in the terminal or uninstall the application program; when the application program is retained, the application program is given special permissions, and when the application program is uninstalled, the information of the application program is sent to the judgment The server updates the database used for big data analysis, determination and confirmation; Step S6, when the application is executed on the terminal, obtain its operating parameters and analyze it; Step S7, based on the analysis result, it is further determined to keep the application in the terminal. The application program still uninstalls the application program, and sends the information of the application program to the determination server to update the database used for big data analysis, determination and confirmation; step S8, when the application program requests to access the user privacy data on the terminal, The terminal confirms its access authority according to the authority configuration table, and performs corresponding operations; step S9, when a new instant messaging message is incoming to the terminal and the application requests access, the terminal enables or disables access to the application based on the access settings. prohibit.

In one embodiment, step S1 further includes: directly via the browser installed on the terminal, by inputting the name of the desired application, to search through a search engine; or in the current non-browser application, long press the screen with the user's finger , the option to select text appears on the screen, the user selects and highlights all or part of the name of the application, and clicks the search button that appears on the screen after selection, and one or more browsers appear by clicking the search button , select the corresponding browser icon to search; or in the current non-browser application, by selecting the search icon in the non-browser application, an input box appears on the screen, and by entering the desired After selecting the application name, the non-browser application either directly invokes the default third-party browser to search, or one or more browser selection icons appear for selection and search after selecting the corresponding browser icon; or In instant messaging apps with embedded browsers, either by long-pressing the screen with the user's finger and an option to select text appears on the screen, by selecting and highlighting all or part of the app's name and clicking on the screen when selected The embedded browser is invoked for searching by pressing the search button of the non-browser application, or an input box appears on the screen by selecting the search icon in the non-browser application, and the embedded browser is invoked for searching by entering the desired application name. After searching for the desired application program via the wireless network, the name and/or IP address for identifying the resource server containing the application program is obtained according to the result.

In one embodiment, step S2 further includes: the terminal selects any one or both of the resource server's name and/or IP information, and packages it in a to-be-transmitted packet in a fixed packet transmission format, and Set the header of the packet as a request attribute, terminate with a fixed terminator after either or both of the name and/or IP information in the packet to be transmitted, to facilitate identification by the decision server, and then pass the packet over the wireless The link is sent to the decision server for malicious or malicious confirmation.

In one embodiment, step S3 further includes: determining that the server is internally provided with a database for big data analysis, confirmation and determination, and the database stores the security attribute information of the application program for the terminal, including malicious, safe and pending, the security The attribute information is updated with the passage of time, and its update method is carried out by any one of user uploading, information center notification, etc.; it is determined that the server receives the packet transmitted by the terminal, and based on the preset packet splitting rule, extracts Either or both of the name and/or IP information of the resource server in the package and entered into a database set up internally for information matching, when there is a safe or malicious match and no match is rejected. It is confirmed that it is pending, and the result of the clear and pending security attribute information is packaged and sent to the terminal via the wireless link; the terminal receives the packet and splits the packet, extracts the security attribute information in it, and if it is malicious, blocks the connection with the terminal. The communication link of the resource server, and continue to try other resource servers obtained in step S1 and execute steps S2 and S3 in sequence, until it is determined that the server is not malicious or the number of attempts reaches the user's preset number; if it is safe, it is selected by the user Whether to download the application: if it is safe, the user chooses whether to download or directly download the application, wherein if it is safe, the application is downloaded directly, and if it is pending, the user chooses whether to download the application. Carry out the subsequent steps, if not, then determine whether to exit the method directly or continue to try other resource servers obtained in step S1 and execute steps S2 and S3 in sequence until it is determined that the server confirms that the security attributes meet the user’s expectations or the number of attempts reaches the user’s preset number of times. .

In one embodiment, step S4 further includes: after downloading, the terminal installs the application and extracts its information, performs signature processing on the application, and sends the extracted information to the determination server for security authentication, wherein In the process of installing the application program, the terminal changes the file suffix name of the application program for decompression to obtain the first file included in it after compilation and tool packaging, and obtains a transformation tool to copy the category file including the category name to The first directory location, where the category conversion command is used to generate grouped data in the application; the called function is obtained by traversing the library function of the grouped data, and its behavior attribute is determined by the behavior information of the called function , where the behavior information includes access behavior information, process creation behavior information, operation process behavior information, registry operation behavior information, behavior information for applying for calling identifiers and permissions of other applications, installation behavior information, compression and packaging behavior information, and The mobile data transmits behavior information, and the behavior attributes include malicious or not; determine the behavior execution path of the called function according to the behavior attributes, record the execution path as part of the extracted information, and upload it to the judgment server in the subsequent steps , by analyzing part or all of the execution path with the bytecode-based path big data in the judgment server, and then performing security authentication. In the process of signing the application, the terminal obtains all the files in the application based on the decompressed application; the first type of file is used to calculate the digest information with the secure hash algorithm, and the digest information is encoded, Then store the encoded value in a first file of a second type different from the first type, and generate a set of signature information from the digest information and private key information previously saved in the first file of the second type and save it in the first file. The first position in the second file of the two types is different from the first file, and the signature information and the public key are stored in the second position in the second file, wherein the first type and the second type relate to files of different directory types .

In one embodiment, in the above step S4, extracting the information further includes extracting other parts of the information, that is: renaming the file of the application program to a file with a suffix in the form of a compressed package and decompressing it, thereby obtaining the first configuration file , use the first open source software to convert the first configuration file into an operable text format; use the second open source software to decompile and decompress the binary source code file in the result; use the third open source software to restore the binary source code file to obtain the The source code of the file of the application program; based on the source code of the file of the application program, use the matching algorithm to scan the source code, count the specified keywords, obtain the number and corresponding position of each specified keyword in the class file, and use the matrix to store , calculate the similarity distance between each two keywords based on the distance algorithm; classify the keywords based on the similarity distance, use each keyword in the matrix as the root node, and aggregate the keywords with high similarity with each node Together, compare with the matrix of the stored location, remove keywords of different categories, and then classify and store them; The security features included in the features of the application program avoid increasing the amount of information processing and increasing the information processing time and power consumption and wasting the limited processing resources of the terminal; classify the stored and de-featured data as other parts of the extracted information, and Along with other information, it is sent to the decision server for security authentication.

In one embodiment, step S5 further includes: the terminal receives the big data-based security authentication result of the determination server, and further determines whether it is malicious based on the result, uninstalls the application when it is malicious, and in the terminal when it is safe Retain the application, and display the risk prompt information on the display screen to the user when it is to be scheduled so that the user can understand the security attributes and choose to uninstall or retain; when the application is retained, grant the application permission, including storage Permissions, permission to take pictures, permission to use the microphone, permission to record, permission to call terminal sensors, permission to read and send short messages, permission to make calls, permission to identify the SIM card number installed on the terminal, permission to read the address book, permission to read Permissions for user exercise data, permission to enable mobile operator communication network connection, permission to enable Wi-Fi connection, permission to read other applications, permission to read communication records of instant messaging software, granting permission includes granting enable permission or granting disable Permission; when it is determined to uninstall, the information of the application is sent to the decision server to update the database in the decision server for big data analysis, decision and confirmation.

In one embodiment, in step S6, when the application program is executed on the terminal, obtain and analyze its running parameters, which includes: executing the application program, and obtaining behavior parameters during its running process, where the behavior parameters include system APIs , changes in file permissions, process and thread running data, call data, network access request data, and sent network data, record the behavior parameters in the log file; monitor the creation of portable executable files in the application, determine its Create the main body, establish the corresponding relationship between the portable execution file and the creation main body in the terminal memory; use the simulation tool to run and simulate the operation of the terminal user to obtain log file records and network data grouping file records; run the simulation tool end, and after the network link is turned on and the data communication ends over time, the log file record and the network data packet file record are stored in the first storage location; the log file record and the network data packet file record are stored in the first storage location; Perform analysis, where feature extraction is used to quantify features of log file records and network data grouped file records, permissions, APIs, URLs, and strings are converted into numerical features, and a subset of features is selected using a feature selection algorithm based on mean and variance , predict the numerical feature based on the classification and clustering and label construction rules, and determine its running behavior attribute based on the numerical feature matching the value of the parameter in the preset configuration file, that is, whether the installed application is safe for the terminal. , and take it as the first part of the analysis result; when the result is safe or vice versa, take the correspondence between the portable executable file in the application and its creation body as the second part of the analysis result, when it is unsafe or malicious In addition, the relevant information of the created subject will be marked as the malicious identification information that the application will affect the terminal and as a supplementary part of the second part for sending to the judgment server to update the database for big data analysis judgment and confirmation , and recorded at the terminal and stored in the security information database as a malicious source, and the application program of this source can be provided and displayed to the user as an application program from a malicious source during subsequent installation, so that the user can optionally The source is thoroughly checked and killed, and the installation of the source and all applications from it, as well as any access requests from the source to the terminal; the first part of the results of the analysis and the second part of the results of the analysis are aggregated as the application. Information.

In one embodiment, in step S7, based on the analysis result, it is further determined whether to keep the application program in the terminal or uninstall the application program, and send the information of the application program to the determination server to be updated for big data analysis, determination and evaluation. The confirmed database further includes: the terminal based on the first part of the results of the analysis, retains the application when it is a safe application, and uninstalls the application when it is malicious, and will include the first part of the results of the analysis and the results of the analysis The information of the second part of the application program is sent to the judgment server to update the database for big data analysis, judgment and confirmation. When it is malicious, the second part of the analysis result also includes the relevant information to mark the created subject. as a supplementary part of the malicious identification information that identifies the application that will affect the terminal.

In one embodiment, in step S7, after the above steps are performed, the following operations are further performed: after the application program is uninstalled, the monitoring program is activated when the terminal starts network communication, so that the monitoring program intercepts in real time the data sent and received through the network. data, and feature matching between the sent data sink and/or the received data source and the previously determined malicious source, and when the matching criteria are met, the result is displayed to the user, and the location of the data to be sent is analyzed and the data is analyzed. Name and location of the called entity, and remove the name and location of the called entity at a fixed point, and then display the result of whether the removal is successful or not. until the preset requirements are met.

In one embodiment, the location of the data to be sent is analyzed and the data to be sent is also analyzed to determine whether it contains information about the user's account, contact person, verification code, and contact information, and if so, the risk is prompted to the user .

In one embodiment, in step S8, when the application program requests access to user privacy data on the terminal, the terminal confirms its access authority according to the authority configuration table, and performs corresponding operations. When the user privacy data, the application sends the access request to the processor of the terminal, and the processor sends the application identifier to the rights management module to determine the access rights of the application according to the rights configuration table in the rights management module. When having one or more access rights of a plurality of types of private data, the processor determines whether the access rights of the user's private data on the terminal that the application requests to access conform to the access rights determined by the rights configuration table, and if so, give the application to the access rights. The program allocates a corresponding interpretation engine, the processor issues a jump instruction, and after executing the jump instruction, the application program is guided to the entrance of the interpretation engine, so that the interpretation engine can perform user privacy data on the terminal requesting access by the interpretation engine. explain, and send the explained user privacy data to the app.

In one embodiment, the user privacy data is data that is converted to ensure the security of user information. When stored in the terminal, it will not be stored in plaintext, but will be acquired by malicious code, files or software attacks, thereby causing irreparable losses to the user. , where the user privacy data is first converted from the code form of the original function into a bytecode that can only be interpreted by the interpretation engine of the terminal, cannot be effectively split and cracked for third-party software, and does not seem to have obvious meaning. The fragment form is interpreted by the interpretation engine, and the fragment length is limited by the interpretation engine, while between each fragment, at the end of the previous fragment, in bytecodes recognizable by the interpretation engine, representing the interval, at a limited data length delimiter in the form; set the jump instruction for the bytecode and store it in the register, while erasing the user's private data represented by the code form of the original function; when the application requests to access the user's private data on the terminal, if The processor determines whether the access authority of the user's private data on the terminal that the application requests to access conforms to the access authority determined by the authority configuration table, then the processor calls and issues the jump instruction, and guides the application after executing the jump instruction. The entry to the interpretation engine is used for the interpretation engine to interpret the user privacy data on the terminal requesting access, and send the interpreted user privacy data to the application.

In one embodiment, in step S9, when a new instant messaging message is incoming to the terminal and the application program requests access, enabling or disabling the access of the application program by the terminal based on the access setting further includes: when the terminal has a new instant message When the incoming instant messaging message is received, the terminal receives the newly incoming instant messaging message, and the message analysis module of the terminal analyzes the confidential information contained therein, and the message analysis module of the terminal determines whether the incoming instant messaging message contains The information containing any one or more of the user password, account number, and verification code in combination with the valid time, when any one or more of them and the combination of the valid time are included, the newly incoming instant messaging message Stored in the private repository of the terminal, otherwise newly incoming instant messaging messages are stored in the regular repository of the terminal; when any one or more of the information in combination with the valid time is included, and when the installed application When attempting to access the incoming instant messaging message, the rights management module verifies whether the application has access rights to the incoming instant messaging message, (i) if not, the rights management module notifies the terminal's private repository do not send new incoming instant messaging messages to the application, and (ii) if there is access rights, the rights management module sends the application's read request for messages in the private repository to the private repository, and the rights management module Notify the message analysis module of the terminal to determine whether the current period is in the valid reading period of the newly incoming instant messaging message stored, and when it is in the valid reading period of the newly incoming instant messaging message, the private storage repository will The newly incoming instant messaging message stored therein is sent to the application, otherwise, when it is not in the valid reading period of the newly incoming instant messaging message, that is, in the prohibiting reading period of the newly incoming instant messaging message, The private repository refuses to send new incoming instant messenger messages stored in it to the application until its no-read period is lifted, at which point even if the application attempts to read the private message successfully, it has exceeded the new value over time. The valid reading period of incoming instant messaging messages, so even if the application reads the private information, it cannot attack the terminal because the valid period has passed, which greatly reduces the private information of malicious applications to the terminal. theft and disclosure; and when a new incoming instant messaging message is stored in the terminal's regular repository, and when an installed application attempts to access the incoming instant messaging message, the rights management module verifies whether the application has access rights to incoming instant messaging messages, (i) if no access rights are available, the rights management module informs the terminal's general repository not to send new incoming instant messaging messages to the application, and (ii) if With access rights, the management module sends an application's read request for messages in the conventional repository to the conventional repository, and the conventional repository sends newly incoming instant messaging messages stored therein to the application.

In one embodiment, a terminal-based big data analysis system is disclosed, including a terminal and a determination server, wherein the terminal includes: a processor, a rights management module, an interpretation engine, a message analysis module, a private repository, and a conventional repository; The determination server is internally provided with a database for big data analysis, confirmation and determination; the terminal-based big data analysis system is used to execute the aforementioned terminal-based big data analysis method.

Description of drawings

Embodiments of the invention are illustrated by way of example and not by way of limitation in the accompanying drawings, wherein like reference numerals refer to like elements, wherein:

According to an exemplary embodiment of the present invention, FIG. 1 illustrates a brief flow chart of a terminal-based big data analysis method.

According to an exemplary embodiment of the present invention, FIG. 2 illustrates a flowchart of a specific implementation of a terminal-based big data analysis method of FIG. 1 .

According to an exemplary embodiment of the present invention, FIG. 3 illustrates a terminal-based big data analysis system.

Detailed ways

Before proceeding to the following detailed description, it may be beneficial to set forth definitions of certain words and phrases used throughout this patent document: the terms "including" and "comprising" and their derivatives mean including without limitation; the terms "or " is inclusive of, means and/or; the phrases "associated with", "associated with" and derivatives thereof may mean including, being included in, interconnecting with, contains, is contained within, is connected to or is connected to, is coupled to or is coupled to, communicates with, cooperates with, interweaves, juxtaposes , is close to, is bound to or is bound to, has, has properties of, etc.; while the term "controller" means any device, system that controls at least one operation or components thereof, such a device may be implemented in hardware, firmware or software, or some combination of at least two of these. It should be noted that the functionality associated with any particular controller may be centralized or distributed, whether locally or remotely. Definitions for certain words and phrases are provided throughout this patent document, those of ordinary skill in the art should understand that in many, if not most instances, such definitions apply to existing as well as those of such defined words and phrases future use.

In the following description, reference is made to the accompanying drawings and several specific embodiments are shown by way of illustration. It is to be understood that other embodiments can be envisaged and made without departing from the scope or spirit of the present disclosure. Accordingly, the following detailed description should not be considered in a limiting sense.

According to an exemplary embodiment of the present invention, FIG. 1 illustrates a brief flow chart of a terminal-based big data analysis method. The method includes the following steps:

(A) The terminal searches for the required application and sends it to the determination server for malicious or malicious confirmation;

(B) The terminal determines whether to retry the download of other resources or the user chooses whether to download or directly download the application based on the result of whether the server is malicious or not obtained according to the big data:

(C) The terminal downloads and installs the application program, extracts the information, and sends it to the determination server for security authentication;

(D) the terminal determines whether to keep the application in the terminal or uninstall the application based on the security authentication of the decision server; and

(E) After the terminal determines to retain the application, permission management is performed to enable or disable the subsequent application running and accessing sensitive or private data on the terminal.

According to an exemplary embodiment of the present invention, FIG. 2 illustrates a flowchart of a specific implementation of a terminal-based big data analysis method of FIG. 1 . The method further includes the following steps:

Step S1, the terminal searches for the required application program via the wireless network, and obtains the name and/or IP information of the resource server containing the application program;

Step S2, the terminal sends the name and/or IP information of the resource server to the determination server to confirm whether it is malicious or not;

Step S3, the terminal performs corresponding operations according to the result of whether the determination server is malicious or not based on the big data confirmation: if it is malicious, block the communication link with the resource server and continue to try other resource servers obtained in step S1 and execute steps in sequence. S2 and S3, until the determination server confirms that it is not malicious or the number of attempts reaches the user preset number; if it is not malicious, the user chooses whether to download or directly download the application;

Step S4, after downloading, the terminal installs the application and extracts its information, performs signature processing on the application, and sends the extracted information to the determination server for security authentication;

Step S5, the terminal determines whether to keep the application program in the terminal or uninstall the application program according to the security authentication result based on the big data of the judgment server; Send the application's information to the decision server to update the database for big data analysis, decision and validation;

Step S6, when the application is executed on the terminal, obtain its operating parameters and analyze;

Step S7, based on the analysis result, further determine whether to keep the application program in the terminal or uninstall the application program, and send the information of the application program to the determination server to update the database for big data analysis, determination and confirmation;

Step S8, when the application program requests to access the user privacy data on the terminal, the terminal confirms its access authority according to the authority configuration table, and performs corresponding operations;

Step S9, when a new instant messaging message is incoming to the terminal and the application program requests access, the terminal enables or disables access to the application program based on the access setting.

According to the terminal-based big data analysis method described above, it is possible to use big data and information security technology to perform security detection on applications in the installation stage, intercept applications that are harmful to terminals, and confirm their sources. and blocking; and for the legal or illegal access of the user’s private information in the terminal by the application, read the private information through reasonable management and ensure that the reading does not exceed the preset permissions, or avoid the application’s access to the privacy program by setting. Unreasonable access, and then based on big data and rights management to achieve system security.

Preferably, step S1 further includes: directly via the browser installed on the terminal, by inputting the name of the desired application program, and searching through a search engine; The option to select text appears on the screen, the user selects and highlights all or part of the application name, and clicks the search button that appears on the screen after selection. By clicking the search button, one or more browser selection icons appear For selection, search after selecting the corresponding browser icon; or in the current non-browser application, by selecting the search icon in the non-browser application, an input box appears on the screen, and by entering the desired application After the name, the non-browser application either directly calls the default third-party browser to search, or one or more browser selection icons appear for selection and search after selecting the corresponding browser icon; or embedded In instant messaging apps with browsers, either by pressing and holding the user's finger on the screen and an option to select text appears on the screen, by selecting and highlighting all or part of the app's name and clicking the search button that appears on the screen after selection For invoking the embedded browser to search, either by selecting the search icon in the non-browser application, an input box appears on the screen, and by entering the desired application name, the embedded browser is invoked to perform the search. After searching for the desired application program via the wireless network, the name and/or IP address for identifying the resource server containing the application program is obtained according to the result.

Preferably, step S2 further includes: the terminal selects any one or both of the resource server's name and/or IP information, and packs it in a to-be-transmitted packet in a fixed packet transmission format, and packs the The header is set as a request attribute, terminated by a fixed terminator after either or both of the name and/or IP information in the packet to be transmitted, to facilitate identification by the decision server, after which the packet is sent over the wireless link to the judgment server for malicious or malicious confirmation.

Preferably, step S3 further includes: a database for big data analysis, confirmation and determination is set inside the determination server, and the database stores the security attribute information of the application program used for the terminal, including malicious, safe and pending, and the security attribute information varies with It is updated with the passage of time, and the update method is carried out by any one of user uploading, information center notification, etc.; the determination server receives the packet transmitted by the terminal, and based on the preset packet splitting rules, extracts the packets in the packet. Either or both of the resource server's name and/or IP information and enter it into a database set up internally for information matching, when there are matches that are safe or malicious and no matches are confirmed as pending When the definite and undetermined security attribute information results are packaged and sent to the terminal via the wireless link; the terminal receives the packet and splits the packet, extracts the security attribute information in it, and blocks communication with the resource server if it is malicious and continue to try other resource servers obtained in step S1 and execute steps S2 and S3 in sequence, until the determination server confirms that it is not malicious or the number of attempts reaches the user’s preset number of times; if it is safe, the user chooses whether to download the Application: if it is safe, the user chooses whether to download or directly download the application, wherein if it is safe, the application is downloaded directly, and if it is pending, the user chooses whether to download the application, and if it is downloaded, proceed to the next step , if it is not downloaded, determine whether to exit the method directly or continue to try other resource servers obtained in step S1 and execute steps S2 and S3 in sequence until it is determined that the server confirms that the security attributes meet the user's expectations or the number of attempts reaches the user's preset number.

Preferably, step S4 further includes: after downloading, the terminal installs the application program and extracts its information, performs signature processing on the application program, and sends the extracted information to the determination server for security authentication, wherein the terminal is in the steps of In the process of installing the application, change the file suffix name of the application to decompress to obtain the first file included in it after compilation and tool packaging, and obtain a transformation tool to copy the category file including the category name to the first directory. Location, at the first directory location, the grouped data in the application is generated through the category conversion command; the called function is obtained by traversing the library function of the grouped data, and its behavior attribute is determined by the behavior information of the called function, wherein the Behavior information includes access behavior information, process creation behavior information, operation process behavior information, registry operation behavior information, application for calling identifiers and permissions of other applications, installation behavior information, compression and packaging behavior information, and mobile data transmission. Behavior information, and the behavior attribute includes malicious or not; determine the behavior execution path of the called function according to the behavior attribute, record the execution path as part of the extracted information, and upload it to the judgment server in the subsequent steps. Part or all of the execution path is analyzed with the bytecode-based path big data in the determination server, and then security authentication is performed. In the process of signing the application, the terminal obtains all the files in the application based on the decompressed application; the first type of file is used to calculate the digest information with the secure hash algorithm, and the digest information is encoded, Then store the encoded value in a first file of a second type different from the first type, and generate a set of signature information from the digest information and private key information previously saved in the first file of the second type and save it in the first file. The first position in the second file of the two types is different from the first file, and the signature information and the public key are stored in the second position in the second file, wherein the first type and the second type relate to files of different directory types .

Preferably, in the above step S4, extracting the information further includes extracting other parts of the information, that is: renaming the file of the application to a file with a suffix in the form of a compressed package and decompressing it, and then obtaining the first configuration file, using the first configuration file. An open source software converts the first configuration file into an operable text format; uses the second open source software to decompile and decompress the binary source code file; uses the third open source software to restore the binary source code file to obtain the application's source code file The source code of the file; based on the source code of the application program, the source code is scanned by the matching algorithm, and the specified keywords are counted, and the number and corresponding position of each specified keyword in the class file are obtained and stored in a matrix, based on distance The algorithm calculates the similarity distance between every two keywords; the keywords are classified based on the similarity distance, and each keyword in the matrix is used as the root node, and the keywords with high similarity with each node are aggregated together. Compare with the matrix of the stored location, remove keywords of different categories, and then classify and store; compare the features of the security application stored in the feature database in the terminal with the features of the classified storage, and remove the application. The security features included in the features of the system can avoid increasing the amount of information processing and increasing the information processing time and power consumption, as well as wasting the limited processing resources of the terminal; the data that is classified and stored and features are removed as other parts of the extracted information, together with other information Sent to the decision server for security authentication.

Preferably, step S5 further includes: the terminal receives the big data-based security authentication result of the determination server, and further determines whether it is malicious based on the result, uninstalls the application when it is malicious, and retains the application in the terminal when it is safe When the application is to be reserved, the risk prompt information will be displayed to the user on the display screen for the user to understand the security attributes and choose to uninstall or retain it; when the application is retained, the application is given permissions, including storage permissions, taking pictures Permissions, permission to use the microphone, permission to record, permission to call terminal sensors, permission to read and send short messages, permission to make phone calls, permission to identify the SIM card number installed on the terminal, permission to read contacts, and read user motion data Permission to open the communication network connection permission of the mobile operator, permission to enable Wi-Fi connection, permission to read other applications, permission to read the communication records of instant messaging software, granting permission includes granting enable permission or granting disable permission; when When it is determined to uninstall, the information of the application is sent to the decision server to update the database used for big data analysis, decision and validation in the decision server.

Preferably, in step S6, when the application program is executed on the terminal, its operation parameters are obtained and analyzed, including: executing the application program, and obtaining behavior parameters during its operation process, the behavior parameters include system API, file permissions changes, process and thread running data, call data, network access request data, sent network data, and record the behavior parameters in the log file; monitor the creation of portable executable files in the application, and determine its creation subject, Establish the corresponding relationship between the portable executable file and its creation body in the terminal memory; use the simulation tool to run and simulate the operation of the terminal user to obtain log file records and network data packet file records; after the simulation tool runs, and After the network link is turned on and the data communication ends over time, the log file record and the network data packet file record are stored in the first storage location; the log file record and the network data packet file record are analyzed, Among them, feature extraction is used to quantify the features of log file records and network data grouping file records, permissions, APIs, URLs and strings are converted into numerical features, and a subset of features is selected using a feature selection algorithm based on mean and variance, combined with classification and clustering and label construction rules to predict the numerical feature, and determine its running behavior attribute based on the numerical feature matching the value of the parameter in the preset configuration file, that is, whether the installed application is safe for the terminal, and the It is used as the first part of the analysis result; when the result is safe or vice versa, the corresponding relationship between the portable executable file in the application and its creation body is used as the second part of the analysis result; when it is unsafe or malicious, in addition Mark the relevant information of the created subject as malicious identification information that identifies that the application will affect the terminal and as a supplementary part of the second part, for sending to the judgment server to update the database of big data analysis judgment and confirmation, and in the The terminal records and stores it in the security information database as a malicious source. In subsequent installations, the application program from this source can be provided and displayed to the user as an application program from a malicious source, so that the user can optionally perform operations on the source. Completely kill and cut off the installation of the source and all applications from it, and any access requests from the source to the terminal; aggregate the first part of the analysis result and the second part of the analysis result as the application information.

Preferably, in step S7, based on the analysis result, it is further determined whether to keep the application program in the terminal or uninstall the application program, and send the information of the application program to the determination server to update the database for big data analysis, determination and confirmation Further comprising: the terminal is based on the first part of the analyzed result, retains the application when it is a safe application, and uninstalls the application when it is malicious, and will include the first part of the analyzed result and the second part of the analyzed result The information of part of the application is sent to the judgment server to update the database for big data analysis, judgment and confirmation. When it is malicious, the second part of the analysis result also includes marking the relevant information of the created subject as an identification. Supplementary part of malicious identification information that the application affects the endpoint.

Preferably, in step S7, after the above steps are performed, the following operations are further performed: after uninstalling the application program, activate the monitoring program when the terminal starts network communication, so that the monitoring program intercepts the data sent and received through the network in real time, and Match the characteristics of the sent data sink and/or the received data source with the previously determined malicious source, display the result to the user when the matching criteria are met, and analyze the location of the data to be sent and the entity calling the data name and location of the calling entity, and remove the name and location of the called entity at a fixed point, and then display the result of whether the removal is successful or not. until required.

Further, while analyzing the location of the data to be sent, the data to be sent is also analyzed to determine whether there is information about the user's account, contact person, verification code, and contact information, and if there is, the risk is prompted to the user.

Preferably, in step S8, when the application program requests to access the user privacy data on the terminal, the terminal confirms its access authority according to the permission configuration table, and performs corresponding operations further including: when the application program requests to access the user privacy data on the terminal When the application program sends an access request to the processor of the terminal, the processor sends the application program identifier to the rights management module to determine the access rights of the application program according to the rights configuration table in the rights management module. When there is one or more access rights in the private data, the processor determines whether the access rights of the user's private data on the terminal that the application requests to access complies with the access rights determined by the rights configuration table, and if so, assigns a For the corresponding interpretation engine, the processor issues a jump instruction, and after executing the jump instruction, the application program is guided to the entrance of the interpretation engine, so that the interpretation engine can interpret the user privacy data on the terminal requesting access, and Send the explained user privacy data to the app.

Preferably, the user privacy data is data that is converted to ensure the security of user information. When stored in the terminal, it will not be stored in plaintext, but will be acquired by malicious code, files or software attacks, thereby causing irreparable losses to the user. User privacy data is first converted from the code form of the original function into a bytecode that can only be interpreted by the interpretation engine of the terminal, cannot be effectively split and cracked for third-party software, and does not seem to have obvious meaning. The interpretation engine interprets and the segment length is defined by the interpretation engine, while separating each segment, at the end of the previous segment, in bytecodes that are recognizable by the interpretation engine and represent the interval, in the form of bytecodes of limited data length symbol; set the jump instruction for the bytecode and store it in the register, while erasing the user's private data represented by the code form of the original function; when the application requests to access the user's private data on the terminal, if the processor determines Whether the access authority of the user's private data on the terminal that the application requests to access conforms to the access authority determined by the authority configuration table, the processor calls and issues the jump instruction, and after executing the jump instruction, the application program is guided to the interpretation engine The entry for the interpretation engine to interpret the user privacy data on the terminal requesting access, and send the interpreted user privacy data to the application.

Preferably, in step S9, when a new instant messaging message is incoming to the terminal and the application requests access, enabling or disabling the terminal's access to the application based on the access settings further includes: when the terminal has a new instant messaging When a message is incoming, the terminal receives the newly incoming instant messaging message, and the message analysis module of the terminal analyzes the confidential information contained therein, and the message analysis module of the terminal determines whether the incoming instant messaging message contains the user password , account number, verification code and any one or more of the information in combination with the valid time, when including any one or more of the information in combination with the valid time, the newly incoming instant messaging message is stored in the terminal in the private storage of the terminal, otherwise the newly incoming instant messaging message is stored in the regular storage of the terminal; when any one or more of the information in combination with the valid time is contained, and when the installed application attempts to access the Incoming instant messaging messages, the rights management module verifies whether the application has access rights to the incoming instant messaging messages, (i) if not, the rights management module notifies the terminal's private repository not to add new The incoming instant messaging message is sent to the application, and (ii) if there is access rights, the rights management module sends the application's read request for the message in the private repository to the private repository, and the rights management module notifies the terminal's The message analysis module judges whether the current period is in the valid reading period of the newly incoming instant messaging message stored, and when it is in the valid reading period of the newly incoming instant messaging message, the private storage repository will The new incoming instant messaging message is sent to the application, otherwise when it is not in the valid reading period of the newly incoming instant messaging message, that is, in the forbidden reading period of the new incoming instant messaging message, the private repository Refuse to send new incoming instant messenger messages stored in it to the app until its no-read period is lifted, at which point even if the app tries to read the private message successfully, since the new incoming instant message has been exceeded over time The valid reading period of instant messaging messages can be accessed, so even if the application reads the private information, it cannot attack the terminal because the valid period has passed, which greatly reduces the stealing of the private information of the terminal by malicious applications. disclosure; and when a newly incoming instant messaging message is stored in the terminal's regular repository, and when an installed application attempts to access the incoming instant messaging message, the rights management module verifies whether the application has access to the incoming instant messaging access rights to instant messaging messages, (i) if not having access rights, the rights management module informs the terminal's regular repository not to send newly incoming IM messages to the application, and (ii) if having access rights , the limit management module sends an application reading request for messages in the conventional repository to the conventional repository, and the conventional repository sends the newly incoming instant messaging messages stored in the conventional repository to the application.

According to an exemplary embodiment of the present invention, FIG. 3 illustrates a terminal-based big data analysis system, including a terminal and a decision server, wherein the terminal includes: a processor, a rights management module, an interpretation engine, a message analysis module, and a private repository , a conventional repository; a database for big data analysis, confirmation and judgment is set inside the judgment server.

Preferably, the terminal-based big data analysis system is used to perform the following methods and steps: the terminal searches for the required application program and sends it to the determination server to confirm whether it is malicious or not; Whether the result is malicious or not, it is determined to retry the download of other resources or the user chooses whether to download or directly download the application: the terminal downloads and installs the application, extracts the information, and sends it to the judgment server for security authentication; the terminal is based on the security of the judgment server. Authentication, to determine whether to keep the application in the terminal or to uninstall the application; and after the terminal determines to retain the application, the subsequent application runs and accesses sensitive or private data on the terminal. Permission management is performed to enable or disable it.

Preferably, the terminal-based big data analysis system further performs the following steps: step S1, the terminal searches for the required application program via the wireless network, and obtains the name and/or IP information of the resource server containing the application program; step S2, The terminal sends the name and/or IP information of the resource server to the determination server to confirm whether it is malicious or not; step S3, the terminal performs a corresponding operation according to the result of whether the determination server confirms whether it is malicious or not based on the big data: if it is malicious, block the The communication link of the resource server continues to try other resource servers obtained in step S1 and executes steps S2 and S3 in sequence, until it is determined that the server confirms that it is not malicious or the number of attempts reaches the user preset number; if it is not malicious, the user chooses whether to Download or directly download the application; step S4, after downloading, the terminal installs the application and extracts its information, performs signature processing on the application, and sends the extracted information to the determination server for security authentication; step S5, the terminal according to The determination server determines whether to keep the application in the terminal or uninstall the application based on the security authentication result of the big data; The information is sent to the judgment server to update the database for big data analysis, judgment and confirmation; step S6, when the application is executed on the terminal, obtain its operating parameters and analyze; step S7, based on the analysis result, further determine the Whether to keep the application program in the terminal or uninstall the application program, and send the information of the application program to the determination server to update the database for big data analysis, determination and confirmation; step S8, when the application program requests to access the user on the terminal When the data is private, the terminal confirms its access authority according to the authority configuration table, and performs corresponding operations; step S9, when a new instant messaging message is incoming to the terminal and the application requests access, the terminal determines the application's access authority based on the access settings. Access is enabled or disabled.

According to the terminal-based big data analysis system described above, it is possible to use big data and information security technology to perform security detection on applications in the installation stage, intercept applications that are harmful to terminals, and confirm their sources. and blocking; and for the legal or illegal access of the user’s private information in the terminal by the application, read the private information through reasonable management and ensure that the reading does not exceed the preset permissions, or avoid the application’s access to the privacy program by setting. Unreasonable access, and then based on big data and rights management to achieve system security.

Preferably, the terminal-based big data analysis system further performs the following steps: directly via the browser installed on the terminal, by entering the name of the desired application program, and searching through a search engine; or in the current non-browser application, By long pressing the screen with the user's finger, the option to select text appears on the screen. The user selects and highlights all or part of the name of the application, and clicks the search button that appears on the screen after selection. Select icons of one or more browsers for selection, and perform a search after selecting the corresponding browser icon; or in the current non-browser application, by selecting the search icon in the non-browser application, it will appear on the screen Input box, after entering the desired application name, the non-browser application will either directly call the default third-party browser to search, or one or more browser selection icons will appear for selection and the corresponding browser will be selected. search after the icon; or in instant messaging applications with embedded browsers, or by long-pressing the screen with the user's finger and an option to select text appears on the screen, by selecting and highlighting all or part of the application name and selecting Then click the search button that appears on the screen to invoke the embedded browser to search, or select the search icon in the non-browser application and an input box appears on the screen, and invoke the embedded browser by entering the desired application name to search. After searching for the desired application program via the wireless network, the name and/or IP address for identifying the resource server containing the application program is obtained according to the result.

Preferably, the terminal-based big data analysis system further performs the following steps: the terminal selects any one or both of the resource server's name and/or IP information, and packages it in a fixed packet transmission format in the waiting list In the transmitted packet, and set the header of the packet as the request attribute, terminated by a fixed terminator after either or both of the name and/or IP information in the packet to be transmitted, so as to facilitate identification by the decision server, The packet is then sent to the decision server through the wireless link for malicious or malicious confirmation.

Preferably, the terminal-based big data analysis system further performs the following step S3: the determination server is internally provided with a database for big data analysis, confirmation and determination, and the database stores the security attribute information of the application program for the terminal, including malicious , security and pending, the security attribute information is updated with the passage of time, and its update method is carried out by any one of user uploading, information center notification, etc.; it is determined that the server receives the packet transmitted by the terminal, and based on the preset The split package rule extracts either or both of the resource server's name and/or IP information in the package and enters it into an internally set database for information matching, when there is a safe or malicious The matching item and the unmatched item are confirmed as pending, the result of the clear and pending security attribute information is packaged, and sent to the terminal via the wireless link; the terminal receives the packet and splits the packet, extracts the security attribute information in it, If it is malicious, block the communication link with the resource server, and continue to try other resource servers obtained in step S1 and execute steps S2 and S3 in sequence, until the determination server confirms that it is not malicious or the number of attempts reaches the user preset number; If it is safe, the user chooses whether to download the application: if it is safe, the user chooses whether to download or directly download the application, wherein if it is safe, the application is downloaded directly, and if it is pending, the user chooses whether to download or not. If the application is downloaded, proceed to the next steps; if not, determine whether to directly exit the method executed by the terminal-based big data analysis system or continue to try other resource servers obtained in step S1 and execute steps S2 and S3 in sequence until It is determined that the server confirms that the security attributes meet the user's expectations or that the number of attempts reaches the user's preset number of times;

Preferably, the terminal-based big data analysis system further performs the following step S4: after downloading, the terminal installs the application and extracts its information, performs signature processing on the application, and sends the extracted information to the determination server for security In the step of sexual authentication, in the process of installing the application, the terminal changes the file suffix name of the application to decompress it to obtain the first file included in it after compilation and tool packaging, and obtains a transformation tool to convert the included The category file of the category name is copied to the first directory location, and the grouped data in the application program is generated by the category conversion command at the first directory location; the called function is obtained by traversing the library function of the grouped data, and the called function is obtained by traversing the library function of the grouped data. The behavior information determines its behavior attributes, where the behavior information includes access behavior information, process creation behavior information, operation process behavior information, registry operation behavior information, application for calling identifiers and permissions of other applications, and installation behavior. information, compression and packaging behavior information and mobile data transmission behavior information, and behavior attributes include malicious or not; determine the behavior execution path of the called function according to the behavior attributes, record the execution path as part of the extracted information, In the subsequent steps, it is uploaded to the determination server, and security authentication is performed by analyzing part or all of the execution path with the bytecode-based path big data in the determination server. In the process of signing the application, the terminal obtains all the files in the application based on the decompressed application; the first type of file is used to calculate the digest information with the secure hash algorithm, and the digest information is encoded, Then store the encoded value in a first file of a second type different from the first type, and generate a set of signature information from the digest information and private key information previously saved in the first file of the second type and save it in the first file. The first position in the second file of the two types is different from the first file, and the signature information and the public key are stored in the second position in the second file, wherein the first type and the second type relate to files of different directory types .

Preferably, the terminal-based big data analysis system further performs the following step S4, and extracting information further includes extracting other parts of the information, namely: renaming the file of the application program to a file with a suffix named as a compressed package and decompressing it, Then obtain the first configuration file, use the first open source software to convert the first configuration file into an operable text format; use the second open source software to decompile and decompress the binary source code file in the result; use the third open source software to restore the binary Based on the source code of the application file, use the matching algorithm to scan the source code, and count the specified keywords to obtain the number and amount of each specified keyword in the class file. Corresponding positions and using matrix storage, calculate the similarity distance between each two keywords based on distance algorithm; classify keywords based on similarity distance, and use each keyword in the matrix as the root node, and compare the similarity with each node. The keywords with high degree are aggregated together, compared with the matrix of the stored location, and the keywords of different categories are removed, and then classified and stored; the characteristics and classification of the security application stored in the feature database in the terminal are stored. Compare the features of the application, remove the security features contained in the features of the application to avoid increasing the amount of information processing, increasing the information processing time and power consumption, and wasting the limited processing resources of the terminal; classify and store and remove the feature data as extracted data The rest of the information, along with other information, is sent to the decision server for security authentication.

Preferably, the terminal-based big data analysis system further performs the following step S5: the terminal receives the big data-based security authentication result of the determination server, and further determines whether it is malicious based on the result, and uninstalls the application when it is malicious, When it is safe, keep the application in the terminal, and display the risk prompt information on the display screen to the user when it is to be scheduled, so that the user can understand the security attribute and choose to uninstall or keep it; when the application is reserved, the application Grant permissions, which include storage permissions, photographing permissions, microphone usage permissions, recording permissions, calling terminal sensors, reading and sending short messages, making phone calls, identifying the SIM card number installed on the terminal, reading Permissions for address book, permission to read user motion data, permission to enable mobile operator communication network connection, permission to enable Wi-Fi connection, permission to read other applications, permission to read communication records of instant messaging software, grant permission Including granting the enable permission or granting the disable permission; when it is determined to uninstall, the information of the application is sent to the decision server to update the database in the decision server for big data analysis, decision and confirmation.

Preferably, the terminal-based big data analysis system further executes the following step S6, when the application is executed on the terminal, obtains its running parameters and analyzes it, including: executing the application and obtaining its behavior during the running process Parameters, the behavior parameters include system API, changes in file permissions, process and thread running data, call data, network access request data, sent network data, and record the behavior parameters in the log file; monitor the portable Execute the file creation operation, determine its creation subject, and establish the corresponding relationship between the portable executable file and its creation subject in the terminal memory; use the simulation tool to run and simulate the terminal user's operation operation to obtain log file records and network data Packet file records; store log file records and network data packet file records in a first storage location after the simulation tool run ends, and after network links are turned on and data communications over time have ended; File records and network data group file records are analyzed, where feature extraction is used to quantify features of log file records and network data group file records, permissions, APIs, URLs, and strings are converted into numerical features, using mean- and variance-based The feature selection algorithm selects a subset of features, predicts numerical features based on classification and clustering and label construction rules, and determines its operational behavior attributes based on the numerical value matching of the numerical features with the parameters in the preset configuration file. Whether the application is safe for the terminal is taken as the first part of the analysis result; when the result is safe or vice versa, the correspondence between the portable executable file in the application and its creation body is taken as the second part of the analysis result. If it is unsafe or malicious, the relevant information of the created subject will be marked as the malicious identification information that the application will affect the terminal, and as a supplementary part of the second part, it will be sent to the judgment server for update. The database of big data analysis, judgment and confirmation, and recorded at the terminal and stored in the security information database as a malicious source, the application from this source can be provided and displayed as an application from a malicious source during subsequent installations. User, for the user to optionally completely kill the source and cut off the installation of the source and all applications from it, as well as any access requests from the source to the terminal; the first part of the results of the aggregate analysis and the end of the analysis results. The second part serves as the information for the application.

Preferably, the terminal-based big data analysis system further executes the following step S7, further determines whether to keep the application program in the terminal or uninstall the application program based on the analysis result, and sends the information of the application program to the determination server for updating The database for big data analysis, determination and confirmation further includes: the first part of the result of the terminal based on the analysis, retains the application when it is a safe application, and uninstalls the application when it is malicious, and will include the analyzed The application information of the first part of the result and the second part of the analysis result is sent to the judgment server to update the database for big data analysis, judgment and confirmation, and when it is malicious, the second part of the analysis result also includes: The relevant information of the creation body is marked as a supplementary part of the malicious identification information that identifies the application that will affect the terminal.

Preferably, the terminal-based big data analysis system further performs the following step S7, and after performing the above steps, further performs the following operations: after uninstalling the application program, activate the monitoring program when the terminal starts network communication, thereby enabling the monitoring program The program intercepts the data sent and received over the network in real time, and matches the sent data sink and/or received data source with the previously determined malicious source. When the matching criteria are met, the result is displayed to the user and the location of the data to be sent is analyzed. location and the name and location of the entity calling the data, and remove the name and location of the calling entity at a fixed point, and then display the result of the removal success or not, if unsuccessful, repeat the above removal operation and Show the user the removal process until the preset requirements are met.

Further, while analyzing the location of the data to be sent, the data to be sent is also analyzed to determine whether there is information about the user's account, contact person, verification code, and contact information, and if there is, the risk is prompted to the user.

Preferably, the terminal-based big data analysis system further executes the following step S8, when the application program requests to access user privacy data on the terminal, the terminal confirms its access authority according to the authority configuration table, and performs corresponding operations further comprising: when When the application program requests to access the user's private data on the terminal, the application program sends the access request to the processor of the terminal, and the processor sends the application program identifier to the rights management module to determine the application according to the rights configuration table in the rights management module The access rights of the program, when the application program has one or more access rights of multiple types of private data, the processor determines whether the access rights of the user's private data on the terminal that the application program requests to access conform to the access rights determined by the rights configuration table Access rights, if it matches, assign a corresponding interpretation engine to the application program, the processor issues a jump instruction, and after executing the jump instruction, the application program is guided to the entry of the interpretation engine for the interpretation engine to access the request The user privacy data on the terminal is interpreted, and the interpreted user privacy data is sent to the application.

Preferably, the user privacy data is data that is converted to ensure the security of user information. When stored in the terminal, it will not be stored in plaintext, but will be acquired by malicious code, files or software attacks, thereby causing irreparable losses to the user. User privacy data is first converted from the code form of the original function into a bytecode that can only be interpreted by the interpretation engine of the terminal, cannot be effectively split and cracked for third-party software, and does not seem to have obvious meaning. The interpretation engine interprets and the segment length is defined by the interpretation engine, while separating each segment, at the end of the previous segment, in bytecodes that are recognizable by the interpretation engine and represent the interval, in the form of bytecodes of limited data length symbol; set the jump instruction for the bytecode and store it in the register, while erasing the user's private data represented by the code form of the original function; when the application requests to access the user's private data on the terminal, if the processor determines Whether the access authority of the user's private data on the terminal that the application requests to access conforms to the access authority determined by the authority configuration table, the processor calls and issues the jump instruction, and after executing the jump instruction, the application program is guided to the interpretation engine The entry for the interpretation engine to interpret the user privacy data on the terminal requesting access, and send the interpreted user privacy data to the application.

Preferably, the terminal-based big data analysis system further executes the following step S9, when a new instant messaging message is incoming to the terminal and the application requests access, the terminal enables or enables access to the application based on the access settings. The prohibition further includes: when a new instant messaging message is incoming to the terminal, the terminal receives the newly incoming instant messaging message, and the message analysis module of the terminal analyzes the confidential information contained therein, and the message analysis module of the terminal determines Whether the incoming instant messaging message contains information about any one or more of the user password, account number, and verification code in combination with the valid time, when it contains any one or more of the information in combination with the valid time, the The newly incoming instant messaging message is stored in the private storage repository of the terminal, otherwise the newly incoming instant messaging message is stored in the regular storage storage of the terminal; information, and when an installed application attempts to access the incoming IM message, the rights management module verifies whether the application has access rights to the incoming IM messages, (i) if not, the rights The management module informs the private repository of the terminal not to send new incoming instant messaging messages to the application, and (ii) if there is access rights, the rights management module sends the private repository the application's information on the messages in the private repository. Read the request, and the authority management module notifies the message analysis module of the terminal to determine whether the current period is in the valid reading period of the newly incoming instant messaging message stored, and when it is in the valid reading period of the newly incoming instant messaging message when the new incoming instant messaging message stored in the private repository is sent to the application, otherwise when it is not in the valid reading period of the newly incoming instant messaging message, that is, it is in the newly incoming instant messaging message During the forbidden reading period, the private repository refuses to send new incoming instant messaging messages stored in it to the application until its forbidden reading period is lifted, at which point even if the application attempts to read the private information successfully, due to the With the passage of time, the accessible effective reading period of newly incoming instant messaging messages is exceeded, so even if the application reads the private information, it cannot attack the terminal because the effective period has passed, which greatly reduces the Theft and disclosure of private information of the terminal by malicious applications; and when a newly incoming instant messaging message is stored in the terminal's regular repository, and when an installed application attempts to access the incoming instant messaging message, permissions The management module verifies whether the application has access rights to incoming instant messaging messages, (i) if not, the rights management module informs the terminal's regular repository not to send new incoming instant messaging messages to the The application, and (ii) if it has access rights, the limited management module sends the application's read request for messages in the regular repository to the regular repository, and the regular repository will store new incoming instant messenger messages in it sent to the application.

The above-mentioned various technical terms are conventional technical terms with ordinary meanings in the art, and are not further explained herein in order not to obscure the focus of the present invention.

To sum up, in the technical solution of the present invention, by adopting a terminal-based big data analysis method and system, it can use big data and information security technology to perform security detection on the application program in the installation stage, and perform security detection on the terminal. The harmful application program is intercepted, and its source is confirmed and blocked; and for the legal or illegal access of the application program to the user's private information in the terminal, the present invention encrypts the terminal's private information, and for legal access, Read privacy information through reasonable management and ensure that the reading does not exceed the preset permissions, and for illegal access, use time settings or permission blocking settings to avoid unreasonable access to privacy programs by applications. With the method and system of the present invention, the security of the system can be realized based on big data and rights management, and finally the security of downloading, running and data access of the application program on the terminal is guaranteed.

It will be appreciated that the examples and embodiments of the present invention may be implemented in hardware, software or a combination of hardware and software. As mentioned above, any body performing this method may be stored, in the form of volatile or non-volatile storage, such as a storage device, like a ROM, whether erasable or rewritable or not, or in the form of a memory such as For example RAM, memory chips, devices or integrated circuits or on optically or magnetically readable media such as eg CD, DVD, magnetic disk or magnetic tape. It will be appreciated that storage devices and storage media are examples of machine-readable storage suitable for storing one or more programs that, when executed, implement examples of the present invention. Examples of the present invention may be communicated electronically via any medium, such as a communication signal carried by a wired or wireless coupling, and examples suitably incorporate the same.

It should be noted that: because the present invention solves the problem of using big data and information security technology to perform security detection on the application program in the installation stage, and intercepting the application program that is harmful to the terminal, and confirming and blocking its source; And in view of the legal or illegal access of the application to the user's private information in the terminal, the present invention encrypts the private information of the terminal, and for legal access, reads the private information through reasonable management and ensures that the reading does not exceed the preset authority. , and for illegal access, use the time setting or permission blocking setting to avoid the unreasonable access of the application to the privacy program. Through the method and system of the present invention, the security of the system can be realized based on big data and rights management, and the technical problem of finally ensuring the security of downloading, running and data access of the application program on the terminal adopts the technical problems of those skilled in the art. After reading this specification, the technical means that can be understood according to the teachings thereof have obtained beneficial technical effects, so the solutions claimed in the appended claims belong to the technical solutions in the sense of the patent law. In addition, the technical solutions claimed in the appended claims are practical because they can be manufactured or used in industry.

The above description is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited to this. Any person skilled in the art can easily think of changes within the technical scope disclosed by the present invention. Or replacement should be included within the protection scope of the present invention. Unless expressly stated otherwise, each feature disclosed is only one example of a generic series of equivalent or similar features. Therefore, the protection scope of the present invention should be based on the protection scope of the claims.

Claims (10)

1. A terminal-based big data analysis method, comprising: Step S1, the terminal searches for the required application program via the wireless network, and obtains the name and/or IP information of the resource server containing the application program; Step S2, the terminal sends the name and/or IP information of the resource server to the determination server to confirm whether it is malicious or not; Step S3, the terminal performs corresponding operations according to the result of whether the determination server is malicious or not based on the big data confirmation: if it is malicious, block the communication link with the resource server and continue to try other resource servers obtained in step S1 and execute steps in sequence. S2 and S3, until the determination server confirms that it is not malicious or the number of attempts reaches the user preset number; if it is not malicious, the user chooses whether to download or directly download the application; Step S4, after downloading, the terminal installs the application and extracts its information, performs signature processing on the application, and sends the extracted information to the determination server for security authentication; Step S5, the terminal determines whether to keep the application program in the terminal or uninstall the application program according to the security authentication result based on the big data of the judgment server; Send the application's information to the decision server to update the database for big data analysis, decision and validation; Step S6, when the application is executed on the terminal, obtain its operating parameters and analyze; Step S7, based on the analysis result, further determine whether to keep the application program in the terminal or uninstall the application program, and send the information of the application program to the determination server to update the database for big data analysis, determination and confirmation; Wherein step S4 further includes: after downloading, the terminal installs the application and extracts its information, performs signature processing on the application, and sends the extracted information to the determination server for security authentication, wherein the terminal is installing the application. In the process of applying the program, change the file suffix name of the application program to decompress to obtain the first file included in it after compilation and tool packaging, and obtain a transformation tool to copy the category file including the category name to the first directory location, At the first directory location, the group data in the application program is generated through the category conversion command; the called function is obtained by traversing the library functions of the group data, and the behavior attribute of the called function is determined by the behavior information of the called function, wherein the behavior information Including access behavior information, process creation behavior information, operation process behavior information, registry operation behavior information, application for calling identifiers and permissions of other applications, installation behavior information, compression and packaging behavior information, and mobile data transmission behavior information , and the behavior attribute includes whether it is malicious or not; determine the behavior execution path of the called function according to the behavior attribute, record the execution path as part of the extracted information, and upload it to the judgment server in the subsequent steps. Part or all of the path is analyzed with the bytecode-based path big data in the judgment server, and then security authentication is performed; in the process of signing the application, the terminal obtains the application based on the decompressed application. All files in the file; use the secure hash algorithm to calculate the digest information for the first type of file, and encode the digest information, and then store the encoded value in the first file of the second type different from the first type, and the The digest information and private key information previously saved in the first file of the second type generate a set of signature information and save it in the first position in the second file of the second type that is different from the first file. the key is stored in a second location in a second file, wherein the first type and the second type relate to files of different directory types; Step S5 further includes: the terminal receives the big data-based security authentication result of the determination server, and further determines whether it is malicious based on the result, uninstalls the application when it is malicious, retains the application in the terminal when it is safe, and When the risk prompt information is to be displayed to the user on the display screen, the user can understand the security attributes and choose to uninstall or keep it; when the application is retained, the application is given permissions, including storage permission, camera permission, microphone permission Permission to use, permission to record, permission to call terminal sensors, permission to read and send short messages, permission to make phone calls, permission to identify the SIM card number installed on the terminal, permission to read contacts, permission to read user motion data, Permission to enable mobile operator communication network connection, permission to enable Wi-Fi connection, permission to read other applications, permission to read communication records of instant messaging software, granting permission includes granting enable permission or granting disable permission; when it is determined to uninstall , send the application's information to the decision server to update the database in the decision server for big data analysis, decision and validation; In step S6, when the application program is executed on the terminal, its operation parameters are obtained and analyzed, including: executing the application program, and obtaining behavior parameters during its operation process, the behavior parameters include system API, changes in file permissions, Process and thread running data and call data, network access request data, and sent network data, record the behavior parameters in the log file; monitor the creation of portable executable files in the application program, determine its creation subject, and store it in the terminal memory. Establish the corresponding relationship between the portable executable file and its creation body; use the simulation tool to run and simulate the operation of the end user to obtain log file records and network data packet file records; after the simulation tool runs, and in the network chain After the road is turned on and the data communication ends, the log file records and the network data packet file records are stored in the first storage location; the log file records and the network data packet file records are analyzed, wherein the log file records and the network data packet file records are analyzed using feature extraction. Feature quantification of network data grouping file records, converting permissions, APIs, URLs, and strings into numerical features, using mean- and variance-based feature selection algorithms to select subsets of features, combining classification and clustering and label building rules for numerical features Make a prediction, determine whether the installed application is safe for the terminal based on the value matching of the numerical feature and the parameter in the preset configuration file, and use it as the first part of the analysis result; when the result is safe or malicious, The corresponding relationship between the portable executable file in the application and its creation subject is used as the second part of the analysis result. When it is malicious, the relevant information of the creation subject is also marked as a malicious sign that the application will affect the terminal. The identification information is used as a supplementary part of the second part to be sent to the judgment server to update the database for big data analysis, judgment and confirmation, and is recorded at the terminal and stored in the security information database as the source of maliciousness. During installation, the application from the source can be provided and displayed to the user as an application from a malicious source, so that the user can optionally completely kill the source and cut off the installation of the source and all applications from it and the installation of the source. Any access request from the source to the terminal; the first part of the analysis result and the second part of the analysis result are aggregated as the information of the application. 2. The terminal-based big data analysis method according to claim 1, wherein in the above-mentioned step S4, extracting information further comprises extracting other parts of the information, specifically renaming the file of the application program into a suffix named compressed package form and decompress the file, and then obtain the first configuration file, use the first open source software to convert the first configuration file into an operable text format; use the second open source software to decompile and decompress the binary source code file in the result; use The third open source software restores the binary source code file to obtain the source code of the file of the application program; based on the source code of the file of the application program, the source code is scanned by the matching algorithm, and the specified keywords are counted, and each specified keyword is obtained in The number and corresponding position in the class file are stored in a matrix, and the similarity distance between each two keywords is calculated based on the distance algorithm; the keywords are classified based on the similarity distance, and each keyword in the matrix is used as the root node. The keywords with high similarity between each node are aggregated, compared with the matrix of the stored location, and the keywords of different categories are removed, and then classified and stored; the security application stored in the feature database in the terminal is stored. Compare the features of the application program with the features of classification and storage, and remove the security features contained in the features of the application program to avoid increasing the amount of information processing, increasing the information processing time and power consumption, and wasting the limited processing resources of the terminal; The data of the feature is sent to the decision server for security authentication along with other information as other parts of the extracted information. 3. The terminal-based big data analysis method according to claim 2, wherein the method further comprises: Step S8, when the application program requests to access the user's private data on the terminal, the terminal confirms its access authority according to the authority configuration table, and performs corresponding operations. 4. The terminal-based big data analysis method according to claim 3, wherein the method further comprises: Step S9, when a new instant messaging message is incoming to the terminal and the application program requests access, the terminal enables or disables access to the application program based on the access setting. 5. The terminal-based big data analysis method according to claim 4, wherein step S1 further comprises: directly via the browser installed on the terminal, by inputting the name of the desired application, searching through a search engine; In non-browser applications, the user's finger presses the screen for a long time, and the option to select text appears on the screen. The user selects and highlights all or part of the name of the application, and clicks the search button that appears on the screen after selection. Click the search button to display one or more browser selection icons for selection, and perform a search after selecting the corresponding browser icon. 6. The terminal-based big data analysis method according to claim 4, wherein step S1 further comprises: in an instant messaging application with a built-in browser, long press the screen by the user's finger and an option to select text appears on the screen , invoking the embedded browser to search by selecting and highlighting all or part of the application's name and clicking the search button that appears on the screen after selection, or by selecting the search icon in a non-browser application Input box to invoke the embedded browser to search by entering the desired application name. 7. The terminal-based big data analysis method according to any one of claims 5-6, wherein: after searching for a required application program via a wireless network, a data for identifying a resource server containing the application program is obtained according to the result. name and/or IP address. 8. The terminal-based big data analysis method according to claim 1, wherein step S2 further comprises: the terminal selects any one or both of the name and/or IP information of the resource server, and assigns it to a fixed number. The packet transmission format is packaged in the packet to be transmitted, and the header of the packet is set as a request attribute, terminated by a fixed terminator after either or both of the name and/or IP information in the packet to be transmitted, In order to facilitate the identification of the determination server, the packet is then sent to the determination server through the wireless link for confirmation of maliciousness or not. 9. The terminal-based big data analysis method according to claim 1, wherein step S3 further comprises: determining that the server is internally provided with a database for big data analysis, confirmation and determination, and the database stores the security of the application program for the terminal Attribute information, including malicious, safe, and pending, the security attribute information is updated based on time, and its update method is carried out through any one of user uploading and information center notification methods; the determination server receives the packet transmitted by the terminal, and based on the preset The split package rule extracts either or both of the resource server's name and/or IP information in the package and enters it into an internally set database for information matching, when there is a safe or malicious The matching item and the unmatched item are confirmed to be pending, and the result of the above-mentioned security, malicious or pending security attribute information is packaged and sent to the terminal via the wireless link; the terminal receives the packet and splits the packet to extract the security attribute. information, if it is malicious, block the communication link with the resource server, and continue to try other resource servers obtained in step S1 and execute steps S2 and S3 in sequence, until the determination server confirms that it is not malicious or the number of attempts reaches the user preset. The number of times; if it is safe, the user directly downloads the application, and if it is pending, the user chooses whether to download the application, if it is downloaded, proceed to the next step, if not, decide to exit the method directly or continue to try step S1 Obtain other resource servers and perform steps S2 and S3 in sequence until it is determined that the server confirms that the security attributes meet the user's expectations or the number of attempts reaches the user's preset number of times. 10. A terminal-based big data analysis system, comprising a terminal and a determination server, wherein the terminal comprises: a processor, a rights management module, an interpretation engine, a message analysis module, a private repository, and a conventional repository; A database for big data analysis, confirmation and determination; the terminal-based big data analysis system is used to execute the terminal-based big data analysis method of claim 9 .

Images