[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

WO2023236884A1 - Fraudulent behavior detection method and apparatus, electronic device, and readable storage medium - Google Patents

Fraudulent behavior detection method and apparatus, electronic device, and readable storage medium Download PDF

Info

Publication number
WO2023236884A1
WO2023236884A1 PCT/CN2023/098223 CN2023098223W WO2023236884A1 WO 2023236884 A1 WO2023236884 A1 WO 2023236884A1 CN 2023098223 W CN2023098223 W CN 2023098223W WO 2023236884 A1 WO2023236884 A1 WO 2023236884A1
Authority
WO
WIPO (PCT)
Prior art keywords
fraud
application
information
detection
data set
Prior art date
Application number
PCT/CN2023/098223
Other languages
French (fr)
Chinese (zh)
Inventor
翟东岩
史领航
姚平
胡志远
Original Assignee
维沃移动通信有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 维沃移动通信有限公司 filed Critical 维沃移动通信有限公司
Publication of WO2023236884A1 publication Critical patent/WO2023236884A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry
    • H04L2209/127Trusted platform modules [TPM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the purpose of the embodiments of this application is to provide a fraud detection method, device, electronic device and readable storage medium, which can improve the accuracy of fraud detection.
  • the first determination module is used to compare the characteristic information with the fraud characteristic data in the fraud characteristic data set to determine the fraud detection result when the terminal successfully performs authorization verification on the target application on the TEE side. .
  • embodiments of the present application provide a readable storage medium.
  • Programs or instructions are stored on the readable storage medium.
  • the steps of the method described in the first aspect are implemented. .
  • Figure 4 is a schematic module diagram of a fraud detection device provided by an embodiment of the present application.
  • FIG. 6 is a schematic diagram of the hardware structure of an electronic device provided by an embodiment of the present application.
  • first, second, etc. in the description and claims of this application are used to distinguish similar objects and are not used to describe a specific order or sequence. It is to be understood that the figures so used are interchangeable under appropriate circumstances so that the embodiments of the present application can be practiced in orders other than those illustrated or described herein, and that "first,” “second,” etc. are distinguished Objects are usually of one type, and the number of objects is not limited. For example, the first object can be one or multiple.
  • “and/or” in the description and claims indicates at least one of the connected objects, and the character “/" generally indicates that the related objects are in an "or” relationship.
  • this application provides an embodiment of a fraud detection method, which can be Terminal execution, this method includes:
  • Step 101 When the terminal receives the detection request sent by the target application on the rich execution environment REE side, it obtains the characteristic information associated with the target application and sends the characteristic information to the trusted execution environment TEE side of the terminal;
  • the detection request is used to request fraud detection
  • Step 102 If the terminal successfully authenticates the target application on the TEE side, compares the characteristic information with the fraud characteristic data in the fraud characteristic data set to determine the fraud detection result.
  • the terminal can include a rich execution environment (Rich Execution Environment, REE) side and a trusted execution environment (TrustedExecution Environment, TEE) side.
  • the TEE provides a secure operating environment for the terminal, and is often used for digital rights management, for example. , mobile payment and data protection, etc.
  • REE provides a common environment for terminals, such as running common operating systems and applications.
  • the REE side of the terminal When the REE side of the terminal receives the detection request, it can obtain the characteristic information associated with the target application and send it to the TEE side of the terminal.
  • the TEE side of the terminal can perform authorization verification on the target application.
  • the TEE side of the terminal can compare the above feature information with the fraud feature data in the fraud feature data set to determine the fraud detection results and implement fraud detection. That is, the REE side receives the detection request and obtains the feature information associated with the target application, the TEE side receives the feature information associated with the target application sent by the REE side, and the TEE side compares the feature information associated with the target application with the fraud feature data set Compare fraud characteristic data to detect fraud
  • the REE side and TEE side of the terminal work together to detect fraud.
  • the fraud characteristic data set on the TEE side can be obtained from the cloud in advance and stored on the TEE side.
  • the TEE side can provide a safer environment, thereby reducing interference to fraud detection.
  • the TEE side of the terminal performs comparison to implement fraud detection, and obtains fraud detection results, which can improve the accuracy of fraud.
  • the TEE side realizes fraud detection by comparing the characteristic information associated with the target application and the fraud characteristic data in the fraud characteristic data set, and obtains the fraud detection results to improve fraud. Accuracy of behavior detection.
  • the REE side of the terminal receives the detection request and obtains the feature information associated with the target application.
  • the TEE side of the terminal compares the feature information with the fraud feature data in the fraud feature data set to obtain the fraud detection results.
  • the process of fraud detection is shared among different execution environments, thereby reducing the execution pressure on the execution environment of one side caused by the terminal performing the entire detection process in that side of the execution environment.
  • the characteristic information includes at least one of the following:
  • Application link information is used to represent the calling sequence information for calling multiple applications including the target application;
  • the package name information of the application in the application link information
  • the target application is called according to the application calling order in the application link information, that is, the target application is the last application to be called and run among multiple applications, and among the multiple applications, the calling order is adjacent to the application.
  • the previous application calls the next application to run, and the latter application is called to run by the previous application.
  • a malicious application also called a fraudulent application, etc.
  • an intermediate application for example, a browser, etc.
  • the application link information can be obtained and compared with the fraud characteristic data to implement fraud detection.
  • the feature information associated with the target application may include application link information, application package name information in the application link information, application signature information and application information in the application link information. At least one of the behavioral features applied in the link information is compared with the fraud feature data to complete fraud detection, which can improve the accuracy of fraud detection.
  • the target comparison strategy is obtained by the terminal from the cloud in advance
  • the fraud characteristic data set is obtained by the terminal from the cloud in advance.
  • the target comparison strategy can be determined based on the usage feedback of multiple users, that is, the illegal calling methods, called applications, etc. feedback from multiple users are collected and integrated to form a fraud feature data set.
  • the target comparison strategy can be configured according to the needs and stored in the cloud.
  • the terminal obtains the pre-configured target comparison strategy from the cloud, compares the feature information with the fraud feature data in the fraud feature data set, and determines the fraud behavior detection The result is to improve fraud detection accuracy.
  • the feature information is compared with the fraud feature data in the fraud feature data set according to the target comparison strategy to determine the fraud behavior detection results, including:
  • the application link information in the characteristic information successfully matches the application calling sequence of multiple applications in the fraud characteristic data set, it can be further detected that at least one of the package name information, signature information and behavioral characteristics in the characteristic information is in the fraud characteristic data set. Whether the matching can be successful in the fraud feature data set. If at least one of the package name information, signature information and behavioral characteristics in the feature information is matched in the fraud feature data set, it can mean that the information of the malicious application is hit, and the existence of fraud is determined. , the fraud detection results indicating the existence of fraud can be obtained, which can further improve the accuracy of fraud detection.
  • the terminal sends the authorization token to the TEE side on the REE side;
  • the authentication request includes at least one of the package name information and signature information of the target application.
  • the authentication request is used to request authentication of the target application;
  • the target application needs to be updated and verified.
  • the update verification of the target application can be understood as the identity verification of the target application. Only when the verification is passed can the update data in the data update request be sent to the TEE. On the TEE side, the updated data is used to detect fraud characteristics.
  • the update of the data set on the one hand, ensures the security of data updates, and on the other hand, it can improve the timeliness of the fraud feature data in the fraud feature data set.
  • the fraud detection method in the embodiment of this application is an anti-fraud detection method that integrates terminal-side hardware, framework, application layer capabilities and cloud service capabilities, and includes the following aspects:
  • Black and gray product characteristic data sets can be collected through attack and defense confrontation analysis, black and gray product intelligence and other channels, including but not limited to malicious application package names, malicious application signatures, malicious behavior characteristics, malicious application code characteristics (such as runtime memory usage, specific categories name, etc.), malicious application permission characteristics, etc.
  • the cloud management service can deliver the collected black and gray product characteristic data sets to the terminal side through the trusted data transmission channel.
  • the black and gray product characteristic data sets can be stored in the TEE side of the terminal side and can be updated, etc. .
  • the data is roughly calibrated and the application link information within the policy scope is organized and transmitted to the TEE side for "anti-fraud security detection";
  • Anti-Fraud Detection which contains The behavior identifier of "anti-fraud behavior detection", the authorization token of the management service and the security status information on the REE side are used to detect whether the access request is valid according to the response policy, for example:
  • Configure fraud feature policy content such as detecting the calling sequence information of the pulled application, etc.
  • the authorization token is sent to the TEE side through the trusted data transmission channel.
  • the TEE side performs signature verification through the preset key to unlock the authorization token and its validity period;
  • Import authorization configuration Generate and configure tokens and access rights that can import fraud data on the endpoint side.
  • the caller (target application) initiates a detection request (including authorization token) to the "anti-fraud detection" on the REE side;
  • the "anti-fraud detection" on the REE side of the terminal authenticates the visitor (target application).
  • the REE side communicates with the cloud.
  • the cloud implements the identity verification of the target application and sends the identity verification results to the REE side.
  • the "framework security capability" side collects characteristic information associated with the target application according to the policy, such as application link information, package name information, signature information, behavioral characteristics, etc., and transfers the characteristic information to the "anti-fraud security capability" on the TEE side. .
  • the "anti-fraud security capability" on the terminal TEE side verifies the authorization token. If the verification fails, That is, the operation is terminated and the error message is returned to the "Anti-Fraud Detection" on the REE side.
  • the "Anti-Fraud Detection” records the error information through the access control mechanism and returns it to the caller. At the same time, frequent access and frequent authentication failures occur within the application unit time. Under certain circumstances (such as 1,000 consecutive failures within 1 minute), "anti-fraud detection” can appropriately limit the frequency and number of calls made by the caller (for example, prohibiting requests for 30 minutes);
  • the TEE side compares the feature information transmitted by the REE side with the features in the fraud feature data set according to the comparison strategy.
  • the execution subject may be a fraud detection device.
  • a fraud detection device performing a fraud detection method is used as an example to illustrate the fraud detection device provided in the embodiments of this application.
  • the device 400 includes:
  • the first sending module 402 is used to send the characteristic information to the trusted execution environment TEE side of the terminal, and the detection request is used to request fraud detection;
  • the first determination module 403 is used to compare the characteristic information with the fraud characteristic data in the fraud characteristic data set to determine the fraud detection result when the terminal successfully authenticates the target application on the TEE side.
  • the characteristic information includes at least one of the following:
  • Application link information is used to represent the calling sequence information for calling multiple applications including the target application;
  • the package name information of the application in the application link information
  • the first determination module 403 is specifically configured to compare the feature information with the fraud feature data in the fraud feature data set according to the target comparison strategy, and determine the fraud behavior detection result;
  • the target comparison strategy is obtained by the terminal from the cloud in advance
  • the fraud characteristic data set is obtained by the terminal from the cloud in advance.
  • the first determination module 403 is also specifically used to:
  • the application link information of multiple applications in the feature information matches the application calling sequence of multiple applications in the fraud feature data set, and the fraud feature data set matches at least one of the package name information, signature information and behavioral features in the feature information. In the case of one item, it is determined that the fraud detection result is that fraud exists.
  • the detection request includes an authorization token
  • the device further includes:
  • the second sending module is used to send the authorization token from the REE side to the TEE side;
  • the second determination module is used to determine on the TEE side that the authorization verification of the target application is successful when the authorization token is successfully verified.
  • the detection request includes at least one of package name information and signature information of the target application
  • Get modules including:
  • the third sending module is used to send an identity verification request to the cloud.
  • the identity verification request includes at least one of the package name information and signature information of the target application.
  • the identity verification request is used to request identity verification for the target application;
  • the first receiving module is used to receive the identity verification result sent by the cloud in response to the identity verification request;
  • the fraud detection device in the embodiment of the present application may be an electronic device or a component in the electronic device, such as an integrated circuit or a chip.
  • the electronic device can be a terminal or other devices other than the terminal.
  • the electronic device can be a mobile phone, a tablet computer, a notebook computer, a handheld computer, a vehicle-mounted electronic device, a Mobile Internet Device (MID), or an augmented reality device.
  • augmented reality, AR /virtual reality (VR) equipment, robots, wearable devices, ultra-mobile personal computers (ultra-mobile personal computers, UMPC), netbooks or personal digital assistants (personal digital assistant, PDA), etc.
  • NAS Network Attached Storage
  • PC personal computer
  • TV television
  • teller machine a self-service machine
  • the fraud detection device in the embodiment of the present application may be a device with an operating system.
  • the operating system can be an Android operating system, an ios operating system, or other possible operating systems, which are not specifically limited in the embodiments of this application.
  • the fraud detection device provided by the embodiment of the present application can implement each process implemented by the above-mentioned fraud detection method embodiment. For example, it can implement each process implemented by the method embodiment of Figures 1 to 3. To avoid duplication, no details will be described here. .
  • this embodiment of the present application also provides an electronic device 500, including a processor 501 and a memory 502.
  • the memory 502 stores programs or instructions that can be run on the processor 501.
  • the program or instructions are When executed, the processor 501 implements each step of the above embodiment of the fraud detection method and can achieve the same technical effect. To avoid duplication, the details will not be described here.
  • the electronic devices in the embodiments of the present application include the above-mentioned mobile electronic devices and non-mobile electronic devices.
  • FIG. 6 is a schematic diagram of the hardware structure of an electronic device implementing an embodiment of the present application.
  • the electronic device 600 includes but is not limited to: radio frequency unit 601, network module 602, audio output unit 603, input unit 604, sensor 605, display unit 606, user input unit 607, Interface unit 608, memory 609, processor 610 and other components.
  • the electronic device 600 may also include a power supply (such as a battery) that supplies power to various components.
  • the power supply may be logically connected to the processor 610 through a power management system, thereby managing charging, discharging, and function through the power management system. Consumption management and other functions.
  • the structure of the electronic device shown in Figure 6 does not constitute a limitation on the electronic device.
  • the electronic device may include more or less components than shown in the figure, or combine certain components, or arrange different components, which will not be described again here. .
  • processor 610 is used for:
  • the rich execution environment REE side When the rich execution environment REE side receives the detection request sent by the target application, it obtains the characteristic information associated with the target application;
  • the characteristic information is compared with the fraud characteristic data in the fraud characteristic data set to determine the fraud detection result.
  • the characteristic information includes at least one of the following:
  • Application link information is used to represent the calling sequence information for calling multiple applications including the target application;
  • the package name information of the application in the application link information
  • the processor 610 is configured to compare the feature information with the fraud feature data in the fraud feature data set according to the target comparison strategy, and determine the fraud behavior detection result;
  • the target comparison strategy is obtained by the terminal from the cloud in advance
  • the fraud characteristic data set is obtained by the terminal from the cloud in advance.
  • the processor 610 is further specifically configured to determine that the fraud behavior detection result is when the application link information of multiple applications in the feature information matches the application calling sequence of multiple applications in the fraud feature data set. There has been fraud; or
  • Application link information of multiple applications in the feature information and multiple applications in the fraud feature data set The application call sequence matches, and when at least one of the package name information, signature information and behavioral characteristics in the characteristic information is matched in the fraud characteristic data set, it is determined that the fraud detection result is that fraud exists.
  • the detection request includes an authorization token
  • Radio frequency unit 601 used to send the authorization token on the REE side to the TEE side;
  • the processor 610 is configured to determine that the target application authorization verification is successful when the authorization token is successfully verified on the TEE side.
  • the detection request includes at least one of package name information and signature information of the target application
  • the radio frequency unit 601 is used to send an identity verification request to the cloud.
  • the identity verification request includes at least one of the package name information and signature information of the target application.
  • the identity verification request is used to request identity verification of the target application;
  • the radio frequency unit 601 is used to receive the identity verification result sent by the cloud in response to the identity verification request;
  • the processor 610 is configured to obtain characteristic information when the identity verification result indicates that the identity verification is passed.
  • the input unit 604 may include a graphics processor (Graphics Processing Unit, GPU) 6041 and a microphone 6042.
  • the graphics processor 6041 is responsible for the image capture device (GPU) in the video capture mode or the image capture mode. Process the image data of still pictures or videos obtained by cameras (such as cameras).
  • the display unit 606 may include a display panel 6061, which may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like.
  • the user input unit 607 includes a touch panel 6071 and at least one of other input devices 6072 .
  • Touch panel 6071 also called touch screen.
  • the touch panel 6071 may include two parts: a touch detection device and a touch controller.
  • Other input devices 6072 may include but are not limited to physical keyboards, function keys (such as volume control keys, switch keys, etc.), trackballs, mice, and joysticks, which will not be described again here.
  • the memory 609 can be used to store software programs and various data.
  • the memory 609 can mainly include a first storage area for storing programs or instructions and a second storage area for storing data.
  • the first storage area can store an operating system and at least one function. required applications or commands (such as sound playback function, Image playback function, etc.) etc.
  • memory 609 may include volatile memory or non-volatile memory, or memory x09 may include both volatile and non-volatile memory.
  • the non-volatile memory can be read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable ROM, PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electrically removable memory.
  • Volatile memory can be random access memory (Random Access Memory, RAM), static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDRSDRAM), enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), synchronous link dynamic random access memory (Synch link DRAM) , SLDRAM) and direct memory bus random access memory (Direct Rambus RAM, DRRAM).
  • RAM Random Access Memory
  • SRAM static random access memory
  • DRAM dynamic random access memory
  • synchronous dynamic random access memory Synchronous DRAM, SDRAM
  • Double data rate synchronous dynamic random access memory Double Data Rate SDRAM, DDRSDRAM
  • Enhanced SDRAM, ESDRAM synchronous link dynamic random access memory
  • Synch link DRAM synchronous link dynamic random access memory
  • SLDRAM direct memory bus random access memory
  • Processor 610 may include one or more processing units; optionally including, but not limited to, application programs and operating systems.
  • the processor 610 can integrate an application processor and a modem processor, where the application processor mainly processes the operating system, user interface, application programs, etc., and the modem processor mainly processes wireless communications. It can be understood that the above modem processor may not be integrated into the processor 610.
  • Embodiments of the present application also provide a readable storage medium.
  • Programs or instructions are stored on the readable storage medium.
  • the program or instructions are executed by a processor, each process of the above embodiments of the fraud detection method can be implemented and the same can be achieved. To avoid repetition, the technical effects will not be repeated here.
  • Readable storage media includes computer-readable storage media, such as computer read-only memory ROM, random access memory RAM, magnetic disks or optical disks.
  • An embodiment of the present application also provides a chip, which includes a processor and a communication interface.
  • the communication interface is coupled to the processor.
  • the communication interface is used to transmit image data.
  • the processor is used to run programs or instructions to implement the above embodiment of the fraud detection method. Each process, and can achieve the same technical effect, is To avoid repetition, we will not go into details here.
  • chips mentioned in the embodiments of this application may also be called system-on-chip, system-on-a-chip, system-on-a-chip or system-on-chip, etc.
  • Embodiments of the present application provide a computer program product.
  • the program product is stored in a storage medium.
  • the program product is executed by at least one processor to implement each process of the above-mentioned fraud behavior detection method embodiment, and can achieve the same technology. The effect will not be described here to avoid repetition.
  • the methods of the above embodiments can be implemented by means of software plus the necessary general hardware platform. Of course, it can also be implemented by hardware, but in many cases the former is better. implementation.
  • the technical solution of the present application can be embodied in the form of a computer software product that is essentially or contributes to related technologies.
  • the computer software product is stored in a storage medium (such as ROM/RAM, disk, CD), including several instructions to cause a terminal (which can be a mobile phone, a computer, a server, or a network device, etc.) to execute the methods described in various embodiments of this application.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present application relates to the technical field of data processing, and discloses a fraudulent behavior detection method and apparatus, an electronic device, and a readable storage medium. The method comprises: when a rich execution environment (REE) side of a terminal receives a detection request sent by a target application, obtaining feature information associated with the target application, and sending the feature information to a trusted execution environment (TEE) side of the terminal, the detection request being used for requesting to perform fraudulent behavior detection; and when authorization verification of the target application by the TEE side of the terminal succeeds, comparing the feature information with fraud feature data in a fraud feature dataset to determine a fraudulent behavior detection result.

Description

欺诈行为检测方法、装置、电子设备及可读存储介质Fraud detection methods, devices, electronic equipment and readable storage media
相关申请的交叉引用Cross-references to related applications
本申请主张在2022年06月10日在中国提交的中国专利申请No.202210656948.7的优先权,其全部内容通过引用包含于此。This application claims priority to Chinese Patent Application No. 202210656948.7 filed in China on June 10, 2022, the entire content of which is incorporated herein by reference.
技术领域Technical field
本申请属于数据处理技术领域,具体涉及一种欺诈行为检测方法、装置、电子设备及可读存储介质。This application belongs to the field of data processing technology, and specifically relates to a fraud detection method, device, electronic equipment and readable storage medium.
背景技术Background technique
随着支付技术的发展,移动线上支付越来越普及,随之而来的欺诈行为也越来越频繁,例如,欺诈团队通过通信、社交等平台发布恶意/虚假连接,或发布恶意应用,诱导用户进行资金支付,欺诈团队将资金转移,这种支付欺诈行为给人们带来财产损失。With the development of payment technology, mobile online payments are becoming more and more popular, and fraudulent behaviors are becoming more and more frequent. For example, fraud teams publish malicious/fake connections through communication, social networking and other platforms, or publish malicious applications. Users are induced to make fund payments, and the fraud team transfers the funds. This kind of payment fraud causes property losses to people.
为对抗欺诈行为,对欺诈行为的识别检测越来越重要,目前,常用的欺诈行为的检测方式主要在应用层面实现,比如,应用通过黑名单来检测是否有欺诈。然而,应用容易受到攻击或修改等,从而容易导致检测逻辑容易被绕过,检测准确性较低。In order to combat fraud, the identification and detection of fraud is becoming more and more important. Currently, commonly used fraud detection methods are mainly implemented at the application level. For example, applications use blacklists to detect fraud. However, applications are vulnerable to attacks or modifications, which can easily lead to the detection logic being easily bypassed and the detection accuracy being low.
发明内容Contents of the invention
本申请实施例的目的是提供一种欺诈行为检测方法、装置、电子设备及可读存储介质,能够提高欺诈行为检测的准确性。The purpose of the embodiments of this application is to provide a fraud detection method, device, electronic device and readable storage medium, which can improve the accuracy of fraud detection.
第一方面,本申请实施例提供了一种欺诈行为检测方法,所述方法包括:In the first aspect, embodiments of the present application provide a method for detecting fraud, which method includes:
终端在富执行环境REE侧在接收到目标应用发送的检测请求的情况下,获取所述目标应用关联的特征信息,并将所述特征信息发送至所述终端的可信执行环境TEE侧,所述检测请求用于请求进行欺诈行为检测; When the terminal receives the detection request sent by the target application on the rich execution environment REE side, it obtains the characteristic information associated with the target application and sends the characteristic information to the trusted execution environment TEE side of the terminal. The above detection request is used to request fraud detection;
所述终端在所述TEE侧对所述目标应用进行授权验证成功的情况下,将所述特征信息与欺诈特征数据集中的欺诈特征数据进行对比,确定欺诈行为检测结果。If the terminal successfully performs authorization verification on the target application on the TEE side, the terminal compares the characteristic information with the fraud characteristic data in the fraud characteristic data set to determine the fraud detection result.
第二方面,本申请实施例提供了一种欺诈行为检测装置,包括:In the second aspect, embodiments of the present application provide a fraud detection device, including:
获取模块,用于在富执行环境REE侧在接收到目标应用发送的检测请求的情况下,获取所述目标应用关联的特征信息;An acquisition module configured to acquire, on the Rich Execution Environment REE side, the characteristic information associated with the target application upon receiving a detection request sent by the target application;
第一发送模块,用于将所述特征信息发送至终端的可信执行环境TEE侧,所述检测请求用于请求进行欺诈行为检测;The first sending module is used to send the characteristic information to the trusted execution environment TEE side of the terminal, and the detection request is used to request fraud detection;
第一确定模块,用于所述终端在所述TEE侧对所述目标应用进行授权验证成功的情况下,将所述特征信息与欺诈特征数据集中的欺诈特征数据进行对比,确定欺诈行为检测结果。The first determination module is used to compare the characteristic information with the fraud characteristic data in the fraud characteristic data set to determine the fraud detection result when the terminal successfully performs authorization verification on the target application on the TEE side. .
第三方面,本申请实施例提供了一种电子设备,该电子设备包括处理器和存储器,所述存储器存储可在所述处理器上运行的程序或指令,所述程序或指令被所述处理器执行时实现如第一方面所述的方法的步骤。In a third aspect, embodiments of the present application provide an electronic device. The electronic device includes a processor and a memory. The memory stores programs or instructions that can be run on the processor. The programs or instructions are processed by the processor. When the processor is executed, the steps of the method described in the first aspect are implemented.
第四方面,本申请实施例提供了一种可读存储介质,所述可读存储介质上存储程序或指令,所述程序或指令被处理器执行时实现如第一方面所述的方法的步骤。In a fourth aspect, embodiments of the present application provide a readable storage medium. Programs or instructions are stored on the readable storage medium. When the programs or instructions are executed by a processor, the steps of the method described in the first aspect are implemented. .
第五方面,本申请实施例提供了一种芯片,所述芯片包括处理器和通信接口,所述通信接口和所述处理器耦合,所述通信接口用于传输图像数据,所述处理器用于运行程序或指令,实现如第一方面所述的方法。In a fifth aspect, embodiments of the present application provide a chip. The chip includes a processor and a communication interface. The communication interface is coupled to the processor. The communication interface is used to transmit image data. The processor is used to transmit image data. Run a program or instruction to implement the method described in the first aspect.
第六方面,本申请实施例提供一种计算机程序产品,该程序产品被存储在存储介质中,该程序产品被至少一个处理器执行以实现如第一方面所述的方法。In a sixth aspect, embodiments of the present application provide a computer program product, the program product is stored in a storage medium, and the program product is executed by at least one processor to implement the method as described in the first aspect.
在本实施例中,TEE侧可提供较安全的环境,可降低对欺诈行为检测的干扰,由终端的TEE侧进行对比实现欺诈行为检测,得到欺诈行为检测结果,可提高欺诈行为的准确性,而且TEE侧是在对目标应用进行授权验证成功的情况下,通过对目标应用关联的特征信息与欺诈特征数据集中的欺诈特征数 据的对比,实现欺诈行为检测,得到欺诈行为检测结果,以提高欺诈行为检测的准确性。In this embodiment, the TEE side can provide a safer environment and can reduce interference with fraud detection. The TEE side of the terminal performs comparison to achieve fraud detection and obtains fraud detection results, which can improve the accuracy of fraud. Moreover, on the TEE side, when the authorization verification of the target application is successful, the feature information associated with the target application and the number of fraud features in the fraud feature data set are Compare the data to achieve fraud detection and obtain fraud detection results to improve the accuracy of fraud detection.
附图说明Description of the drawings
图1是本申请实施例提供的欺诈行为检测方法的流程图之一;Figure 1 is one of the flow charts of the fraud detection method provided by the embodiment of the present application;
图2是本申请实施例提供的实现欺诈行为检测方法的欺诈行为检测系统的结构图;Figure 2 is a structural diagram of a fraud detection system that implements a fraud detection method provided by an embodiment of the present application;
图3是本申请实施例提供的欺诈行为检测方法的原理图;Figure 3 is a schematic diagram of the fraud detection method provided by the embodiment of the present application;
图4是本申请实施例提供的欺诈行为检测装置的模块示意图;Figure 4 is a schematic module diagram of a fraud detection device provided by an embodiment of the present application;
图5是本申请实施例提供的电子设备的结构示意图;Figure 5 is a schematic structural diagram of an electronic device provided by an embodiment of the present application;
图6是本申请实施例提供的电子设备的硬件结构示意图。FIG. 6 is a schematic diagram of the hardware structure of an electronic device provided by an embodiment of the present application.
具体实施方式Detailed ways
下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚地描述,显然,所描述的实施例是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员获得的所有其他实施例,都属于本申请保护的范围。The technical solutions in the embodiments of the present application will be clearly described below with reference to the accompanying drawings in the embodiments of the present application. Obviously, the described embodiments are part of the embodiments of the present application, but not all of the embodiments. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art fall within the scope of protection of this application.
本申请的说明书和权利要求书中的术语“第一”、“第二”等是用于区别类似的对象,而不用于描述特定的顺序或先后次序。应该理解这样使用的数据在适当情况下可以互换,以便本申请的实施例能够以除了在这里图示或描述的那些以外的顺序实施,且“第一”、“第二”等所区分的对象通常为一类,并不限定对象的个数,例如第一对象可以是一个,也可以是多个。此外,说明书以及权利要求中“和/或”表示所连接对象的至少其中之一,字符“/”,一般表示前后关联对象是一种“或”的关系。The terms "first", "second", etc. in the description and claims of this application are used to distinguish similar objects and are not used to describe a specific order or sequence. It is to be understood that the figures so used are interchangeable under appropriate circumstances so that the embodiments of the present application can be practiced in orders other than those illustrated or described herein, and that "first," "second," etc. are distinguished Objects are usually of one type, and the number of objects is not limited. For example, the first object can be one or multiple. In addition, "and/or" in the description and claims indicates at least one of the connected objects, and the character "/" generally indicates that the related objects are in an "or" relationship.
下面结合附图,通过具体的实施例及其应用场景对本申请实施例提供的欺诈行为检测方法进行详细地说明。The fraud detection method provided by the embodiments of the present application will be described in detail below with reference to the accompanying drawings through specific embodiments and application scenarios.
如图1所示,本申请提供一种实施例的欺诈行为检测方法,该方法可由 终端执行,该方法包括:As shown in Figure 1, this application provides an embodiment of a fraud detection method, which can be Terminal execution, this method includes:
步骤101:终端在富执行环境REE侧在接收到目标应用发送的检测请求的情况下,获取目标应用关联的特征信息,并将特征信息发送至终端的可信执行环境TEE侧;Step 101: When the terminal receives the detection request sent by the target application on the rich execution environment REE side, it obtains the characteristic information associated with the target application and sends the characteristic information to the trusted execution environment TEE side of the terminal;
其中,检测请求用于请求进行欺诈行为检测;Among them, the detection request is used to request fraud detection;
步骤102:终端在TEE侧对目标应用进行授权验证成功的情况下,将特征信息与欺诈特征数据集中的欺诈特征数据进行对比,确定欺诈行为检测结果。Step 102: If the terminal successfully authenticates the target application on the TEE side, compares the characteristic information with the fraud characteristic data in the fraud characteristic data set to determine the fraud detection result.
可以理解的是,终端可包括富执行环境(Rich Execution Environment,REE)侧和可信执行环境(TrustedExecution Environment,TEE)侧,TEE为终端提供一个安全的运行环境,例如,常用来进行数字版权管理、移动支付以及数据保护等,REE为终端提供通用的环境,例如,运行通用的操作系统以及应用等。It can be understood that the terminal can include a rich execution environment (Rich Execution Environment, REE) side and a trusted execution environment (TrustedExecution Environment, TEE) side. The TEE provides a secure operating environment for the terminal, and is often used for digital rights management, for example. , mobile payment and data protection, etc., REE provides a common environment for terminals, such as running common operating systems and applications.
目标应用可以包括但不限于金融应用等,需要说明的是,金融应用可以包括具备支付功能的应用等,例如,可以是支付应用。在目标应用被调用或被触发的情况下,可触发本实施例的欺诈行为检测过程,例如,目标应用被调用进行支付,具体可以是目标应用的支付功能被调用,可触发欺诈行为检测。在检测过程中,首先,目标应用可向终端的REE侧发送检测请求,可以理解,检测请求可以是目标应用被触发支付功能的情况下向REE侧发送的,用以触发欺诈行为检测。Target applications may include but are not limited to financial applications. It should be noted that financial applications may include applications with payment functions, etc., for example, they may be payment applications. When the target application is called or triggered, the fraud detection process in this embodiment can be triggered. For example, the target application is called to make a payment. Specifically, the payment function of the target application can be called, which can trigger the fraud detection. During the detection process, first, the target application can send a detection request to the REE side of the terminal. It can be understood that the detection request can be sent to the REE side when the payment function is triggered by the target application to trigger fraud detection.
终端的REE侧接收到检测请求的情况下,可获取目标应用关联的特征信息,并将其发送至终端的TEE侧,终端的TEE侧可对目标应用进行授权验证。在授权验证通过的情况下,终端的TEE侧可将上述特征信息与欺诈特征数据集中的欺诈特征数据进行对比,以确定欺诈行为检测结果,实现欺诈行为检测。也即是,由REE侧接收检测请求,并获取目标应用关联的特征信息,TEE侧接收REE侧发送的目标应用关联的特征信息,由TEE侧对目标应用关联的特征信息与欺诈特征数据集中的欺诈特征数据进行对比,实现欺诈行为检 测,通过终端的REE侧和TEE侧协同合作完成欺诈行为的检测。另外,需要说明的是,TEE侧的欺诈特征数据集可预先从云端获取,存储于TEE侧。When the REE side of the terminal receives the detection request, it can obtain the characteristic information associated with the target application and send it to the TEE side of the terminal. The TEE side of the terminal can perform authorization verification on the target application. When the authorization verification is passed, the TEE side of the terminal can compare the above feature information with the fraud feature data in the fraud feature data set to determine the fraud detection results and implement fraud detection. That is, the REE side receives the detection request and obtains the feature information associated with the target application, the TEE side receives the feature information associated with the target application sent by the REE side, and the TEE side compares the feature information associated with the target application with the fraud feature data set Compare fraud characteristic data to detect fraud The REE side and TEE side of the terminal work together to detect fraud. In addition, it should be noted that the fraud characteristic data set on the TEE side can be obtained from the cloud in advance and stored on the TEE side.
在本实施例中,TEE侧可提供较安全的环境,从而降低对欺诈行为检测的干扰,由终端的TEE侧进行对比实现欺诈行为检测,得到欺诈行为检测结果,可提高欺诈行为的准确性,而且TEE侧是在对目标应用进行授权验证成功的情况下,通过对目标应用关联的特征信息与欺诈特征数据集中的欺诈特征数据的对比,实现欺诈行为检测,得到欺诈行为检测结果,以提高欺诈行为检测的准确性。与此同时,由终端的REE侧接收检测请求,并获取目标应用关联的特征信息,由终端的TEE侧对特征信息与欺诈特征数据集中的欺诈特征数据进行对比,得到欺诈行为检测结果,即可将欺诈行为检测的过程分担在不同的执行环境侧,减低终端在一侧执行环境下进行整个检测过程导致的在该侧执行环境下的执行压力。In this embodiment, the TEE side can provide a safer environment, thereby reducing interference to fraud detection. The TEE side of the terminal performs comparison to implement fraud detection, and obtains fraud detection results, which can improve the accuracy of fraud. Moreover, when the authorization verification of the target application is successful, the TEE side realizes fraud detection by comparing the characteristic information associated with the target application and the fraud characteristic data in the fraud characteristic data set, and obtains the fraud detection results to improve fraud. Accuracy of behavior detection. At the same time, the REE side of the terminal receives the detection request and obtains the feature information associated with the target application. The TEE side of the terminal compares the feature information with the fraud feature data in the fraud feature data set to obtain the fraud detection results. The process of fraud detection is shared among different execution environments, thereby reducing the execution pressure on the execution environment of one side caused by the terminal performing the entire detection process in that side of the execution environment.
在一个实施例中,特征信息包括以下至少一项:In one embodiment, the characteristic information includes at least one of the following:
应用链路信息,应用链路信息用于表示调用包括目标应用在内的多个应用的调用顺序信息;Application link information. Application link information is used to represent the calling sequence information for calling multiple applications including the target application;
应用链路信息中应用的包名信息;The package name information of the application in the application link information;
应用链路信息中应用的签名信息;The signature information of the application in the application link information;
应用链路信息中应用的行为特征。Behavioral characteristics of the application in the application link information.
可以理解的是,目标应用是按照应用链路信息中的应用调用顺序实现被调用的,即目标应用是多个应用中最后被调用运行的应用,且多个应用中调用顺序相邻的应用中,前一个应用调用后一个应用运行,后一个应用被前一个应用调用运行。由于在调用目标应用过程中,若存在欺诈行为,则实现目标应用调用的应用调用顺序存在一定的规律,例如,恶意应用(也可称为欺诈应用等)通过调用中间应用(例如,浏览器等),再通过中间应用调用目标应用,即调用顺序依次为:恶意应用、中间应用、目标应用。从而,在本实施例中,可获取应用链路信息,将其与欺诈特征数据进行对比,实现欺诈行为检测。 It can be understood that the target application is called according to the application calling order in the application link information, that is, the target application is the last application to be called and run among multiple applications, and among the multiple applications, the calling order is adjacent to the application. , the previous application calls the next application to run, and the latter application is called to run by the previous application. Because during the process of calling the target application, if there is fraud, there are certain rules in the order of application calls to achieve the target application. For example, a malicious application (also called a fraudulent application, etc.) can call an intermediate application (for example, a browser, etc.) ), and then calls the target application through the intermediate application, that is, the calling sequence is: malicious application, intermediate application, and target application. Therefore, in this embodiment, the application link information can be obtained and compared with the fraud characteristic data to implement fraud detection.
在本实施例中,在进行对比过程中,采用的是目标应用关联的特征信息可以包括应用链路信息、应用链路信息中应用的包名信息、应用链路信息中应用的签名信息和应用链路信息中应用的行为特征中的至少一项,将其与欺诈特征数据进行对比,以完成欺诈行为检测,这样,可提高欺诈行为检测的准确性。In this embodiment, during the comparison process, the feature information associated with the target application may include application link information, application package name information in the application link information, application signature information and application information in the application link information. At least one of the behavioral features applied in the link information is compared with the fraud feature data to complete fraud detection, which can improve the accuracy of fraud detection.
在一个实施例中,将特征信息与欺诈特征数据集中的欺诈特征数据进行对比,确定欺诈行为检测结果,包括:In one embodiment, the characteristic information is compared with the fraud characteristic data in the fraud characteristic data set to determine the fraud behavior detection results, including:
按照目标比对策略将特征信息与欺诈特征数据集中的欺诈特征数据进行比对,确定欺诈行为检测结果;Compare the feature information with the fraud feature data in the fraud feature data set according to the target comparison strategy to determine the fraud detection results;
其中,目标比对策略为终端预先从云端获取的,欺诈特征数据集为终端预先从云端获取的。Among them, the target comparison strategy is obtained by the terminal from the cloud in advance, and the fraud characteristic data set is obtained by the terminal from the cloud in advance.
需要说明的是,可预先在云端配置目标比对策略,REE侧可预先从云端获取目标比对策略,并传递给TEE侧,TEE侧将特征信息与欺诈特征数据库,按照目标比对策略进行比对,确定欺诈行为检测结果。It should be noted that the target comparison strategy can be configured in the cloud in advance. The REE side can obtain the target comparison strategy from the cloud in advance and pass it to the TEE side. The TEE side will compare the feature information with the fraud feature database according to the target comparison strategy. Yes, confirm the fraud detection results.
可以理解的,目标比对策略可以根据多个用户的使用反馈进行确定,即,将多个用户反馈的违规调用方式、调用的应用等进行收集整合,以形成欺诈特征数据集。It is understandable that the target comparison strategy can be determined based on the usage feedback of multiple users, that is, the illegal calling methods, called applications, etc. feedback from multiple users are collected and integrated to form a fraud feature data set.
即在本实施例中,可根据需求配置目标比对策略存于云端,终端从云端获取预先配置的目标比对策略将特征信息与欺诈特征数据集中的欺诈特征数据进行比对,确定欺诈行为检测结果,以提高欺诈行为检测准确性。That is, in this embodiment, the target comparison strategy can be configured according to the needs and stored in the cloud. The terminal obtains the pre-configured target comparison strategy from the cloud, compares the feature information with the fraud feature data in the fraud feature data set, and determines the fraud behavior detection The result is to improve fraud detection accuracy.
在一个实施例中,按照目标比对策略将特征信息与欺诈特征数据集中的欺诈特征数据进行比对,确定欺诈行为检测结果,包括:In one embodiment, the feature information is compared with the fraud feature data in the fraud feature data set according to the target comparison strategy to determine the fraud behavior detection results, including:
在特征信息中的多个应用的应用链路信息与欺诈特征数据集中多个应用的应用调用顺序匹配的情况下,确定欺诈行为检测结果为存在欺诈行为;或者When the application link information of multiple applications in the feature information matches the application calling sequence of multiple applications in the fraud feature data set, it is determined that the fraud detection result is that fraud exists; or
在特征信息中的应用链路信息与欺诈特征数据集中多个应用的应用调用顺序匹配,以及在欺诈特征数据集中匹配到特征信息中包名信息、签名信息 和行为特征中的至少一项的情况下,确定欺诈行为检测结果为存在欺诈行为。The application link information in the feature information matches the application calling sequence of multiple applications in the fraud feature data set, and the package name information and signature information in the feature information in the fraud feature data set match and at least one of the behavioral characteristics, it is determined that the detection result of the fraudulent behavior is that there is a fraudulent behavior.
在欺诈特征数据集中,可包括多条预定的应用调用顺序,还可包括多个预设恶意应用的包名信息、签名信息、行为特征、代码特征、权限特征等,应用链路信息中关联多个用户,在本实施例中,目标对比策略可以是应用调用顺序匹配的策略,可将特征信息中的应用链路信息与欺诈特征数据集中这多个应用的应用调用顺序进行匹配,在特征信息中的应用链路信息与欺诈特征数据集中多个应用的应用调用顺序匹配成功的情况下,表示目标应用是按照欺诈特征数据集中预定的顺序被调用了,可确定存在欺诈行为,即可得到表示存在欺诈行为的欺诈行为检测结果,可提高欺诈行为检测的准确性。或者,可在特征信息中的应用链路信息与欺诈特征数据集中多个应用的应用调用顺序匹配成功的情况下,进一步检测特征信息中包名信息、签名信息和行为特征中的至少一项在欺诈特征数据集中是否能匹配成功,若在欺诈特征数据集中匹配到特征信息中包名信息、签名信息和行为特征中的至少一项的情况下,可表示命中恶意应用的信息,确定存在欺诈行为,即可得到表示存在欺诈行为的欺诈行为检测结果,这样可进一步提到欺诈行为检测的准确性。The fraud feature data set may include multiple predetermined application calling sequences, as well as package name information, signature information, behavioral characteristics, code characteristics, permission characteristics, etc. of multiple preset malicious applications. The application link information is associated with multiple users. In this embodiment, the target comparison strategy can be a strategy of matching the application call order. The application link information in the feature information can be matched with the application call order of the multiple applications in the fraud feature data set. In the feature information If the application link information in the fraud feature data set successfully matches the application calling sequence of multiple applications in the fraud feature data set, it means that the target application was called in the predetermined order in the fraud feature data set, and it can be determined that there is fraud, and the representation can be obtained Fraud detection results showing the existence of fraud can improve the accuracy of fraud detection. Alternatively, when the application link information in the characteristic information successfully matches the application calling sequence of multiple applications in the fraud characteristic data set, it can be further detected that at least one of the package name information, signature information and behavioral characteristics in the characteristic information is in the fraud characteristic data set. Whether the matching can be successful in the fraud feature data set. If at least one of the package name information, signature information and behavioral characteristics in the feature information is matched in the fraud feature data set, it can mean that the information of the malicious application is hit, and the existence of fraud is determined. , the fraud detection results indicating the existence of fraud can be obtained, which can further improve the accuracy of fraud detection.
在一个实施例中,检测请求中包括授权令牌,方法还包括:In one embodiment, the detection request includes an authorization token, and the method further includes:
终端在REE侧将授权令牌发送至TEE侧;The terminal sends the authorization token to the TEE side on the REE side;
终端在TEE侧在对授权令牌进行验证成功的情况下,确定对目标应用授权验证成功。When the terminal successfully verifies the authorization token on the TEE side, it determines that the target application authorization verification is successful.
REE侧在收到检测请求后,可将其中的授权令牌传递至TEE侧,TEE侧对授权令牌进行有效性验证,能够理解,只有在对授权令牌验证成功的情况下(即表示授权令牌有效),才可确定对目标应用授权验证成功,这种情况下,进一步进行数据对比,将特征信息与欺诈特征数据集中的欺诈特征数据进行对比,以确定欺诈行为检测结果,这样可提高数据对比的有效性,从而提高得到的欺诈行为检测结果的有效性。After receiving the detection request, the REE side can pass the authorization token to the TEE side, and the TEE side will verify the validity of the authorization token. It can be understood that only when the authorization token verification is successful (that is, authorization Token is valid), it can be determined that the authorization verification of the target application is successful. In this case, further data comparison is performed to compare the feature information with the fraud feature data in the fraud feature data set to determine the fraud detection results, which can improve The effectiveness of data comparison, thereby improving the effectiveness of the fraud detection results obtained.
在一个实施例中,终端在TEE在对授权令牌进行验证成功的情况下,确定对目标应用授权验证成功,包括: In one embodiment, when the TEE successfully verifies the authorization token, the terminal determines that the target application authorization verification is successful, including:
终端在TEE在对授权令牌解密成功且解密后的授权令牌未过期的情况下,确定对目标应用授权验证成功。The terminal determines that the target application authorization verification is successful when the TEE successfully decrypts the authorization token and the decrypted authorization token has not expired.
需要说明的是,若授权令牌有效,该授权令牌应当被终端解密成功且有效期未过期,而终端能对授权令牌解密成功,可表示该授权令牌是云端的管理服务下发的。作为一个示例,在对授权令牌进行验证的过程中,可验证授权令牌是否来自云端的管理服务和/或有效期限是否过期,在授权令牌来自云端的管理服务和/或有效期限未过期(表示有效)的情况下,确定对授权令牌验证成功,否则,确定对授权令牌验证失败,可向REE侧返回错误提示信息,REE侧可将错误提示信息返回至目标应用。It should be noted that if the authorization token is valid, the authorization token should be successfully decrypted by the terminal and the validity period has not expired. If the terminal can successfully decrypt the authorization token, it means that the authorization token is issued by the cloud management service. As an example, in the process of verifying the authorization token, it can be verified whether the authorization token comes from the management service in the cloud and/or whether the validity period has expired. (indicating valid), it is determined that the authorization token verification is successful; otherwise, it is determined that the authorization token verification fails, and an error prompt information can be returned to the REE side, and the REE side can return the error prompt information to the target application.
在一个实施例中,检测请求中包括目标应用的包名信息和签名信息中的至少一种;In one embodiment, the detection request includes at least one of package name information and signature information of the target application;
获取目标应用关联的特征信息,包括:Obtain feature information associated with the target application, including:
向云端发送身份验证请求,身份验证请求中包括目标应用的包名信息和签名信息中的至少一种,身份验证请求用于请求对目标应用进行身份验证;Send an authentication request to the cloud. The authentication request includes at least one of the package name information and signature information of the target application. The authentication request is used to request authentication of the target application;
接收云端响应于身份验证请求发送的身份验证结果;Receive the authentication result sent by the cloud in response to the authentication request;
在身份验证结果表示身份验证通过的情况下,获取特征信息。When the identity verification result indicates that the identity verification is passed, the characteristic information is obtained.
即在获取目标应用关联的特征信息的过程中,还需对目标应用进行身份验证,REE侧向云端发送对目标应用的身份验证请求,云端接收到身份验证请求后,可利用目标应用的包名信息和签名信息中的至少一项进行身份验证,得到身份验证结果,并发送给REE侧,REE侧在身份验证结果表示身份验证通过的情况下,获取目标应用关联的特征信息,以确保特征信息获取安全性。That is, in the process of obtaining the characteristic information associated with the target application, the target application also needs to be authenticated. REE sends an authentication request for the target application to the cloud. After the cloud receives the authentication request, it can use the package name of the target application. At least one of the information and signature information is authenticated, and the authentication result is obtained and sent to the REE side. When the authentication result indicates that the authentication is passed, the REE side obtains the characteristic information associated with the target application to ensure that the characteristic information Get security.
在一个实施例中,终端在REE侧接收到目标应用发送的数据更新请求;若对目标应用进行更新验证成功,将数据更新请求中的更新数据发送至TEE侧,TEE侧利用更新数据对欺诈特征数据集进行更新。In one embodiment, the terminal receives the data update request sent by the target application on the REE side; if the update verification of the target application is successful, the update data in the data update request is sent to the TEE side, and the TEE side uses the update data to verify the fraud characteristics. The data set is updated.
即在数据更新过程中,需对目标应用进行更新验证,对目标应用进行更新验证可以理解是对目标应用的身份验证,只有验证说是通过,方可将数据更新请求中的更新数据发送至TEE侧,TEE侧利用更新数据实现对欺诈特征 数据集的更新,一方面确保数据更新安全,另一方面可提高欺诈特征数据集中欺诈特征数据的时效性。That is to say, during the data update process, the target application needs to be updated and verified. The update verification of the target application can be understood as the identity verification of the target application. Only when the verification is passed can the update data in the data update request be sent to the TEE. On the TEE side, the updated data is used to detect fraud characteristics. The update of the data set, on the one hand, ensures the security of data updates, and on the other hand, it can improve the timeliness of the fraud feature data in the fraud feature data set.
下面以一个具体实施例对上述欺诈行为检测方法的过程加以具体说明。The process of the above-mentioned fraud detection method will be described in detail below with a specific embodiment.
本申请实施例的欺诈行为检测方法是一种融合终端侧硬件、框架、应用层能力以及云端的服务能力的反欺诈检测方法,包括以下几个方面:The fraud detection method in the embodiment of this application is an anti-fraud detection method that integrates terminal-side hardware, framework, application layer capabilities and cloud service capabilities, and includes the following aspects:
基于TEE侧的黑灰产特征数据集(欺诈特征数据集)保护方案:Protection scheme for black and gray feature data sets (fraud feature data sets) based on the TEE side:
黑灰产特征数据集可以通过攻防对抗分析、黑灰产情报等渠道收集,包含但不限于恶意应用包名、恶意应用签名、恶意行为特征、恶意应用代码特征(如运行时内存占用、特定类名等)、恶意应用权限特征等。云端的管理服务可将收集的黑灰产特征数据集通过可信数据传输通道下发至终端侧,另外,黑灰产特征数据集可存储在终端侧的TEE侧中,可对其进行更新等。Black and gray product characteristic data sets can be collected through attack and defense confrontation analysis, black and gray product intelligence and other channels, including but not limited to malicious application package names, malicious application signatures, malicious behavior characteristics, malicious application code characteristics (such as runtime memory usage, specific categories name, etc.), malicious application permission characteristics, etc. The cloud management service can deliver the collected black and gray product characteristic data sets to the terminal side through the trusted data transmission channel. In addition, the black and gray product characteristic data sets can be stored in the TEE side of the terminal side and can be updated, etc. .
基于TEE侧的黑灰产特征数据集更新方案:Black and gray production characteristic data set update scheme based on TEE side:
黑灰产特征数据集由终端对应云端进行下发/预置,且终端可预留特征数据更新接口,该更新接口通过对终端侧应用的身份认证与签名认证、特征识别来进行权限校验,校验通过者可将更新接口接收的更新数据更新至TEE侧的黑灰产特征数据集中,单个应用可单独补充至性黑灰产特征数据集并指定仅供自己使用,数据在非授权情况下不用于其他进程匹配,达到数据可定制的效果。The feature data set of black and gray products is delivered/preset by the corresponding cloud of the terminal, and the terminal can reserve a feature data update interface. The update interface performs permission verification through identity authentication, signature authentication, and feature recognition of terminal-side applications. Those who pass the verification can update the update data received by the update interface to the black and gray production characteristic data set on the TEE side. A single application can independently supplement the black and gray production characteristic data set and specify it for its own use only. The data will be used without authorization. It is not used for other process matching to achieve the effect of data customization.
框架层调用链检测:Framework layer call chain detection:
完整的应用调用链路检测,其逻辑分为两个维度:The complete application call link detection, its logic is divided into two dimensions:
首先是通用逻辑,即从应用安装=>使用=>卸载的生命周期,在应用安装的过程中,系统通过扫描应用安装包,提取其安装包特征、代码特征,与上述黑灰产特征数据集中进行比对完成风险识别,使用过程中通过提取应用使用运行状态,识别其恶意行为特征(如隐藏式拉起支付应用、界面中诱导支付、赌博等),进行特征对比等。The first is the general logic, that is, the life cycle from application installation => use => uninstallation. During the application installation process, the system scans the application installation package, extracts its installation package characteristics and code characteristics, and integrates them with the above black and gray product characteristic data Comparison is carried out to complete risk identification. During the use process, the application running status is extracted to identify its malicious behavior characteristics (such as hidden payment applications, induced payment in the interface, gambling, etc.), and comparison of characteristics is performed.
其次是在使用逻辑中,将用户使用过程中的应用运行行为信息,如应用启动先后顺序(即应用调用顺序或应用调用链路,假设欺诈应用的支付过程 为:欺诈应用=>照片浏览器=>浏览器=>支付应用),在应用调用链路中,匹配到此过程并通过上述通用逻辑中的特征识别匹配欺诈应用,即可完成对此次链路上存在的欺诈行为识别,即可在用户支付前给出风险提示,实现方式中也可以针对链路特征进行提取,如计算关键环节字段哈希值(hash)比对等方式来实现数据比对等。Secondly, in the usage logic, the application running behavior information during the user's use, such as the application startup sequence (i.e., application call sequence or application call link), assumes the payment process of the fraudulent application. For: Fraudulent application => Photo browser => Browser => Payment application), in the application call link, match this process and identify and match the fraudulent application through the characteristics in the above general logic, you can complete the link The identification of fraudulent behaviors on the road can provide risk warnings before users pay. In the implementation method, link characteristics can also be extracted, such as calculating the hash value (hash) comparison of key link fields to achieve data comparison. equal.
如图2所示,为实现欺诈行为检测方法的欺诈行为检测系统的结构图。As shown in Figure 2, it is a structural diagram of a fraud detection system that implements the fraud detection method.
对于REE侧:For REE side:
(1)反欺诈检测(1) Anti-fraud detection
接收来自终端“反欺诈安全检测”的安全能力评估请求,该请求中包含“反欺诈行为检测”的行为标识、管理服务的授权令牌;Receive a security capability assessment request from the terminal's "Anti-Fraud Security Detection", which contains the behavioral identifier of the "Anti-Fraud Behavior Detection" and the authorization token of the management service;
利用REE侧通信代理与TEE侧通信代理将欺诈特征数据集传递至TEE侧“反欺诈安全检测”;Use the REE side communication agent and the TEE side communication agent to transfer the fraud characteristic data set to the TEE side for "anti-fraud security detection";
将TEE侧“反欺诈安全检测”的欺诈行为检测结果返回至调用方(目标应用)。Return the fraud detection results of the "anti-fraud security detection" on the TEE side to the caller (target application).
(2)框架安全能力(2)Framework security capabilities
接受“反欺诈检测”的调用请求,通过通信代理获取TEE侧中反欺诈数据与策略对应检测采集需求(包含应用链路信息、行为特征、签名信息、包名信息等);Accept the call request for "anti-fraud detection" and obtain the anti-fraud data and policy corresponding detection collection requirements on the TEE side through the communication agent (including application link information, behavioral characteristics, signature information, package name information, etc.);
依托策略进行数据粗校并将策略范围内的应用链路信息整理并传递至TEE侧“反欺诈安全检测”;Relying on the policy, the data is roughly calibrated and the application link information within the policy scope is organized and transmitted to the TEE side for "anti-fraud security detection";
(3)反欺诈数据支持应用程序接口(API)(3) Anti-fraud data support application programming interface (API)
接受调用方的数据写入请求,并通过通信代理与“反欺诈数据管理服务”通信,反欺诈数据管理服务为云端的管理服务,校验调用方身份与数据是否合法,通过可信任的端与端更新TEE侧中的“欺诈特征数据集”。Accept the caller's data writing request and communicate with the "anti-fraud data management service" through the communication agent. The anti-fraud data management service is a cloud management service that verifies whether the caller's identity and data are legal. Through a trusted client and The end updates the "Fraud Feature Data Set" in the TEE side.
对于TEE侧:For TEE side:
(1)反欺诈安全检测(1) Anti-fraud security detection
接受来自REE侧“反欺诈检测”的反欺诈查询能力请求,该请求中包含 “反欺诈行为检测”的行为标识、管理服务的授权令牌及REE侧的安全状态信息,根据响应的策略,检测该访问请求是否有效,例如:Accept the anti-fraud query capability request from the REE side "Anti-Fraud Detection", which contains The behavior identifier of "anti-fraud behavior detection", the authorization token of the management service and the security status information on the REE side are used to detect whether the access request is valid according to the response policy, for example:
根据终端“反欺诈检测”的标识,检查目标应用是否有调用“反欺诈检测”的权限;According to the terminal's "anti-fraud detection" identification, check whether the target application has the permission to call "anti-fraud detection";
验证授权令牌的有效性(如令牌是否来自本移动设备的管理服务、令牌是否过期等),并检查该管理服务否有调用“反欺诈检测”的权限。Verify the validity of the authorization token (such as whether the token comes from the management service of this mobile device, whether the token has expired, etc.), and check whether the management service has the authority to call "anti-fraud detection".
通过本终端的私钥对欺诈行为检测结果进行数字签名;Digitally sign the fraud detection results using the terminal’s private key;
通过“框架安全能力”获取在调用方前的特定策略范围应用堆栈信息,与TEE中预置(下发)的欺诈特征数据集中的欺诈特征数据进行比对,并将欺诈行为检测结果、数字签名返回直接REE侧“反欺诈检测”;Obtain the specific policy scope application stack information in front of the caller through the "framework security capability", compare it with the fraud characteristic data in the fraud characteristic data set preset (delivered) in the TEE, and combine the fraud detection results and digital signatures Return to the direct REE side "anti-fraud detection";
接受来自“反欺诈数据管理服务”中的“欺诈特征数据集”和“反欺诈数据支持应用程序接口”的更新数据,可对TEE策的数据集进行更新(更新优先级以时间为先)。Accept updated data from the "Fraud Characteristic Data Set" and "Anti-Fraud Data Support Application Program Interface" in the "Anti-Fraud Data Management Service" to update the TEE policy data set (the update priority is based on time first).
对于反欺诈数据管理服务:For anti-fraud data management services:
其中,基础数据可包括:Among them, basic data can include:
(1)欺诈特征数据集(1) Fraud feature data set
可通过接入国家反诈中心、系统防护黑产数据埋点、实际攻防对抗、黑灰产情报等来源,建立综合欺诈特征数据集,包含但不限于:包名、签名、应用链路信息、行为特征等;A comprehensive fraud characteristic data set can be established by accessing the National Anti-Fraud Center, system protection black product data buried points, actual offensive and defensive confrontations, black and gray product intelligence and other sources, including but not limited to: package name, signature, application link information, Behavioral characteristics, etc.;
(2)反欺诈策略(对比策略)(2) Anti-fraud strategy (comparison strategy)
反欺诈检测能力配置,如调用链范围策略设定,即目标应用前存在特定数字的调用过程,其过程中存在如何的计算特征配置等。Anti-fraud detection capability configuration, such as call chain scope policy setting, that is, the call process with specific numbers before the target application, what kind of calculation feature configuration exists in the process, etc.
其中,基础服务与接口:Among them, basic services and interfaces:
(1)授权管理(1) Authorization management
接收“反欺诈检测”的反欺诈安全检测能力(反欺诈端侧数据传入)的授权请求;Receive the authorization request for the anti-fraud security detection capability of "anti-fraud detection" (anti-fraud end-side data incoming);
认证“反欺诈检测”; Certified "anti-fraud detection";
为“反欺诈检测”生成一个授权令牌;Generate an authorization token for "anti-fraud detection";
将该授权令牌返回给“反欺诈检测”;Return the authorization token to Anti-Fraud Detection;
(2)反欺诈数据支持数据认证接口(2) Anti-fraud data supports data authentication interface
端与端更新时,验证数据是否已通过合规审核,保证端至端数据更新时的数据可控性。When updating end-to-end data, verify whether the data has passed the compliance review to ensure data controllability when updating end-to-end data.
如图3所示,本申请实施例的方法的具体流程如下:As shown in Figure 3, the specific process of the method in the embodiment of this application is as follows:
1、准备阶段:1. Preparation stage:
配置反欺诈能力信息:Configure anti-fraud capability information:
收集多元欺诈特征数据,根据策略生成综合欺诈特征数据集;Collect multi-dimensional fraud feature data and generate a comprehensive fraud feature data set based on the strategy;
配置欺诈特征策略内容,如检测被拉起应用的调用顺序信息等;Configure fraud feature policy content, such as detecting the calling sequence information of the pulled application, etc.;
应用授权配置:Apply authorization configuration:
生成并配置授权应用的授权令牌与访问权限;Generate and configure authorization tokens and access rights for authorized applications;
云端中“授权管理”模块中配置访问权限白名单,签名保护后通过可信数据传输通路将授权令牌下发至TEE侧,TEE侧通过预置密钥进行签名验证,解出授权令牌及其有效期;Configure an access rights whitelist in the "Authorization Management" module in the cloud. After signature protection, the authorization token is sent to the TEE side through the trusted data transmission channel. The TEE side performs signature verification through the preset key to unlock the authorization token and its validity period;
端侧数据模型导入后台配置:Import the client-side data model into the background configuration:
数据配置:将终端侧可允许更新的模型进行云端审核后保存特征值;Data configuration: The model that can be updated on the terminal side is reviewed in the cloud and the characteristic values are saved;
导入授权配置:生成并配置可终端侧导入欺诈数据的令牌和访问权限。Import authorization configuration: Generate and configure tokens and access rights that can import fraud data on the endpoint side.
2、查询阶段(检测阶段)2. Query stage (detection stage)
调用方(目标应用)对REE侧“反欺诈检测”发起检测请求(包含授权令牌);The caller (target application) initiates a detection request (including authorization token) to the "anti-fraud detection" on the REE side;
终端REE侧“反欺诈检测”对来访者(目标应用)进行身份验证,在验证过程中,REE侧与云端通信,云端实现对目标应用的身份验证,将身份验证结果下发至REE侧,身份验证通过后“框架安全能力”侧依照策略收集目标应用关联的特征信息,如应用链路信息、包名信息、签名信息、行为特征等,将特征信息传递至TEE侧“反欺诈安全能力”中。The "anti-fraud detection" on the REE side of the terminal authenticates the visitor (target application). During the verification process, the REE side communicates with the cloud. The cloud implements the identity verification of the target application and sends the identity verification results to the REE side. After passing the verification, the "framework security capability" side collects characteristic information associated with the target application according to the policy, such as application link information, package name information, signature information, behavioral characteristics, etc., and transfers the characteristic information to the "anti-fraud security capability" on the TEE side. .
终端TEE侧“反欺诈安全能力”对授权令牌进行验证,若验证失败则立 即终止操作并返回错误提示信息至REE侧的“反欺诈检测”,“反欺诈检测”通过访问控制机制记录错误信息,并返回至调用方,同时在应用单位时间频繁访问且鉴权频繁失败的情况(如1min内连续失败1000次)下,“反欺诈检测”可适当限制调用方调用频率及次数(例如,禁止30min请求);The "anti-fraud security capability" on the terminal TEE side verifies the authorization token. If the verification fails, That is, the operation is terminated and the error message is returned to the "Anti-Fraud Detection" on the REE side. The "Anti-Fraud Detection" records the error information through the access control mechanism and returns it to the caller. At the same time, frequent access and frequent authentication failures occur within the application unit time. Under certain circumstances (such as 1,000 consecutive failures within 1 minute), "anti-fraud detection" can appropriately limit the frequency and number of calls made by the caller (for example, prohibiting requests for 30 minutes);
TEE侧将REE侧传递的特征信息与欺诈特征数据集中特征依照对比策略进行比对,比如对比策略规定当调用顺序为恶意应用=>特定应用=》支付应用的规则,则TEE侧通过规则进行匹配,若命中应用调用顺序与恶意应用的信息,则返回风险提示信息至“反欺诈检测”,通过反欺诈检测将风险提示信息告知调用方,若未命中,则返回暂未发现问题的信息;The TEE side compares the feature information transmitted by the REE side with the features in the fraud feature data set according to the comparison strategy. For example, the comparison strategy stipulates that when the calling sequence is malicious application => specific application => payment application rule, the TEE side will match based on the rules. , if the information about the application calling sequence and malicious application is hit, the risk prompt information will be returned to "anti-fraud detection", and the risk prompt information will be informed to the caller through anti-fraud detection. If it is not hit, the information that no problem has been found yet will be returned;
(3)终端侧数据同步阶段:(3) Terminal side data synchronization stage:
授权方式参照查询阶段逻辑,若权限通过,则将更新数据通过REE传入TEE侧,TEE侧中的“反欺诈安全能力”完成对数据的更新。The authorization method refers to the logic of the query phase. If the permission is passed, the updated data will be transmitted to the TEE side through REE, and the "anti-fraud security capability" in the TEE side will complete the update of the data.
本申请实施例提供的欺诈行为检测方法,执行主体可以为欺诈行为检测装置。本申请实施例中以欺诈行为检测装置执行欺诈行为检测方法为例,说明本申请实施例提供的欺诈行为检测装置。For the fraud detection method provided by the embodiments of this application, the execution subject may be a fraud detection device. In the embodiments of this application, a fraud detection device performing a fraud detection method is used as an example to illustrate the fraud detection device provided in the embodiments of this application.
如图4所示,提供一种实施例的欺诈行为检测装置400,可用于电子设备,装置400包括:As shown in Figure 4, an embodiment of a fraud detection device 400 is provided, which can be used in electronic devices. The device 400 includes:
获取模块401,用于在富执行环境REE侧在接收到目标应用发送的检测请求的情况下,获取目标应用关联的特征信息;The acquisition module 401 is configured to obtain the characteristic information associated with the target application when the rich execution environment REE side receives a detection request sent by the target application;
第一发送模块402,用于将特征信息发送至终端的可信执行环境TEE侧,检测请求用于请求进行欺诈行为检测;The first sending module 402 is used to send the characteristic information to the trusted execution environment TEE side of the terminal, and the detection request is used to request fraud detection;
第一确定模块403,用于终端在TEE侧对目标应用进行授权验证成功的情况下,将特征信息与欺诈特征数据集中的欺诈特征数据进行对比,确定欺诈行为检测结果。The first determination module 403 is used to compare the characteristic information with the fraud characteristic data in the fraud characteristic data set to determine the fraud detection result when the terminal successfully authenticates the target application on the TEE side.
在一个实施例中,特征信息包括以下至少一项:In one embodiment, the characteristic information includes at least one of the following:
应用链路信息,应用链路信息用于表示调用包括目标应用在内的多个应用的调用顺序信息; Application link information. Application link information is used to represent the calling sequence information for calling multiple applications including the target application;
应用链路信息中应用的包名信息;The package name information of the application in the application link information;
应用链路信息中应用的签名信息;The signature information of the application in the application link information;
应用链路信息中应用的行为特征。Behavioral characteristics of the application in the application link information.
在一个实施例中,第一确定模块403,具体用于按照目标比对策略将特征信息与欺诈特征数据集中的欺诈特征数据进行比对,确定欺诈行为检测结果;In one embodiment, the first determination module 403 is specifically configured to compare the feature information with the fraud feature data in the fraud feature data set according to the target comparison strategy, and determine the fraud behavior detection result;
其中,目标比对策略为终端预先从云端获取的,欺诈特征数据集为终端预先从云端获取的。Among them, the target comparison strategy is obtained by the terminal from the cloud in advance, and the fraud characteristic data set is obtained by the terminal from the cloud in advance.
在一个实施例中,第一确定模块403,还具体用于:In one embodiment, the first determination module 403 is also specifically used to:
在特征信息中的多个应用的应用链路信息与欺诈特征数据集中多个应用的应用调用顺序匹配的情况下,确定欺诈行为检测结果为存在欺诈行为;或者When the application link information of multiple applications in the feature information matches the application calling sequence of multiple applications in the fraud feature data set, it is determined that the fraud detection result is that fraud exists; or
在特征信息中的多个应用的应用链路信息与欺诈特征数据集中多个应用的应用调用顺序匹配,以及在欺诈特征数据集中匹配到特征信息中包名信息、签名信息和行为特征中的至少一项的情况下,确定欺诈行为检测结果为存在欺诈行为。The application link information of multiple applications in the feature information matches the application calling sequence of multiple applications in the fraud feature data set, and the fraud feature data set matches at least one of the package name information, signature information and behavioral features in the feature information. In the case of one item, it is determined that the fraud detection result is that fraud exists.
在一个实施例中,检测请求中包括授权令牌,装置还包括:In one embodiment, the detection request includes an authorization token, and the device further includes:
第二发送模块,用于在REE侧将授权令牌发送至TEE侧;The second sending module is used to send the authorization token from the REE side to the TEE side;
第二确定模块,用于在TEE侧在对授权令牌进行验证成功的情况下,确定对目标应用授权验证成功。The second determination module is used to determine on the TEE side that the authorization verification of the target application is successful when the authorization token is successfully verified.
在一个实施例中,检测请求中包括目标应用的包名信息和签名信息中的至少一种;In one embodiment, the detection request includes at least one of package name information and signature information of the target application;
获取模块,包括:Get modules including:
第三发送模块,用于向云端发送身份验证请求,身份验证请求中包括目标应用的包名信息和签名信息中的至少一种,身份验证请求用于请求对目标应用进行身份验证;The third sending module is used to send an identity verification request to the cloud. The identity verification request includes at least one of the package name information and signature information of the target application. The identity verification request is used to request identity verification for the target application;
第一接收模块,用于接收云端响应于身份验证请求发送的身份验证结果; The first receiving module is used to receive the identity verification result sent by the cloud in response to the identity verification request;
特征信息获取模块,用于在身份验证结果表示身份验证通过的情况下,获取特征信息。The characteristic information acquisition module is used to obtain characteristic information when the identity verification result indicates that the identity verification is passed.
本申请实施例中的欺诈行为检测装置可以是电子设备,也可以是电子设备中的部件,例如,集成电路或芯片。该电子设备可以是终端,也可以是除终端之外的其他设备,电子设备可以为手机、平板电脑、笔记本电脑、掌上电脑、车载电子设备、移动上网装置(Mobile Internet Device,MID)、增强现实(augmented reality,AR)/虚拟现实(virtual reality,VR)设备、机器人、可穿戴设备、超级移动个人计算机(ultra-mobile personal computer,UMPC)、上网本或者个人数字助理(personal digital assistant,PDA)等,还可以为网络附属存储器(Network Attached Storage,NAS)、个人计算机(personal computer,PC)、电视机(television,TV)、柜员机或者自助机等,本申请实施例不作具体限定。The fraud detection device in the embodiment of the present application may be an electronic device or a component in the electronic device, such as an integrated circuit or a chip. The electronic device can be a terminal or other devices other than the terminal. The electronic device can be a mobile phone, a tablet computer, a notebook computer, a handheld computer, a vehicle-mounted electronic device, a Mobile Internet Device (MID), or an augmented reality device. (augmented reality, AR)/virtual reality (VR) equipment, robots, wearable devices, ultra-mobile personal computers (ultra-mobile personal computers, UMPC), netbooks or personal digital assistants (personal digital assistant, PDA), etc. , it can also be a network attached storage (Network Attached Storage, NAS), a personal computer (personal computer, PC), a television (television, TV), a teller machine or a self-service machine, etc., which are not specifically limited in the embodiments of this application.
本申请实施例中的欺诈行为检测装置可以为具有操作系统的装置。该操作系统可以为安卓(Android)操作系统,可以为ios操作系统,还可以为其他可能的操作系统,本申请实施例不作具体限定。The fraud detection device in the embodiment of the present application may be a device with an operating system. The operating system can be an Android operating system, an ios operating system, or other possible operating systems, which are not specifically limited in the embodiments of this application.
本申请实施例提供的欺诈行为检测装置能够实现上述欺诈行为检测方法实施例实现的各个过程,例如,能够实现图1至图3的方法实施例实现的各个过程,为避免重复,这里不再赘述。The fraud detection device provided by the embodiment of the present application can implement each process implemented by the above-mentioned fraud detection method embodiment. For example, it can implement each process implemented by the method embodiment of Figures 1 to 3. To avoid duplication, no details will be described here. .
可选地,如图5所示,本申请实施例还提供一种电子设备500,包括处理器501和存储器502,存储器502存储可在处理器501上运行的程序或指令,该程序或指令被处理器501执行时实现上述欺诈行为检测方法实施例的各个步骤,且能达到相同的技术效果,为避免重复,这里不再赘述。Optionally, as shown in Figure 5, this embodiment of the present application also provides an electronic device 500, including a processor 501 and a memory 502. The memory 502 stores programs or instructions that can be run on the processor 501. The program or instructions are When executed, the processor 501 implements each step of the above embodiment of the fraud detection method and can achieve the same technical effect. To avoid duplication, the details will not be described here.
需要说明的是,本申请实施例中的电子设备包括上述的移动电子设备和非移动电子设备。It should be noted that the electronic devices in the embodiments of the present application include the above-mentioned mobile electronic devices and non-mobile electronic devices.
图6为实现本申请实施例的一种电子设备的硬件结构示意图。FIG. 6 is a schematic diagram of the hardware structure of an electronic device implementing an embodiment of the present application.
该电子设备600包括但不限于:射频单元601、网络模块602、音频输出单元603、输入单元604、传感器605、显示单元606、用户输入单元607、 接口单元608、存储器609、以及处理器610等部件。The electronic device 600 includes but is not limited to: radio frequency unit 601, network module 602, audio output unit 603, input unit 604, sensor 605, display unit 606, user input unit 607, Interface unit 608, memory 609, processor 610 and other components.
本领域技术人员可以理解,电子设备600还可以包括给各个部件供电的电源(比如电池),电源可以通过电源管理系统与处理器610逻辑相连,从而通过电源管理系统实现管理充电、放电、以及功耗管理等功能。图6中示出的电子设备结构并不构成对电子设备的限定,电子设备可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件布置,在此不再赘述。Those skilled in the art can understand that the electronic device 600 may also include a power supply (such as a battery) that supplies power to various components. The power supply may be logically connected to the processor 610 through a power management system, thereby managing charging, discharging, and function through the power management system. Consumption management and other functions. The structure of the electronic device shown in Figure 6 does not constitute a limitation on the electronic device. The electronic device may include more or less components than shown in the figure, or combine certain components, or arrange different components, which will not be described again here. .
其中,处理器610,用于:Among them, processor 610 is used for:
在富执行环境REE侧在接收到目标应用发送的检测请求的情况下,获取目标应用关联的特征信息;When the rich execution environment REE side receives the detection request sent by the target application, it obtains the characteristic information associated with the target application;
将特征信息发送至终端的可信执行环境TEE侧,检测请求用于请求进行欺诈行为检测;Send the characteristic information to the trusted execution environment TEE side of the terminal, and the detection request is used to request fraud detection;
在TEE侧对目标应用进行授权验证成功的情况下,将特征信息与欺诈特征数据集中的欺诈特征数据进行对比,确定欺诈行为检测结果。When the authorization verification of the target application on the TEE side is successful, the characteristic information is compared with the fraud characteristic data in the fraud characteristic data set to determine the fraud detection result.
在一个实施例中,特征信息包括以下至少一项:In one embodiment, the characteristic information includes at least one of the following:
应用链路信息,应用链路信息用于表示调用包括目标应用在内的多个应用的调用顺序信息;Application link information. Application link information is used to represent the calling sequence information for calling multiple applications including the target application;
应用链路信息中应用的包名信息;The package name information of the application in the application link information;
应用链路信息中应用的签名信息;The signature information of the application in the application link information;
应用链路信息中应用的行为特征。Behavioral characteristics of the application in the application link information.
在一个实施例中,处理器610,用于按照目标比对策略将特征信息与欺诈特征数据集中的欺诈特征数据进行比对,确定欺诈行为检测结果;In one embodiment, the processor 610 is configured to compare the feature information with the fraud feature data in the fraud feature data set according to the target comparison strategy, and determine the fraud behavior detection result;
其中,目标比对策略为终端预先从云端获取的,欺诈特征数据集为终端预先从云端获取的。Among them, the target comparison strategy is obtained by the terminal from the cloud in advance, and the fraud characteristic data set is obtained by the terminal from the cloud in advance.
在一个实施例中,处理器610,还具体用于在特征信息中的多个应用的应用链路信息与欺诈特征数据集中多个应用的应用调用顺序匹配的情况下,确定欺诈行为检测结果为存在欺诈行为;或者In one embodiment, the processor 610 is further specifically configured to determine that the fraud behavior detection result is when the application link information of multiple applications in the feature information matches the application calling sequence of multiple applications in the fraud feature data set. There has been fraud; or
在特征信息中的多个应用的应用链路信息与欺诈特征数据集中多个应用 的应用调用顺序匹配,以及在欺诈特征数据集中匹配到特征信息中包名信息、签名信息和行为特征中的至少一项的情况下,确定欺诈行为检测结果为存在欺诈行为。Application link information of multiple applications in the feature information and multiple applications in the fraud feature data set The application call sequence matches, and when at least one of the package name information, signature information and behavioral characteristics in the characteristic information is matched in the fraud characteristic data set, it is determined that the fraud detection result is that fraud exists.
在一个实施例中,检测请求中包括授权令牌;In one embodiment, the detection request includes an authorization token;
射频单元601,用于在REE侧将授权令牌发送至TEE侧;Radio frequency unit 601, used to send the authorization token on the REE side to the TEE side;
处理器610,用于在TEE侧在对授权令牌进行验证成功的情况下,确定对目标应用授权验证成功。The processor 610 is configured to determine that the target application authorization verification is successful when the authorization token is successfully verified on the TEE side.
在一个实施例中,检测请求中包括目标应用的包名信息和签名信息中的至少一种;In one embodiment, the detection request includes at least one of package name information and signature information of the target application;
射频单元601,用于向云端发送身份验证请求,身份验证请求中包括目标应用的包名信息和签名信息中的至少一种,身份验证请求用于请求对目标应用进行身份验证;The radio frequency unit 601 is used to send an identity verification request to the cloud. The identity verification request includes at least one of the package name information and signature information of the target application. The identity verification request is used to request identity verification of the target application;
射频单元601,用于接收云端响应于身份验证请求发送的身份验证结果;The radio frequency unit 601 is used to receive the identity verification result sent by the cloud in response to the identity verification request;
处理器610,用于在身份验证结果表示身份验证通过的情况下,获取特征信息。The processor 610 is configured to obtain characteristic information when the identity verification result indicates that the identity verification is passed.
应理解的是,本申请实施例中,输入单元604可以包括图形处理器(Graphics Processing Unit,GPU)6041和麦克风6042,图形处理器6041对在视频捕获模式或图像捕获模式中由图像捕获装置(如摄像头)获得的静态图片或视频的图像数据进行处理。显示单元606可包括显示面板6061,可以采用液晶显示器、有机发光二极管等形式来配置显示面板6061。用户输入单元607包括触控面板6071以及其他输入设备6072中的至少一种。触控面板6071,也称为触摸屏。触控面板6071可包括触摸检测装置和触摸控制器两个部分。其他输入设备6072可以包括但不限于物理键盘、功能键(比如音量控制按键、开关按键等)、轨迹球、鼠标、操作杆,在此不再赘述。It should be understood that in the embodiment of the present application, the input unit 604 may include a graphics processor (Graphics Processing Unit, GPU) 6041 and a microphone 6042. The graphics processor 6041 is responsible for the image capture device (GPU) in the video capture mode or the image capture mode. Process the image data of still pictures or videos obtained by cameras (such as cameras). The display unit 606 may include a display panel 6061, which may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like. The user input unit 607 includes a touch panel 6071 and at least one of other input devices 6072 . Touch panel 6071, also called touch screen. The touch panel 6071 may include two parts: a touch detection device and a touch controller. Other input devices 6072 may include but are not limited to physical keyboards, function keys (such as volume control keys, switch keys, etc.), trackballs, mice, and joysticks, which will not be described again here.
存储器609可用于存储软件程序以及各种数据,存储器609可主要包括存储程序或指令的第一存储区和存储数据的第二存储区,其中,第一存储区可存储操作系统、至少一个功能所需的应用程序或指令(比如声音播放功能、 图像播放功能等)等。此外,存储器609可以包括易失性存储器或非易失性存储器,或者,存储器x09可以包括易失性和非易失性存储器两者。其中,非易失性存储器可以是只读存储器(Read-Only Memory,ROM)、可编程只读存储器(Programmable ROM,PROM)、可擦除可编程只读存储器(Erasable PROM,EPROM)、电可擦除可编程只读存储器(Electrically EPROM,EEPROM)或闪存。易失性存储器可以是随机存取存储器(Random Access Memory,RAM),静态随机存取存储器(Static RAM,SRAM)、动态随机存取存储器(Dynamic RAM,DRAM)、同步动态随机存取存储器(Synchronous DRAM,SDRAM)、双倍数据速率同步动态随机存取存储器(Double Data Rate SDRAM,DDRSDRAM)、增强型同步动态随机存取存储器(Enhanced SDRAM,ESDRAM)、同步连接动态随机存取存储器(Synch link DRAM,SLDRAM)和直接内存总线随机存取存储器(Direct Rambus RAM,DRRAM)。本申请实施例中的存储器609包括但不限于这些和任意其它适合类型的存储器。The memory 609 can be used to store software programs and various data. The memory 609 can mainly include a first storage area for storing programs or instructions and a second storage area for storing data. The first storage area can store an operating system and at least one function. required applications or commands (such as sound playback function, Image playback function, etc.) etc. Additionally, memory 609 may include volatile memory or non-volatile memory, or memory x09 may include both volatile and non-volatile memory. Among them, the non-volatile memory can be read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable ROM, PROM), erasable programmable read-only memory (Erasable PROM, EPROM), electrically removable memory. Erase programmable read-only memory (Electrically EPROM, EEPROM) or flash memory. Volatile memory can be random access memory (Random Access Memory, RAM), static random access memory (Static RAM, SRAM), dynamic random access memory (Dynamic RAM, DRAM), synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (Double Data Rate SDRAM, DDRSDRAM), enhanced synchronous dynamic random access memory (Enhanced SDRAM, ESDRAM), synchronous link dynamic random access memory (Synch link DRAM) , SLDRAM) and direct memory bus random access memory (Direct Rambus RAM, DRRAM). Memory 609 in embodiments of the present application includes, but is not limited to, these and any other suitable types of memory.
处理器610可包括一个或多个处理单元;可选地,包括但不限于应用程序和操作系统。处理器610可集成应用处理器和调制解调处理器,其中,应用处理器主要处理操作系统、用户界面和应用程序等,调制解调处理器主要处理无线通信。可以理解的是,上述调制解调处理器也可以不集成到处理器610中。Processor 610 may include one or more processing units; optionally including, but not limited to, application programs and operating systems. The processor 610 can integrate an application processor and a modem processor, where the application processor mainly processes the operating system, user interface, application programs, etc., and the modem processor mainly processes wireless communications. It can be understood that the above modem processor may not be integrated into the processor 610.
本申请实施例还提供一种可读存储介质,可读存储介质上存储有程序或指令,该程序或指令被处理器执行时实现上述欺诈行为检测方法实施例的各个过程,且能达到相同的技术效果,为避免重复,这里不再赘述。Embodiments of the present application also provide a readable storage medium. Programs or instructions are stored on the readable storage medium. When the program or instructions are executed by a processor, each process of the above embodiments of the fraud detection method can be implemented and the same can be achieved. To avoid repetition, the technical effects will not be repeated here.
其中,处理器为上述实施例中的电子设备中的处理器。可读存储介质,包括计算机可读存储介质,如计算机只读存储器ROM、随机存取存储器RAM、磁碟或者光盘等。Wherein, the processor is the processor in the electronic device in the above embodiment. Readable storage media includes computer-readable storage media, such as computer read-only memory ROM, random access memory RAM, magnetic disks or optical disks.
本申请实施例另提供了一种芯片,包括处理器和通信接口,通信接口和处理器耦合,通信接口用于传输图像数据,处理器用于运行程序或指令,实现上述欺诈行为检测方法实施例的各个过程,且能达到相同的技术效果,为 避免重复,这里不再赘述。An embodiment of the present application also provides a chip, which includes a processor and a communication interface. The communication interface is coupled to the processor. The communication interface is used to transmit image data. The processor is used to run programs or instructions to implement the above embodiment of the fraud detection method. Each process, and can achieve the same technical effect, is To avoid repetition, we will not go into details here.
应理解,本申请实施例提到的芯片还可以称为系统级芯片、系统芯片、芯片系统或片上系统芯片等。It should be understood that the chips mentioned in the embodiments of this application may also be called system-on-chip, system-on-a-chip, system-on-a-chip or system-on-chip, etc.
本申请实施例提供一种计算机程序产品,该程序产品被存储在存储介质中,该程序产品被至少一个处理器执行以实现如上述欺诈行为检测方法实施例的各个过程,且能达到相同的技术效果,为避免重复,这里不再赘述。Embodiments of the present application provide a computer program product. The program product is stored in a storage medium. The program product is executed by at least one processor to implement each process of the above-mentioned fraud behavior detection method embodiment, and can achieve the same technology. The effect will not be described here to avoid repetition.
需要说明的是,在本文中,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者装置不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者装置所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括该要素的过程、方法、物品或者装置中还存在另外的相同要素。此外,需要指出的是,本申请实施方式中的方法和装置的范围不限按示出或讨论的顺序来执行功能,还可包括根据所涉及的功能按基本同时的方式或按相反的顺序来执行功能,例如,可以按不同于所描述的次序来执行所描述的方法,并且还可以添加、省去、或组合各种步骤。另外,参照某些示例所描述的特征可在其他示例中被组合。It should be noted that, in this document, the terms "comprising", "comprises" or any other variations thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or device that includes a series of elements not only includes those elements, It also includes other elements not expressly listed or inherent in the process, method, article or apparatus. Without further limitation, an element defined by the statement "comprises a..." does not exclude the presence of additional identical elements in a process, method, article or apparatus that includes that element. In addition, it should be pointed out that the scope of the methods and devices in the embodiments of the present application is not limited to performing functions in the order shown or discussed, but may also include performing functions in a substantially simultaneous manner or in reverse order according to the functions involved. Functions may be performed, for example, the methods described may be performed in an order different from that described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到上述实施例方法可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件,但很多情况下前者是更佳的实施方式。基于这样的理解,本申请的技术方案本质上或者说对相关技术做出贡献的部分可以以计算机软件产品的形式体现出来,该计算机软件产品存储在一个存储介质(如ROM/RAM、磁碟、光盘)中,包括若干指令用以使得一台终端(可以是手机,计算机,服务器,或者网络设备等)执行本申请各个实施例所述的方法。Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus the necessary general hardware platform. Of course, it can also be implemented by hardware, but in many cases the former is better. implementation. Based on this understanding, the technical solution of the present application can be embodied in the form of a computer software product that is essentially or contributes to related technologies. The computer software product is stored in a storage medium (such as ROM/RAM, disk, CD), including several instructions to cause a terminal (which can be a mobile phone, a computer, a server, or a network device, etc.) to execute the methods described in various embodiments of this application.
上面结合附图对本申请的实施例进行了描述,但是本申请并不局限于上述的具体实施方式,上述的具体实施方式仅仅是示意性的,而不是限制性的,本领域的普通技术人员在本申请的启示下,在不脱离本申请宗旨和权利要求 所保护的范围情况下,还可做出很多形式,均属于本申请的保护之内。 The embodiments of the present application have been described above in conjunction with the accompanying drawings. However, the present application is not limited to the above-mentioned specific implementations. The above-mentioned specific implementations are only illustrative and not restrictive. Those of ordinary skill in the art will Inspired by this application, without departing from the purpose and claims of this application Within the scope of protection, many forms can be made, all of which fall within the protection of this application.

Claims (16)

  1. 一种欺诈行为检测方法,所述方法包括:A fraud detection method, the method includes:
    终端在富执行环境REE侧在接收到目标应用发送的检测请求的情况下,获取所述目标应用关联的特征信息,并将所述特征信息发送至所述终端的可信执行环境TEE侧,所述检测请求用于请求进行欺诈行为检测;When the terminal receives the detection request sent by the target application on the rich execution environment REE side, it obtains the characteristic information associated with the target application and sends the characteristic information to the trusted execution environment TEE side of the terminal. The above detection request is used to request fraud detection;
    所述终端在所述TEE侧对所述目标应用进行授权验证成功的情况下,将所述特征信息与欺诈特征数据集中的欺诈特征数据进行对比,确定欺诈行为检测结果。If the terminal successfully performs authorization verification on the target application on the TEE side, the terminal compares the characteristic information with the fraud characteristic data in the fraud characteristic data set to determine the fraud detection result.
  2. 根据权利要求1所述的方法,其中,所述特征信息包括以下至少一项:The method according to claim 1, wherein the characteristic information includes at least one of the following:
    应用链路信息,所述应用链路信息用于表示调用包括所述目标应用在内的多个应用的调用顺序信息;Application link information, the application link information is used to represent the calling sequence information for calling multiple applications including the target application;
    应用链路信息中应用的包名信息;The package name information of the application in the application link information;
    应用链路信息中应用的签名信息;The signature information of the application in the application link information;
    应用链路信息中应用的行为特征。Behavioral characteristics of the application in the application link information.
  3. 根据权利要求1或2所述的方法,其中,所述将所述特征信息与欺诈特征数据集中的欺诈特征数据进行对比,确定欺诈行为检测结果,包括:The method according to claim 1 or 2, wherein comparing the characteristic information with the fraud characteristic data in the fraud characteristic data set to determine the fraud detection result includes:
    按照目标比对策略将所述特征信息与所述欺诈特征数据集中的欺诈特征数据进行比对,确定所述欺诈行为检测结果;Compare the feature information with the fraud feature data in the fraud feature data set according to the target comparison strategy to determine the fraud behavior detection result;
    其中,所述目标比对策略为所述终端预先从云端获取的,所述欺诈特征数据集为所述终端预先从所述云端获取的。Wherein, the target comparison strategy is obtained by the terminal from the cloud in advance, and the fraud characteristic data set is obtained by the terminal from the cloud in advance.
  4. 根据权利要求3所述的方法,其中,所述按照目标比对策略将所述特征信息与所述欺诈特征数据集中的欺诈特征数据进行比对,确定所述欺诈行为检测结果,包括:The method according to claim 3, wherein comparing the feature information with the fraud feature data in the fraud feature data set according to a target comparison strategy to determine the fraud detection result includes:
    在所述特征信息中的应用链路信息与所述欺诈特征数据集中多个应用的应用调用顺序匹配的情况下,确定所述欺诈行为检测结果为存在欺诈行为;或者 In the case where the application link information in the feature information matches the application calling sequence of multiple applications in the fraud feature data set, it is determined that the fraud detection result is that fraud exists; or
    在所述特征信息中的多个应用的应用链路信息与所述欺诈特征数据集中多个应用的应用调用顺序匹配,以及在所述欺诈特征数据集中匹配到所述特征信息中包名信息、签名信息和行为特征中的至少一项的情况下,确定所述欺诈行为检测结果为存在欺诈行为。The application link information of multiple applications in the feature information matches the application calling sequence of multiple applications in the fraud feature data set, and the package name information in the feature information in the fraud feature data set matches, In the case where at least one of the signature information and the behavioral characteristics is used, it is determined that the fraudulent behavior detection result indicates that there is a fraudulent behavior.
  5. 根据权利要求1所述的方法,其中,所述检测请求中包括授权令牌,所述方法还包括:The method of claim 1, wherein the detection request includes an authorization token, the method further comprising:
    所述终端在所述REE侧将所述授权令牌发送至所述TEE侧;The terminal sends the authorization token to the TEE side on the REE side;
    所述终端在所述TEE侧在对所述授权令牌进行验证成功的情况下,确定对所述目标应用授权验证成功。When the TEE side successfully verifies the authorization token, the terminal determines that the authorization verification for the target application is successful.
  6. 根据权利要求1所述的方法,其中,所述检测请求中包括所述目标应用的包名信息和签名信息中的至少一种;The method according to claim 1, wherein the detection request includes at least one of package name information and signature information of the target application;
    所述获取所述目标应用关联的特征信息,包括:The obtaining of characteristic information associated with the target application includes:
    向云端发送身份验证请求,所述身份验证请求中包括所述目标应用的包名信息和签名信息中的至少一种,所述身份验证请求用于请求对所述目标应用进行身份验证;Send an identity verification request to the cloud, where the identity verification request includes at least one of package name information and signature information of the target application, where the identity verification request is used to request identity verification for the target application;
    接收所述云端响应于所述身份验证请求发送的身份验证结果;Receive an identity verification result sent by the cloud in response to the identity verification request;
    在所述身份验证结果表示身份验证通过的情况下,获取所述特征信息。When the identity verification result indicates that the identity verification is passed, the characteristic information is obtained.
  7. 一种欺诈行为检测装置,所述装置包括:A fraud detection device, the device includes:
    获取模块,用于在富执行环境REE侧在接收到目标应用发送的检测请求的情况下,获取所述目标应用关联的特征信息;An acquisition module configured to acquire, on the Rich Execution Environment REE side, the characteristic information associated with the target application upon receiving a detection request sent by the target application;
    第一发送模块,用于将所述特征信息发送至终端的可信执行环境TEE侧,所述检测请求用于请求进行欺诈行为检测;The first sending module is used to send the characteristic information to the trusted execution environment TEE side of the terminal, and the detection request is used to request fraud detection;
    第一确定模块,用于在所述TEE侧对所述目标应用进行授权验证成功的情况下,将所述特征信息与欺诈特征数据集中的欺诈特征数据进行对比,确定欺诈行为检测结果。The first determination module is configured to compare the feature information with the fraud feature data in the fraud feature data set to determine the fraud behavior detection result when the TEE side successfully performs authorization verification on the target application.
  8. 根据权利要求7所述的装置,其中,所述特征信息包括以下至少一项:The device according to claim 7, wherein the characteristic information includes at least one of the following:
    应用链路信息,所述应用链路信息用于表示调用包括所述目标应用在内 的多个应用的调用顺序信息;Application link information, the application link information is used to indicate that the call includes the target application Call sequence information of multiple applications;
    应用链路信息中应用的包名信息;The package name information of the application in the application link information;
    应用链路信息中应用的签名信息;The signature information of the application in the application link information;
    应用链路信息中应用的行为特征。Behavioral characteristics of the application in the application link information.
  9. 根据权利要求7或8所述的装置,其中,所述第一确定模块,用于按照目标比对策略将所述特征信息与所述欺诈特征数据集中的欺诈特征数据进行比对,确定所述欺诈行为检测结果;The device according to claim 7 or 8, wherein the first determination module is configured to compare the feature information with the fraud feature data in the fraud feature data set according to a target comparison strategy, and determine the Fraud detection results;
    其中,所述目标比对策略为所述终端预先从云端获取的,所述欺诈特征数据集为所述终端预先从所述云端获取的。Wherein, the target comparison strategy is obtained by the terminal from the cloud in advance, and the fraud characteristic data set is obtained by the terminal from the cloud in advance.
  10. 根据权利要求9所述的装置,其中,所述按照目标比对策略将所述特征信息与所述欺诈特征数据集中的欺诈特征数据进行比对,确定所述欺诈行为检测结果,包括:The device according to claim 9, wherein comparing the feature information with the fraud feature data in the fraud feature data set according to a target comparison strategy to determine the fraud behavior detection result includes:
    在所述特征信息中的多个应用的应用链路信息与所述欺诈特征数据集中多个应用的应用调用顺序匹配的情况下,确定所述欺诈行为检测结果为存在欺诈行为;或者In the case where the application link information of multiple applications in the feature information matches the application calling sequence of multiple applications in the fraud feature data set, it is determined that the fraudulent behavior detection result is that there is a fraudulent behavior; or
    在所述特征信息中的多个应用的应用链路信息与所述欺诈特征数据集中多个应用的应用调用顺序匹配,以及在所述欺诈特征数据集中匹配到所述特征信息中包名信息、签名信息和行为特征中的至少一项的情况下,确定所述欺诈行为检测结果为存在欺诈行为。The application link information of multiple applications in the feature information matches the application calling sequence of multiple applications in the fraud feature data set, and the package name information in the feature information in the fraud feature data set matches, In the case where at least one of the signature information and the behavioral characteristics is used, it is determined that the fraudulent behavior detection result indicates that there is a fraudulent behavior.
  11. 根据权利要求7所述的装置,其中,所述检测请求中包括授权令牌,所述装置还包括:The device of claim 7, wherein the detection request includes an authorization token, the device further comprising:
    第二发送模块,用于在所述REE侧将所述授权令牌发送至所述TEE侧;a second sending module, configured to send the authorization token to the TEE side on the REE side;
    第二确定模块,用于在所述TEE侧在对所述授权令牌进行验证成功的情况下,确定对所述目标应用授权验证成功。The second determination module is configured to determine that authorization verification of the target application is successful when the TEE side successfully verifies the authorization token.
  12. 根据权利要求7所述的装置,其中,所述检测请求中包括所述目标应用的包名信息和签名信息中的至少一种;The device according to claim 7, wherein the detection request includes at least one of package name information and signature information of the target application;
    所述获取模块,包括: The acquisition module includes:
    第三发送模块,用于向云端发送身份验证请求,所述身份验证请求中包括所述目标应用的包名信息和签名信息中的至少一种,所述身份验证请求用于请求对所述目标应用进行身份验证;The third sending module is used to send an identity verification request to the cloud. The identity verification request includes at least one of the package name information and the signature information of the target application. The identity verification request is used to request a verification request for the target application. Application for authentication;
    第一接收模块,用于接收所述云端响应于所述身份验证请求发送的身份验证结果;A first receiving module, configured to receive the identity verification result sent by the cloud in response to the identity verification request;
    特征信息获取模块,用于在所述身份验证结果表示身份验证通过的情况下,获取所述特征信息。A feature information acquisition module is configured to acquire the feature information when the identity verification result indicates that the identity verification is passed.
  13. 一种电子设备,包括处理器和存储器,其中,所述存储器存储可在所述处理器上运行的程序或指令,所述程序或指令被所述处理器执行时实现如权利要求1-6任一项所述的欺诈行为检测方法的步骤。An electronic device, including a processor and a memory, wherein the memory stores programs or instructions that can be run on the processor, and when the programs or instructions are executed by the processor, any of claims 1-6 is implemented. A step of the fraud detection method.
  14. 一种可读存储介质,所述可读存储介质上存储程序或指令,其中,所述程序或指令被处理器执行时实现如权利要求1-6任一项所述的欺诈行为检测方法的步骤。A readable storage medium on which a program or instructions are stored, wherein when the program or instructions are executed by a processor, the steps of the fraud detection method according to any one of claims 1-6 are implemented. .
  15. 一种计算机程序产品,所述程序产品被至少一个处理器执行以实现如权利要求1至6任一项所述的欺诈行为检测方法。A computer program product, which is executed by at least one processor to implement the fraud detection method according to any one of claims 1 to 6.
  16. 一种芯片,所述芯片包括处理器和通信接口,所述通信接口和所述处理器耦合,所述处理器用于运行程序或指令,实现如权利要求1至6中任一项所述的欺诈行为检测方法。 A chip, the chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is used to run programs or instructions to implement fraud as claimed in any one of claims 1 to 6. Behavior detection methods.
PCT/CN2023/098223 2022-06-10 2023-06-05 Fraudulent behavior detection method and apparatus, electronic device, and readable storage medium WO2023236884A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210656948.7A CN115037482A (en) 2022-06-10 2022-06-10 Fraud detection method and device, electronic equipment and readable storage medium
CN202210656948.7 2022-06-10

Publications (1)

Publication Number Publication Date
WO2023236884A1 true WO2023236884A1 (en) 2023-12-14

Family

ID=83125214

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/098223 WO2023236884A1 (en) 2022-06-10 2023-06-05 Fraudulent behavior detection method and apparatus, electronic device, and readable storage medium

Country Status (2)

Country Link
CN (1) CN115037482A (en)
WO (1) WO2023236884A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037482A (en) * 2022-06-10 2022-09-09 维沃移动通信有限公司 Fraud detection method and device, electronic equipment and readable storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101142570A (en) * 2004-06-14 2008-03-12 约维申有限公司 Network security and fraud detection system and method
CN106295350A (en) * 2015-06-04 2017-01-04 联想移动通信软件(武汉)有限公司 Auth method, device and the terminal of a kind of credible execution environment
US20200322364A1 (en) * 2012-10-02 2020-10-08 Mordecai Barkan Program verification and malware detection
CN111859394A (en) * 2020-07-21 2020-10-30 中国人民解放军国防科技大学 TEE-based software behavior active measurement method and system
CN112307464A (en) * 2020-10-30 2021-02-02 维沃移动通信有限公司 Fraud identification method and device and electronic equipment
US20210075790A1 (en) * 2019-08-23 2021-03-11 Sap Se Attacker detection via fingerprinting cookie mechanism
CN114598541A (en) * 2022-03-18 2022-06-07 维沃移动通信有限公司 Security assessment method and device, electronic equipment and readable storage medium
CN115037482A (en) * 2022-06-10 2022-09-09 维沃移动通信有限公司 Fraud detection method and device, electronic equipment and readable storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109787943B (en) * 2017-11-14 2022-02-22 华为技术有限公司 Method and equipment for resisting denial of service attack
CN111046383B (en) * 2018-10-12 2023-10-13 华为技术有限公司 Terminal attack defense method and device, terminal and cloud server
KR102161777B1 (en) * 2018-12-14 2020-10-05 서울여자대학교 산학협력단 Trusted execution environment system
CN110096881A (en) * 2019-05-07 2019-08-06 百度在线网络技术(北京)有限公司 Malice calls means of defence, device, equipment and computer-readable medium

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101142570A (en) * 2004-06-14 2008-03-12 约维申有限公司 Network security and fraud detection system and method
US20200322364A1 (en) * 2012-10-02 2020-10-08 Mordecai Barkan Program verification and malware detection
CN106295350A (en) * 2015-06-04 2017-01-04 联想移动通信软件(武汉)有限公司 Auth method, device and the terminal of a kind of credible execution environment
US20210075790A1 (en) * 2019-08-23 2021-03-11 Sap Se Attacker detection via fingerprinting cookie mechanism
CN111859394A (en) * 2020-07-21 2020-10-30 中国人民解放军国防科技大学 TEE-based software behavior active measurement method and system
CN112307464A (en) * 2020-10-30 2021-02-02 维沃移动通信有限公司 Fraud identification method and device and electronic equipment
CN114598541A (en) * 2022-03-18 2022-06-07 维沃移动通信有限公司 Security assessment method and device, electronic equipment and readable storage medium
CN115037482A (en) * 2022-06-10 2022-09-09 维沃移动通信有限公司 Fraud detection method and device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN115037482A (en) 2022-09-09

Similar Documents

Publication Publication Date Title
US11783314B2 (en) Contacts for misdirected payments and user authentication
CN111429254B (en) Business data processing method and device and readable storage medium
US8768847B2 (en) Privacy enhancing personal data brokerage service
US8595808B2 (en) Methods and systems for increasing the security of network-based transactions
US8095519B2 (en) Multifactor authentication with changing unique values
CN110826043B (en) Digital identity application system and method, identity authentication system and method
US9934502B1 (en) Contacts for misdirected payments and user authentication
CN113902446A (en) Face payment security method based on security unit and trusted execution environment
WO2021169107A1 (en) Internet identity protection method and apparatus, electronic device, and storage medium
US20130020389A1 (en) Systems and methods for authenticating near field communcation financial transactions
US11943256B2 (en) Link detection method and apparatus, electronic device, and storage medium
US12063311B2 (en) System and method for internet access age-verification
CN102160059A (en) Authorization of server operations
US20170286944A1 (en) Secure transfer of payment data
CA3054287C (en) Contacts for misdirected payments and user authentication
CN114598541B (en) Security assessment method and device, electronic equipment and readable storage medium
CN117751551A (en) System and method for secure internet communications
WO2023236884A1 (en) Fraudulent behavior detection method and apparatus, electronic device, and readable storage medium
JP2023507568A (en) System and method for protection against malicious program code injection
CN115550002B (en) TEE-based intelligent home remote control method and related device
US20140143147A1 (en) Transaction fee negotiation for currency remittance
US20240171399A1 (en) Using secondary blockchain addresses to prevent malicious transfers
CN113839785A (en) Electronic signature system
CN118282711A (en) Cross-system automatic login method, device and storage medium
CN116957575A (en) System, method, device, equipment and storage medium for augmented reality service payment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23819049

Country of ref document: EP

Kind code of ref document: A1