CN103034810B - A kind of detection method, device and electronic equipment - Google Patents

Info

Publication number
CN103034810B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201110294346.3A
Other languages
Chinese (zh)
Other versions
CN103034810A (en)
Inventor
刘永锋
阮景春
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd

Abstract

The invention discloses a detection method, a detection device and electronic equipment. The method comprises: receiving a detection command; according to the detection command, reading at least one first feature value from a first feature library and at least one second feature value from a second feature library; comparing each first feature value in turn with all second feature values in the second feature library to detect whether a matching first feature value and second feature value exist, and obtaining a detection result; and, when the detection result shows that a match exists, outputting the detection result. With the invention, a full virus scan directly compares the values already stored in the feature libraries and does not need to calculate a value for each application one by one, which greatly increases detection speed, saves CPU resources, and therefore also saves energy.

Description

A detection method, device and electronic equipment
Technical field
The present invention relates to the field of computer technology, and in particular to a detection method, a detection device and electronic equipment.
Background art
At present, the usual way to scan for and remove malicious applications is to scan the inside of executable files for the specific encoding held in a malicious application feature library, such as a specific binary string or hash value. This method applies both to computers and to devices such as smartphones.
However, this kind of scanning is very slow, consumes a great deal of CPU resources and uses a lot of power, so it is not energy-efficient.
Summary of the invention
The embodiments of the present invention provide a detection method, a detection device and electronic equipment, to solve the problem that the detection process consumes a great deal of CPU resources and power and is not energy-efficient.
The invention provides a detection method applied to electronic equipment, the method comprising:
Receiving a detection command;
Reading, according to the detection command, at least one first feature value from a first feature library and at least one second feature value from a second feature library;
Comparing each first feature value in turn with all second feature values in the second feature library, detecting whether a matching first feature value and second feature value exist, and obtaining a detection result;
When the detection result shows that a match exists, outputting the detection result;
Wherein the first feature library is an application feature library and the first feature value is an application feature value, while the second feature library is a malicious application feature library and the second feature value is a malicious application feature value; or the first feature library is a malicious application feature library and the first feature value is a malicious application feature value, while the second feature library is an application feature library and the second feature value is an application feature value.
Wherein, before the detection command is received, the method further comprises:
When the electronic equipment installs or updates a first application, calculating the feature value of the installed or updated application;
Storing the calculated feature value in the first feature library as a first feature value, wherein the first feature library is the application feature library.
Wherein, after the electronic equipment has installed or updated the first application and a feature value has been calculated for the installed or updated application, the method further comprises:
Triggering a detection command, and checking the feature value calculated for the installed or updated first application against all second feature values in the second feature library for a match, to obtain a detection result, wherein the second feature library is the malicious application feature library and the second feature value is a malicious application feature value;
When the detection result shows that a match exists, outputting the detection result.
Wherein each application feature value comprises the feature value of the developer signing certificate and/or the feature value of the application program itself, and the malicious application feature value comprises the malicious application feature value of a developer signing certificate and/or the malicious application feature value of an application program itself.
Wherein, when the feature value of the application program itself matches a malicious application feature value of an application program itself, the application corresponding to the feature value of the application program itself is confirmed to be a malicious application.
Wherein, when the feature value of the developer signing certificate matches a malicious application feature value of a developer signing certificate, the application corresponding to the feature value of the developer signing certificate is confirmed to be a first-class application.
Wherein, when the feature value of the developer signing certificate matches a malicious application feature value of a developer signing certificate, and the application corresponding to the feature value of the developer signing certificate has produced a security event, the application corresponding to the feature value of the developer signing certificate is confirmed to be a second-class application.
Wherein, when the feature value of the developer signing certificate matches a malicious application feature value of a developer signing certificate, if the feature value of the developer signing certificate is identical to the feature value of the system default signing certificate, the application corresponding to the feature value of the developer signing certificate is a third-class application.
The embodiments of the present invention also provide a detection device applied to electronic equipment, the device comprising:
A receiving unit, for receiving a detection command;
A reading unit, for reading, according to the detection command, at least one first feature value from a first feature library and at least one second feature value from a second feature library;
A comparison unit, for comparing each first feature value in turn with all second feature values in the second feature library, detecting whether a matching first feature value and second feature value exist, and obtaining a detection result;
An output unit, for outputting the detection result when the detection result shows that a match exists;
Wherein the first feature library is an application feature library and the first feature value is an application feature value, while the second feature library is a malicious application feature library and the second feature value is a malicious application feature value; or the first feature library is a malicious application feature library and the first feature value is a malicious application feature value, while the second feature library is an application feature library and the second feature value is an application feature value.
Wherein the device further comprises:
A calculation unit, for calculating, before the detection command is received and when the electronic equipment installs or updates a first application, the feature value of the installed or updated application;
A storage unit, for storing the calculated feature value in the first feature library as a first feature value, wherein the first feature library is the application feature library.
Wherein the device further comprises:
A trigger unit, for triggering a detection command after the electronic equipment has installed or updated the first application and a feature value has been calculated for the installed or updated application;
The comparison unit is further used for checking the feature value calculated for the installed or updated first application against all second feature values in the second feature library for a match, to obtain a detection result, wherein the second feature library is the malicious application feature library and the second feature value is a malicious application feature value;
The output unit is further used for outputting the detection result when the detection result shows that a match exists.
Wherein each application feature value comprises the feature value of the developer signing certificate and/or the feature value of the application program itself, and the malicious application feature value comprises the malicious application feature value of a developer signing certificate and/or the malicious application feature value of an application program itself.
The embodiments of the present invention also provide electronic equipment, the electronic equipment comprising:
A storage unit, for storing a first feature library and a second feature library;
A processing unit, for receiving a detection command; reading, according to the detection command, at least one first feature value from the first feature library and at least one second feature value from the second feature library; comparing each first feature value in turn with all second feature values in the second feature library, detecting whether a matching first feature value and second feature value exist, and obtaining a detection result; and, when the detection result shows that a match exists, outputting the detection result;
Wherein the first feature library is an application feature library and the first feature value is an application feature value, while the second feature library is a malicious application feature library and the second feature value is a malicious application feature value; or the first feature library is a malicious application feature library and the first feature value is a malicious application feature value, while the second feature library is an application feature library and the second feature value is an application feature value.
Wherein the processing unit is further used for, before the detection command is received and when a first application is installed or updated, calculating the feature value of the installed or updated application, and storing the calculated feature value in the first feature library as a first feature value, wherein the first feature library is the application feature library.
Wherein the processing unit is further used for triggering a detection command after the first application has been installed and a feature value has been calculated for the installed or updated application; checking the feature value calculated for the installed or updated first application against all second feature values in the second feature library for a match, to obtain a detection result, wherein the second feature library is the malicious application feature library and the second feature value is a malicious application feature value; and, when the detection result shows that a match exists, outputting the detection result.
With the method, device and electronic equipment provided by the embodiments of the present invention, a full virus scan directly compares the values already stored in the feature libraries and does not need to calculate a value for each application one by one, which greatly increases detection speed, saves CPU resources, and therefore also saves energy.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a detection method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a specific embodiment provided by the embodiments of the present invention;
Fig. 3 is a schematic diagram of the logical structure of a detection device according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the logical structure of electronic equipment according to an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To explain the present invention better, several concepts are first briefly introduced:
Application: in this document, an application program that can be run. It may be a safe application with no malicious function embedded in it, or a malicious application with a malicious function embedded in it.
Application feature value: a value obtained by calculation over an application; for example, it may be a hash value, a binary coded value, and so on.
Malicious application: in this document, an application program that is infected with a virus or a malicious function, that is, an abnormal application program that contains a virus or a malicious function. A virus includes code that damages the software or hardware of the device. Malicious functions include a data theft function and a fee theft function. Data theft includes stealing data such as private data (user data such as text messages, e-mail, chat records, account passwords and the like, geographic location data, operation records, and so on). Fee theft includes sending short messages, accessing the network and making calls that incur charges, without the participation of the user.
Malicious application feature value: a value obtained by calculation over a malicious application; for example, it may be a hash value, a binary coded value, and so on.
Referring to Fig. 1, which is a flowchart of a detection method according to an embodiment of the present invention, the method is applied to electronic equipment that comprises at least one application, an application feature value set and a malicious application feature value set. The application feature value set comprises the application feature value of at least one of the at least one application, and the malicious application feature value set comprises at least one malicious application feature value. The flow shown in Fig. 1 specifically comprises:
Step 101: receive a detection command;
Step 102: according to the detection command, read at least one first feature value from a first feature library and at least one second feature value from a second feature library;
Step 103: compare each first feature value in turn with all second feature values in the second feature library, detect whether a matching first feature value and second feature value exist, and obtain a detection result;
Step 104: when the detection result shows that a match exists, output the detection result;
Wherein the first feature library is an application feature library and the first feature value is an application feature value, while the second feature library is a malicious application feature library and the second feature value is a malicious application feature value; or the first feature library is a malicious application feature library and the first feature value is a malicious application feature value, while the second feature library is an application feature library and the second feature value is an application feature value.
That is, when the method shown in Fig. 1 is used, either each application feature value can be compared in turn with all malicious application feature values, or each malicious application feature value can be compared in turn with all application feature values.
It should be noted that, when the detection result shows that a match exists, the detection result that is output may include a list of the application names corresponding to the matched application feature values, to indicate that the applications in the list may be malicious or risky applications. When the detection result shows that no match exists, a detection result may also be output, showing that no malicious or risky application exists.
It should be noted that, before the detection command is received, the flow shown in Fig. 1 may further comprise: when the electronic equipment installs or updates a first application, calculating the feature value of the installed or updated application, and storing the calculated feature value in the first feature library as a first feature value, wherein the first feature library is the application feature library. That is, before the detection command is received, whenever an application is installed or updated, the feature value of the installed or updated application is calculated and saved in the application feature library.
It should be noted that, after the electronic equipment has installed or updated the first application and a feature value has been calculated for the installed or updated application, the flow shown in Fig. 1 may further comprise: triggering a detection command, and checking the feature value calculated for the installed or updated first application against all second feature values in the second feature library for a match, to obtain a detection result, wherein the second feature library is the malicious application feature library and the second feature value is a malicious application feature value; and, when the detection result shows that a match exists, outputting the detection result. That is, once an application has been installed or updated and its application feature value has been calculated, that application can be checked once immediately, to ensure that the installed or updated application is safe.
Similarly to the above, when the detection result shows that a match exists, the detection result that is output may include the name of the application just installed, to indicate that this application may be a malicious or risky application. When the detection result shows that no match exists, a detection result may also be output, showing that the installed application is not a malicious or risky application.
It should be noted that, when the detection result shows that a match exists, the method may further comprise: according to a received instruction (such as an instruction from the user or an instruction generated automatically by the system), uninstalling the application corresponding to the application feature value that matches a malicious application feature value. The specific operation may be:
When the first application is installed or updated, after the feature value of the installed or updated application has been calculated, the application name corresponding to this feature value and the installation location, such as a path, are recorded. When the detection result shows that a match exists, the application corresponding to the application feature value that matches a malicious application feature value is uninstalled according to the received instruction, using the recorded installation location and application name. In this way, the losses caused by running the malicious application can be avoided.
It should be noted that each application feature value comprises the feature value of the developer signing certificate and/or the feature value of the application program itself, and the malicious application feature value comprises the malicious application feature value of a developer signing certificate and/or the malicious application feature value of an application program itself. In this way:
When the feature value of the application program itself matches a malicious application feature value of an application program itself, the application corresponding to the feature value of the application program itself is confirmed to be a malicious application.
When the feature value of the developer signing certificate matches a malicious application feature value of a developer signing certificate, the application corresponding to the feature value of the developer signing certificate is confirmed to be a first-class application. A first-class application is a risky application, such as a suspected malicious application.
When the feature value of the developer signing certificate matches a malicious application feature value of a developer signing certificate, and the application corresponding to the feature value of the developer signing certificate has produced a security event, the application corresponding to the feature value of the developer signing certificate is confirmed to be a second-class application. A second-class application is a high-risk application, such as a suspected and risky malicious application.
When the feature value of the developer signing certificate matches a malicious application feature value of a developer signing certificate, if the feature value of the developer signing certificate is identical to the feature value of the system default signing certificate, the application corresponding to the feature value of the developer signing certificate is a third-class application. A third-class application is a low-risk application, such as an application that may be risky.
When the feature value of the developer signing certificate matches a malicious application feature value of a developer signing certificate, if the feature value of the developer signing certificate is identical to the feature value of the system default signing certificate and the application corresponding to the feature value of the developer signing certificate has produced a security event, the application corresponding to the feature value of the developer signing certificate is confirmed to be a second-class application. A second-class application is a high-risk application, such as a suspected and risky malicious application.
That is, the risk of a second-class application is higher than that of a first-class application, and the risk of a first-class application is higher than that of a third-class application.
The security events mentioned above can be obtained from logs. They include events such as accessing the address book, snooping on private data, consuming resources and consuming fees. That is, any security-related event can be recorded.
When the eigenwert of developer's signing certificate and the malicious application eigenwert of developer's signing certificate match
It can be seen that, with the method provided by the embodiments of the present invention, a full virus scan directly compares the values already stored in the feature libraries and does not need to calculate a value for each application one by one, which greatly increases detection speed, saves CPU resources, and therefore also saves energy.
Comparison in practice shows that, as the number of applications to be detected increases, the detection time of the method provided by the embodiments of the present invention stays at about 5 seconds, whereas other scanning tools, when detecting the same number of applications, take about several times as long as the method of the invention. If the number of applications reaches 100 or more, the time required by other scanning tools will be far more than 10 times the time required by the method of the invention.
The present invention is described in further detail below with reference to a specific example.
Referring to Fig. 2, which is a flowchart of a specific embodiment provided by the embodiments of the present invention. This example has two feature libraries, A and B, where feature library A is the application feature library and feature library B is the malicious application feature library. Each application feature value stored in the application feature library comprises the feature value of the developer signing certificate and the feature value of the application program itself. Each malicious application feature value stored in the malicious application feature library comprises the malicious application feature value of a developer signing certificate and the malicious application feature value of an application program itself. For example, the feature value of the developer signing certificate may be the hash value (HASH) of the application's signing certificate, and the feature value of the application program itself may be the HASH of the APK; correspondingly, the malicious application feature value of a developer signing certificate may be the hash value (HASH) of a malicious application's signing certificate, and the malicious application feature value of an application program itself may be the HASH of a malicious APK.
It should be noted that the number of authors of malicious applications, that is, the number of developer signing certificate feature values, is far smaller than the number of malicious applications, that is, the number of feature values of application programs themselves. In this embodiment, therefore, the feature value of the developer signing certificate is matched first. If it matches, the application is confirmed as possibly malicious, and the feature value of the application program itself is then matched, or other information is used to grade the risk. If it does not match, the application can be confirmed directly as not malicious. The flow shown in Fig. 2 specifically comprises:
00) Whenever an application installation or update is captured, calculate the application feature value of the installed or updated application, and store the calculated application feature value in the application feature library.
01) When detection is needed, compare whether the feature value of the developer signing certificate is identical to a malicious application feature value of a developer signing certificate; if identical, perform step 02), otherwise perform step 09);
02) Judge whether the feature value of the developer signing certificate is the feature value of the system default signing certificate; if so, perform step 03), otherwise perform step 04);
03) Detect whether this application has triggered a security event; if so, perform step 06), otherwise perform step 09);
04) Compare whether the feature value of the application program itself is identical to a malicious application feature value of an application program itself; if identical, perform step 05), otherwise perform step 06);
05) Confirm that this application is a malicious application, then perform step 09);
06) Confirm that this application is an application that may be risky, then perform step 09);
07) Detect whether this application has triggered a security event; if so, perform step 08), otherwise perform step 09);
08) Confirm that this application is a second-class application, that is, a suspected and risky malicious application, then perform step 09);
09) Judge whether all comparisons are complete; if so, end, otherwise perform step 10);
10) Obtain the application feature value of the next application, then perform step 01).
With the method provided by the embodiments of the present invention, a full virus scan directly compares the values already stored in the feature libraries and does not need to calculate a value for each application one by one, which greatly increases detection speed, saves CPU resources, and therefore also saves energy.
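The scheme described above as an added Python example (not code from the patent): feature values are calculated once at install or update time, a full scan only compares stored values against the malicious application feature library, and matches are graded into the risk classes defined earlier. SHA-256, all class and function names, the constructed byte strings standing in for APKs and certificates, and the order in which the rules are applied when several hold (application match, then security event, then default certificate) are assumptions.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    CLEAN = "no match"
    LOW_RISK = "third class (low risk)"
    RISKY = "first class (risky)"
    HIGH_RISK = "second class (high risk)"
    MALICIOUS = "malicious"


@dataclass(frozen=True)
class AppRecord:
    """One entry of the application feature library (library A in Fig. 2)."""
    name: str
    install_path: str   # recorded so a matched application can be uninstalled
    cert_value: str     # feature value of the developer signing certificate
    apk_value: str      # feature value of the application program itself


class Detector:
    def __init__(self, bad_certs, bad_apks, default_cert_value):
        self.bad_certs = set(bad_certs)      # malicious library B: certificates
        self.bad_apks = set(bad_apks)        # malicious library B: applications
        self.default_cert_value = default_cert_value
        self.app_library = {}                # name -> AppRecord
        self.security_events = set()         # app names seen in the security log
        self.hash_calls = 0                  # counts the expensive operation

    def _feature_value(self, data: bytes) -> str:
        # SHA-256 is an assumption; the page only says "hash value".
        self.hash_calls += 1
        return hashlib.sha256(data).hexdigest()

    def on_install_or_update(self, name, path, apk_bytes, cert_bytes):
        """Step 00: hash once at install time, store, then check immediately."""
        rec = AppRecord(name, path, self._feature_value(cert_bytes),
                        self._feature_value(apk_bytes))
        self.app_library[name] = rec         # an update overwrites the old entry
        return self.classify(rec)

    def classify(self, rec: AppRecord) -> Verdict:
        # Certificate values are compared first: there are far fewer of them.
        if rec.cert_value not in self.bad_certs:
            return Verdict.CLEAN
        if rec.apk_value in self.bad_apks:
            return Verdict.MALICIOUS
        if rec.name in self.security_events:
            return Verdict.HIGH_RISK
        if rec.cert_value == self.default_cert_value:
            return Verdict.LOW_RISK
        return Verdict.RISKY

    def full_scan(self):
        """Full scan: compare stored values only; nothing is re-hashed."""
        findings = {}
        for rec in self.app_library.values():
            verdict = self.classify(rec)
            if verdict is not Verdict.CLEAN:
                findings[rec.name] = (verdict, rec.install_path)
        return findings


def build_demo():
    """Constructed sample data: byte strings stand in for APKs and certificates."""
    h = lambda b: hashlib.sha256(b).hexdigest()
    default_cert, bad_cert, good_cert = b"cert:default", b"cert:bad-dev", b"cert:good-dev"
    det = Detector(bad_certs={h(bad_cert), h(default_cert)},
                   bad_apks={h(b"apk:trojan")},
                   default_cert_value=h(default_cert))
    det.on_install_or_update("notes", "/data/app/notes", b"apk:notes", good_cert)
    det.on_install_or_update("trojan", "/data/app/trojan", b"apk:trojan", bad_cert)
    det.on_install_or_update("game", "/data/app/game", b"apk:game", bad_cert)
    det.on_install_or_update("tool", "/data/app/tool", b"apk:tool", default_cert)
    det.on_install_or_update("widget", "/data/app/widget", b"apk:widget", default_cert)
    det.security_events.add("widget")        # e.g. address-book access in the log
    return det


if __name__ == "__main__":
    det = build_demo()
    before = det.hash_calls
    for name, (verdict, path) in det.full_scan().items():
        print(f"{name:8} {verdict.value:26} {path}")
    print("hashes computed during full scan:", det.hash_calls - before)
```

The `hash_calls` counter makes the claimed saving visible: it rises only in `on_install_or_update` and stays constant across `full_scan`, however many applications are in the library.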
The embodiment of the present invention additionally provides a kind of pick-up unit, is applied to electronic equipment, and see Fig. 3, described device comprises:
Receiving element 301, for receiving sense command;
Reading unit 302, for reading at least one the First Eigenvalue according to described sense command from fisrt feature storehouse, reads at least one Second Eigenvalue from second feature storehouse;
A comparison unit 303, configured to compare each first feature value in turn with all second feature values in the second feature library, and to detect whether a matching first feature value and second feature value exist, obtaining a detection result;
An output unit 304, configured to output the detection result when the detection result indicates that a match exists;
Wherein the first feature library is an application feature library and the first feature value is an application feature value, and the second feature library is a malicious application feature library and the second feature value is a malicious application feature value; or the first feature library is a malicious application feature library and the first feature value is a malicious application feature value, and the second feature library is an application feature library and the second feature value is an application feature value.
The device shown in Fig. 3 may further comprise:
A computing unit (not shown), configured to calculate, before the detection command is received and when the electronic device installs or updates a first application, the feature value of the installed or updated application;
A storage unit (not shown), configured to store the calculated feature value in the first feature library as a first feature value; wherein the first feature library is the application feature library.
The device shown in Fig. 3 may further comprise:
A trigger unit (not shown), configured to trigger the detection command when the electronic device installs or updates the first application and after the feature value has been calculated for the installed or updated application;
The comparison unit is further configured to compare the feature value calculated for the installed or updated first application with all second feature values in the second feature library and detect whether it matches, obtaining a detection result; wherein the second feature library is the malicious application feature library and the second feature value is a malicious application feature value;
The output unit is further configured to output the detection result when the detection result indicates that a match exists.
Each application feature value above comprises a feature value of the developer signing certificate and/or a feature value of the application program itself; each malicious application feature value above comprises a malicious application feature value of a developer signing certificate and/or a malicious application feature value of an application program itself.
With the device provided by the embodiment of the present invention, a full virus scan directly compares the values already stored in the feature libraries, without calculating a feature value for each application one by one, which greatly increases detection speed, saves CPU resources and therefore also saves energy.
An embodiment of the present invention further provides an electronic device. Referring to Fig. 4, the electronic device comprises:
A storage unit 401, configured to store the first feature library and the second feature library;
A processing unit 402, configured to receive a detection command; read, according to the detection command, at least one first feature value from the first feature library and at least one second feature value from the second feature library; compare each first feature value in turn with all second feature values in the second feature library and detect whether a matching first feature value and second feature value exist, obtaining a detection result; and output the detection result when the detection result indicates that a match exists;
Wherein the first feature library is an application feature library and the first feature value is an application feature value, and the second feature library is a malicious application feature library and the second feature value is a malicious application feature value; or the first feature library is a malicious application feature library and the first feature value is a malicious application feature value, and the second feature library is an application feature library and the second feature value is an application feature value.
The processing unit 402 is further configured to calculate, before the detection command is received and when a first application is installed or updated, the feature value of the installed or updated application, and to store the calculated feature value in the first feature library as a first feature value; wherein the first feature library is the application feature library.
The processing unit 402 is further configured to trigger the detection command when the first application is installed and after the feature value has been calculated for the installed or updated application; to compare the feature value calculated for the installed or updated first application with all second feature values in the second feature library and detect whether it matches, obtaining a detection result, wherein the second feature library is the malicious application feature library and the second feature value is a malicious application feature value; and to output the detection result when the detection result indicates that a match exists.
With the electronic device provided by the embodiment of the present invention, a full virus scan directly compares the values already stored in the feature libraries, without calculating a feature value for each application one by one, which greatly increases detection speed, saves CPU resources and therefore also saves energy.
Because the device and electronic device embodiments are substantially similar to the method embodiment, they are described relatively briefly; for the relevant details, see the corresponding parts of the method embodiment.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises the element.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within the scope of protection of the present invention.
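The flow described above, with the risk classes set out in claims 5 to 8, as an added Python example that is not part of the patent: feature values are calculated once at install or update time, and a later full scan only compares stored values. Assumptions: SHA-256 stands in for the feature-value function, which the patent does not name; the order in which the high-risk and low-risk rules are checked is chosen here; all class, function and application names are hypothetical and the sample data is constructed.

```python
import hashlib
from dataclasses import dataclass, field


def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Detector:
    malicious_apps: set     # malicious feature values of application programs
    malicious_certs: set    # malicious feature values of developer signing certificates
    system_cert: str        # feature value of the system default signing certificate
    incident_apps: set = field(default_factory=set)  # apps that have caused a security incident
    app_library: dict = field(default_factory=dict)  # name -> (app value, cert value)
    hash_calls: int = 0     # how many feature values this detector has calculated

    def feature_value(self, data: bytes) -> str:
        # Assumption: SHA-256; the patent leaves the function unspecified.
        self.hash_calls += 1
        return sha(data)

    def classify(self, name: str):
        app_fv, cert_fv = self.app_library[name]
        if app_fv in self.malicious_apps:
            return "malicious"                 # claim 5
        if cert_fv in self.malicious_certs:
            # Assumed precedence: incident history first, then system default cert.
            if name in self.incident_apps:
                return "high-risk"             # claim 7
            if cert_fv == self.system_cert:
                return "low-risk"              # claim 8
            return "risk"                      # claim 6
        return None

    def on_install_or_update(self, name: str, app_bytes: bytes, cert_bytes: bytes):
        # Calculate and store the feature values, then trigger detection at once.
        self.app_library[name] = (self.feature_value(app_bytes),
                                  self.feature_value(cert_bytes))
        return self.classify(name)

    def full_scan(self) -> dict:
        # Detection command: compare stored values only, nothing is recalculated.
        verdicts = {name: self.classify(name) for name in self.app_library}
        return {name: v for name, v in verdicts.items() if v is not None}


def demo():
    # Constructed sample data: byte strings stand in for packages and certificates.
    det = Detector(
        malicious_apps={sha(b"trojan-apk")},
        malicious_certs={sha(b"bad-dev-cert"), sha(b"system-default-cert")},
        system_cert=sha(b"system-default-cert"),
        incident_apps={"leaky"},
    )
    installs = [
        ("notes", b"notes-apk", b"good-dev-cert"),
        ("trojan", b"trojan-apk", b"other-cert"),
        ("game", b"game-apk", b"bad-dev-cert"),
        ("leaky", b"leaky-apk", b"bad-dev-cert"),
        ("tool", b"tool-apk", b"system-default-cert"),
        ("late", b"late-apk", b"late-cert"),
    ]
    at_install = {n: det.on_install_or_update(n, a, c) for n, a, c in installs}
    calls_before = det.hash_calls
    det.malicious_apps.add(sha(b"late-apk"))   # malicious library updated after install
    scan = det.full_scan()
    return at_install, scan, det.hash_calls - calls_before
```

The third value returned by `demo()` is the number of feature values calculated during the full scan; it stays at zero even though the scan flags an application that only became known as malicious after it was installed.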

Claims (15)

1. A detection method, applied to an electronic device, characterized in that the method comprises:
Receiving a detection command;
Reading, according to the detection command, at least one first feature value from a first feature library and at least one second feature value from a second feature library;
Comparing each first feature value in turn with all second feature values in the second feature library, and detecting whether a matching first feature value and second feature value exist, obtaining a detection result;
Outputting the detection result when the detection result indicates that a match exists;
Wherein the first feature library is an application feature library and the first feature value is an application feature value, and the second feature library is a malicious application feature library and the second feature value is a malicious application feature value; or the first feature library is a malicious application feature library and the first feature value is a malicious application feature value, and the second feature library is an application feature library and the second feature value is an application feature value.
2. The method according to claim 1, characterized in that, before the detection command is received, the method further comprises:
Calculating, when the electronic device installs or updates a first application, the feature value of the installed or updated application;
Storing the calculated feature value in the first feature library as a first feature value; wherein the first feature library is the application feature library.
3. The method according to claim 2, characterized in that, when the electronic device installs or updates the first application, and after the feature value has been calculated for the installed or updated application, the method further comprises:
Triggering the detection command, and comparing the feature value calculated for the installed or updated first application with all second feature values in the second feature library to detect whether it matches, obtaining a detection result; wherein the second feature library is the malicious application feature library and the second feature value is a malicious application feature value;
Outputting the detection result when the detection result indicates that a match exists.
4. The method according to claim 1, characterized in that,
Each application feature value comprises a feature value of the developer signing certificate and/or a feature value of the application program itself;
The malicious application feature value comprises a malicious application feature value of a developer signing certificate and/or a malicious application feature value of an application program itself.
5. The method according to claim 4, characterized in that,
When the feature value of the application program itself matches a malicious application feature value of an application program itself, the application corresponding to the feature value of the application program itself is confirmed to be a malicious application.
6. The method according to claim 4, characterized in that, when the feature value of the developer signing certificate matches a malicious application feature value of a developer signing certificate, the application corresponding to the feature value of the developer signing certificate is confirmed to be a first-class application, the first-class application being a risky application.
7. The method according to claim 6, characterized in that, when the feature value of the developer signing certificate matches a malicious application feature value of a developer signing certificate, and the application corresponding to the feature value of the developer signing certificate has caused a security incident, the application corresponding to the feature value of the developer signing certificate is confirmed to be a second-class application, the second-class application being a high-risk application.
8. The method according to claim 6, characterized in that, when the feature value of the developer signing certificate matches a malicious application feature value of a developer signing certificate, if the feature value of the developer signing certificate is identical to the feature value of the system default signing certificate, the application corresponding to the feature value of the developer signing certificate is a third-class application, the third-class application being a low-risk application.
9. A detection device, applied to an electronic device, characterized in that the device comprises:
A receiving unit, configured to receive a detection command;
A reading unit, configured to read, according to the detection command, at least one first feature value from a first feature library and at least one second feature value from a second feature library;
A comparison unit, configured to compare each first feature value in turn with all second feature values in the second feature library, and to detect whether a matching first feature value and second feature value exist, obtaining a detection result;
An output unit, configured to output the detection result when the detection result indicates that a match exists;
Wherein the first feature library is an application feature library and the first feature value is an application feature value, and the second feature library is a malicious application feature library and the second feature value is a malicious application feature value; or the first feature library is a malicious application feature library and the first feature value is a malicious application feature value, and the second feature library is an application feature library and the second feature value is an application feature value.
10. The device according to claim 9, characterized in that the device further comprises:
A computing unit, configured to calculate, before the detection command is received and when the electronic device installs or updates a first application, the feature value of the installed or updated application;
A storage unit, configured to store the calculated feature value in the first feature library as a first feature value; wherein the first feature library is the application feature library.
11. The device according to claim 10, characterized in that the device further comprises:
A trigger unit, configured to trigger the detection command when the electronic device installs or updates the first application and after the feature value has been calculated for the installed or updated application;
The comparison unit is further configured to compare the feature value calculated for the installed or updated first application with all second feature values in the second feature library and detect whether it matches, obtaining a detection result; wherein the second feature library is the malicious application feature library and the second feature value is a malicious application feature value;
The output unit is further configured to output the detection result when the detection result indicates that a match exists.
12. The device according to claim 9, characterized in that,
Each application feature value comprises a feature value of the developer signing certificate and/or a feature value of the application program itself;
The malicious application feature value comprises a malicious application feature value of a developer signing certificate and/or a malicious application feature value of an application program itself.
13. An electronic device, characterized in that the electronic device comprises:
A storage unit, configured to store a first feature library and a second feature library;
A processing unit, configured to receive a detection command; read, according to the detection command, at least one first feature value from the first feature library and at least one second feature value from the second feature library; compare each first feature value in turn with all second feature values in the second feature library and detect whether a matching first feature value and second feature value exist, obtaining a detection result; and output the detection result when the detection result indicates that a match exists;
Wherein the first feature library is an application feature library and the first feature value is an application feature value, and the second feature library is a malicious application feature library and the second feature value is a malicious application feature value; or the first feature library is a malicious application feature library and the first feature value is a malicious application feature value, and the second feature library is an application feature library and the second feature value is an application feature value.
14. The electronic device according to claim 13, characterized in that,
The processing unit is further configured to calculate, before the detection command is received and when a first application is installed or updated, the feature value of the installed or updated application, and to store the calculated feature value in the first feature library as a first feature value; wherein the first feature library is the application feature library.
15. The electronic device according to claim 13, characterized in that,
The processing unit is further configured to trigger the detection command when the first application is installed and after the feature value has been calculated for the installed or updated application; to compare the feature value calculated for the installed or updated first application with all second feature values in the second feature library and detect whether it matches, obtaining a detection result, wherein the second feature library is the malicious application feature library and the second feature value is a malicious application feature value; and to output the detection result when the detection result indicates that a match exists.
CN201110294346.3A 2011-09-29 2011-09-29 Detection method, device and electronic equipment Active CN103034810B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110294346.3A CN103034810B (en) 2011-09-29 2011-09-29 Detection method, device and electronic equipment

Publications (2)

Publication Number Publication Date
CN103034810A CN103034810A (en) 2013-04-10
CN103034810B true CN103034810B (en) 2016-04-27

Family

ID=48021696

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110294346.3A Active CN103034810B (en) Detection method, device and electronic equipment 2011-09-29 2011-09-29

Country Status (1)

Country Link
CN (1) CN103034810B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant