CN103177214B - Malware detection method, system and communication terminal - Google Patents

Info

Publication number: CN103177214B
Authority: CN (China)
Legal status: Expired - Fee Related
Application number: CN201110439584.9A
Other languages: Chinese (zh)
Other versions: CN103177214A (en)
Inventor: 李炜
Current Assignee: Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Original Assignee: Yulong Computer Telecommunication Scientific Shenzhen Co Ltd

Abstract

The present invention relates to the field of communication technology and provides a malware detection method, system and communication terminal. The detection method comprises the steps of: calculating a theoretical danger value of the software under test after detection of the software under test is triggered; obtaining a user evaluation value of the software under test; and generating detection result information according to the theoretical danger value and the user evaluation value of the software under test. The malware detection result of the invention is thereby more comprehensive and more accurate, so that damage to the communication terminal by malware can be avoided more effectively.

Description

Malware detection method, system and communication terminal
Technical field
The present invention relates to the field of communication technology, and in particular to a malware detection method, system and communication terminal.
Background
In the prior art, a pre-built automatic detection model is used to detect software under test, in an effort to prevent malware from adversely affecting the communication terminal. In actual detection, however, the behavior of much malware is well hidden and the detection capability of current automatic detection models is limited: they cannot objectively detect these hidden malicious behaviors from every angle, still less the malicious behavior of unknown malware, and therefore cannot truly prevent malware from damaging the communication terminal.
In summary, existing malware detection technology clearly has inconveniences and defects in actual use, and needs to be improved.
Summary of the invention
In view of the above defects, the object of the present invention is to provide a malware detection method, system and communication terminal whose detection result is more comprehensive and more accurate, so that damage to the communication terminal by malware can be avoided more effectively.
To achieve this object, the invention provides a malware detection method comprising the following steps:
Calculating a theoretical danger value of the software under test after detection of the software under test is triggered;
Obtaining a user evaluation value of the software under test;
Generating detection result information according to the theoretical danger value and the user evaluation value of the software under test.
According to the detection method of the invention, the step of calculating the theoretical danger value of the software under test comprises:
The communication terminal extracts behavioral features of the software under test to generate a feature array;
The feature array of the software under test is uploaded to a server;
The server analyzes the feature array of the software under test with an automatic detection model and calculates the theoretical danger value of the software under test.
According to the detection method of the invention, the step of obtaining the user evaluation value of the software under test comprises:
The server analyzes the feature array of the software under test against the feature arrays of known software, and determines from the known software a similar software of the software under test and its similarity;
The user evaluation value of the similar software is obtained;
The user evaluation value of the software under test is calculated from the user evaluation value of the similar software and the similarity.
According to the detection method of the invention, the step of calculating the theoretical danger value of the software under test comprises:
The communication terminal calculates the theoretical danger value of the software under test with an automatic detection model and uploads it to the server;
The step of obtaining the user evaluation value of the software under test comprises:
The server obtains the user evaluation value of the software under test;
The step of generating detection result information according to the theoretical danger value and the user evaluation value of the software under test comprises:
The server generates detection result information according to the theoretical danger value and the user evaluation value of the software under test and feeds it back to the communication terminal.
According to the detection method of the invention, the step of calculating the theoretical danger value of the software under test comprises:
The communication terminal calculates the theoretical danger value of the software under test with an automatic detection model;
The step of obtaining the user evaluation value of the software under test comprises:
The communication terminal obtains the user evaluation value of the software under test from the server;
The step of generating detection result information according to the theoretical danger value and the user evaluation value of the software under test comprises:
The communication terminal generates detection result information according to the theoretical danger value and the user evaluation value of the software under test.
The invention also provides a malware detection system, comprising:
A first danger value calculation module, for calculating the theoretical danger value of the software under test after detection of the software under test is triggered;
A first evaluation value acquisition module, for obtaining the user evaluation value of the software under test;
A first detection result generation module, for generating detection result information according to the theoretical danger value and the user evaluation value of the software under test.
According to the detection system of the invention, the detection system comprises a communication terminal and a server, and the first danger value calculation module, the first evaluation value acquisition module and the first detection result generation module are located in the server;
The communication terminal further comprises:
A feature extraction module, for extracting behavioral features of the software under test to generate a feature array;
A feature upload module, for uploading the feature array of the software under test to the server;
The first danger value calculation module of the server analyzes the feature array of the software under test with an automatic detection model and calculates the theoretical danger value of the software under test.
According to the detection system of the invention, the first evaluation value acquisition module of the server further comprises:
An analysis submodule, for analyzing the feature array of the software under test against the feature arrays of known software, and determining from the known software a similar software of the software under test and its similarity;
An obtaining submodule, for obtaining the user evaluation value of the similar software;
A calculation submodule, for calculating the user evaluation value of the software under test from the user evaluation value of the similar software and the similarity.
According to the detection system of the invention, the detection system comprises a communication terminal and a server, the first danger value calculation module is located in the communication terminal, and the first evaluation value acquisition module and the first detection result generation module are located in the server;
The first danger value calculation module of the communication terminal is used to calculate the theoretical danger value of the software under test with an automatic detection model and upload it to the server;
The first evaluation value acquisition module of the server is used to obtain the user evaluation value of the software under test;
The first detection result generation module of the server is used to generate detection result information according to the theoretical danger value and the user evaluation value of the software under test and feed it back to the communication terminal.
The invention also provides a communication terminal, comprising:
A second danger value calculation module, for calculating the theoretical danger value of the software under test with an automatic detection model after detection of the software under test is triggered;
A second evaluation value acquisition module, for obtaining the user evaluation value of the software under test from a server;
A second detection result generation module, for generating detection result information according to the theoretical danger value and the user evaluation value of the software under test.
After detection of the software under test is triggered, the invention obtains the theoretical danger value and the user evaluation value of the software under test separately. The theoretical danger value can be obtained by analysis with an automatic detection model; the user evaluation value can be provided by users on the basis of their experience of use and stored in the server. A detection result is then generated from the theoretical danger value and the user evaluation value, and the user decides on the basis of this detection result whether to install or use the software under test. Because the detection result combines the objective theoretical danger value with the subjective user evaluation value, it is more comprehensive and more accurate, and even hidden malicious behavior can be detected, so damage to the communication terminal by malware can be avoided more effectively. More preferably, the communication terminal extracts the behavioral features of the software under test, generates a feature array and uploads it to the server. The server on the one hand calculates the theoretical danger value of the software under test from the feature array; on the other hand it analyzes the feature arrays of the software under test and of known software to determine a similar software and the similarity, and calculates the user evaluation value of the software under test from the user evaluation value of the similar software and the similarity. The detection result is finally derived from the theoretical danger value and the user evaluation value. This allows the harmfulness of unknown software under test to be detected in advance, and because the user does not need to upload the software under test itself to the server, a large amount of traffic is saved.
Brief description of the drawings
Fig. 1 is a structural diagram of the malware detection system of the invention;
Fig. 2 is a structural diagram of the malware detection system in the first embodiment of the invention;
Fig. 3 is a structural diagram of the malware detection system in the second embodiment of the invention;
Fig. 4 is a structural diagram of the communication terminal in the third embodiment of the invention;
Fig. 5 is a flowchart of the malware detection method of the invention;
Fig. 6 is a flowchart of the malware detection method in the first embodiment of the invention;
Fig. 7 is a flowchart of the malware detection method in the second embodiment of the invention; and
Fig. 8 is a flowchart of the malware detection method in the third embodiment of the invention.
Detailed description
To make the object, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
Fig. 1 shows the structure of the malware detection system of the invention. The malware detection system 100 comprises at least a first danger value calculation module 10, a first evaluation value acquisition module 20 and a first detection result generation module 30, wherein:
First danger value calculation module 10 is used to calculate the theoretical danger value of the software under test after detection of the software under test is triggered. The theoretical danger value is preferably calculated with an automatic detection model, although it can of course be calculated by other known schemes. First danger value calculation module 10 may be located in the communication terminal or in the server; because calculating the theoretical danger value requires a large amount of computation, it is preferably implemented in the server, and the server is preferably a cloud server. Detection of the software under test can be triggered in many ways: for example, the system triggers detection automatically when the communication terminal first installs or runs the software under test after downloading it; or the system adds a new test option, which is shown for the user to select when the user is about to install or run the software under test, and detection is triggered when the user clicks the test option.
First evaluation value acquisition module 20 is used to obtain the user evaluation value of the software under test. First evaluation value acquisition module 20 may be located in the communication terminal or in the server.
First detection result generation module 30 is used to generate detection result information, for the user's reference, according to the theoretical danger value and the user evaluation value of the software under test. First detection result generation module 30 may be located in the communication terminal or in the server.
The detection result that the invention obtains by combining the theoretical danger value and the user evaluation value is more comprehensive and more accurate. The user can learn more accurately both the theoretical harmfulness of the software under test and other users' evaluation of it, so that even hidden malicious behavior can be detected; damage to the communication terminal by malware is therefore avoided more effectively, and normal software is also prevented from being wrongly flagged.
Fig. 2 is a structural diagram of the malware detection system in the first embodiment of the invention. The malware detection system comprises a communication terminal 50 and a server 60, wherein:
Communication terminal 50 is provided with a feature extraction module 51 and a feature upload module 52:
Feature extraction module 51 is used to extract behavioral features of the software under test to generate a feature array. Specifically, communication terminal 50 can use a local behavioral feature extraction tool to extract the behavioral features of the software under test into a feature array; the data volume of this feature array is small, which makes it easy to upload to server 60. The behavioral features include, but are not limited to, the permissions of the software under test, the kernel functions it accesses and the application functions it accesses. Behavioral features can be extracted with a static API (Application Programming Interface) extraction method, or APIs can be extracted dynamically with techniques such as hooking, extracting the relevant functions of the software under test in order to analyze its behavioral features.
Feature upload module 52 is used to upload the feature array of the software under test to server 60.
Server 60 is provided with a first danger value calculation module 61, a first evaluation value acquisition module 62 and a first detection result generation module 63:
First danger value calculation module 61 is used to analyze the feature array of the software under test with an automatic detection model and calculate the theoretical danger value of the software under test.
First evaluation value acquisition module 62 is used to obtain the user evaluation value of the software under test.
First detection result generation module 63 is used to generate detection result information according to the theoretical danger value and the user evaluation value of the software under test, and can feed the detection result information back to communication terminal 50. Communication terminal 50 then displays the detection result information for the user's reference, and the user decides accordingly whether to continue installing or running the software under test, or to delete it directly.
Preferably, first detection result generation module 63 compares the theoretical danger value and the user evaluation value of the software under test with a pre-stored theoretical danger threshold and a pre-stored user evaluation threshold respectively; if the theoretical danger value or the user evaluation value of the software under test is greater than its corresponding threshold, it generates malware information and feeds it back to communication terminal 50, that is, it gives a clearly negative prompt advising the user not to install or run the software. Alternatively, first detection result generation module 63 multiplies the theoretical danger value and the user evaluation value of the software under test by their respective weights and adds the products to obtain a combined value, and compares the combined value with a pre-stored combined threshold; if the combined value is greater than the pre-stored combined threshold, it generates malware information and feeds it back to communication terminal 50, that is, it gives a clearly negative prompt advising the user not to install or run the software.
More preferably, first evaluation value acquisition module 62 of server 60 further comprises:
Analysis submodule 621, for analyzing the feature array of the software under test against the feature arrays of known software, and determining from the known software a similar software of the software under test and its similarity. Known software means existing software that server 60 has stored or registered; server 60 can obtain the feature arrays of the known software in advance or in real time. Because the software under test may be unknown software, it is compared for similarity with the known software, and the similar software obtained serves as the basis for evaluation.
Obtaining submodule 622, for obtaining the user evaluation value of the similar software. Because server 60 stores the user evaluations that users have given to existing software on the basis of their own use, obtaining submodule 622 can collect the user evaluations of the similar software and derive an overall user evaluation value from them.
Calculation submodule 623, for calculating the user evaluation value of the software under test from the user evaluation value of the similar software and the similarity. The specific algorithm for the user evaluation value is not limited. For example, if the user evaluation value of the similar software is 0.8 and the similarity between the software under test and the similar software is 0.9, then the user evaluation value of the software under test is the product of the user evaluation value of the similar software and the similarity, which is 0.72.
Because in this embodiment communication terminal 50 only needs to extract the feature array of the software under test and upload it to server 60 for analysis, and the software under test itself does not need to be uploaded to server 60, a large amount of traffic is saved. In addition, because server 60 calculates the user evaluation value of the software under test from its similarity to known software, the harmfulness of unknown software under test can be detected effectively, preventing malicious damage.
Fig. 3 is a structural diagram of the malware detection system in the second embodiment of the invention. The malware detection system comprises a communication terminal 70 and a server 80, wherein:
Communication terminal 70 is provided with a first danger value calculation module 71, which is used to calculate the theoretical danger value of the software under test with an automatic detection model and upload it to server 80.
Server 80 is preferably a cloud server and is provided with a first evaluation value acquisition module 81 and a first detection result generation module 82:
First evaluation value acquisition module 81 is used to obtain the user evaluation value of the software under test;
First detection result generation module 82 is used to generate detection result information according to the theoretical danger value and the user evaluation value of the software under test, and to feed the detection result information back to communication terminal 70.
Fig. 4 is a structural diagram of the communication terminal in the third embodiment of the invention. Communication terminal 200 may be a mobile phone, a PDA (Personal Digital Assistant), a tablet computer or the like, and comprises at least a second danger value calculation module 210, a second evaluation value acquisition module 220 and a second detection result generation module 230, wherein:
Second danger value calculation module 210 is used to calculate the theoretical danger value of the software under test with an automatic detection model after detection of the software under test is triggered.
Second evaluation value acquisition module 220 is used to obtain the user evaluation value of the software under test from server 300.
Second detection result generation module 230 is used to generate detection result information according to the theoretical danger value and the user evaluation value of the software under test, and can display the detection result information for the user's reference.
Fig. 5 shows the flow of the malware detection method of the invention. The detection method is implemented by the malware detection system or communication terminal shown in Fig. 1, Fig. 2, Fig. 3 or Fig. 4, and comprises the following steps:
Step S501: after detection of the software under test is triggered, the theoretical danger value of the software under test is calculated.
Step S502: the user evaluation value of the software under test is obtained.
Step S503: detection result information is generated according to the theoretical danger value and the user evaluation value of the software under test.
Fig. 6 is a flowchart of the malware detection method in the first embodiment of the invention. The detection method is implemented by the malware detection system shown in Fig. 2, and comprises the following steps:
Step S601: after detection of the software under test is triggered, communication terminal 50 extracts the behavioral features of the software under test to generate a feature array. This step can be implemented by feature extraction module 51 of communication terminal 50.
Step S602: communication terminal 50 uploads the feature array of the software under test to server 60. This step can be implemented by feature upload module 52 of communication terminal 50.
Step S603: server 60 analyzes the feature array of the software under test with an automatic detection model and calculates the theoretical danger value of the software under test. This step can be implemented by first danger value calculation module 61 of server 60.
Step S604: server 60 analyzes the feature array of the software under test against the feature arrays of known software, and determines from the known software a similar software of the software under test and its similarity. This step can be implemented by analysis submodule 621 of first evaluation value acquisition module 62 of server 60.
Step S605: the user evaluation value of the similar software is obtained. This step can be implemented by obtaining submodule 622 of first evaluation value acquisition module 62 of server 60.
Step S606: the user evaluation value of the software under test is calculated from the user evaluation value of the similar software and the similarity. This step can be implemented by calculation submodule 623 of first evaluation value acquisition module 62 of server 60.
Step S607: server 60 generates detection result information according to the theoretical danger value and the user evaluation value of the software under test. This step can be implemented by first detection result generation module 63 of server 60.
Step S608: server 60 feeds the detection result information back to communication terminal 50. Communication terminal 50 displays the detection result information for the user's reference, and the user can weigh the detection result information to decide whether to install, run or delete the software. If the user chooses to delete it, the user can provide a user evaluation value for the software under test, which is uploaded to server 60. If the user chooses to install or run it, the user can also feed back a user evaluation value for the software under test to server 60 during use.
Fig. 7 is a flowchart of the malware detection method in the second embodiment of the invention. The detection method is implemented by the malware detection system shown in Fig. 3, and comprises the following steps:
Step S701: communication terminal 70 calculates the theoretical danger value of the software under test with an automatic detection model and uploads the theoretical danger value to server 80. This step can be implemented by first danger value calculation module 71 of communication terminal 70.
Step S702: server 80 obtains the user evaluation value of the software under test. This step can be implemented by first evaluation value acquisition module 81 of server 80.
Step S703: server 80 generates detection result information according to the theoretical danger value and the user evaluation value of the software under test. This step can be implemented by first detection result generation module 82. Many algorithms can be used to generate the detection result information. Preferably, first detection result generation module 82 compares the theoretical danger value and the user evaluation value of the software under test with a pre-stored theoretical danger threshold and a pre-stored user evaluation threshold respectively; if the theoretical danger value or the user evaluation value of the software under test is greater than its corresponding threshold, it generates malware information and feeds it back to communication terminal 50, that is, it gives a clearly negative prompt advising the user not to install or run the software. Alternatively, first detection result generation module 82 multiplies the theoretical danger value and the user evaluation value of the software under test by their respective weights and adds the products to obtain a combined value, and compares the combined value with a pre-stored combined threshold; if the combined value is greater than the pre-stored combined threshold, it generates malware information and feeds it back to communication terminal 50, that is, it gives a clearly negative prompt advising the user not to install or run the software.
Step S704: server 80 feeds the detection result information back to communication terminal 70.
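The server-side scoring described for the first and second embodiments, as an added example that is not code from the patent: the user evaluation value derived from the most similar known software (steps S604 to S606) and both verdict rules of modules 63 and 82 (per-value thresholds, weighted sum). The Jaccard similarity metric, the stand-in detection model, the feature names, the thresholds and weights, the minimum-similarity floor and the fallback to the theoretical value alone are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the automatic detection model: a risk weight per
# behavioral feature. The page does not specify the model.
RISK_WEIGHTS = {"perm:send_sms": 0.35, "kfunc:load_module": 0.5}

# Constructed server store: known software -> (feature array, user evaluation
# value). Higher = judged more harmful, the direction implied by the page's
# "greater than the threshold" rule.
SMS_APP = {"perm:send_sms", "perm:read_contacts", "perm:internet",
           "perm:receive_sms", "appfunc:send_text", "appfunc:device_id",
           "appfunc:open_url", "appfunc:query_contacts",
           "appfunc:abort_broadcast", "kfunc:exec"}
KNOWN = {"known_sms_app": (SMS_APP, 0.8),
         "known_torch": ({"perm:camera", "appfunc:set_torch"}, 0.1)}

T_THEORY, T_USER = 0.6, 0.5                     # constructed thresholds
W_THEORY, W_USER, T_COMBINED = 0.5, 0.5, 0.5    # constructed weights/threshold
MIN_SIMILARITY = 0.3    # assumption: below this there is no usable match


@dataclass
class Result:
    theory: float
    similar: Optional[str]
    similarity: float
    user: Optional[float]
    malware_by_threshold: bool
    malware_by_weighted: bool


def theoretical_danger(features):
    """Stand-in model: sum of known risk weights, capped at 1.0."""
    return min(1.0, sum(RISK_WEIGHTS.get(f, 0.0) for f in features))


def jaccard(a, b):
    """Similarity of two feature arrays (assumed metric; the page names none)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def most_similar(features, known):
    """Return (name, similarity) of the closest known software, or (None, 0.0)."""
    best = max(known, key=lambda n: jaccard(features, known[n][0]), default=None)
    if best is None:
        return None, 0.0
    return best, jaccard(features, known[best][0])


def derived_user_value(features, known):
    """User evaluation value = similar software's value x similarity."""
    name, sim = most_similar(features, known)
    if name is None or sim < MIN_SIMILARITY:
        # A weak match would multiply down to a small, benign-looking value,
        # so report "no user evidence" instead of a misleading low score.
        return None, sim, None
    return name, sim, known[name][1] * sim


def detect(features, known=KNOWN):
    """Combine both values with the two verdict rules described in the text."""
    theory = theoretical_danger(features)
    name, sim, user = derived_user_value(features, known)
    if user is None:
        # Assumption: with no user evidence, judge on the theoretical value.
        by_threshold = theory > T_THEORY
        by_weighted = theory > T_COMBINED
    else:
        by_threshold = theory > T_THEORY or user > T_USER
        by_weighted = W_THEORY * theory + W_USER * user > T_COMBINED
    return Result(theory, name, sim, user, by_threshold, by_weighted)


# Constructed sample: shares 9 of the 10 features of known_sms_app, so the
# similarity is 0.9 and the derived user evaluation value is 0.8 x 0.9 = 0.72.
SAMPLE = SMS_APP - {"kfunc:exec"}

if __name__ == "__main__":
    print(detect(SAMPLE))             # model scores low, user evidence flags it
    print(detect({"perm:vibrate"}))   # no similar known software
```

The sample reproduces the page's 0.8 x 0.9 = 0.72 figure: the stand-in model alone scores it below its threshold, and the similarity-derived user evaluation value is what pushes both verdict rules over.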
Fig. 8 is a flowchart of the malware detection method in the third embodiment of the invention. The detection method can be implemented by communication terminal 200 shown in Fig. 4, and comprises the following steps:
Step S801: after detection of the software under test is triggered, communication terminal 200 calculates the theoretical danger value of the software under test with an automatic detection model. This step can be implemented by second danger value calculation module 210.
Step S802: communication terminal 200 obtains the user evaluation value of the software under test from server 300. This step can be implemented by second evaluation value acquisition module 220.
Step S803: communication terminal 200 generates detection result information according to the theoretical danger value and the user evaluation value of the software under test. This step can be implemented by second detection result generation module 230.
In summary, after detection of the software under test is triggered, the invention obtains the theoretical danger value and the user evaluation value of the software under test separately. The theoretical danger value can be obtained by analysis with an automatic detection model; the user evaluation value can be provided by users on the basis of their experience of use and stored in the server. A detection result is then generated from the theoretical danger value and the user evaluation value, and the user decides on the basis of this detection result whether to install or use the software under test. Because the detection result combines the objective theoretical danger value with the subjective user evaluation value, it is more comprehensive and more accurate, and even hidden malicious behavior can be detected, so damage to the communication terminal by malware can be avoided more effectively. More preferably, the communication terminal extracts the behavioral features of the software under test, generates a feature array and uploads it to the server. The server on the one hand calculates the theoretical danger value of the software under test from the feature array; on the other hand it analyzes the feature arrays of the software under test and of known software to determine a similar software and the similarity, and calculates the user evaluation value of the software under test from the user evaluation value of the similar software and the similarity. The detection result is finally derived from the theoretical danger value and the user evaluation value. This allows the harmfulness of unknown software under test to be detected in advance, and because the user does not need to upload the software under test itself to the server, a large amount of traffic is saved.
Of course, the invention can also have various other embodiments. Without departing from the spirit and essence of the invention, those of ordinary skill in the art can make various corresponding changes and modifications according to the invention, but all such changes and modifications shall fall within the scope of protection of the claims appended to the invention.

Claims (4)

1. A method for detecting malware, characterized in that it comprises the following steps:
Calculating the theoretical danger value of the software under test after detection of the software under test is triggered;
Obtaining the user evaluation value of the software under test;
Generating detection result information according to the theoretical danger value and the user evaluation value of the software under test;
The step of calculating the theoretical danger value of the software under test comprises:
A communication terminal extracts behavioural features of the software under test to generate a feature array;
The feature array of the software under test is uploaded to a server;
The server analyzes the feature array of the software under test by means of an automatic detection model and calculates the theoretical danger value of the software under test; or
The step of calculating the theoretical danger value of the software under test comprises:
The communication terminal calculates the theoretical danger value of the software under test by means of an automatic detection model and uploads it to the server;
The step of obtaining the user evaluation value of the software under test comprises:
The server obtains the user evaluation value of the software under test;
The step of generating detection result information according to the theoretical danger value and the user evaluation value of the software under test comprises:
The server generates detection result information according to the theoretical danger value and the user evaluation value of the software under test and feeds it back to the communication terminal; or
The step of calculating the theoretical danger value of the software under test comprises:
The communication terminal calculates the theoretical danger value of the software under test by means of an automatic detection model;
The step of obtaining the user evaluation value of the software under test comprises:
The communication terminal obtains the user evaluation value of the software under test from the server;
The step of generating detection result information according to the theoretical danger value and the user evaluation value of the software under test comprises:
The communication terminal generates detection result information according to the theoretical danger value and the user evaluation value of the software under test.
2. The detection method according to claim 1, characterized in that the step of obtaining the user evaluation value of the software under test comprises:
The server analyzes the feature array of the software under test against the feature arrays of known software, and derives from the known software the software similar to the software under test and the similarity;
Obtaining the user evaluation value of the similar software;
Calculating the user evaluation value of the software under test according to the user evaluation value of the similar software and the similarity.
3. A system for detecting malware, characterized in that it comprises:
A first danger value calculation module, for calculating the theoretical danger value of the software under test after detection of the software under test is triggered;
A first evaluation value acquisition module, for obtaining the user evaluation value of the software under test;
A first detection result generation module, for generating detection result information according to the theoretical danger value and the user evaluation value of the software under test;
The detection system comprises a communication terminal and a server, and the first danger value calculation module, the first evaluation value acquisition module and the first detection result generation module are located in the server;
The communication terminal further comprises:
A feature extraction module, for extracting behavioural features of the software under test to generate a feature array;
A feature upload module, for uploading the feature array of the software under test to the server;
The first danger value calculation module of the server analyzes the feature array of the software under test by means of an automatic detection model and calculates the theoretical danger value of the software under test; or
The detection system comprises a communication terminal and a server, the first danger value calculation module is located in the communication terminal, and the first evaluation value acquisition module and the first detection result generation module are located in the server;
The first danger value calculation module of the communication terminal is used to calculate the theoretical danger value of the software under test by means of an automatic detection model and upload it to the server;
The first evaluation value acquisition module of the server is used to obtain the user evaluation value of the software under test;
The first detection result generation module of the server is used to generate detection result information according to the theoretical danger value and the user evaluation value of the software under test and feed it back to the communication terminal; or
The detection system comprises a communication terminal and a server; the first danger value calculation module is provided in the communication terminal and is used to calculate the theoretical danger value of the software under test by means of an automatic detection model and upload it to the server;
The first evaluation value acquisition module and the first detection result generation module are provided in the server;
The first evaluation value acquisition module is used to obtain the user evaluation value of the software under test;
The first detection result generation module is used to generate detection result information according to the theoretical danger value and the user evaluation value of the software under test.
4. The detection system according to claim 3, characterized in that the first evaluation value acquisition module of the server further comprises:
An analysis submodule, for analyzing the feature array of the software under test against the feature arrays of known software, and deriving from the known software the software similar to the software under test and the similarity;
An acquisition submodule, for obtaining the user evaluation value of the similar software;
A calculation submodule, for calculating the user evaluation value of the software under test according to the user evaluation value of the similar software and the similarity.
CN201110439584.9A 2011-12-23 2011-12-23 The detection method of Malware, system and communication terminal Expired - Fee Related CN103177214B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110439584.9A CN103177214B (en) 2011-12-23 2011-12-23 The detection method of Malware, system and communication terminal

Publications (2)

Publication Number Publication Date
CN103177214A CN103177214A (en) 2013-06-26
CN103177214B true CN103177214B (en) 2016-02-10

Family

ID=48637061

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110439584.9A Expired - Fee Related CN103177214B (en) 2011-12-23 2011-12-23 The detection method of Malware, system and communication terminal

Country Status (1)

Country Link
CN (1) CN103177214B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104636914B (en) * 2013-11-06 2019-05-10 ***股份有限公司 A kind of method and apparatus that the applicating evaluating based on communication equipment is paid
CN103593614B (en) * 2013-11-29 2017-01-11 成都科来软件有限公司 Unknown virus retrieval method
CN103886255B (en) * 2014-03-12 2017-11-10 可牛网络技术(北京)有限公司 The privacy authority management method and device of application program
US9357397B2 (en) * 2014-07-23 2016-05-31 Qualcomm Incorporated Methods and systems for detecting malware and attacks that target behavioral security mechanisms of a mobile device
CN105631338A (en) * 2014-10-31 2016-06-01 重庆重邮信科通信技术有限公司 Application security authentication method and terminal
CN106897617A (en) * 2015-12-18 2017-06-27 北京奇虎科技有限公司 A kind of method and device for recognizing bundled software

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101140611A (en) * 2007-09-18 2008-03-12 北京大学 Malevolence code automatic recognition method
CN101183414A (en) * 2007-12-07 2008-05-21 白杰 Program detection method, device and program analyzing method
CN101339596A (en) * 2008-08-26 2009-01-07 腾讯科技(深圳)有限公司 Method and device for protecting computer software system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100493904B1 (en) * 2003-09-18 2005-06-10 삼성전자주식회사 Method for DRM license supporting plural devices

Also Published As

Publication number Publication date
CN103177214A (en) 2013-06-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160210

Termination date: 20211223
