WO2022001475A1 - Application access processing method and apparatus, terminal, and storage medium - Google Patents

Application access processing method and apparatus, terminal, and storage medium

Publication number
WO2022001475A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
level
access control
terminal
physical device
Application number
PCT/CN2021/095286
Other languages
French (fr)
Chinese (zh)
Inventor
谢军
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2022001475A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/08: Access security

Definitions

  • The present application relates to the field of communication technologies, and in particular to a method, apparatus, terminal and storage medium for application access processing.
  • Terminals have become an indispensable part of many people's lives, but at the same time personal privacy information is to a large extent obtainable by the mobile devices in use, for example through photographing, audio recording, location and activity tracks, and file sending. How to limit the acquisition of private content that the user does not expect has therefore become one of the core issues of terminal design.
  • The embodiments of the present application provide a method, apparatus, terminal, and storage medium for application access processing.
  • An embodiment of the present application provides a method for application access processing. The method includes the following steps: monitoring an application state and a physical device state of a terminal; determining the access control level of one or more service modules of the terminal according to the monitored application state and physical device state; and performing, by the one or more service modules of the terminal, application access processing according to the access control level.
  • An embodiment of the present application provides an apparatus for application access processing, including: a monitoring module, configured to monitor the application state and physical device state of the terminal; an acquisition module, configured to determine the access control level of one or more service modules of the terminal according to the monitored application state and physical device state; and a processing module, configured so that the one or more service modules of the terminal perform application access processing according to the access control level.
  • An embodiment of the present application further proposes a terminal. The terminal includes a memory, a processor, a program stored on the memory and executable on the processor, and a data bus configured to implement connection and communication between the processor and the memory; the program, when executed by the processor, implements the steps of the aforementioned method.
  • The present application provides a computer-readable storage medium. The storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of the aforementioned method.
  • FIG. 1 is a schematic flowchart of an application access processing method provided according to an embodiment of the present application.
  • FIG. 2 is a schematic block diagram of an application access processing apparatus provided according to an embodiment of the present application.
  • FIG. 3 is a schematic diagram of the architecture in which the application access processing method provided according to the embodiment of the present application runs.
  • FIG. 4 is a flowchart of an abnormal application detection method based on access level restriction provided according to an embodiment of the present application.
  • This embodiment provides a method for processing application access, which may include the following steps:
  • Step S110: Monitor the application state and physical device state of the terminal;
  • Step S120: Determine the access control level of one or more service modules of the terminal according to the monitored application state and physical device state;
  • Step S130: One or more service modules of the terminal perform application access processing according to the access control level.
  • The application status includes any one or a combination of the following: CPU status, memory status, process status, and statistical indicator data status. The physical device status includes the access status or running status of the physical device; specifically, the access status or running status of the physical device includes: WIFI status, Bluetooth status, screen display status, data status, and flight mode status. The access control level includes one or more of the following: system-level access control level, application-level access control level.
  • The one or more service modules may be preset.
  • The embodiments of the present application further include: establishing and saving a system-level level relationship table by associating the various application states and physical device states of the terminal with different system-level access control levels; and establishing and saving an application-level level relationship table by associating the various application states and physical device states of the terminal with different application-level access control levels.
  • The system-level access control level is used for judging the overall service access statistics of all applications on the service module.
  • The embodiments of the present application further include: establishing a system-level threshold setting value relationship table by associating each system-level access control level with the threshold setting values of one or more service modules; and establishing an application-level threshold setting value relationship table by associating each application-level access control level with the threshold setting values of one or more service modules; wherein the system-level threshold setting value is greater than the application-level threshold setting value.
  • The application-level access control level is the application-level level for a single application.
  • Obtaining the access control level of one or more service modules of the terminal according to the monitored application status and physical device status includes: obtaining, from a pre-stored system-level level relationship table, the system access control level of the one or more service modules of the terminal that corresponds to the monitored application state and physical device state; and obtaining, from a pre-stored application-level level relationship table, the application access control level of the one or more service modules of the terminal that corresponds to the monitored application state and physical device state.
  • Performing application access processing by the one or more service modules of the terminal according to the access control level includes: when the access control level is a system-level access control level, the one or more service modules of the terminal use the system-level level relationship table to perform application access processing; when the access control level is an application-level access control level, the one or more service modules of the terminal use the application-level level relationship table to perform application access processing.
  • The application access processing is to prohibit access to the corresponding application data at the system level or the application level.
  • An application access processing apparatus is provided.
  • FIG. 2 is a schematic diagram of an application access processing apparatus provided in Embodiment 2 of the present application. As shown in FIG. 2, it may include: a monitoring module 201, an acquisition module 202 and a processing module 203.
  • The monitoring module 201 is configured to monitor the application status and physical device status of the terminal; the acquisition module 202 is configured to determine the access control level of one or more service modules of the terminal according to the monitored application status and physical device status; the processing module 203 is configured so that one or more service modules of the terminal perform application access processing according to the access control level.
  • A terminal may include a memory, a processor, a program stored on the memory and executable on the processor, and a data bus configured to implement connection and communication between the processor and the memory. When executed by the processor, the program performs the application access processing method described in the above embodiment, so as to implement the specific steps shown in FIG. 1.
  • A computer-readable storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to perform the application access processing method described in the above embodiments, so as to implement the specific steps shown in FIG. 1.
  • The application access processing method may run in the architecture shown in FIG. 3.
  • The architecture includes the following units: an access control level calculation unit 11, an access threshold configuration unit 12, an access statistics and abnormal monitoring unit 13 and an abnormal event processing unit 14; the applications 1-N of the application layer, the Framework/service system, the hardware abstraction layer (HAL) services 1-J and the drivers 1-I of the kernel layer; as well as the added service modules A1-AL, B1-BJ and C1-CI scattered across the service modules.
  • The access control level calculation unit 11 is configured to determine the access control level of one or more service modules. The purpose of calculating this level is to select an appropriate abnormality threshold for the one or more service modules to monitor; the level and the corresponding abnormality threshold should be calculated according to the application status and physical device status, so as to match the degree of control the user expects. In addition, this level can be a system-level level for the system as a whole, indicating comprehensive monitoring across all applications, or an application-level level for a single application, indicating that each application is monitored separately.
  • The access threshold configuration unit 12 receives level changes from the access control level calculation unit 11 and sets them in the access statistics and abnormal monitoring unit 13; it mainly deals with how the threshold value corresponding to a level is represented.
  • The abnormal event processing unit 14 receives the abnormal event information generated by the access statistics and abnormal monitoring unit 13, and is configured to prompt the user or adjust the threshold configuration parameters in the access threshold configuration unit 12.
  • A method for detecting abnormal applications based on access level restrictions is provided, as shown in FIG. 4, which may include:
  • Step 401: Calculate the current access control level of one or more service modules according to the application state and the physical device state, that is, determine to what extent access to the service module data should be allowed. Data acquisition here is viewed from the user's perspective: the application may read the service module data, the application may send data to the service module, or there may be service interface requests other than user data, such as requests to open or connect to the service module. Such requests do not correspond to real user data, but can be treated as a factor equivalent to user data.
  • This level can be a system-level level for the system as a whole, or an application-level level for a single application. That is, the level here can be a system level, used for judging the overall service access statistics of all applications on the service module, or an application level for a single application, used for judging the access statistics of that single application on the service module. The service module will select at least one of the corresponding thresholds for monitoring. If system-level and application-level monitoring need to be enabled at the same time, one level will generally correspond to two sets of threshold configurations, and the system-level threshold of a given level will generally not be smaller than the application-level threshold. In the following, for simplicity and clarity, a single set of threshold settings is used to represent the case where both types of threshold are in use at the same time.
  • Level settings 1-5 correspond to simple user scenarios, as shown in Table 1: when the scene condition on the right becomes satisfied, the corresponding level setting on the left is activated. The scene conditions are based on the application status and physical device status, in order to infer the degree of control the user expects:
  • Table 1 The relationship between access control level and application state and physical device state
  • Level 1 corresponds to the maximum restriction level, and its module threshold values should be the smallest.
  • For example, the cell at the intersection of a level and a module contains the threshold within the specified time period. The unit of measure of the threshold is given in brackets after the module name; -1 as a threshold quantity indicates an unlimited quantity, and NULL indicates an unlimited time period. A threshold is expressed in the form [a, b], where the first element is the quantity and the second is the time period over which that quantity limit applies.
  • The quantity has two sources. One is the real user data corresponding to the service module, counted in the internationally common data unit of the service or in an internal private data unit. The other is service interface requests other than user data, for which a separate unit of quantity can be defined, or which can be converted into an equivalent amount of user data by a conversion algorithm. This factor is brought within the scope of control mainly because it also reflects user privacy or terminal power consumption to some degree, so the amount of data described below optionally includes the amount of data corresponding to this factor. For example, a wifi service module's search request for a wifi list can be treated as equivalent to 10KB of user data. In the following, for clarity, the separate threshold description for this factor is omitted, as is the description of any equivalent-threshold conversion.
  • For example, the threshold value [0, the first 10 seconds] for level 1 and Camera in Figure 3 indicates that, only in the first 10-second period after level 1 starts, at most 0 frames may be acquired, which is actually equivalent to prohibiting camera data acquisition. Likewise, the threshold setting value [50, the first 30 seconds] for level 2 and Audio means that, only in the first 30-second period after level 2 starts, at most 50 audio packets may be acquired, and the acquisition of audio data is prohibited in other periods.
  • The audio packet is determined based on the data unit provided by the driver or by an international standard, or is converted from the number of interface request calls of the service module according to the module's preset coefficients.
  • Table 2 Relationship between one or more service modules and access control levels
  • The thresholds [-1, the first 120 seconds], [2000, the next 60 seconds period] for level 5 and Audio represent a relatively complex quantity-time period threshold distribution: after level 5 starts, the number of Audio packets acquired in the first 120-second period is not limited; after that, counting is done in 60-second periods, and the maximum number of Audio packets per period is 2000.
  • In system-level statistics, the service data acquisition amounts of all applications are accumulated together for threshold comparison. Statistics can also be kept per application, which is called application-level statistics; the service module then needs to count the quantity of data acquired by each application and compare each with the threshold separately.
  • In application-level statistics, if a data request is provided to multiple applications, the amount of data can be shared evenly among the participating applications in the per-application statistics.
  • The above quantity values are set arbitrarily. The method of sample training can be used: for example, with all everyday applications installed at the beginning guaranteed to be normal, the "quantity-time period" distribution of data acquisition is counted for one or more service modules as a whole, or counted separately for each single application, and the state of each system factor at the time the distribution is counted is recorded in association with it.
  • The former corresponds to the threshold description in the foregoing embodiment of the present application; the combination of system factors in the latter corresponds to the description of user scenarios.
  • The statistical method can draw on Naive Bayes classification, as commonly used for classification, to infer user scenarios in reverse from the time distribution of data acquisition.
  • Step 402: Set the thresholds as shown in FIG. 3 to the corresponding service modules respectively. The threshold value includes the limit on the number of data accesses in the specified time period. The threshold can be pre-configured or dynamically adjusted, and can include several time periods and the actual amount of data that can be obtained in each. The data counted can be the user data request size on the service module interface, or other interface access requests; the two can also be combined and converted to the same unit of measure according to a predetermined coefficient.
  • Step 403: According to the "quantity-time period" threshold setting value corresponding to the newly activated level, the one or more service modules start counting the actual amount of data acquired in each threshold time period and determine whether it exceeds the threshold setting value. If the threshold used in the judgment is for the whole system, the system-wide statistical value is compared; if the threshold is for a single application, each application's individual statistical value is compared. If the threshold is found to be exceeded, a system-level exception or an application-level exception is marked. The former will generally contain a list of the applications related to the threshold, while the latter may involve only a single application. The service module can optionally prohibit the applications involved in the system-level or application-level exception from continuing their data requests.
  • The one or more service modules enable access count statistics and monitor, according to the currently updated access threshold values, whether an exception exceeding the threshold occurs. For an application-level threshold, if the number of service requests of an application is detected to exceed the threshold setting, an application-level exception is marked. For a system-level threshold, if the number of service requests of all the applications it covers is detected to exceed the threshold setting, a system-level exception is marked, and further interface services are optionally rejected.
  • Step 404: This is a continuation of the previous step. The user is prompted about the abnormal access event, and access details such as the list of related applications are displayed. The user selects a further processing operation, such as ignoring the event, adjusting the threshold, or uninstalling the application; the access level configuration and threshold content are then updated to the one or more service modules according to the user's selection, and abnormality monitoring continues.
  • The user's selection information is used to correct unreasonable level determinations and unreasonable threshold settings in the preceding steps, so as to meet the user's demand for access restrictions as accurately as possible.
  • The user is prompted that an abnormal access event has occurred, and access details such as the list of related applications are displayed. The user can choose a further processing operation, such as ignoring the event, adjusting the threshold, or uninstalling the application; the access level configuration and threshold content are then updated to the one or more service modules according to the user's choice, and abnormality monitoring continues.
  • The method, apparatus, terminal, and storage medium for application access processing proposed by the embodiments of the present application supplement the common authorization method of privacy control: after access permissions are enabled, access by the application to privacy services can still continue to be restricted, so that user privacy continues to be protected. In addition, for general service access this also has a certain effect on power consumption control.
  • The division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed cooperatively by several physical components.
  • Some or all physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit.
  • Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media).
  • Computer storage media include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules or other data.
  • Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cartridges, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store desired information and that can be accessed by a computer.
  • Communication media typically embody computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and can include any information delivery media, as is well known to those of ordinary skill in the art.
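
The "quantity-time period" thresholds and the system-level and application-level counting described in steps 401-403 can be sketched as follows. This is an added example, not code from the patent: the class and function names, the `repeating` flag, the app names and the use of the same threshold list for both scopes are assumptions made for illustration; only the three threshold values are taken from the text.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

UNLIMITED = -1  # the text's "-1": no limit on quantity


@dataclass(frozen=True)
class Segment:
    quantity: int             # max units per period (frames, packets, ...)
    period: Optional[float]   # seconds; None stands for the text's NULL (no time limit)
    repeating: bool = False   # False: "the first N seconds"; True: "the next N-second periods"


# The three worked thresholds quoted in the text, keyed by (level, module).
THRESHOLDS = {
    (1, "Camera"): [Segment(0, 10)],
    (2, "Audio"): [Segment(50, 30)],
    (5, "Audio"): [Segment(UNLIMITED, 120), Segment(2000, 60, repeating=True)],
}


def locate(segments, elapsed):
    """Map a time offset since level activation to (window_id, quantity_limit).

    window_id is None when the offset lies outside every configured period,
    which the text treats as "acquisition prohibited".
    """
    start = 0.0
    for index, seg in enumerate(segments):
        if seg.period is None:
            return (index, 0), seg.quantity
        if seg.repeating:
            return (index, int((elapsed - start) // seg.period)), seg.quantity
        if elapsed < start + seg.period:
            return (index, 0), seg.quantity
        start += seg.period
    return None, 0


class ServiceModuleMonitor:
    """Counts data acquisition for one service module under one active level."""

    def __init__(self, segments, activated_at, scope="system"):
        if scope not in ("system", "application"):
            raise ValueError("scope must be 'system' or 'application'")
        self.segments = segments
        self.activated_at = activated_at
        self.scope = scope
        self.counts = defaultdict(float)  # (window_id, counter key) -> units
        self.seen = defaultdict(set)      # window_id -> apps that contributed
        self.exceptions = []              # (scope, time, related apps)

    def record(self, now, apps, units):
        """Account for `units` of data served to `apps`; False marks an exception."""
        if not apps:
            raise ValueError("a data request must be served to at least one app")
        window, limit = locate(self.segments, now - self.activated_at)
        if window is None:
            self.exceptions.append((self.scope, now, sorted(apps)))
            return False
        self.seen[window].update(apps)
        if self.scope == "system":
            shares = {"*": float(units)}  # all applications accumulate together
        else:
            shares = {app: units / len(apps) for app in apps}  # shared evenly
        over = []
        for key, share in shares.items():
            self.counts[(window, key)] += share
            if limit != UNLIMITED and self.counts[(window, key)] > limit:
                over.append(key)
        if not over:
            return True
        related = sorted(self.seen[window]) if self.scope == "system" else sorted(over)
        self.exceptions.append((self.scope, now, related))
        return False


if __name__ == "__main__":
    # Constructed sample traffic: level 2 is activated at t=0 for the Audio module.
    audio = ServiceModuleMonitor(THRESHOLDS[(2, "Audio")], activated_at=0.0)
    for t, app, packets in [(5, "app.a", 50), (10, "app.b", 1), (40, "app.a", 1)]:
        print(t, app, packets, "allowed" if audio.record(t, [app], packets) else "EXCEPTION")
    print(audio.exceptions)
```

A `False` return only marks the exception; whether the service module also refuses the request is left to the caller, matching the text's "optionally".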

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

An application access processing method and apparatus, a terminal, and a storage medium. The method comprises: monitoring an application state and a physical device state of the terminal (S110); determining access control levels of one or more service modules of the terminal according to the monitored application state and physical device state (S120); and performing, by the one or more service modules of the terminal, application access processing according to the access control levels (S130).

Description

A method, apparatus, terminal and storage medium for application access processing
Cross-Reference to Related Applications
This application is based on the Chinese patent application with the application number 202010603228.5 and the filing date of June 29, 2020, and claims the priority of that Chinese patent application. The entire content of that Chinese patent application is incorporated herein by reference.
Technical Field
The present application relates to the field of communication technologies, and in particular to a method, apparatus, terminal and storage medium for application access processing.
Background
With the continuous development of mobile Internet technology, terminals have become an indispensable part of many people's lives, but at the same time personal privacy information is to a large extent obtainable by the mobile devices in use, for example through photographing, audio recording, location and activity tracks, and file sending. How to limit the acquisition of private content that the user does not expect has therefore become one of the core issues of terminal design.
Summary of the Invention
The embodiments of the present application provide a method, apparatus, terminal, and storage medium for application access processing.
An embodiment of the present application provides a method for application access processing. The method includes the following steps: monitoring an application state and a physical device state of a terminal; determining the access control level of one or more service modules of the terminal according to the monitored application state and physical device state; and performing, by the one or more service modules of the terminal, application access processing according to the access control level.
An embodiment of the present application provides an apparatus for application access processing, including: a monitoring module, configured to monitor the application state and physical device state of the terminal; an acquisition module, configured to determine the access control level of one or more service modules of the terminal according to the monitored application state and physical device state; and a processing module, configured so that the one or more service modules of the terminal perform application access processing according to the access control level.
An embodiment of the present application further proposes a terminal. The terminal includes a memory, a processor, a program stored on the memory and executable on the processor, and a data bus configured to implement connection and communication between the processor and the memory; the program, when executed by the processor, implements the steps of the aforementioned method.
The present application provides a computer-readable storage medium. The storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the steps of the aforementioned method.
Brief Description of the Drawings
FIG. 1 is a schematic flowchart of an application access processing method provided according to an embodiment of the present application.
FIG. 2 is a schematic block diagram of an application access processing apparatus provided according to an embodiment of the present application.
FIG. 3 is a schematic diagram of the architecture in which the application access processing method provided according to the embodiment of the present application runs.
FIG. 4 is a flowchart of an abnormal application detection method based on access level restriction provided according to an embodiment of the present application.
具体实施方式detailed description
应当理解,此处所描述的具体实施例仅仅用以解释本申请,并不用于限定本申请。It should be understood that the specific embodiments described herein are only used to explain the present application, but not to limit the present application.
在后续的描述中,使用用于表示元件的诸如“模块”、“部件”或“单元”的后缀仅为了有利于本申请的说明,其本身没有特有的意义。因此,“模块”、“部件”或“单元”可以混合地使用。In the following description, suffixes such as 'module', 'component' or 'unit' used to represent elements are used only to facilitate the description of the present application, and have no specific meaning per se. Thus, "module", "component" or "unit" may be used interchangeably.
在一实施例中,如图1所示,本实施例提供了一种应用访问处理方法,该方法可以包括以下步骤:In one embodiment, as shown in FIG. 1 , this embodiment provides a method for processing application access, which may include the following steps:
步骤S110:监测终端的应用状态和物理设备状态;Step S110: monitor the application state and physical device state of the terminal;
步骤S120:根据所监测到的应用状态和物理设备状态,确定所述终端一个或多个服务模块的访问控制级别;Step S120: Determine the access control level of one or more service modules of the terminal according to the monitored application state and physical device state;
步骤S130:所述终端一个或多个服务模块根据所述访问控制级别进行应用访问处理。Step S130: One or more service modules of the terminal perform application access processing according to the access control level.
The application state includes any one or a combination of the following: CPU state, memory state, process state, and statistical indicator data state. The physical device state includes the access state or running state of the physical device; specifically, the access state or running state of the physical device includes: WIFI state, Bluetooth state, screen display state, data state, and flight mode state. The access control level includes one or more of the following: system-level access control level, application-level access control level. The one or more service modules may be preset.
The embodiments of the present application further include: establishing and saving a system-level level relationship table by associating multiple application states and physical device states of the terminal with different system-level access control levels respectively; and establishing and saving an application-level level relationship table by associating multiple application states and physical device states of the terminal with different application-level access control levels respectively. The system-level access control level is used for statistical judgment of the overall service access of all the applications on a service module.
The embodiments of the present application further include: establishing a system-level threshold setting value relationship table by associating each system-level access control level with the threshold setting values of one or more service modules respectively; and establishing an application-level threshold setting value relationship table by associating each application-level access control level with the threshold setting values of one or more service modules respectively; wherein the system-level threshold setting value is greater than the application-level threshold setting value. The application-level access control level is a level that applies to a single application.
In some examples, obtaining the access control level of one or more service modules of the terminal according to the monitored application state and physical device state includes: obtaining, from the pre-stored system-level level relationship table, the system access control level of the one or more service modules of the terminal that corresponds to the monitored application state and physical device state; and obtaining, from the pre-stored application-level level relationship table, the application access control level of the one or more service modules of the terminal that corresponds to the monitored application state and physical device state.
In some examples, the one or more service modules of the terminal performing application access processing according to the access control level includes: when the access control level is a system-level access control level, the one or more service modules of the terminal use the system-level level relationship table to perform application access processing; when the access control level is an application-level access control level, the one or more service modules of the terminal use the application-level level relationship table to perform application access processing. The application access processing consists of prohibiting access to the corresponding application data at the system level or the application level.
In an embodiment, an application access processing apparatus is provided. FIG. 2 is a schematic diagram of an application access processing apparatus provided in Embodiment 2 of the present application. As shown in FIG. 2, the apparatus may include: a monitoring module 201, an acquisition module 202, and a processing module 203.
The monitoring module 201 is configured to monitor the application state and physical device state of the terminal; the acquisition module 202 is configured to determine the access control level of one or more service modules of the terminal according to the monitored application state and physical device state; the processing module 203 is configured so that the one or more service modules of the terminal perform application access processing according to the access control level.
In an embodiment, a terminal is provided. The terminal may include a memory, a processor, a program stored on the memory and executable on the processor, and a data bus configured to implement connection and communication between the processor and the memory. When executed by the processor, the program carries out the application access processing method described in the above embodiments, implementing the specific steps shown in FIG. 1.
In an embodiment, a computer-readable storage medium is also provided. The computer-readable storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to carry out the application access processing method described in the above embodiments, implementing the specific steps shown in FIG. 1.
In an implementation, the application access processing method may run in the architecture shown in FIG. 3. As shown in FIG. 3, the architecture includes the following units: an access control level calculation unit 11, an access threshold configuration unit 12, an access statistics and abnormal monitoring unit 13, and an abnormal event processing unit 14; applications 1-N of the application layer, the Framework/service system, hardware abstraction layer (HAL) services 1-J, and drivers 1-I of the kernel layer; and the newly added service modules A1-AL, B1-BJ and C1-CI distributed across the service modules. In "Access statistics and abnormal monitoring: ABC 13", the ABC in the numbering stands for the newly added service modules A1-AL, B1-BJ and C1-CI distributed across one or more service modules. For each service module that needs to be monitored, the monitoring can optionally be implemented as a class A module in the framework layer, as a class B module in the hardware abstraction layer (HAL = Hardware Abstraction Layer), or as a class C module in the kernel driver layer; at least one of the three is enough to implement control and anomaly detection.
The access control level calculation unit 11 is configured to determine the access control level of one or more service modules. The level is calculated in order to select the appropriate anomaly threshold needed for monitoring by the one or more service modules, and the level and its corresponding threshold should be calculated from the application state and physical device state, so as to match the degree of control the user expects. In addition, the level may be a system-level level for the overall use of the system, meaning combined monitoring of all the applications concerned, or an application-level level for a single application, meaning each application is monitored separately.
The access threshold configuration unit 12 receives level changes from the access control level calculation unit 11 and sets them into the access statistics and abnormal monitoring unit 13; this unit mainly deals with how the threshold values corresponding to a level are represented.
The abnormal event processing unit 14 receives the abnormal event information generated by the access statistics and abnormal monitoring unit 13, and is configured to prompt the user or adjust the threshold configuration parameters in the access threshold configuration unit 12.
In an implementation, a method for detecting abnormal applications based on access level restrictions is provided. As shown in FIG. 4, it may include:
Step 401: calculate the access control level that one or more service modules are currently at according to the application state and physical device state, that is, determine to what extent access to the service module's data needs to be allowed. Data acquisition here is viewed from the user's perspective. In the actual module service, it may be an application reading data from the service module, an application sending data to the service module, or a service interface request other than user data, such as a request to open or connect to the service module. Although this kind of request does not correspond to real user data, it can be treated as a factor equivalent to user data.
The level may be a system-level level for the overall use of the system, or an application-level level for a single application. That is, the level here may be a system-level level, used for statistical judgment of the overall service access of all the applications on the service module, or an application-level level for a single application, used for statistical judgment of a single application's access on the service module. The service module subsequently selects the threshold corresponding to at least one of them for monitoring. If system-level and application-level monitoring both need to be enabled, one level generally corresponds to two sets of threshold configurations, and the system-level threshold for a given level is generally not smaller than the application-level threshold. For simplicity and clarity, the description below uses a single set of threshold settings to stand for the case where both types of threshold are in use.
The following embodiment uses level 1-5 settings that correspond to simple user scenarios, as shown in Table 1. When the scenario condition on the right changes so that it is met, the corresponding level setting on the left is activated. The scenario conditions are defined in terms of the application state and physical device state, with the aim of inferring from them the level of control the user expects:
Table 1: Relationship between access control level and application state and physical device state
[Table 1 appears as an image in the original: Figure PCTCN2021095286-appb-000001]
The purpose of the level classification above is to map to different data acquisition thresholds for one or more service modules, so that abnormal applications can be identified. In this example, level 1 corresponds to the maximum restriction level, so its module threshold values should be the smallest. The following is an example of the corresponding table. Each intersection of a level and a module contains the threshold for a specified time period; the unit of measurement for the threshold is given in brackets after the module name. In a threshold value, -1 means the quantity is not limited, and NULL means the time period is not limited. In the form [a, b], the first element is the quantity and the second is the time period that applies to that quantity. The quantity has two sources. One is the real user data corresponding to the service module, measured either in the commonly used international data unit for that service or in an internal private data unit. The other source is service interface requests other than user data; these can be given their own quantity unit, or converted into an equivalent user data unit by a conversion algorithm. This factor is brought within the scope of control mainly because it also reflects user privacy or terminal power consumption to some degree, so the data amounts described below optionally include the data amount corresponding to this factor. For example, for the wifi service module, one search request for the wifi list can be treated as equivalent to 10KB of user data. For clarity, the description below omits the separate thresholds for this factor, as well as any equivalent threshold conversion.
In addition, the time period restriction above can take two forms. One is a single period. For example, the threshold value [0, first 10 seconds] for level 1 and Camera in Figure 3 means that a maximum of 0 frames is allowed only within the first 10-second period after level 1 is activated, which is in practice equivalent to prohibiting camera data acquisition. As another example, the threshold value [50, first 30 seconds] for level 2 and Audio means that a maximum of 50 audio packets may be acquired only within the first 30-second period after level 2 is activated, and audio data acquisition is prohibited in all later periods. The audio packet is defined by the data unit provided by the driver or by an international standard, or it can be derived from the number of interface request calls to the service module, converted by a coefficient preset for the module.
Table 2: Relationship between one or more service modules and access control levels
[Table 2 appears as an image in the original: Figure PCTCN2021095286-appb-000002]
In Table 2, the threshold values [-1, first 120 seconds], [2000, subsequent 60-second periods] for level 5 and Audio represent a more complex quantity-time period threshold distribution: after level 5 is activated, the number of Audio packets acquired is not limited during the first 120-second period; after that, counting proceeds in 60-second periods, with a maximum of 2000 Audio packets per period.
In addition, the quantity values above can be counted for the system as a whole, which is called system-level statistics: the amounts of service data acquired by all applications are added together and compared against the threshold. They can also be counted per application, which is called application-level statistics: the service module then has to count the quantity separately for each application that acquires data, and judge each against the threshold. In application-level statistics, if one data request serves multiple applications, the data amount can be shared equally among the participating applications when counting per application.
The quantity values above are set rather arbitrarily. In practice, to judge abnormal applications accurately, a sample-training approach can be used. For example, with all the everyday applications initially installed confirmed to be normal, collect the "quantity-time period" distribution of data acquisition for one or more service modules as a whole, or separately per application, and record alongside it the state of the system factors at the time the distribution was collected. The former corresponds to the threshold values stated in the foregoing embodiments of the present application, and the latter combination of system factors corresponds to the user scenario description. The statistical method can draw on naive Bayes classification, commonly used for classification, to infer the user scenario from the time distribution of data acquisition.
Step 402: set the threshold values as in Figure 3 above into the corresponding service modules respectively.
The newly calculated preset threshold values corresponding to each access level are set into their respective service modules. A threshold value includes a limit on the quantity of data access within a specified time period. The threshold can be pre-configured or dynamically adjusted, and can include several time periods and the actual amount of data that may be acquired in each. The data being counted can be the size of user data requests on the service module interface, or other interface access requests; the two can also be merged and converted into a single unit of measurement using a predetermined coefficient.
Step 403: based on the "quantity-time period" threshold setting values corresponding to the newly activated level, the one or more service modules start counting, per threshold time period, the amount of data actually acquired within that period, and judge whether it exceeds the threshold setting value. If the threshold used for the judgment applies to the system as a whole, the system-wide count is compared; if the threshold applies to a single application, each application's individual count is compared. If a threshold is found to be exceeded, a system-level anomaly or an application-level anomaly is marked. The former generally includes a list of the applications related to the exceeded threshold, while the latter may involve only a single application. Optionally, further data requests at the system level or application level are prohibited.
Based on the currently updated access threshold values, the one or more service modules enable access counting and monitor whether a threshold-exceeding anomaly occurs. For an application-level threshold, if the number of service requests from one application is detected to exceed the threshold setting, an application-level anomaly is marked. For a system-level threshold, if the number of service requests from all the applications concerned is detected to exceed the threshold setting, a system-level anomaly is marked, and further interface service can optionally be refused.
Step 404 continues the processing of the previous step. Based on the system-level or application-level anomaly mark, the user is notified of this abnormal access event and shown access details such as the list of related applications. The user chooses a further action, including ignoring the event, adjusting the threshold, or uninstalling the application; the access level configuration and threshold content are then updated in the one or more service modules according to the user's choice, and anomaly monitoring continues. The user's choice is used to adjust any unreasonable level determination and unreasonable threshold setting from the preceding steps, so as to meet the user's access restriction needs as accurately as possible.
Based on the system-level or application-level anomaly mark, the user is notified that an abnormal access event has occurred and shown access details such as the list of related applications. The user chooses a further action, including ignoring the event, adjusting the threshold, or uninstalling the application; the access level configuration and threshold content are then updated in the one or more service modules according to the user's choice, and anomaly monitoring continues.
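The counting rule of steps 402 and 403, as an added Python example that is not code from the patent: it encodes the "quantity-time period" thresholds quoted in the text (-1 as unlimited, NULL as no time bound, single and recurring periods) and marks system-level or application-level anomalies, sharing one request's amount equally among the applications it serves. The names `Window`, `locate` and `ServiceMonitor` and the anomaly tuple format are assumptions; a limit of 0 once the last single period has elapsed follows the text's reading of [50, first 30 seconds].

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

UNLIMITED = -1  # the page's "-1": quantity is not limited


@dataclass(frozen=True)
class Window:
    limit: int                # maximum units allowed in the window, or UNLIMITED
    length: Optional[float]   # window length in seconds; None is the page's NULL
    recurring: bool = False   # True for "subsequent N-second periods"


# Threshold values quoted in the page's text (Table 2 itself is an image).
LEVEL1_CAMERA = [Window(0, 10)]                      # [0, first 10 s]
LEVEL2_AUDIO = [Window(50, 30)]                      # [50, first 30 s]
LEVEL5_AUDIO = [Window(UNLIMITED, 120),              # [-1, first 120 s]
                Window(2000, 60, recurring=True)]    # [2000, subsequent 60 s periods]


def locate(windows, elapsed):
    """Return (window key, limit) for a time offset since the level started.

    Past the last listed single period the limit is 0: acquisition is
    prohibited outside the listed period.
    """
    start = 0.0
    for i, w in enumerate(windows):
        if w.length is None:            # NULL: one window with no time bound
            return (i, 0), w.limit
        if w.recurring:                 # repeats until the level changes
            return (i, int((elapsed - start) // w.length)), w.limit
        if elapsed < start + w.length:
            return (i, 0), w.limit
        start += w.length
    return ("closed", 0), 0


class ServiceMonitor:
    """Counter for one service module under one active level (assumed name)."""

    def __init__(self, module, windows, scope):
        if scope not in ("system", "app"):
            raise ValueError("scope must be 'system' or 'app'")
        self.module, self.windows, self.scope = module, list(windows), scope
        self.activate(0.0)

    def activate(self, now):
        """Step 402: thresholds of a newly started level arrive; restart counting."""
        self.t0 = now
        self.per_app = defaultdict(float)   # (window key, app) -> units
        self.total = defaultdict(float)     # window key -> units over all apps

    def record(self, now, apps, units):
        """Step 403: count one request and return the anomaly marks it causes.

        `apps` lists every application served by the request; for per-app
        statistics the amount is shared equally among them.
        """
        key, limit = locate(self.windows, now - self.t0)
        share = units / len(apps)
        for app in apps:
            self.per_app[(key, app)] += share
        self.total[key] += units
        if limit == UNLIMITED:
            return []
        if self.scope == "system":
            if self.total[key] <= limit:
                return []
            # A system-level mark carries the list of applications involved.
            involved = sorted(a for (k, a), n in self.per_app.items()
                              if k == key and n > 0)
            return [("system", self.module, involved)]
        return [("app", self.module, [a]) for a in apps
                if self.per_app[(key, a)] > limit]


def demo():
    """Constructed request sequence against the level 5 Audio thresholds."""
    m = ServiceMonitor("Audio", LEVEL5_AUDIO, "system")
    m.activate(1000.0)
    return [m.record(1010.0, ["app.a"], 5000),           # unlimited first 120 s
            m.record(1130.0, ["app.a", "app.b"], 1500),  # first 60 s period
            m.record(1150.0, ["app.c"], 600),            # 2100 > 2000: marked
            m.record(1185.0, ["app.c"], 600)]            # next period, count resets


if __name__ == "__main__":
    for marks in demo():
        print(marks)
```

The marks returned by `record` are what step 404 would present to the user together with the application list.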
It should be noted that the above method for detecting abnormal applications based on access level restrictions can also be applied in the relevant steps of the application access processing method.
The application access processing method, apparatus, terminal and storage medium proposed by the embodiments of the present application supplement the common authorization-based privacy control and enable-based access control approaches. That is, even if the user has granted an application certain permissions, the application's access to privacy-related services can still be restricted, so that user privacy remains protected. In addition, control of general service access also has some effect on power consumption control.
Those of ordinary skill in the art will understand that all or some of the steps in the methods disclosed above, and the functional modules/units in the systems and devices, can be implemented as software, firmware, hardware, and appropriate combinations thereof.
In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules or other data). Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cartridges, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically contain computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
Some embodiments of the present application have been described above with reference to the accompanying drawings, and this does not limit the scope of rights of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and essence of the present application shall fall within the scope of rights of the present application.

Claims (10)

  1. A method for application access processing, comprising the following steps:
    monitoring the application state and physical device state of a terminal;
    determining the access control level of one or more service modules of the terminal according to the monitored application state and physical device state;
    the one or more service modules of the terminal performing application access processing according to the access control level.
  2. The method according to claim 1, wherein the application state includes any one or a combination of the following: CPU state, memory state, process state, and statistical indicator data state; the physical device state includes: the access state or running state of a physical device of the terminal; the access control level includes one or more of the following: system-level access control level, application-level access control level.
  3. The method according to claim 1, further comprising:
    establishing and saving a system-level level relationship table by associating multiple application states and physical device states of the terminal with different system-level access control levels respectively;
    establishing and saving an application-level level relationship table by associating multiple application states and physical device states of the terminal with different application-level access control levels respectively.
  4. The method according to claim 1, further comprising:
    establishing a system-level threshold setting value relationship table by associating each system-level access control level with the threshold setting values of one or more service modules respectively;
    establishing an application-level threshold setting value relationship table by associating each application-level access control level with the threshold setting values of one or more service modules respectively;
    wherein the system-level threshold setting value is greater than the application-level threshold setting value.
  5. The method according to claim 3, wherein determining the access control level of one or more service modules of the terminal according to the monitored application state and physical device state comprises:
    obtaining, according to the monitored application state and physical device state, the system access control level of the one or more service modules of the terminal corresponding to the application state and physical device state from the pre-stored system-level level relationship table;
    obtaining, according to the monitored application state and physical device state, the application access control level of the one or more service modules of the terminal corresponding to the application state and physical device state from the pre-stored application-level level relationship table.
  6. The method according to claim 3, wherein the one or more service modules of the terminal performing application access processing according to the access control level comprises:
    when the access control level is a system-level access control level, the one or more service modules of the terminal using the system-level level relationship table to perform application access processing;
    when the access control level is an application-level access control level, the one or more service modules of the terminal using the application-level level relationship table to perform application access processing.
  7. The method according to claim 6, wherein the application access processing consists of prohibiting access to the corresponding application data at the system level or the application level.
  8. An apparatus for abnormal application detection, comprising:
    a monitoring module, configured to monitor the application state and physical device state of a terminal;
    an acquisition module, configured to determine the access control level of one or more service modules of the terminal according to the monitored application state and physical device state;
    a processing module, configured so that the one or more service modules of the terminal perform application access processing according to the access control level.
  9. A terminal, comprising a memory, a processor, a program stored on the memory and executable on the processor, and a data bus configured to implement connection and communication between the processor and the memory, wherein the program, when executed by the processor, implements the steps of the method for abnormal application detection according to any one of claims 1-7.
  10. A computer-readable storage medium storing one or more programs, wherein the one or more programs can be executed by one or more processors to implement the steps of the method for abnormal application detection according to any one of claims 1 to 7.
PCT/CN2021/095286 2020-06-29 2021-05-21 Application access processing method and apparatus, terminal, and storage medium WO2022001475A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010603228.5 2020-06-29
CN202010603228.5A CN113873504A (en) 2020-06-29 2020-06-29 Application access processing method, device, terminal and storage medium

Publications (1)

Publication Number Publication Date
WO2022001475A1 (en) 2022-01-06

Family

ID=78980925

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/095286 WO2022001475A1 (en) 2020-06-29 2021-05-21 Application access processing method and apparatus, terminal, and storage medium

Country Status (2)

Country Link
CN (1) CN113873504A (en)
WO (1) WO2022001475A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826785A (en) * 2022-06-29 2022-07-29 湖北芯擎科技有限公司 Dynamic protection method, system-on-chip, electronic device and medium

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114745191B (en) * 2022-04-22 2024-03-08 中国电力科学研究院有限公司 Trusted real-time measurement method, device, equipment and medium for energy internet terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013116856A1 (en) * 2012-02-02 2013-08-08 Seven Networks, Inc. Dynamic categorization of applications for network access in a mobile network
CN105227572A (en) * 2015-10-19 2016-01-06 武汉大学 Based on the access control system of context aware and method on a kind of mobile platform
CN107704754A (en) * 2017-08-22 2018-02-16 努比亚技术有限公司 A kind of terminal control method and device, computer-readable recording medium
CN108875356A (en) * 2018-05-29 2018-11-23 努比亚技术有限公司 A kind of data access method, terminal and computer readable storage medium

Also Published As

Publication number Publication date
CN113873504A (en) 2021-12-31


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21832840

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 15/05/2023)

122 Ep: pct application non-entry in european phase

Ref document number: 21832840

Country of ref document: EP

Kind code of ref document: A1