Security detection method, apparatus, device, and medium

By classifying the application's display interface and simulating trigger operations, the page classification model is used to detect security vulnerabilities in the application, solving the problem of user data leakage caused by the difficulty in identifying control elements, and achieving more efficient security detection and protection.

CN115758364BActive Publication Date: 2026-06-26TENCENT TECHNOLOGY (SHENZHEN) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
TENCENT TECHNOLOGY (SHENZHEN) CO LTD
Filing Date
2022-12-06
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

Existing technologies are insufficient to effectively detect security vulnerabilities in applications, especially when control elements are difficult to identify, which may lead to user data leaks and violations of privacy protection policies.

Method used

A page classification model is used to take screenshots of the application's display interface. Based on the page types obtained from training on historical program screenshots, simulated trigger operations are performed and response data is analyzed to determine whether there are any security risks.

Benefits of technology

By applying the page classification model, the page type of the application can be accurately identified and simulated trigger operations can be executed, which improves the efficiency and accuracy of security detection and ensures the safe use of the application and the protection of user data.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115758364B_ABST
    Figure CN115758364B_ABST
Patent Text Reader

Abstract

The application discloses a security detection method, device and equipment and a medium, and relates to the field of data security. The security detection method is executed by a security program, and the method comprises the following steps: acquiring a program screenshot corresponding to a display interface of a to-be-detected program; determining a page type of the program screenshot based on a page classification model, wherein the page classification model is trained according to a plurality of historical program screenshots of at least one application program; determining a simulated trigger operation corresponding to the display interface based on the page type, executing the simulated trigger operation on the display interface, and acquiring response data of the to-be-detected program to the simulated trigger operation; and determining whether the to-be-detected program has a security risk according to the response data. The embodiment provides a security detection method for an application program, so that the security management of the application program is enhanced, the safe use of the application program is ensured, and the security of user data is protected.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of data security, and in particular to a security detection method, apparatus, equipment and medium. Background Technology

[0002] As people's needs continue to increase, more applications are being installed on terminals.

[0003] For any application, it's typically necessary to monitor the control elements on its display interface. When a triggering operation occurs on a control element, the corresponding triggering behavior is executed. In some implementation scenarios, certain triggering behaviors executed by the application may pose security risks, such as violating privacy policies or unauthorized acquisition of user data. To ensure the secure use of the application and the protection of user data, security testing of the application is usually required. Summary of the Invention

[0004] This application provides a security detection method, apparatus, device, and medium, which can provide a new security detection method to ensure the secure use of applications and protect user data. The technical solution is as follows:

[0005] According to one aspect of this application, a security detection method is provided, the method being executed by a security program, the method comprising:

[0006] Obtain a screenshot of the program's interface corresponding to the program under test;

[0007] Based on the page classification model, the page type of the program screenshot is determined. The page classification model is trained based on multiple historical program screenshots of at least one application.

[0008] Based on the page type, determine the simulated trigger operation corresponding to the display interface, execute the simulated trigger operation on the display interface, and obtain the response data of the program under test to the simulated trigger operation;

[0009] Based on the response data, determine whether the tested program has any security vulnerabilities.

[0010] According to one aspect of this application, a security detection device is provided, the device comprising:

[0011] The acquisition module is used to acquire screenshots of the program's display interface.

[0012] The determination module is used to determine the page type of the program screenshot based on the page classification model, which is trained based on multiple historical program screenshots of at least one application.

[0013] The acquisition module is also used to determine the simulated trigger operation corresponding to the display interface based on the page type, execute the simulated trigger operation on the display interface, and obtain the response data of the tested program to the simulated trigger operation;

[0014] The determination module is also used to determine whether there are any security risks in the program under test based on the response data.

[0015] According to one aspect of this application, a computer device is provided, the computer device including a memory and a processor; the memory stores at least one piece of program code, which is loaded and executed by the processor to implement the security detection method as described above.

[0016] According to one aspect of this application, a computer-readable storage medium is provided, in which a computer program is stored, the computer program being executed by a processor to implement the security detection method described above.

[0017] According to one aspect of this application, a chip is provided, the chip including programmable logic circuitry and / or program instructions, for implementing the security detection method described above when an electronic device on which the chip is installed is running.

[0018] According to one aspect of this application, a computer program product is provided, comprising computer instructions stored in a computer-readable storage medium, wherein a processor reads from and executes the computer instructions to implement the security detection method described above.

[0019] The beneficial effects of the technical solutions provided in this application include at least the following:

[0020] This paper presents a security testing method for applications to enhance application security management, ensure secure application use, and protect user data security. Specifically, based on a page classification model, the method categorizes the screenshots corresponding to the displayed interface of the program under test into different page types. Then, based on the response data under different page types, it determines whether the program under test has any security vulnerabilities. Attached Figure Description

[0021] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0022] Figure 1 This is a schematic diagram of a computer system provided in an exemplary embodiment of this application;

[0023] Figure 2 This is a flowchart of a security detection method provided in an exemplary embodiment of this application;

[0024] Figure 3 This is a flowchart of a training page classification model provided in an exemplary embodiment of this application;

[0025] Figure 4 This is a flowchart of a training page classification model provided in an exemplary embodiment of this application;

[0026] Figure 5 This is a flowchart illustrating image clustering provided in an exemplary embodiment of this application;

[0027] Figure 6 This is a schematic diagram of a display page for a permission authorization type provided in an exemplary embodiment of this application;

[0028] Figure 7 This is a schematic diagram of a login type display page provided in an exemplary embodiment of this application;

[0029] Figure 8 This is a flowchart of a security detection method provided in an exemplary embodiment of this application;

[0030] Figure 9 This is a flowchart illustrating the triggering behavior of the program under test, provided in an exemplary embodiment of this application.

[0031] Figure 10 This is a schematic diagram illustrating the execution of different triggering behaviors provided in an exemplary embodiment of this application;

[0032] Figure 11 This is a flowchart of a security detection method provided in an exemplary embodiment of this application;

[0033] Figure 12 This is a schematic diagram of a security detection device provided in an exemplary embodiment of this application;

[0034] Figure 13 This is a schematic diagram of the structure of a computer device provided in an exemplary embodiment of this application. Detailed Implementation

[0035] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.

[0036] It should be understood that "several" in this article refers to one or more, and "multiple" refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone. The character " / " generally indicates that the preceding and following related objects have an "or" relationship.

[0037] First, a brief introduction to the terms used in the embodiments of this application will be given.

[0038] Artificial Intelligence (AI) is the theory, methods, technology, and application systems that use digital computers or machines controlled by digital computers to simulate, extend, and expand human intelligence, perceive the environment, acquire knowledge, and use that knowledge to achieve optimal results. In other words, AI is a comprehensive technology within computer science that attempts to understand the essence of intelligence and produce a new kind of intelligent machine that can react in a way similar to human intelligence. AI studies the design principles and implementation methods of various intelligent machines, enabling them to possess the functions of perception, reasoning, and decision-making.

[0039] Artificial intelligence (AI) is a comprehensive discipline encompassing a wide range of fields, including both hardware and software technologies. Fundamental AI technologies generally include sensors, dedicated AI chips, cloud computing, distributed storage, big data processing, operating / interactive systems, and mechatronics. AI software technologies primarily include computer vision, speech processing, natural language processing, and machine learning / deep learning.

[0040] Security program: refers to an application program used to maintain terminal security.

[0041] Endpoint security involves multiple aspects, including data security, privacy protection, and virus detection. For example, a security program can be any of the applications related to endpoint security, such as endpoint management applications, virus scanning applications, and privacy detection applications.

[0042] The program under test refers to any application launched by the user.

[0043] It should be understood that the program under test is an application launched by the user in real time. For example, the program under test may be a chat application, a game application, etc., launched by the user in real time. In some embodiments, the program under test may be an application that comes pre-installed on the terminal, an application that can be downloaded and / or installed from an application store associated with the terminal, or an application that the user downloads and / or installs through an external link. This application does not limit the type, source, installation location, or operation method of the program under test; the program under test can be any type of application.

[0044] Page classification model: An AI model provided in the embodiments of this application.

[0045] As an illustration, the page classification model is trained based on multiple historical screenshots of at least one application, and is used to classify the displayed pages of the application. The historical screenshots indicate the interface images of a particular application's historical displayed pages, and can be obtained by taking screenshots. The model training process will be described in detail below and is omitted here.

[0046] In some embodiments, the page classification model is used as follows: the security program obtains the page classification model; after the user launches the program under test in real time, the security program can take a screenshot of the current display interface of the program under test to obtain the program screenshot corresponding to the current display interface; subsequently, the security program inputs the program screenshot into the page classification model, and the page classification model outputs the page type of the program screenshot.

[0047] After determining the page type of the program screenshot, the response data corresponding to the program under test can be obtained to determine whether the program under test has any security risks (i.e., the security detection method provided in this application), the details of which will be elaborated below.

[0048] Figure 1 The diagram illustrates a computer system 100 provided in an exemplary embodiment of this application. The computer system 100 includes a training device 110 for a page classification model and a device 120 for using the page classification model. The training device 110 sends the trained page classification model to the device 120. The page classification model is an AI model that applies the security detection method provided in this application.

[0049] The training device 110 and the user device 120 can be computer devices with machine learning capabilities, such as terminals or servers.

[0050] Optionally, the training device 110 and the user device 120 can be the same computer device, or they can be different computer devices. Furthermore, when the training device 110 and the user device 120 are different devices, they can be of the same type, such as both being servers; or they can be of different types, such as the training device 110 being a server and the user device 120 being a terminal. The server can be an independent physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms. The terminal can be a smartphone, tablet, laptop, desktop computer, smart TV, in-vehicle terminal, wearable device, or smart speaker, but is not limited to these. Terminals and servers can be connected directly or indirectly via wired or wireless communication, and this application does not impose any restrictions on this.

[0051] During model training, the training device 110 needs to acquire multiple historical screenshots of at least one application, with each historical screenshot corresponding to the historical display interface of an application.

[0052] It should be noted that before and during the collection of user data (including but not limited to historical program screenshots), a prompt interface, pop-up window, or voice prompt message can be displayed. This prompt interface, pop-up window, or voice prompt message is used to inform the user that their data is currently being collected. This ensures that the application only begins executing the steps related to collecting user data after receiving confirmation from the user regarding the prompt interface or pop-up window; otherwise (i.e., without receiving confirmation from the user), the steps related to collecting user data end, meaning no user data is collected. In other words, all user data collected in this application is collected with the user's consent and authorization, and the collection, use, and processing of relevant user data must comply with the relevant laws, regulations, and standards of the relevant countries and regions. In the following embodiments, all steps involving data collection, use, and processing should be carried out with the user's consent and authorization, and in compliance with the relevant laws, regulations, and standards of the relevant countries and regions, and will not be elaborated further.

[0053] Figure 2The diagram illustrates a flowchart of a security detection method provided in an exemplary embodiment of this application, which is executed by a security program. The security program refers to an application used to maintain terminal security, and can be any of the terminal security-related applications such as terminal management applications, virus scanning applications, and privacy detection applications.

[0054] In this embodiment, the security program is used to detect whether the program under test has any security vulnerabilities. The program under test refers to any application launched by the user. It should be understood that the program under test is an application launched by the user in real time. This application does not limit the type, source, installation location, or operation method of the program under test; the program under test can be any type of application.

[0055] As an illustration, the security detection method provided in this application includes the following steps:

[0056] Step 101: Obtain a screenshot of the program's display interface.

[0057] When displaying the interface of the program under test, the terminal can take a screenshot of the interface to obtain a screenshot of the program.

[0058] It should be noted that the program screenshots obtained in this application were collected with the user's consent and authorization, and the collection, use and processing of the program screenshots involved must comply with the relevant laws, regulations and standards of the relevant countries and regions.

[0059] Step 102: Determine the page type of the program screenshot based on the page classification model.

[0060] As an illustration, the page classification model is trained based on multiple historical screenshots of at least one application. These historical screenshots indicate the interface images of a particular application's historically displayed pages, and can be obtained by taking screenshots of these historically displayed interfaces.

[0061] It should be understood that the page classification model is invoked by the security program to determine the page type of the program screenshot, thereby judging whether the tested program has any security vulnerabilities. The page classification model can be trained on a terminal with the security program installed, or it can be trained on another terminal and then sent to the terminal with the security program installed.

[0062] In some embodiments, with user consent, the terminal training the model can obtain multiple historical screenshots of at least one application. For example, it can obtain m historical screenshots of n applications, with each application corresponding to a different number of historical screenshots. Subsequently, image clustering or text recognition methods are used to process the m historical screenshots to determine the type label for each historical screenshot, thereby achieving type classification of the m historical screenshots. Based on the m historical screenshots and their corresponding type labels, a corresponding training set is constructed, thereby training the page classification model required in this embodiment of the application.

[0063] After obtaining the page classification model, the security program can input a screenshot into the model. The model then determines the page type corresponding to the screenshot. It should be understood that the page classification model can be set within the security program and called directly by it; alternatively, it can be set in other locations on the terminal where the security program is installed, or in a cloud server and called indirectly by the security program. This application does not limit the location where the page classification model is set.

[0064] It should be understood that the page types in the program screenshots can be categorized according to actual needs. For example, page types include permission authorization type, login type, and text input type. Specifically, permission authorization type refers to the page type where the displayed interface grants certain permissions (such as reading data or obtaining private data) to the program under test; login type refers to the page type where the displayed page is used to log in to the associated account of the program under test; and text input type refers to the page type where the displayed page is used to input text on the current page. It should be understood that the above types are merely illustrative examples and do not limit this application. Other classifications are also within the scope of protection of this application and will not be elaborated further.

[0065] In some embodiments, in addition to the multiple page types indicated by the page classification model, there may be cases where the page type of the program interface is unknown. This can also be understood as cases where the program interface does not belong to any of the page types indicated by the page classification model. In this case, steps 103 and 104 below will not be executed.

[0066] Step 103: Determine the simulated trigger operation corresponding to the display interface based on the page type, execute the simulated trigger operation on the display interface, and obtain the response data of the tested program to the simulated trigger operation.

[0067] After determining the page type of the screenshot, the security program can determine the simulated trigger operation corresponding to the displayed interface of the program under test based on that page type. The simulated trigger operation refers to at least one trigger operation that can be performed on the displayed interface based on that page type. For example, if the page type is a permission authorization type, the simulated trigger operations corresponding to the displayed interface include "agree" and "disagree". Specifically, a simulated trigger operation responding to "agree" can grant a certain permission to the program under test; a simulated trigger operation responding to "disagree" can refuse to grant a certain permission to the program under test.

[0068] After determining the simulated trigger operation, the security program can simulate the trigger operation on the program under test to obtain the response data of the program under test. Taking permission authorization type as an example, since the simulated trigger operation includes two types, "agree" and "disagree", the security program executes the two simulated trigger operations on the display interface (i.e., permission authorization interface) and obtains the response data of the program under test to the two simulated trigger operations respectively.

[0069] For example, for a simulated "agree" trigger, the tested program performs an operation to acquire a certain permission, and the response data can be marked as the tested program acquiring permission. For a simulated "disagree" trigger, the tested program will receive a notification from the terminal that authorization has been denied. If the tested program exits, the response data can be marked as exiting; if the tested program proceeds to the next display interface, the response data can be marked as continuing subsequent operations. Based on this, for permission authorization types, the security program will obtain the tested program's response data to at least one simulated trigger operation on the display interface to facilitate subsequent operations.

[0070] Step 104: Based on the response data, determine whether the tested program has any security vulnerabilities.

[0071] According to step 103, for different page types, the security program can obtain the response data of the tested program to at least one simulated trigger operation on the display interface. Subsequently, the security program can detect the response data. If the response data contains security vulnerabilities, the tested program is identified as having security risks; if the response data does not contain security vulnerabilities, the tested program is determined to have no security risks.

[0072] The security vulnerability in the response data can be understood as follows: based on different page types, the response of the tested program to simulated trigger operations may have terminal security risks, which may lead to risks such as the theft of user data, privacy leaks, and virus intrusion.

[0073] Furthermore, the existence of security vulnerabilities in the corresponding data can also be understood as follows: based on different page types, the tested program's response to simulated trigger operations does not comply with relevant laws and regulations. For example, for a display interface used to implement privacy authorization, its corresponding program screenshot can be used to determine the permission authorization type. If the tested program's response data to a simulated "disagree" trigger operation is marked as exiting the program, meaning the user does not agree to privacy authorization, then the user is not allowed to use the tested program. If this operation violates national laws and regulations regarding privacy authorization, then the tested program can be identified as having security risks.

[0074] In summary, this application provides a security testing method for applications (i.e., the program under test) to enhance application security management, ensure the safe use of applications, and protect user data security. Specifically, based on a page classification model, the screenshots corresponding to the display interface of the program under test can be classified into pages, facilitating the classification and testing of different functions of the program under test. Subsequently, based on the response data under different page types, it is determined whether the program under test has any security vulnerabilities, thus facilitating the management of the program under test and providing reminders to users.

[0075] In some embodiments, the page classification model can also be invoked by the program under test to trigger an operation.

[0076] The program under test is any application that the user launches in real time.

[0077] During application usage, page triggering is typically based on control elements; that is, the corresponding trigger behavior is executed by detecting trigger operations on control elements. In some scenarios (such as externally installed applications), control elements may not be recognized, which may lead to trigger failures.

[0078] In essence, the triggering schemes in related technologies primarily rely on matching control elements on the display interface to initiate the operation. Therefore, it's difficult to determine the specific type of the current display interface based on a single control element; it requires considering other different elements within the interface, leading to a more complex implementation. Furthermore, since applications may be installed via external links, there's a possibility that control elements may be difficult to identify. For example, some game applications use game frameworks for development, making it impossible to obtain the control elements in the current display interface.

[0079] As an illustration, if the program under test can call the page classification model, the following steps can be achieved:

[0080] The program under test can take screenshots of its display interface to obtain program screenshots;

[0081] Subsequently, a screenshot of the program is input into the page classification model to obtain the triggering rules corresponding to the displayed page; based on these triggering rules, the program under test can respond to triggering operations on the display interface.

[0082] Referring to the foregoing, the tested program calls the page classification model, which can avoid the possibility of control element matching failure during the triggering process. This makes page classification no longer solely dependent on control elements, and eliminates the need to use complex technical means to match other elements in the display interface, thus effectively improving triggering efficiency.

[0083] Referring to the foregoing, the page classification model is trained based on multiple historical screenshots of at least one application. The following will describe the model training process in detail:

[0084] Figure 3 This is a flowchart illustrating a training page classification model provided in an exemplary embodiment of this application. In some embodiments, the page classification model is trained by a terminal with security software installed; in other embodiments, the page classification model is trained by other terminals, and this application does not limit this.

[0085] As an illustration, the page classification model is trained through the following steps:

[0086] Step 201: Obtain multiple historical screenshots of at least one application.

[0087] Here, historical program screenshots are used to indicate the interface images of the historical display pages of a certain application, which can be obtained by taking screenshots of the historical display interfaces. In some embodiments, with the user's consent, the terminal performing model training can obtain multiple historical program screenshots of at least one application, for example, obtaining m historical program screenshots of n applications, with each application corresponding to a different number of historical program screenshots.

[0088] In some embodiments, the i-th historical program screenshot among multiple historical program screenshots is obtained by taking a screenshot of the i-th historical display interface among multiple historical display interfaces of at least one application, where i is a positive integer not less than 0.

[0089] Optionally, step 201 can be implemented as follows:

[0090] Take a screenshot of the i-th history display interface from multiple history display interfaces of at least one application to obtain the i-th history program screenshot among multiple history program screenshots.

[0091] This can be understood as follows: for at least one application, after it starts running, with the user's consent, multiple historical display interfaces can be screenshotted to obtain the historical program screenshots corresponding to each historical display interface. These historical program screenshots are used to build the training set for the page classification model.

[0092] It should be understood that in the security detection method provided in this application embodiment, the display interface of the program under test is also screenshotted to obtain a corresponding program screenshot, which is used for optimizing the training of the page classification model. The acquisition of the program screenshot also requires user consent.

[0093] Step 202: Cluster the multiple historical program screenshots to obtain the clustering results.

[0094] After obtaining multiple historical program screenshots, the terminal training the model can perform clustering on these historical program screenshots to facilitate the classification of multiple historical program screenshots.

[0095] Optionally, step 202 can be implemented as follows:

[0096] Based on the deep residual network model, multiple historical program screenshots are transformed into vector space to obtain vectors corresponding to multiple historical program screenshots. One historical program screenshot corresponds to one vector in the vector space.

[0097] A distance relation network is constructed based on the vector space. The distance relation network is used to describe the similarity between multiple historical program screenshots. The vector corresponding to a historical program screenshot is a node in the distance relation network.

[0098] Clustering of multiple historical program screenshots based on distance relationship networks yields the clustering results.

[0099] Among them, the deep residual network model can be referred to as the ResNet model.

[0100] Based on a deep residual network model, vector transformation can be performed on the original images of multiple historical program screenshots, converting them into a vector space. For example, a 512-dimensional vector can be generated for each historical program screenshot, and multiple vectors constitute the aforementioned vector space.

[0101] A distance relationship network can be constructed based on multiple vectors in a vector space. The cosine distance between two vectors in the vector space can indicate the similarity between two historical screenshots. For example, assuming there are three historical screenshots A, B, and C, if the cosine distance (A, B) < the cosine distance (A, C), then historical screenshot A and historical screenshot B are more similar.

[0102] Subsequently, based on the distance relationship network, multiple vectors in the vector space can be clustered (which can be understood as clustering multiple historical program screenshots) to obtain the clustering results. (Illustrative example) Figure 4 This application illustrates a flowchart of an exemplary embodiment of image clustering, which includes the following steps:

[0103] Step 1: Convert the image space to the vector space.

[0104] For example, a deep residual network model is used to generate a 512-dimensional vector for each image (i.e., each historical screenshot).

[0105] Step 2: Construct a distance relationship network graph.

[0106] Based on each image in step 1, each image is treated as a node in the network. If the cosine distance between two images is less than a predefined threshold (for example, the threshold is 0.05), then there is an edge between the two images.

[0107] Step 3: Calculate connected components based on the relational network graph.

[0108] For example, connected components with no more than a predefined threshold (for example, the threshold is 128) are directly treated as a single cluster; connected components with more than this threshold are fed into a k-means clustering algorithm (which can be labeled as the kmeans algorithm). Reference Figure 4 For example, k is 128.

[0109] Step 4: Combine the clusters of the small connected components and the clusters output by kmeans to obtain the final clustering result.

[0110] It should be understood that, based on the clustering process described above, it should be possible to classify multiple historical program screenshots, with each clustering result corresponding to a specific category. Step 203 can then be executed to label each clustering result.

[0111] Step 203: Obtain the type label after labeling each clustering result.

[0112] Indicatively, a type label is used to indicate a page type.

[0113] The type label is marked based on the following influencing factors: the function of multiple history display pages; the text in multiple page images; and the images in multiple page images.

[0114] Referring to the foregoing, the page types in program screenshots can be categorized according to actual needs. Exemplary page types include permission authorization types, login types, and text input types. Therefore, type tags can be understood as markers for these various page types.

[0115] It should be understood that each type tag corresponds one-to-one with a page type. Optionally, type tags include at least one of the following tags: authorization tag, login tag, and text input tag. Other type tags may exist depending on the page type, and this application does not limit this.

[0116] Figure 5 and Figure 6 The diagrams show the display pages for permission authorization types and login types, respectively. (Refer to...) Figure 5 Based on the function and text of the displayed page, as shown in (a) and (b), it can be determined that the page is used to grant privacy permissions, and therefore it can be classified as a permission authorization type; see reference. Figure 6 Based on the text in (a) and (b), it can be determined that the page is for logging in to an account, and therefore it can be identified as a login type.

[0117] Based on this, each historical program screenshot can be labeled to clearly identify its corresponding type tag.

[0118] Step 204: Construct the training set for the page classification model.

[0119] For illustration purposes, the training set includes multiple historical program screenshots and the type label corresponding to each historical program screenshot.

[0120] Referring to the foregoing, based on steps 202 and 203, multiple historical program screenshots and their corresponding type labels can be obtained; subsequently, a training set for the page classification model can be constructed based on this, facilitating model training. The naming of the historical program screenshots, i.e., the type labels, can be set according to actual needs, and this application does not impose any restrictions on this.

[0121] Step 205: Train the page classification model based on the training set.

[0122] After constructing the training set, the model can be trained based on it. Specifically, through processes such as defining the model architecture, model training, error loss calculation, and model adjustment based on the error loss, the page classification model can be finally determined. The model architecture and error loss calculation processes involved in the model training can be set according to actual needs, and this application does not impose any limitations on them.

[0123] After training the page classification model, the security program can input screenshots into the page classification model; subsequently, after the model's judgment, the security program can determine the page type corresponding to the screenshot and perform subsequent operations.

[0124] Referring to the foregoing content, Figure 7 A specific implementation method for model training is given: First, multiple historical program screenshots need to be obtained; then, the steps of classifying the screenshot data, obtaining clustering results, selecting target types, inputting target images, training the model, and outputting the classification model file are carried out step by step.

[0125] The step of selecting the target model can also be understood as the step of obtaining type labels; the target image is any one of multiple historical program screenshots. The target image is used as the input of the model for model training, and its output is the type label.

[0126] In some embodiments, multiple historical program screenshots can be obtained by taking screenshots of multiple historical display interfaces of at least one application. These multiple historical program screenshots are then clustered to obtain clustering results; subsequently, the clustering results are labeled, with each clustering result labeled as a page type (i.e., the selection target type). Based on this, a training set for the page classification model is obtained.

[0127] Subsequently, any one of multiple historical program screenshots is selected as the model input (i.e., the input target image) for model training. The input result is then compared with the page type corresponding to the historical program screenshot to output a classification model file. The classification model file includes at least one page type. For example, page types include permission authorization type, login type, and text input type. Permission authorization type refers to the page type where the display interface grants a certain permission of the terminal to the program under test; login type refers to the page type where the display page is used to log in to the associated account of the program under test; and text input type refers to the page type where the display page is used to input text on the current page. For example, if the display page is used to determine whether to grant the program under test permission to read data, it can be identified as a permission authorization type. It should be understood that the above types are merely illustrative examples of page types and do not limit this application. Other classifications are also within the scope of protection of this application and will not be elaborated further.

[0128] Furthermore, as the types and / or functions of applications increase, the page classification model can be optimized and trained. Specifically, after obtaining user consent, screenshots of newly added page applications or screenshots of newly added functions of existing page applications are obtained. These screenshots form a new training set, which is then used to optimize and train the page classification model.

[0129] It should be understood that optimizing the training of a page classification model may also lead to an increase in page types. For example, based on similar new features added to multiple applications, a new page type can be obtained through image clustering, and this page type is associated with similar new features added to multiple applications.

[0130] Based on this, the output classification model file will be updated, making the page classification model more refined in determining the type of display pages for different applications. This will improve the accuracy of page classification, further enhance the security management of applications, and further ensure the secure use of applications and the security of user data.

[0131] In summary, the embodiments of this application provide a training method for a page classification model.

[0132] This process involves clustering multiple historical screenshots to obtain clustering results, enabling the classification of these screenshots. Each clustering result is then labeled to determine the type label corresponding to each historical screenshot. Based on this, a training set can be constructed for model training. Subsequently, the multiple historical screenshots are used as model input, and the type labels are used as model output for model training, ultimately yielding the page classification model required in this embodiment.

[0133] Referring to the foregoing, in some embodiments, besides image clustering, the training set can be determined through other methods to train the page classification model. Optionally, the page classification model can also be trained through the following steps:

[0134] Obtain multiple screenshots of historical processes;

[0135] Perform text recognition on multiple historical program screenshots to obtain the text recognition results;

[0136] Obtain the type labels after marking the text recognition results. Each type label is used to indicate a page type.

[0137] Construct a training set for the page classification model. The training set includes multiple historical program screenshots and the type label corresponding to each historical program screenshot.

[0138] A page classification model is trained based on the training set.

[0139] For example, text recognition can be achieved through Optical Character Recognition (OCR). Based on OCR, text information (i.e., text recognition results) can be obtained from each historical program screenshot, and the page type can be determined based on the text information. Subsequently, the process of labeling type, building a training set, and training the model can refer to the aforementioned content and will not be repeated here.

[0140] For example, Figure 8 A flowchart of a security detection method provided in an exemplary embodiment of this application is shown. The method is executed by a security program and includes the following steps:

[0141] Step 301: After the program under test starts, obtain a screenshot of the program's display interface.

[0142] Among them, program screenshots can be achieved by taking a screenshot of the display interface of the program under test.

[0143] Step 302: Save the screenshot of the program.

[0144] It should be understood that step 302 is an optional step. During the security test of the program under test, the security program can take a screenshot of its display interface and save the screenshot. This data is used for the optimization training of the page classification model to improve the accuracy of the page classification model.

[0145] Step 303: Classify images based on the page classification model.

[0146] After taking a screenshot of the displayed interface, the security program can identify the page type by calling the page classification model, thereby determining the type of the displayed interface.

[0147] The description of the page classification model can be found in the foregoing; the training process of the page classification model is as follows: Figure 8 The step shown in the dashed box on the left is related to... Figure 7 Similarly, I will not elaborate further.

[0148] refer to Figure 8 Based on the determined category (i.e. page type), it should be possible to determine the trigger operation corresponding to the display interface of that category, and thus the trigger behavior corresponding to the trigger operation.

[0149] Step 304: Determine whether the displayed interface matches the triggering rule.

[0150] Here, the triggering rule can be understood as a one-to-one correspondence between triggering operations and responses, with one triggering operation uniquely corresponding to one response. In some embodiments, before performing security testing, the security program has pre-entered the corresponding triggering rules according to different page types. This step can be understood as determining whether the page type of the screenshot corresponding to the currently displayed page of the program under test belongs to any type included in the page classification model. Subsequently, based on the determined page type, the security program can determine that a matching triggering rule exists for that page type; if the page type is unknown, the security program can determine that no matching triggering rule exists for that page type.

[0151] For illustrative purposes, if the triggering rule is matched, step 3051 is executed; if the triggering rule is not matched, step 3052 is executed. Either step 3051 or step 3052 may be executed.

[0152] Step 3051: If the triggering rule is matched, execute the corresponding triggering behavior on the display interface.

[0153] Among them, the trigger behavior can be understood as the response of the program under test to different trigger operations. Based on the trigger behavior, the response data of the program under test to the trigger operation can be generated.

[0154] refer to Figure 8 Triggering operations include, but are not limited to, the following behaviors: clicking, swiping, and text input. Different triggering operations have different triggering behaviors. For example, if the triggering operation is a click, the corresponding triggering behavior could be switching pages, granting permissions, or opening a control in the display interface.

[0155] As mentioned above, different page types have different triggering rules. Within these rules, the response to the same triggering operation may be the same or different. For example, in the triggering rules for permission authorization, a click operation corresponds to obtaining permissions; while in the triggering rules for login, a click operation corresponds to switching the display to the main page of the program under test.

[0156] It should be understood that there are differences in triggering rules, triggering operations, and responses for different page types, and this application does not limit these; moreover, the above content is only an illustrative example and should not limit this application.

[0157] Step 3052: If no triggering rule is matched, trigger randomly.

[0158] Random triggering refers to the program under test randomly executing a trigger operation.

[0159] This can be understood as follows: when the page type is unknown, and it is determined that there is no matching trigger rule for that page type (i.e., no matching trigger rule), the security program can randomly select a trigger operation to execute. For example, the security program can randomly execute an operation such as clicking, swiping, or inputting in a text box. The randomly executed trigger operation can be performed in a pre-set order by the security program, or it can be randomly selected from multiple trigger operations.

[0160] It should be understood that the triggering operations involved in steps 3051 and 3052 should all be performed on the display interface of the program under test.

[0161] Step 306: Determine whether the termination condition is met.

[0162] It should be understood that termination conditions are used to indicate the conditions under which security testing of the program under test is terminated.

[0163] Optionally, the termination condition includes, but is not limited to, at least one of the following conditions:

[0164] The dwell time on the display interface exceeds the time threshold;

[0165] The number of times the trigger operation on the display interface is triggered exceeds the threshold.

[0166] refer to Figure 8 , Figure 9 This application illustrates a flowchart of a test program's execution trigger behavior according to an exemplary embodiment, which specifically includes the following steps:

[0167] Step 401: After the program under test starts, the program under test sends a screenshot to the security program.

[0168] Among them, the screenshots are judged by the page classification model called by the security program.

[0169] Step 402: The tested program obtains the classification results.

[0170] The classification results are sent via a security program, which can be understood as the page type obtained after the page classification model makes a determination.

[0171] Step 403: Determine whether the classification result is a known classification.

[0172] It should be understood that this judgment step can be determined by the security procedure to determine whether the displayed page of the program under test belongs to any of the page types indicated by the page classification model.

[0173] If the classification result is a known classification, the specific type is determined and step 4041 is executed; if the classification result is not a known classification, step 4042 is executed. Steps 4041 and 4042 must be executed separately and cannot be executed simultaneously.

[0174] Step 4041: Determine the trigger configuration for the target type.

[0175] The trigger configuration can also be understood as the trigger rules mentioned above.

[0176] Step 405: Select the triggering behavior based on the target type.

[0177] Step 406: Execute the triggering behavior.

[0178] Step 4042: Perform a random operation.

[0179] The random operation can be understood as the random triggering in step 3052.

[0180] refer to Figure 10 This application provides, exemplarily, a schematic diagram illustrating the execution of different triggering behaviors.

[0181] For example, for the trigger configuration, there are multiple trigger conditions, and the i-th trigger condition corresponds to the i-th trigger behavior. In step 403, if the classification result is determined to be a known classification, it can be understood as determining that one of the multiple trigger conditions is met, and then executing the corresponding trigger behavior when the trigger condition is met; if the classification result is determined to be not a known classification, it can be understood as not meeting any of the trigger conditions, and in this case, a random operation is performed, and a random behavior is executed.

[0182] It should be understood that random behavior can be any behavior such as clicking or swiping, and this application does not limit it.

[0183] Step 407: Obtain a screenshot of the program.

[0184] It should be understood that the screenshot obtained in step 407 can be the same as the screenshot obtained in step 401, or it can be a different screenshot obtained after the interface is switched following the triggered behavior. For illustrative purposes, step 407 is an optional step, and this screenshot is used for the optimized training of the page classification model to improve its accuracy.

[0185] In summary, this application provides a security testing method for applications (i.e., the program under test) to enhance application security management, ensure the safe use of applications, and protect user data security. Specifically, based on a page classification model, the screenshots corresponding to the display interface of the program under test can be classified into pages, facilitating the classification and testing of different functions of the program under test. Subsequently, based on the response data under different page types, it is determined whether the program under test has any security vulnerabilities, thus facilitating the management of the program under test and providing reminders to users.

[0186] refer to Figure 2 , Figure 11 A flowchart of a security detection method provided by an exemplary embodiment of this application is shown. Optionally, step 104 can be implemented as step 1041, and the security detection method provided in this application further includes steps 105, 106, and 107. Steps 103 and 105 can be executed selectively, but not simultaneously; steps 105 and 106 can be executed sequentially or simultaneously. Specifically:

[0187] Step 1041: If the response data has a security vulnerability, determine that the program under test has a security risk and mark the program under test as a security anomaly program.

[0188] According to step 103, for different page types, the security program can obtain the response data of the tested program to at least one simulated trigger operation on the display interface. Subsequently, the security program can detect the response data. If the response data contains security vulnerabilities, the tested program is identified as having security risks; if the response data does not contain security vulnerabilities, the tested program is determined to have no security risks.

[0189] The security vulnerability in the response data can be understood as follows: based on different page types, the response of the tested program to simulated trigger operations has terminal security risks, leading to risks such as the theft of user data, privacy leaks, and virus intrusion.

[0190] Furthermore, the existence of security vulnerabilities in the corresponding data can also be understood as follows: based on different page types, the tested program's response to simulated trigger operations does not comply with relevant laws and regulations. For example, for a display interface used to implement privacy authorization, its corresponding program screenshot can be used to determine the permission authorization type. If the tested program's response data to a simulated "disagree" trigger operation is marked as exiting the program, meaning the user does not agree to privacy authorization, then the user is not allowed to use the tested program. If this operation violates national laws and regulations regarding privacy authorization, then the tested program can be identified as having security risks.

[0191] Step 105: If the program screenshot does not belong to any page type indicated by the page classification model, perform a random trigger operation on the display interface and obtain the response data of the tested program to the random trigger operation.

[0192] Referring to the foregoing, during the model determination process of the page classification model, there may be situations where the type of the program screenshot is unknown, meaning the program screenshot does not belong to any of the page types indicated by the page classification model. In this case, the security program can perform a random trigger operation on the displayed interface, that is, randomly perform a trigger action and record the response data of the tested program to this random trigger operation.

[0193] Subsequently, the security procedure can still determine whether the tested program has any security vulnerabilities based on the response data.

[0194] Step 106: Save the program screenshot.

[0195] The screenshots are illustrative and used to optimize the training of the page classification model.

[0196] Referring to the foregoing, since the type of program screenshot is unknown, the security program can save the program screenshot. After saving a certain number of program screenshots, the page classification model can be optimized and trained to improve the accuracy of the page classification model.

[0197] Step 107: If the dwell time on the display interface exceeds the first threshold and / or the number of simulated trigger operations exceeds the second threshold, stop the security test of the program under test.

[0198] For security testing of the program under test, a termination condition can be set to indicate the conditions for ending the security testing of the program under test. The termination condition includes, but is not limited to: the dwell time on the display interface exceeding a first threshold and / or the number of simulated trigger operations exceeding a second threshold.

[0199] Based on this, termination conditions can be set for the security checks of security programs to avoid excessive terminal power consumption caused by excessive security checks.

[0200] In summary, the security detection method provided in this application embodiment can mark the tested program as a security anomaly program when there are security vulnerabilities in the response data, thereby strengthening the security management of the application, ensuring the safe use of the application, and protecting the security of user data.

[0201] Optionally, if the program screenshot does not belong to any of the page types indicated by the page classification model, a random trigger operation can be performed on the displayed interface to obtain the response data of the program under test to the random trigger operation, thereby performing security detection and further realizing the secure use of the application and the protection of data security.

[0202] Optionally, if the screenshot does not belong to any of the page types indicated by the page classification model, the screenshot can be saved to facilitate the optimization and training of the page classification model, improve the accuracy of the model, and further enhance the security management of the application.

[0203] The following are device embodiments of this application. For details not described in detail in the device embodiments, please refer to the corresponding descriptions in the above method embodiments. They will not be repeated here.

[0204] Figure 12 This application shows a schematic diagram of a security detection device provided in an exemplary embodiment, the device comprising:

[0205] The acquisition module 1210 is used to acquire a screenshot of the program corresponding to the display interface of the program under test.

[0206] The determination module 1220 is used to determine the page type of the program screenshot based on the page classification model, which is trained based on multiple historical program screenshots of at least one application.

[0207] The acquisition module 1210 is also used to determine the simulated trigger operation corresponding to the display interface based on the page type, execute the simulated trigger operation on the display interface, and acquire the response data of the tested program to the simulated trigger operation;

[0208] The determination module 1220 is also used to determine whether there are any security risks in the program under test based on the response data.

[0209] Optionally, the page classification model is trained through the following steps: acquiring multiple historical program screenshots; clustering the multiple historical program screenshots to obtain clustering results; obtaining type labels after labeling each clustering result, with each type label indicating a page type; constructing a training set for the page classification model, which includes multiple historical program screenshots and the type label corresponding to each historical program screenshot; and training the page classification model based on the training set.

[0210] It should be understood that the device may also include a model training module for training the page classification model.

[0211] Optionally, the i-th historical program screenshot among multiple historical program screenshots is obtained by taking a screenshot of the i-th historical display interface among multiple historical display interfaces of at least one application, where i is a positive integer not less than 0.

[0212] Optionally, the page classification model is trained through the following steps: acquiring multiple historical program screenshots; performing text recognition on the multiple historical program screenshots to obtain text recognition results; obtaining type labels after labeling the text recognition results, where each type label indicates a page type; constructing a training set for the page classification model, which includes multiple historical program screenshots and the type label corresponding to each historical program screenshot; and training the page classification model based on the training set.

[0213] Optionally, the device also includes a processing module 1230, which is used to perform a random trigger operation on the display interface when the program screenshot does not belong to any page type indicated by the page classification model, and to obtain the response data of the program under test to the random trigger operation.

[0214] Optionally, the processing module 1230 is also used to save program screenshots, which are used to optimize the training of the page classification model.

[0215] Optionally, the determination module 1220 is used to determine that the program under test has security risks if there are security vulnerabilities in the response data, and to mark the program under test as a security abnormal program.

[0216] Optionally, the processing module 1230 is also used to stop the security detection of the program under test if the dwell time on the display interface exceeds a first threshold and / or the number of times the simulated trigger operation is triggered exceeds a second threshold.

[0217] Please refer to Figure 13 This illustration shows a structural block diagram of a computer device 1300 provided in an exemplary embodiment of this application. The computer device 1300 may be a portable mobile terminal, such as a smartphone, tablet computer, MP3 player (Moving Picture Experts Group Audio Layer III), or MP4 player (Moving Picture Experts Group Audio Layer IV). The computer device 1300 may also be referred to as a user device, portable terminal, or other names.

[0218] Typically, computer device 1300 includes a processor 1301 and a memory 1302.

[0219] Processor 1301 may include one or more processing cores, such as a quad-core processor, an octa-core processor, etc. Processor 1301 may be implemented using at least one hardware form selected from DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array), and PLA (Programmable Logic Array). Processor 1301 may also include a main processor and a coprocessor. The main processor, also known as a CPU (Central Processing Unit), is used to process data in the wake-up state; the coprocessor is a low-power processor used to process data in the standby state. In some embodiments, processor 1301 may integrate a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the screen. In some embodiments, processor 1301 may also include an AI (Artificial Intelligence) processor, which is used to handle computational operations related to machine learning.

[0220] The memory 1302 may include one or more computer-readable storage media, which may be tangible and non-transitory. The memory 1302 may also include high-speed random access memory and non-volatile memory, such as one or more disk storage devices or flash memory devices. In some embodiments, the non-transitory computer-readable storage media in the memory 1302 are used to store at least one instruction, which is executed by the processor 1301 to implement the security detection method provided in the embodiments of this application.

[0221] In some embodiments, the computer device 1300 may also optionally include: a peripheral device interface 1303 and at least one peripheral device. Specifically, the peripheral device includes at least one of: a radio frequency circuit 1304, a touch display screen 1305, a camera assembly 1306, an audio circuit 1307, and a power supply 1308.

[0222] Peripheral device interface 1303 can be used to connect at least one I / O (Input / Output) related peripheral device to processor 1301 and memory 1302. In some embodiments, processor 1301, memory 1302 and peripheral device interface 1303 are integrated on the same chip or circuit board; in some other embodiments, any one or two of processor 1301, memory 1302 and peripheral device interface 1303 can be implemented on separate chips or circuit boards, which is not limited in this embodiment.

[0223] The radio frequency (RF) circuit 1304 is used to receive and transmit RF (Radio Frequency) signals, also known as electromagnetic signals. The RF circuit 1304 communicates with communication networks and other communication devices via electromagnetic signals. The RF circuit 1304 converts electrical signals into electromagnetic signals for transmission, or converts received electromagnetic signals back into electrical signals. Optionally, the RF circuit 1304 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a user identity module card, etc. The RF circuit 1304 can communicate with other terminals through at least one wireless communication protocol. This wireless communication protocol includes, but is not limited to: the World Wide Web, metropolitan area networks, intranets, various generations of mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and / or WiFi networks. In some embodiments, the RF circuit 1304 may also include circuitry related to NFC (Near Field Communication), which is not limited in this application.

[0224] Touchscreen display 1305 is used to display a UI (User Interface). This UI may include graphics, text, icons, videos, and any combination thereof. Touchscreen display 1305 also has the ability to acquire touch signals on or above its surface. These touch signals can be input as control signals to processor 1301 for processing. Touchscreen display 1305 is used to provide virtual buttons and / or comment keyboards, also known as soft buttons and / or soft keyboards. In some embodiments, touchscreen display 1305 may be a single display, located on the front panel of computer device 1300; in other embodiments, there may be at least two touchscreen displays, respectively located on different surfaces of computer device 1300 or in a folded design; in still other embodiments, touchscreen display 1305 may be a flexible display, located on a curved or folded surface of computer device 1300. Furthermore, touchscreen display 1305 may also be configured as a non-rectangular, irregular shape, i.e., a non-rectangular screen. The touch display screen 1305 can be made of materials such as LCD (Liquid Crystal Display) and OLED (Organic Light-Emitting Diode).

[0225] The camera assembly 1306 is used to acquire images or videos. Optionally, the camera assembly 1306 includes a front-facing camera and a rear-facing camera. Typically, the front-facing camera is used for video calls or selfies, and the rear-facing camera is used for taking photos or videos. In some embodiments, there are at least two rear-facing cameras, which are any one of a main camera, a depth-sensing camera, and a wide-angle camera, to achieve background blurring by fusion of the main camera and the depth-sensing camera, and panoramic shooting and VR (Virtual Reality) shooting by fusion of the main camera and the wide-angle camera. In some embodiments, the camera assembly 1306 may also include a flash. The flash can be a single-color temperature flash or a dual-color temperature flash. A dual-color temperature flash is a combination of a warm light flash and a cool light flash, which can be used for light compensation at different color temperatures.

[0226] Audio circuitry 1307 provides an audio interface between the user and computer device 1300. Audio circuitry 1307 may include a microphone and a speaker. The microphone is used to collect sound waves from the user and the environment, converting the sound waves into electrical signals that are input to processor 1301 for processing, or input to radio frequency circuitry 1304 for voice communication. For stereo sound acquisition or noise reduction purposes, multiple microphones may be used, each located at a different location within computer device 1300. The microphone may also be an array microphone or an omnidirectional microphone. The speaker is used to convert electrical signals from processor 1301 or radio frequency circuitry 1304 into sound waves. The speaker may be a conventional diaphragm speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, it can convert electrical signals not only into audible sound waves but also into inaudible sound waves for purposes such as distance measurement. In some embodiments, audio circuitry 1307 may also include a headphone jack.

[0227] Power supply 1308 is used to supply power to the various components in computer device 1300. Power supply 1308 can be AC ​​power, DC power, a disposable battery, or a rechargeable battery. When power supply 1308 includes a rechargeable battery, the rechargeable battery can be a wired rechargeable battery or a wireless rechargeable battery. A wired rechargeable battery is a battery that is charged via a wired line, and a wireless rechargeable battery is a battery that is charged via a wireless coil. The rechargeable battery can also be used to support fast charging technology.

[0228] In some embodiments, the computer device 1300 further includes one or more sensors 1309. The one or more sensors 1309 include, but are not limited to, an accelerometer 1310, a gyroscope 1311, a pressure sensor 1312, an optical sensor 1313, and a proximity sensor 1314.

[0229] Accelerometer 1310 can detect the magnitude of acceleration along the three coordinate axes of a coordinate system established by computer device 1300. For example, accelerometer 1310 can be used to detect the components of gravitational acceleration along the three coordinate axes. Processor 1301 can control touchscreen display 1305 to display the user interface in landscape or portrait view based on the gravitational acceleration signal acquired by accelerometer 1310. Accelerometer 1310 can also be used for games or for acquiring user motion data.

[0230] The gyroscope sensor 1311 can detect the orientation and rotation angle of the computer device 1300. The gyroscope sensor 1311 can work in conjunction with the accelerometer sensor 1310 to acquire the user's 3D movements on the computer device 1300. Based on the data acquired by the gyroscope sensor 1311, the processor 1301 can perform the following functions: motion sensing (e.g., changing the UI based on the user's tilt), image stabilization during shooting, game control, and inertial navigation.

[0231] The pressure sensor 1312 can be disposed on the side bezel of the computer device 1300 and / or on the lower layer of the touch display screen 1305. When the pressure sensor 1312 is disposed on the side bezel of the computer device 1300, it can detect the user's grip signal on the computer device 1300 and perform left / right hand recognition or quick operation based on the grip signal. When the pressure sensor 1312 is disposed on the lower layer of the touch display screen 1305, it can control the operable controls on the UI interface based on the user's pressure operation on the touch display screen 1305. The operable controls include at least one of button controls, scroll bar controls, icon controls, and menu controls.

[0232] The optical sensor 1313 is used to collect ambient light intensity. In one embodiment, the processor 1301 can control the display brightness of the touch screen 1305 based on the ambient light intensity collected by the optical sensor 1313. Specifically, when the ambient light intensity is high, the display brightness of the touch screen 1305 is increased; when the ambient light intensity is low, the display brightness of the touch screen 1305 is decreased. In another embodiment, the processor 1301 can also dynamically adjust the shooting parameters of the camera assembly 1306 based on the ambient light intensity collected by the optical sensor 1313.

[0233] The proximity sensor 1314, also known as a distance sensor, is typically located on the front of the computer device 1300. The proximity sensor 1314 is used to detect the distance between the user and the front of the computer device 1300. In one embodiment, when the proximity sensor 1314 detects that the distance between the user and the front of the computer device 1300 is gradually decreasing, the processor 1301 controls the touch display screen 1305 to switch from a screen-on state to a screen-off state; when the proximity sensor 1314 detects that the distance between the user and the front of the computer device 1300 is gradually increasing, the processor 1301 controls the touch display screen 1305 to switch from a screen-off state to a screen-on state.

[0234] Those skilled in the art will understand that Figure 13 The structure shown does not constitute a limitation on the computer device 1300, and may include more or fewer components than shown, or combine certain components, or use different component arrangements.

[0235] This application also provides a computer device including a memory and a processor; the memory stores at least one piece of program code, which is loaded and executed by the processor to implement the security detection method described above.

[0236] This application also provides a computer-readable storage medium storing a computer program that is executed by a processor to implement the security detection method described above.

[0237] This application also provides a chip, which includes programmable logic circuits and / or program instructions, for implementing the security detection method described above when the electronic device on which the chip is installed is running.

[0238] This application also provides a computer program product, which includes computer instructions stored in a computer-readable storage medium. The processor reads and executes the computer instructions from the computer-readable storage medium to implement the security detection method described above.

[0239] It should be understood that "multiple" as used in this article refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A alone, A and B simultaneously, or B alone. The character " / " generally indicates that the preceding and following related objects have an "or" relationship.

[0240] Those skilled in the art will understand that all or part of the steps of the above embodiments can be implemented by hardware or by a program instructing related hardware. The program can be stored in a computer-readable storage medium, such as a read-only memory, a disk, or an optical disk.

[0241] The above description is merely an optional embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.

Claims

1. A security detection method, characterized in that, The method is executed by a secure procedure, and the method includes: Obtain a screenshot of the program's interface corresponding to the program under test; Based on a page classification model, the page type of the program screenshot is determined. The page classification model is trained based on multiple historical program screenshots of at least one application. Based on the page type, the simulated trigger operation corresponding to the display interface is determined. The simulated trigger operation is executed on the display interface, and the response data of the tested program to the simulated trigger operation is obtained. Based on the response data, determine whether the tested program has any security vulnerabilities; The page classification model is trained through the following steps: Obtain the plurality of historical program screenshots of the at least one application; Based on the deep residual network model, the multiple historical program screenshots are transformed into a vector space to obtain the vectors corresponding to the multiple historical program screenshots, wherein one historical program screenshot corresponds to one vector in the vector space; A distance relationship network is constructed based on the cosine distance between vectors in the vector space. The distance relationship network is used to describe the similarity between the multiple historical program screenshots. The vector corresponding to a historical program screenshot is a node in the distance relationship network. Based on the distance relationship network, connected components are calculated. For connected components with no more than a predefined threshold number of nodes, they are directly treated as a cluster. For connected components with more than the predefined threshold number of nodes, all nodes in the large connected components are input into the k-means clustering algorithm. The clustering result is obtained by combining the clusters of the connected components that are not greater than a predefined threshold and the clusters output by the k-means clustering algorithm; Obtain a type label for each of the clustering results, wherein each type label indicates a page type; A training set for the page classification model is constructed, the training set including the multiple historical program screenshots and the type label corresponding to each historical program screenshot; the page classification model is trained based on the training set.

2. The method according to claim 1, characterized in that, The acquisition of the multiple historical program screenshots includes: Take a screenshot of the i-th historical display interface among the multiple historical display interfaces of the at least one application to obtain the i-th historical program screenshot among the multiple historical program screenshots, where i is a positive integer not less than 0.

3. The method according to claim 1 or 2, characterized in that, The method further includes: If the screenshot does not belong to any page type indicated by the page classification model, a random trigger operation is performed on the display interface to obtain the response data of the tested program to the random trigger operation.

4. The method according to claim 3, characterized in that, The method further includes: Save the program screenshot, which is used to optimize and train the page classification model.

5. The method according to claim 1 or 2, characterized in that, The step of determining whether the tested program has security vulnerabilities based on the response data includes: If the response data contains security vulnerabilities, the tested program is determined to have security risks and is marked as a security anomaly program.

6. The method according to claim 1 or 2, characterized in that, The method further includes: If the dwell time on the display interface exceeds a first threshold and / or the number of times the simulated trigger operation is triggered exceeds a second threshold, the security detection of the program under test shall be stopped.

7. A safety detection device, characterized in that, The device includes: The acquisition module is used to acquire screenshots of the program's display interface. A determination module is used to determine the page type of the program screenshot based on a page classification model, wherein the page classification model is trained based on multiple historical program screenshots of at least one application. The acquisition module is further configured to determine the simulated trigger operation corresponding to the display interface based on the page type, execute the simulated trigger operation on the display interface, and acquire the response data of the tested program to the simulated trigger operation; The determining module is further configured to determine, based on the response data, whether the tested program has any security vulnerabilities. The page classification model is trained through the following steps: The acquisition module is used to acquire the plurality of historical program screenshots of the at least one application; The determining module is used to convert the multiple historical program screenshots into a vector space based on a deep residual network model, so as to obtain the vectors corresponding to the multiple historical program screenshots, wherein one historical program screenshot corresponds to one vector in the vector space; The determining module is used to construct a distance relationship network based on the cosine distance between vectors in the vector space. The distance relationship network is used to describe the similarity between the multiple historical program screenshots. The vector corresponding to a historical program screenshot is a node in the distance relationship network. The determining module is used to calculate connected components based on the distance relationship network. For connected components with no more than a predefined threshold number of nodes, they are directly treated as a cluster. For connected components with more than the predefined threshold number of nodes, all nodes in the large connected components are input into the k-means clustering algorithm. The determining module is used to combine the clusters of the connected components that are not greater than a predefined threshold and the clusters output by the k-means clustering algorithm to obtain the clustering result; The acquisition module is used to acquire type labels after marking each clustering result, where a type label is used to indicate a page type; The determining module is used to construct a training set for the page classification model, wherein the training set includes the plurality of historical program screenshots and the type label corresponding to each historical program screenshot; The determining module is used to train the page classification model based on the training set.

8. The apparatus according to claim 7, characterized in that, The device includes: The acquisition module is used to take a screenshot of the i-th historical display interface among the multiple historical display interfaces of the at least one application, and obtain the i-th historical program screenshot among the multiple historical program screenshots, where i is a positive integer not less than 0.

9. The apparatus according to claim 7 or 8, characterized in that, The device further includes: The display module is used to perform a random trigger operation on the display interface when the program screenshot does not belong to any page type indicated by the page classification model, and to obtain the response data of the program under test to the random trigger operation.

10. The apparatus according to claim 9, characterized in that, The device further includes: A storage module is used to save the program screenshots, which are used to optimize and train the page classification model.

11. The apparatus according to claim 7 or 8, characterized in that, The device includes: The determining module is used to determine that the tested program has security risks when the response data has security vulnerabilities, and to mark the tested program as a security-abnormal program.

12. The apparatus according to claim 7 or 8, characterized in that, The device includes: The control module is used to stop the security detection of the program under test if the dwell time on the display interface exceeds a first threshold and / or the number of times the simulated trigger operation is triggered exceeds a second threshold.

13. A computer device, characterized in that, The computer device includes a memory and a processor; The memory stores at least one piece of program code, which is loaded and executed by the processor to implement the security detection method as described in any one of claims 1 to 6.

14. A computer-readable storage medium, characterized in that, The storage medium stores a computer program, which is executed by a processor to implement the security detection method as described in any one of claims 1 to 6.

15. A chip, characterized in that, The chip includes programmable logic circuits and / or program instructions, and when the electronic device equipped with the chip is running, it is used to implement the security detection method as described in any one of claims 1 to 6.

16. A computer program product, characterized in that, The computer program product includes computer instructions stored in a computer-readable storage medium, and a processor reads from and executes the computer instructions to implement the security detection method as described in any one of claims 1 to 6.