Search

CN-121997236-A - Abnormal software behavior remote identification method and system for multi-player game terminal

CN121997236ACN 121997236 ACN121997236 ACN 121997236ACN-121997236-A

Abstract

The invention discloses a method and a system for remotely identifying abnormal software behaviors of a multi-player game terminal, in particular relates to the technical field of chess and card game terminal safety protection, and is used for solving the problems that in the prior art, the acquisition granularity of behavior characteristic data is different due to terminal heterogeneity, so that the remote identification effectiveness is reduced; the method comprises the steps of synchronously binding and collecting granularity information when behavior characteristic data are collected at a terminal side, checking the integrity and granularity marking effectiveness of the data after the server receives the data, carrying out cluster classification according to the terminal type and fitting and collecting granularity marking probability distribution, calculating local outlier factors and screening out data sets conforming to a non-outlier threshold value according to the cluster classification, constructing priori distribution based on the probability distribution to calculate association confidence and screening out confidence standard reaching data sets, merging according to granularity marking to obtain the same granularity characteristic data set, and carrying out quantitative calibration and association analysis on the data set, so that the accurate identification of abnormal software behaviors is realized.

Inventors

  • CHEN SHAOGUANG
  • ZHANG YANG
  • WEI CONG
  • LIU FENG

Assignees

  • 成都市雀友圈文化传播有限公司

Dates

Publication Date
20260508
Application Date
20260129

Claims (10)

  1. 1. The abnormal software behavior remote identification method for the multi-player game terminal is characterized by comprising the following steps of: S1, synchronously recording and collecting granularity information and binding to generate a software behavior characteristic data set with granularity marks when a chess and card game terminal collects software behavior characteristic data; s2, remotely transmitting the software behavior characteristic data set to a server, and checking the data integrity and the validity of the granularity mark by the server; s3, the server performs cluster classification on the software behavior feature data set passing verification according to the terminal type, fits the probability distribution of the acquisition granularity marks of various terminals, calculates the local outlier factor of the single terminal acquisition granularity mark in the affiliated cluster, and screens out the software behavior feature data set conforming to the non-outlier threshold; S4, constructing priori distribution based on the probability distribution of the collected granularity marks of various terminals, calculating the associated confidence coefficient of the granularity marks of the software behavior characteristic data set which accords with the non-outlier threshold and the terminal types, and screening the confidence coefficient standard data set; S5, merging the confidence standard data sets according to granularity marks to obtain feature data sets with the same granularity; And S6, quantitatively calibrating the same-granularity characteristic data set, and identifying abnormal software behaviors through correlation analysis of the quantized and calibrated same-granularity characteristic data set.
  2. 2. The remote recognition method of abnormal software behavior for a multiplayer game terminal according to claim 1, wherein S1 comprises: collecting behavior characteristic data generated by software in the running process of the chess and card game terminal; determining acquisition granularity information based on an acquisition environment of the behavior characteristic data; Binding the collected granularity information as granularity marks with the collected behavior feature data to generate a software behavior feature data set with granularity marks.
  3. 3. The remote recognition method of abnormal software behavior for a multiplayer game terminal according to claim 1, wherein S2 comprises: remotely transmitting the software behavior characteristic data set with granularity marks from the chess and card game terminal to a server; after receiving the software behavior feature data set with the granularity mark, the server performs data integrity check on the software behavior feature data set with the granularity mark; and verifying the format and the content validity of the granularity marks in the software behavior characteristic data set with the granularity marks.
  4. 4. The remote recognition method of abnormal software behavior for a multiplayer game terminal according to claim 1, wherein S3 comprises: Performing cluster classification based on the terminal types corresponding to the software behavior characteristic data sets passing the verification to obtain a plurality of terminal clusters; Fitting and collecting particle size marker probability distribution based on particle size markers in all software behavior feature data sets passing verification in each terminal cluster; calculating local outlier factors based on the positions of the granularity marks of the software behavior characteristic data sets passing each verification in the acquisition granularity mark probability distribution of the terminal cluster; And comparing the local outlier factor with the non-outlier threshold according to a preset non-outlier threshold, and screening out a software behavior characteristic data set of which the local outlier factor does not exceed the non-outlier threshold.
  5. 5. The remote recognition method for abnormal software behaviors of a multi-player game terminal according to claim 4, wherein the local outlier factor is calculated based on the position of the granularity mark in the acquisition granularity mark probability distribution of the terminal cluster, and specifically comprises the steps of determining the probability density of the software behavior feature data set passing verification in the acquisition granularity mark probability distribution of the terminal cluster based on the granularity mark of the software behavior feature data set, and calculating the local outlier factor by comparing the probability density with the probability density of the adjacent area in the acquisition granularity mark probability distribution.
  6. 6. The remote recognition method of abnormal software behavior for a multiplayer game terminal according to claim 1, wherein S4 comprises: Constructing prior distribution representing association relation between granularity marks and terminal types based on the probability distribution of the acquisition granularity marks of various terminals; Aiming at each software behavior characteristic data set conforming to the non-outlier threshold, calculating the associated confidence degree by combining the prior distribution according to the granularity mark and the terminal type of the software behavior characteristic data set; And comparing the association confidence with a preset confidence threshold, and screening out a data set with the association confidence reaching the confidence threshold as a confidence standard data set.
  7. 7. The remote recognition method of abnormal software behavior for a multiplayer game terminal according to claim 1, wherein S5 comprises: merging confidence standard reaching data sets with the same granularity marks into the same set based on granularity marks contained in the confidence standard reaching data sets to form a plurality of characteristic data sets with the same granularity; Wherein the software behavior feature data within each co-granular feature data set has the same granular marking.
  8. 8. The remote recognition method of abnormal software behavior for a multiplayer game terminal according to claim 1, wherein S6 comprises: Carrying out quantitative calibration processing on software behavior characteristic data in the same granularity characteristic data group; Based on the quantized and calibrated feature data sets with the same granularity, carrying out correlation analysis between software behavior feature data; and identifying abnormal software behaviors according to the result of the relevance analysis.
  9. 9. The remote recognition method for abnormal software behaviors of the multiplayer game terminal according to claim 8, wherein the correlation analysis between the software behavior feature data is performed based on the quantized and calibrated same-granularity feature data set, and specifically comprises the steps of calculating correlation metrics between different software behavior feature data in the quantized and calibrated same-granularity feature data set, and determining the result of the correlation analysis to be used for recognizing the abnormal software behaviors based on the distribution of the correlation metrics.
  10. 10. A multi-player game terminal-oriented abnormal software behavior remote recognition system for implementing the multi-player game terminal-oriented abnormal software behavior remote recognition method according to any one of claims 1 to 9, characterized by comprising: The collection marking module is used for synchronously recording and collecting granularity information and binding to generate a software behavior characteristic data set with granularity marks when the chess and card game terminal collects the software behavior characteristic data; the transmission verification module is used for remotely transmitting the software behavior characteristic data set to the server, and the server verifies the data integrity and the validity of the granularity mark; The cluster screening module is used for carrying out cluster classification on the software behavior characteristic data set passing verification by the server according to the terminal type, fitting the acquisition granularity marking probability distribution of various terminals, calculating the local outlier factor of the single terminal acquisition granularity marking in the affiliated cluster, and screening out the software behavior characteristic data set conforming to the non-outlier threshold; the confidence screening module is used for constructing priori distribution based on the probability distribution of the collected granularity marks of various terminals, calculating the association confidence of the granularity marks of the software behavior characteristic data set conforming to the non-outlier threshold and the terminal types, and screening confidence standard data sets; The merging and grouping module is used for merging the confidence standard reaching data sets according to granularity marks to obtain characteristic data sets with the same granularity; And the calibration identification module is used for quantitatively calibrating the same-granularity characteristic data set and identifying abnormal software behaviors through the correlation analysis of the quantized and calibrated same-granularity characteristic data set.

Description

Abnormal software behavior remote identification method and system for multi-player game terminal Technical Field The invention relates to the technical field of safety protection of chess and card game terminals, in particular to a method and a system for remotely identifying abnormal software behaviors of a multi-player game terminal. Background The chess and card game belongs to a typical multi-player game, and in the field of chess and card game terminal safety protection, the security risks such as cheating caused by abnormal software behaviors can be prevented through a remote identification technology, the core logic is that behavior characteristic data in the software running process is collected through a terminal side, and after remote transmission, aggregation analysis of multi-terminal data is completed through a server side, so that abnormal behaviors are identified and terminal safety protection is realized, and the chess and card game belongs to the core research category of computer terminal safety protection. Because chess and card game terminals are various in form and cover various types of mobile terminals, desktop terminals, simulators and the like, the system architecture, the acquisition interface authority and the data acquisition precision of different terminals are naturally different, so that the software behavior characteristic data acquired by the terminal sides are obviously different in granularity. In the prior art, a terminal side only carries out simple format normalization pretreatment on collected original behavior characteristic data and then remotely transmits the data to a server side, and the server side mainly carries out normalization treatment on formats of data uploaded by different terminals in an aggregation analysis stage so as to complete integration and subsequent analysis of multi-terminal data. In the existing abnormal software behavior remote identification technology for the multi-user game terminal, in the full-link processing of terminal side acquisition and server side aggregation analysis, an adaptive cooperative processing mechanism is not established aiming at the behavior feature acquisition granularity difference caused by terminal isomerism, the terminal side does not uniformly mark the granularity information of acquired data, and the server side does not perform effective granularity calibration and uniform quantization processing, so that the problem of effective feature dilution or distortion of behavior feature data with different granularities appears in the same analysis system, the core features of abnormal software behaviors cannot be extracted accurately, the effectiveness of remote identification is seriously reduced, and the safety protection requirement of chess and card game terminals is difficult to be reliably ensured. Disclosure of Invention In order to overcome the defects in the prior art, the invention provides a method and a system for remotely identifying abnormal software behaviors of a multi-player game terminal so as to solve the problems in the background art. In order to achieve the above purpose, the present invention provides the following technical solutions: The abnormal software behavior remote identification method for the multi-player game terminal comprises the following steps: S1, synchronously recording and collecting granularity information and binding to generate a software behavior characteristic data set with granularity marks when a chess and card game terminal collects software behavior characteristic data; s2, remotely transmitting the software behavior characteristic data set to a server, and checking the data integrity and the validity of the granularity mark by the server; s3, the server performs cluster classification on the software behavior feature data set passing verification according to the terminal type, fits the probability distribution of the acquisition granularity marks of various terminals, calculates the local outlier factor of the single terminal acquisition granularity mark in the affiliated cluster, and screens out the software behavior feature data set conforming to the non-outlier threshold; S4, constructing priori distribution based on the probability distribution of the collected granularity marks of various terminals, calculating the associated confidence coefficient of the granularity marks of the software behavior characteristic data set which accords with the non-outlier threshold and the terminal types, and screening the confidence coefficient standard data set; S5, merging the confidence standard data sets according to granularity marks to obtain feature data sets with the same granularity; And S6, quantitatively calibrating the same-granularity characteristic data set, and identifying abnormal software behaviors through correlation analysis of the quantized and calibrated same-granularity characteristic data set. Further, S1 includes: collecting behavior characteristic dat