CN105224870B - The method and apparatus that suspected virus application uploads - Google Patents

The method and apparatus that suspected virus application uploads Download PDF

Info

Publication number
CN105224870B
CN105224870B CN201510587415.8A CN201510587415A CN105224870B CN 105224870 B CN105224870 B CN 105224870B CN 201510587415 A CN201510587415 A CN 201510587415A CN 105224870 B CN105224870 B CN 105224870B
Authority
CN
China
Prior art keywords
suspected virus
virus
suspected
code
application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510587415.8A
Other languages
Chinese (zh)
Other versions
CN105224870A (en
Inventor
周志勇
周远
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201510587415.8A priority Critical patent/CN105224870B/en
Publication of CN105224870A publication Critical patent/CN105224870A/en
Application granted granted Critical
Publication of CN105224870B publication Critical patent/CN105224870B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

This application discloses the method and apparatus that a kind of application of suspected virus uploads.One specific embodiment of the method includes: to obtain at least one section of suspected virus condition code, wherein the suspected virus condition code includes the code of the embodiment virus characteristic obtained from virus applications sample;The code of terminal applies is matched with the suspected virus condition code, if the terminal applies include the code for being higher than similarity threshold with the similarity of either segment suspected virus condition code at least one section of suspected virus condition code, terminal applies are determined as suspected virus application;The predetermined operation that detection user applies the suspected virus;In response to predetermined operation, suspected virus application is uploaded.The validity of detection virus applications can be improved in the embodiment.

Description

The method and apparatus that suspected virus application uploads
Technical field
This application involves field of computer technology, and in particular to technical field of virus detection more particularly to suspected virus are answered With the method and apparatus of upload.
Background technique
With the development of Internet technology and terminal device, the classification and quantity of terminal applies are also more and more, such as hand over Friendly class application, the application of shopping class, financing application etc..In these applications, there is virus characteristic (such as to destroy terminal function or number According to, obtain terminal data or malicious dissemination) application be commonly known as virus applications.Wherein, a variety of virus applications can have There is the same or similar virus characteristic.In order to protect terminal function or data not to be destroyed or malice acquisition, need to retrieve end Virus applications on end.
The method of current detection virus applications generally comprises: feature code method, verification and method, behavior monitoring method, software Simulation.Wherein feature code method often through extract virus characteristic virus pattern code, by the code of detected application with Virus pattern code is compared, and when completely the same, determines that application is virus applications.This detection method can not detect to wrap The virus applications of the feature containing unknown virus are easy to produce wrong report or fail to report, reduce the validity of detection virus applications.
Summary of the invention
The purpose of the application is to propose a kind of method and apparatus that improved suspected virus application uploads, more than solving The technical issues of background technology part is mentioned.
On the one hand, this application provides the methods that a kind of application of suspected virus uploads, which comprises obtains at least one Section suspected virus condition code, wherein the suspected virus condition code includes the embodiment virus spy obtained from virus applications sample The code of sign;The code of terminal applies is matched with the suspected virus condition code, if the terminal applies include with The similarity of either segment suspected virus condition code is higher than the code of similarity threshold at least one section of suspected virus condition code, Terminal applies are determined as suspected virus application;The predetermined operation that detection user applies the suspected virus;In response to predetermined Operation uploads suspected virus application.
In some embodiments, the predetermined operation includes at least one of the following: the behaviour for unloading the suspected virus application Make, determine the operation for uploading suspected virus application.
In some embodiments, every section of suspected virus condition code has the suspected virus named according to preset naming rule Feature name;And the method also includes: obtain suspected virus application matched suspected virus condition code can hypochondriasis Malicious feature name;The suspected virus feature name is uploaded, so that receiving end is by the suspected virus feature name and feature list of file names Match, and send the feature list of file names whether include the suspected virus feature name response message.
Second aspect, this application provides a kind of methods that suspected virus condition code obtains, which is characterized in that the method It include: the suspected virus application for obtaining terminal and uploading, wherein the suspected virus is applied true by following steps by the terminal Fixed: obtaining suspected virus condition code described at least one section of suspected virus condition code includes the embodiment obtained from virus applications sample The code of virus characteristic;The code of terminal applies is matched at least one section of suspected virus condition code, if terminal Using comprising being higher than similarity with the similarity of either segment suspected virus condition code at least one section of suspected virus condition code The terminal applies are determined as suspected virus application by the code of threshold value;Decompiling is carried out to suspected virus application, is obtained The source code of the suspected virus application;The code for embodying virus characteristic is obtained as suspected virus feature from the source code Code.
In some embodiments, the method also includes: receive the suspected virus feature name that the terminal sends, In, it is that suspected virus condition code is named that the suspected virus feature name, which is according to preset naming rule, the feature List of file names is used to record the suspected virus feature name for the virus signature for having obtained suspected virus application sample;It can hypochondriasis by described in Malicious feature name matches with feature list of file names;According to matching result to the terminal send feature list of file names whether include it is described can Doubt the response message of virus characteristic name.
In some embodiments, if determining that the feature list of file names can hypochondriasis described in not including according to the response message Malicious feature name, the method also includes: the suspected virus application in response to receiving terminal upload, by the suspected virus feature The feature list of file names is added in name.
The third aspect, this application provides the device that a kind of application of suspected virus uploads, described device includes: to obtain list Member is configured to obtain at least one section of suspected virus condition code, wherein the suspected virus condition code includes from virus applications sample The code of the embodiment virus characteristic obtained in this;Determination unit is configured to the code of terminal applies and the suspected virus Condition code is matched, if the terminal applies include can hypochondriasis with either segment at least one section of suspected virus condition code The similarity of malicious condition code is higher than the code of similarity threshold, and terminal applies are determined as suspected virus application;Detection unit is matched Set the predetermined operation applied for detecting user to the suspected virus;Uploading unit is configured in response to predetermined operation, will The suspected virus application uploads.
In some embodiments, the predetermined operation includes at least one of the following: the behaviour for unloading the suspected virus application Make, determine the operation for uploading suspected virus application.
In some embodiments, every section of suspected virus condition code has the suspected virus named according to preset naming rule Feature name;And described device further include: feature name acquiring unit is configured to obtain the suspected virus application and is matched Suspected virus condition code suspected virus feature name;Feature name uploading unit is configured to the suspected virus feature name It uploads, so that receiving end matches the suspected virus feature name with feature list of file names, and sends the feature list of file names and be The no response message including the suspected virus feature name.
Fourth aspect, this application provides the devices that a kind of suspected virus condition code obtains, and described device includes: that sample obtains Unit is taken, is configured to obtain the suspected virus application that terminal uploads, wherein the suspected virus is applied to be passed through by the terminal Following steps determine: obtaining at least one section of suspected virus condition code, the suspected virus condition code includes from virus applications sample The code of the embodiment virus characteristic of middle acquisition;By the code of terminal applies and at least one section of suspected virus condition code progress Match, if terminal applies include the similarity with either segment suspected virus condition code at least one section of suspected virus condition code Higher than the code of similarity threshold, the terminal applies are determined as suspected virus application;Decompiling unit is configured to institute It states suspected virus application and carries out decompiling, obtain the source code of the suspected virus application;Condition code acquiring unit, is configured to The code for embodying virus characteristic is obtained as suspected virus condition code from the source code.
In some embodiments, described device further include: feature name receiving unit is configured to receive the terminal transmission The suspected virus feature name come, wherein it is suspected virus feature that the suspected virus feature name, which is according to preset naming rule, Code name obtains, and what the feature list of file names was used to record the virus signature that has obtained suspected virus application sample can hypochondriasis Malicious feature name;Feature name matching unit is configured to match the suspected virus feature name with feature list of file names;It sends single Member, be configured to according to matching result send feature list of file names whether include the suspected virus feature name response message.
In some embodiments, described device further includes adding unit, if determining the spy according to the response message Name-assemblying list does not include the suspected virus feature name, and the adding unit is configured to can in response to receive terminal upload Virus applications are doubted, the feature list of file names is added in the suspected virus feature name.
5th aspect, present invention also provides a kind of systems of detection suspected virus application, and the system comprises terminals to set Standby and background server, the terminal device include the dress of any suspected virus application upload of the third aspect or the third aspect It sets, the background server includes the device of any suspected virus condition code acquisition of fourth aspect or fourth aspect.
Method that the method and apparatus and suspected virus condition code that suspected virus provided by the present application application uploads obtain and Device is then carried out the code of terminal applies and suspected virus condition code by obtaining at least one section of suspected virus condition code Matching, if terminal applies include high with the similarity of either segment suspected virus condition code at least one section of suspected virus condition code In the code of similarity threshold, terminal applies are determined as suspected virus application, then detect what user applied suspected virus Predetermined operation uploads suspected virus application, in response to detecting the predetermined operation of user then to the suspected virus uploaded Using decompiling is carried out, the source code of suspected virus application is obtained, and the code conduct for embodying virus characteristic is obtained from source code Suspected virus condition code, circulation execute above scheme, can by comprising with not quite identical suspicious of former suspected virus condition code Virus applications detected, to enrich constantly and update suspected virus condition code, improve the validity of detection virus applications.
Detailed description of the invention
By reading the detailed description referring to made by the following drawings to non-limiting embodiment, other spies of the application Sign, objects and advantages will become more apparent upon:
Fig. 1 shows the exemplary system architecture that can apply the embodiment of the present application;
Fig. 2 is the flow chart of one embodiment of the method uploaded according to the application of the suspected virus of the application;
Fig. 3 is the flow chart of an application scenarios of the method obtained according to the suspected virus condition code of the application;
Fig. 4 is the flow chart of the embodiment of the method obtained according to the suspected virus condition code of the application;
Fig. 5 is the embodiment for showing the terminal device using the method for Fig. 2 embodiment provided and being provided using Fig. 4 The interaction flow schematic diagram of the background server of method;
Fig. 6 is the structural schematic diagram of one embodiment of the device uploaded according to the application of the suspected virus of the application;
Fig. 7 is the structural schematic diagram of one embodiment of the device obtained according to the suspected virus condition code of the application;
Fig. 8 shows the structural schematic diagram for being suitable for the computer system for each device for being used to realize the embodiment of the present application.
Specific embodiment
The application is described in further detail with reference to the accompanying drawings and examples.It is understood that this place is retouched The specific embodiment stated is used only for explaining related invention, rather than the restriction to the invention.It also should be noted that in order to Convenient for description, part relevant to related invention is illustrated only in attached drawing.
It should be noted that in the absence of conflict, the features in the embodiments and the embodiments of the present application can phase Mutually combination.The application is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
Fig. 1 shows the exemplary system architecture 100 that can apply the embodiment of the present application.
As shown in Figure 1, system architecture 100 may include terminal device 101,102, network 103 and server 104.Network 103 between terminal device 101,102 and server 104 to provide the medium of communication link.Network 103 may include various Connection type, such as wired, wireless communication link or fiber optic cables etc..
Terminal device 101,102 can be interacted by network 103 with server 104, to receive or send message etc..Terminal Various telecommunication customer end applications, such as the application of antivirus class, searching class application, social platform can be installed in equipment 101,102 Using, mailbox client, instant messaging tools etc..
Terminal device 101,102 can be the various electronics for supporting the application of antivirus class, searching class application etc. to be mounted thereon Equipment, including but not limited to smart phone, smartwatch, tablet computer, personal digital assistant, E-book reader, MP3 are played Device (Moving Picture Experts Group Audio Layer III, dynamic image expert's compression standard audio level 3), MP4 (Moving Picture Experts Group Audio Layer IV, dynamic image expert's compression standard audio layer Face 4) player, pocket computer on knee and desktop computer etc..
Server 104 can be to provide the server of various services.Such as the antivirus class of terminal device 101,102 is answered The background server etc. supported with offers such as, searching class applications.Server can store the data received, be generated Processing, and processing result is fed back into terminal device.
It should be noted that the method that the application of suspected virus provided by the embodiment of the present application uploads can be by terminal device 101, it 102 executes, the method that virus signature provided by the embodiment of the present application obtains can be executed by server 104, suspicious The device that virus applications upload can be set in terminal device 101,102, and the device that virus signature obtains can be set In server 104.
It should be understood that the number of terminal device, network and server in Fig. 1 is only schematical.According to realization need It wants, can have any number of terminal device, network and server.
Referring to FIG. 2, it illustrates the processes 200 of one embodiment of the method for suspected virus application upload.In order to just In understanding, the present embodiment, it is applied particularly to that there is operation terminal applies ability in conjunction with the method that suspected virus application uploads Terminal device (such as terminal device shown in FIG. 1 101,102) in.The process 200 the following steps are included:
Step 201, at least one section of suspected virus condition code is obtained.
In the present embodiment, terminal device can be from locally or remotely obtaining at least one section of suspected virus condition code.Tool It, can be with when at least one section of suspected virus condition code is stored in antivirus class application operation terminal device thereon for body Directly at least one section of suspected virus condition code is obtained from local;And ought at least one section of suspected virus condition code be stored in antivirus class It, can be by wired connection mode or radio connection from background server when using the background server being supported Obtain at least one section of suspected virus condition code.Above-mentioned radio connection includes but is not limited to 3G/4G connection, WiFi connection, indigo plant Tooth connection, WiMAX connection, Zigbee connection, UWB (ultra wideband) connection and other currently known or future open The radio connection of hair.
Suspected virus condition code may include the code of the embodiment virus characteristic obtained from virus applications sample.Here, Virus characteristic for example may include destroying terminal function or data (as deleted terminal internal storage data), obtaining terminal data (as read Take the address book data of terminal) or malicious dissemination (as the contact person actively into the address list of terminal sends fallacious message) Deng.It may simultaneously include multiple virus characteristics for a virus applications, such as a virus applications can have virus simultaneously Feature " address book datas of reading terminals " and " actively the contact person into the address list of terminal sends fallacious message ".This field What technical staff was appreciated that the code comprising embodiment virus characteristic is virus applications using different establish a capital, for example, a include The application of friend recommendation function obtains after user information recommended to the user from network, can be with the communication of reading terminals Data are recorded, will be compared to user information recommended to the user with the address book data of terminal, to use recommended to the user The user information being present in terminal contact is screened out in the information of family.Therefore, the code for embodying a certain virus characteristic can be made For one section of suspected virus condition code, for example, reading terminals address book data code.In some implementations, suspected virus feature Code can be the binary code being converted by source code.
Suspected virus condition code can obtain through a variety of ways, for example, by being compiled to known virus applications are counter It translates, obtains the source code of virus applications, then interception embodies the code of some virus characteristic of the virus applications;Alternatively, known Some virus characteristic of virus applications obtains the code, etc. for realizing function corresponding with the virus characteristic from other application.
It is appreciated that in some implementations, the negligible amounts of suspected virus condition code, can be individual one section can hypochondriasis The set of malicious condition code or multistage suspicious characteristic code.In other realizations, the quantity of suspected virus condition code is more, can To store these suspected virus condition code data in a manner of property data base.For example, when be applied to antivirus class in application, these Suspected virus condition code can store in virus characteristic library.
Step 202, the code of terminal applies is matched with suspected virus condition code, if terminal applies include with extremely The similarity of either segment suspected virus condition code is higher than the code of similarity threshold in few one section of suspected virus condition code, by terminal Using being determined as suspected virus application;
In the present embodiment, the code of the available terminal applies being mounted thereon of terminal device, then answers terminal Code is matched with suspected virus condition code, if being matched to can hypochondriasis with either segment in the code of terminal applies The similarity of malicious condition code is higher than one section of code of similarity threshold, it may be considered that the code of terminal applies and suspected virus are special Sign code matches, and the terminal applies are determined as suspected virus application.
The executable code of the available terminal applies of terminal device (can be executed by what object code connection formed by machine Code, generally formed by machine code or close to the code of machine language, such as binary code), and by executable generation Code is matched with suspected virus condition code.The matching executed between code and suspected virus condition code can be in several ways It realizes, such as whole section of suspected virus condition code matching, the executable code of terminal applies is pressed into paragraph and one section of suspected virus spy Sign code is matched, or is matched by the keyword of suspected virus condition code, is looked into the executable code of terminal applies The keyword for looking for suspected virus condition code obtains the keyword context in executable code when finding the keyword Code (as number respectively equal to can be with the code in the range of virus signature character number hereinbefore or hereinafter).
Terminal device can be with the similarity of the computing terminal executable code applied and suspected virus condition code, the similarity It can be measured by the matching degree of character string.Terminal device can also use cosine similarity (cosine Similarity) the well known Text similarity computing method of algorithm, Jaccard coefficient etc carries out similarity calculation.With For Jaccard coefficient method, terminal device can calculate one section of code A in executable code using following formula and can Doubt the similarity between virus signature B: similarity between this section of code A and suspected virus condition code B=this section of code A with The character that suspected virus condition code B has in total in the digit with identical characters/this section of code A and suspected virus condition code B Digit.
When this method for kill virus class in application, step 202 can be antivirus applications client to terminal carry out virus sweep The process retouched.
Step 203, the predetermined operation that detection user applies suspected virus.
In the present embodiment, after terminal applies to be determined as to suspected virus application, terminal device then can will be true Fixed suspected virus application message is presented to the user, and is detected to the interactive operation of user and terminal device, then root Subsequent processes are carried out according to the operation detected.Herein, the predetermined operation that user applies suspected virus can be single friendship Mutual property operation, such as the operation of display suspected virus application message;It is also possible to the combination of several interactive operations, such as shows Suspected virus application message, later to the combination operation deleted etc. can be carried out with virus applications.
As an example, when the method for the present embodiment is used to kill virus class in application, if carrying out disease to terminal by step 202 Poison scanning is matched to after suspected virus application, the information that suspected virus is applied can be presented to user, and provide interactive behaviour The option of work, such as the choice box of " unloading application " and " ignoring information ".Assuming that the choice box of user click " unloading application " Operation is predetermined operation, then predetermined operation can also be described as unloading the operation of suspicious application.In some implementations, make a reservation for behaviour It can also be the operation for allowing to upload suspected virus application, such as the selection operation etc. to " upload and apply " choice box.
Step 204, in response to predetermined operation, suspected virus application is uploaded.
In the present embodiment, (such as unloading can detecting predetermined operation that user applies suspected virus for terminal device Doubt the operation of application) after, suspected virus application can be uploaded to local or server in response to the operation.Here, server It can be local server or remote server (for example, the application of antivirus class provides the background server supported).For example, one In a little realizations, suspected virus application directly can be uploaded most antivirus class application and provide the background service of support by terminal device Device;In other realizations, suspected virus application can be uploaded to local or local server by terminal device, and every predetermined The suspected virus application obtained in the period is uploaded to remote server by the period.
In some optional implementations of the present embodiment, terminal device can be in the unloading suspected virus for detecting user When the operation of application, suspected virus application is uploaded.In other optional implementations, terminal device be can be by by stream The mobile terminal that the network of amount payment is interacted with server uploads suspected virus application and needs to expend flow;It is also possible to configure Lower terminal, uploading suspected virus application meeting occupied terminal data processing resources causes cessation reaction slack-off;It can also be net The lower terminal of network bandwidth, upload suspected virus application, which can occupy Internet resources, leads to the application of other access networks of terminal (such as Video playing application) data upload or downloading is not smooth, etc..At this point, terminal device can also examined according to the wish of user When measuring the operation that user allows to upload suspected virus application, suspected virus application is uploaded.Optionally, predetermined operation can also It include the combination operation for unloading the operation and the operation for allowing to upload suspected virus application of suspected virus application, then terminal to be Equipment uploads suspected virus application after detecting the combination operation.
In some optional implementations of the present embodiment, every section of suspected virus condition code has advises according to preset name The suspected virus feature name then named.At this point, terminal device is before step 203, can obtain first and suspected virus application The suspected virus feature name of matched suspected virus condition code;Then by suspected virus feature name upload, for receiving end (such as The background server of support is provided for antivirus class application) suspected virus feature name and feature list of file names are matched, and send spy Name-assemblying list whether include suspected virus feature name response message.If the response message be characterized list of file names include can hypochondriasis Malicious feature name, then terminal device no longer executes step 203, step 204, if the response message be characterized list of file names do not include can Virus characteristic name is doubted, then terminal device then executes step 203, step 204.
Wherein, suspected virus condition code can be named by various naming methods, to ensure every section of suspected virus condition code One and only one suspected virus feature name is corresponding.For example, suspected virus condition code can be named in the following way: right Multiple virus characteristics that virus applications A has, corresponding virus signature are respectively designated as: virus applications A. feature a, virus are answered With A. feature b, virus applications A. feature c ....
In some optional implementations of the present embodiment, the receiving end for the suspected virus application that terminal device uploads can be with It will be more than that user's selection upload of predetermined number or the suspected virus application deleted are determined as virus applications, can also will be more than pre- If the suspected virus application for deleting rate threshold or upload rate threshold is determined as virus applications.Wherein, ratio or upload are deleted The calculation method of ratio are as follows: terminal applies are confirmed as the number/terminal for being deleted or being uploaded after suspected virus application Using be confirmed as can be with the total degree of virus applications.
As the example of an application scenarios, what the suspected virus application that Fig. 3 shows the above embodiments of the present application uploaded Method, a process 300 of the terminal device applied to operation antivirus class application.As shown in figure 3, in step 301, terminal is set It is standby virus scan or killing to be carried out to the terminal applies being mounted thereon according to virus characteristic library, wherein virus characteristic library It can be obtained in advance from the background server for providing support for antivirus class application by terminal device, virus characteristic library may include more Section suspected virus condition code;Then, in step 302, if suspected virus application is arrived in scanning, e.g. include and virus characteristic The similarity of either segment suspected virus condition code is higher than the terminal applies of the code of similarity threshold in library, and terminal device can be with The forms such as pop-up ask the user whether processing (as deleted or unloading) suspected virus application, if user does not handle suspected virus and answers With, then as shown at step 306, the process that end suspected virus application uploads, if user handles suspected virus application, terminal Equipment can then execute step 303;In step 303, terminal device can send inquiry request, inquiry to background server Whether need to acquire suspected virus application institute it is matched can be with the suspected virus application sample of virus signature, if desired, continuation Step 304, otherwise, step 306 is executed, process 300 is terminated;In step 304, terminal device can be ask by forms such as pop-ups It asks whether user agrees to upload suspected virus application, if so, executing step 305, uploads suspected virus and be applied to background server, Otherwise, step 306 is executed, process 300 is terminated.Here, the predetermined operation of user is to agree to upload suspected virus application, or place Manage the combination that suspected virus is applied with agrees to upload suspected virus application.
The method that the suspected virus application of the present embodiment uploads, by asking the user whether processing suspected virus application, knot The judgement of the user of using terminal equipment is closed, so as to answer from terminal device acquisition with the suspected virus of virus signature With sample, so make background server can be more abundant and accurate with virus signature.Therefore, the above embodiments of the present application The validity of detection suspected virus application can be improved in the method that suspicious application uploads.
Referring next to Fig. 4, it illustrates the processes of one embodiment of the method for suspected virus condition code acquisition 400.In order to make it easy to understand, the method obtained in conjunction with the suspected virus condition code is applied to for antivirus class application in the present embodiment It provides in the background server (such as server 104 shown in FIG. 1) supported and illustrates.The process 400 the following steps are included:
Step 401, the suspected virus application that terminal uploads is obtained.
In the present embodiment, background server can from the local server of terminal device or terminal device obtain can hypochondriasis Poison application.Herein, background server can send at least one section to the local server of terminal device or terminal device first Suspected virus condition code, suspected virus condition code include the code of the embodiment virus characteristic obtained from virus applications sample, so Afterwards, terminal device can be according at least one section of suspected virus condition code obtained from local server or background server, will At least one section of suspected virus condition code is matched the code for the terminal applies being mounted thereon with this, if in terminal applies In code, it is matched to one section of code for being higher than similarity threshold with the similarity of either segment suspected virus condition code, by the terminal Using suspected virus application is determined as, later, terminal device can be in response to the predetermined operation of user, by suspected virus using upper It passes.Wherein, suspected virus application directly can be uploaded to background server by terminal device, can also be first by suspected virus application It saves to local, and is sent to background server by predetermined period, multiple terminal devices can also be collected by local server The suspected virus of upload, which is applied, is uploaded to background server by preset quantity or period, and the application does not limit this.
In some optional implementations of the present embodiment, background server can first sentence suspected virus condition code Disconnected, the virus signature of the suspected virus application sample for being transmitted through pre-determined number (such as 1 time) on does not need to repeat upload Suspected virus application.For example, send to the local server of terminal device or terminal device at least one section of background server can It doubts in virus signature, every section of suspected virus condition code can be named by preset naming method, such as virus applications A. Feature a.Terminal device first will can apply matched virus signature corresponding before uploading suspected virus application with suspected virus Suspected virus feature name be uploaded to background server.Background server, which has, has obtained suspected virus application sample for recording Virus signature suspected virus feature name feature list of file names, background server can by terminal device upload can hypochondriasis Malicious feature name matches with feature list of file names, if feature list of file names has had recorded the suspected virus feature of terminal device upload Name, then illustrate that the corresponding virus signature of suspected virus feature name has obtained corresponding suspected virus application sample, eventually End equipment no longer needs to the suspected virus application that uploading detection arrives, whereas if feature list of file names does not record terminal device upload Suspected virus feature name, then illustrate the corresponding virus signature of suspected virus feature name not yet obtain accordingly can hypochondriasis Poison applies sample, and terminal device can detecte the predetermined operation of user, so determine whether uploading detection to suspected virus answer With.Optionally, the suspected virus application uploaded in response to receiving terminal, background server can add suspected virus feature name Enter in feature list of file names, in case other terminal devices repeat to upload the corresponding suspected virus condition code of suspected virus feature name Virus applications sample.
Step 402, decompiling is carried out to suspected virus application, obtains the source code of suspected virus application.
In the present embodiment, background server can take various means to take to from terminal device or the local of terminal device The suspected virus application that business device obtains carries out decompiling, to obtain the source code of suspected virus application.
Wherein, decompiling is computer software reverse engineering (Reverse engineering), also referred to as computer application Engineering is restored, is to carry out the research such as conversed analysis by the target program (such as assembler language code of executable file) to application Work, to derive using the design elements such as used thinking, principle, structure, algorithm, treatment process, operation method, even Derive all or part of source code of application.Decompilation can by manually carrying out, can also by currently known or Decompiling software (such as the relevant decompiling software of VB " VB decompiling smart ", the relevant decompiling software of C++ of future exploitation " eXeScope " etc.) it carries out, the application does not limit this.
Step 403, the code for embodying virus characteristic is obtained as suspected virus condition code from above-mentioned source code.
In the present embodiment, background server can then be obtained from the source code that the suspected virus Jing Guo decompiling is applied Take the code for embodying virus characteristic as suspected virus condition code.Here, virus characteristic for example may include destroying terminal function Or data (as deleted terminal internal storage data), acquisition terminal data (address book datas of such as reading terminals) or malicious dissemination (such as actively the contact person into the address list of terminal sends fallacious message).Suspected virus application may include one or more Virus characteristic, the code for embodying a certain virus characteristic can be used as one section of suspected virus condition code, such as the communication of reading terminals Record the code of data.In some implementations, suspected virus condition code can be the binary code being converted by source code.
The method that the suspected virus condition code of the present embodiment obtains, by obtaining suspected virus application, then to can hypochondriasis Poison application carries out decompiling, obtains the source code of suspected virus application, then obtains from above-mentioned source code and embodies virus characteristic Code is as suspected virus condition code.The code for embodying virus characteristic can be obtained by rule of thumb by manually, can also be by default Testing conditions (such as viral keyword) detected, the different code sections that can be applied with trial operation suspected virus obtain Reach the code segment of expectation function etc. of virus characteristic, the application does not limit this.Wherein, suspected virus application can be by Terminal device is by obtaining at least one section of suspected virus condition code, by the code of terminal applies and the progress of suspected virus condition code Match, it, will be whole if terminal applies include the code for being higher than similarity threshold with the similarity of either segment suspected virus condition code End application is determined as suspected virus application.Therefore, this method can by with suspected virus condition code it is not quite identical can hypochondriasis Poison application detected, and obtain suspected virus application sample after consulting user and agreeing to, and then provide background server Suspected virus condition code is more abundant and accurate, improves the validity of detection virus applications.
Referring to FIG. 5, for a clearer understanding of the present invention, Fig. 5 shows the method using Fig. 2 embodiment provided Terminal device 501 and using Fig. 4 embodiment provided method background server 502 interaction flow 500.
Firstly, by step 5001, known suspected virus condition code can be supplied to terminal and set by background server 502 Standby 501.Background server 502 can provide more by the period or when having the update of suspected virus condition code to terminal device 501 Suspected virus condition code after new, background server 502 provides suspected virus condition code to terminal device 501 can be by a variety of Form, such as the form in virus characteristic library.Terminal device 501 can store the suspected virus feature of the offer of background server 502 Code.Then, by step 5002, step 5003, terminal device obtains at least one section of suspected virus condition code, and by suspected virus Condition code is matched with the terminal applies for being installed on terminal device 501, and by can be with the similar of virus signature to either segment The terminal applies that degree is greater than similarity threshold are determined as suspected virus application.Then, by step 5004, terminal device 501 is examined Survey the predetermined operation (such as the operation for allowing to upload suspected virus application) of user.In response to detecting predetermined operation, in step In rapid 5005, suspected virus application is uploaded to background server 502 by terminal device 501.Later, pass through step 5006, step 5007, step 5008, background server 502 obtain suspected virus application, carry out decompiling to suspected virus application, obtain suspicious All or part of source code of virus applications, and the code for embodying virus characteristic is obtained as suspected virus feature from source code Code.After background server 502 obtains suspected virus condition code, it can be updated by step 5001 and be sent out to terminal device 501 The suspected virus condition code sent, such as update virus characteristic library.Wherein, the operation of above-mentioned update can obtain it is new can hypochondriasis It executes, can also be executed by the period when malicious condition code, preset quantity can also be reached in the new suspected virus condition code of acquisition Shi Zhihang, the application do not limit this.
In some implementations, between step 5003 and step 5004, can also include step 50031, step 50032 and Step 50033, whether inquiry needs to upload suspected virus application sample, determines after needing to upload suspected virus application sample, Execute step 5004.Specifically, in step 50031, terminal device 501 sends suspected virus application to background server 502 Matched suspected virus condition code inquiry request, such as inquired by the feature name of suspected virus condition code.Then, In step 50032, background server 502 by query characteristics list of file names, judge suspected virus condition code feature name whether Included in feature list of file names, if so, determination needs to acquire suspected virus application sample.Then, background server 502 is to end End equipment 501 sends the response message for needing to acquire suspected virus application sample.Later, terminal device 501 is believed according to the response Breath executes step 5004, detects the predetermined operation of user.It, can be to avoid by step 50031, step 50032 and step 50033 To a suspected virus condition code repeated acquisition suspected virus application sample.
Please further refer to Fig. 6, it illustrates the suspected virus of one embodiment according to the application to apply the dress uploaded Set 600.As shown in fig. 6, the device 600 that suspected virus application uploads includes: acquiring unit 601, determination unit 602, detection list Member 603 and uploading unit 604.Wherein, acquiring unit 601 may be configured to obtain at least one section of suspected virus condition code, In, suspected virus condition code includes the code of the embodiment virus characteristic obtained from virus applications sample;Determination unit 602 can be with It is configured to match the code of terminal applies with suspected virus condition code, if terminal applies include can at least one section The similarity for doubting either segment suspected virus condition code in virus signature is higher than the code of similarity threshold, and terminal applies are determined For suspected virus application;Detection unit 603 may be configured to the predetermined operation that detection user applies suspected virus;Upper leaflet Member 604 may be configured to upload suspected virus application in response to predetermined operation.
Each step in the method for all units and reference Fig. 2 description recorded in the device 600 that suspected virus application uploads It is rapid corresponding.It is same above in association with the operation and feature that are directed to the method description that suspected virus application uploads described in Fig. 2 as a result, Sample is suitable for the device 600 and unit wherein included that suspected virus application uploads, and details are not described herein.
Please further refer to Fig. 7, obtained it illustrates the suspected virus condition code according to one embodiment of the application Device 700.As shown in fig. 7, the device 700 that suspected virus condition code obtains includes: sample acquisition unit 701, decompiling unit 702 and condition code acquiring unit 703.Wherein, sample acquisition unit 701 may be configured to obtain the suspected virus that terminal uploads Using;Decompiling unit 702 may be configured to carry out decompiling to suspected virus application, obtain the source generation of suspected virus application Code;Condition code acquiring unit 703 is configured to obtain the code for embodying virus characteristic as suspected virus condition code from source code. Wherein, suspected virus application can be by including that the terminal for the device (device 600 as shown in FIG. 6) that suspected virus application uploads is led to It crosses following steps to determine: obtaining at least one section of suspected virus condition code;By the code of terminal applies and at least one section of suspected virus Condition code is matched, if terminal applies include and either segment suspected virus condition code at least one section of suspected virus condition code Similarity be higher than similarity threshold code, terminal applies are determined as suspected virus application.
It is each in the method that all units recorded in the device 700 that suspected virus condition code obtains are described with reference Fig. 4 Step is corresponding.As a result, above in association with the operation and spy for being directed to the method description that suspected virus condition code obtains described in Fig. 4 Sign is equally applicable to the device 700 and unit wherein included of suspected virus condition code acquisition, and details are not described herein.
It will be understood by those skilled in the art that device 600 and suspected virus condition code that above-mentioned suspected virus application uploads The device 700 of acquisition further includes some other known features, such as processor, memory etc., in order to unnecessarily obscure this public affairs The embodiment opened, these well known structures are not shown in Fig. 6, Fig. 7.
In addition, may include terminal device and backstage present invention also provides a kind of system of detection suspected virus application Server.Wherein, terminal device may include the device 600 that the suspected virus application shown in Fig. 6 uploads, and background server can be with The device 700 obtained including the suspected virus condition code shown in Fig. 7.The architectural form of the system can refer to example shown in fig. 1 Type frame structure 100.Wherein, in the embodiment for the system that the detection suspected virus of the application is applied, suspected virus application is uploaded Device 600 can be adapted for the terminal device 101,102 in framework 100, and the device 700 that suspected virus condition code obtains can fit For the server 104 in framework 100, details are not described herein.
Below with reference to Fig. 8, it illustrates the computer systems 800 for each device for being suitable for being used to realize the embodiment of the present application Structural schematic diagram.
As shown in figure 8, computer system 800 includes central processing unit (CPU) 801, it can be read-only according to being stored in Program in memory (ROM) 802 or be loaded into the program in random access storage device (RAM) 803 from storage section 808 and Execute various movements appropriate and processing.In RAM 803, also it is stored with system 800 and operates required various programs and data. CPU 801, ROM 802 and RAM 803 are connected with each other by bus 804.Input/output (I/O) interface 805 is also connected to always Line 804.
I/O interface 805 is connected to lower component: the importation 806 including keyboard, mouse etc.;It is penetrated including such as cathode The output par, c 807 of spool (CRT), liquid crystal display (LCD) etc. and loudspeaker etc.;Storage section 808 including hard disk etc.; And the communications portion 809 of the network interface card including LAN card, modem etc..Communications portion 809 via such as because The network of spy's net executes communication process.Driver 810 is also connected to I/O interface 805 as needed.Detachable media 811, such as Disk, CD, magneto-optic disk, semiconductor memory etc. are mounted on as needed on driver 810, in order to read from thereon Computer program be mounted into storage section 808 as needed.
Particularly, according to an embodiment of the present application, it may be implemented as computer above with reference to the process of flow chart description Software program.For example, embodiments herein includes a kind of computer program product comprising be tangibly embodied in machine readable Computer program on medium, the computer program include the program code for method shown in execution flow chart.At this In the embodiment of sample, which can be downloaded and installed from network by communications portion 809, and/or from removable Medium 811 is unloaded to be mounted.
Involved unit can be realized by way of software in the embodiment of the present application, can also pass through the side of hardware Formula is realized.Described unit also can be set in the processor, for example, can be described as: a kind of processor includes obtaining Unit, determination unit, detection unit and uploading unit.Wherein, the title of these modules is not constituted to this under certain conditions The restriction of module itself is also described as " being configured to obtain at least one section of suspected virus condition code for example, obtaining module Unit ".
As on the other hand, present invention also provides a kind of nonvolatile computer storage media, the non-volatile calculating Machine storage medium can be nonvolatile computer storage media included in device described in above-described embodiment;It is also possible to Individualism, without the nonvolatile computer storage media in supplying terminal or server.
Above-mentioned nonvolatile computer storage media is stored with one or more program, when one or more of journeys When sequence is executed by an equipment, so that the equipment: obtaining at least one section of suspected virus condition code, wherein the suspected virus Condition code includes the code of the embodiment virus characteristic obtained from virus applications sample;By the code of terminal applies with it is described suspicious Virus signature is matched, if the terminal applies include can with either segment at least one section of suspected virus condition code The similarity for doubting virus signature is higher than the code of similarity threshold, and terminal applies are determined as suspected virus application;Detection is used The predetermined operation that the suspected virus is applied at family;In response to predetermined operation, suspected virus application is uploaded.
Alternatively, above-mentioned nonvolatile computer storage media is stored with one or more program, when one or When multiple programs are executed by an equipment, so that the equipment: obtain terminal upload suspected virus application, wherein it is described can It doubts virus applications to be determined by the terminal by following steps: obtaining at least one section of suspected virus condition code, the suspected virus Condition code includes the code of the embodiment virus characteristic obtained from virus applications sample;By the code of terminal applies and it is described at least One section of suspected virus condition code is matched, if terminal applies include with it is any at least one section of suspected virus condition code The similarity of section suspected virus condition code is higher than the code of similarity threshold, and the terminal applies are determined as suspected virus and are answered With;Decompiling is carried out to suspected virus application, obtains the source code of the suspected virus application;It is obtained from the source code The code of virus characteristic is embodied as suspected virus condition code.
Above description is only the preferred embodiment of the application and the explanation to institute's application technology principle.Those skilled in the art Member is it should be appreciated that invention scope involved in the application, however it is not limited to technology made of the specific combination of above-mentioned technical characteristic Scheme, while should also cover in the case where not departing from the inventive concept, it is carried out by above-mentioned technical characteristic or its equivalent feature Any combination and the other technical solutions formed.Such as features described above has similar function with (but being not limited to) disclosed herein Can technical characteristic replaced mutually and the technical solution that is formed.

Claims (7)

1. a kind of method that suspected virus application uploads, which is characterized in that the described method includes:
Obtain at least one section of suspected virus condition code, wherein the suspected virus condition code includes obtaining from virus applications sample The code of the embodiment virus characteristic taken, every section of suspected virus condition code have the suspected virus named according to preset naming rule Feature name;
The code of terminal applies is matched with the suspected virus condition code, if the terminal applies include with it is described extremely The similarity of either segment suspected virus condition code is higher than the code of similarity threshold in few one section of suspected virus condition code, by terminal Using being determined as suspected virus application;
The predetermined operation that detection user applies the suspected virus, wherein the predetermined operation, which includes at least one of the following:, unloads It carries the operation of the suspected virus application, determine the operation for uploading suspected virus application;
In response to predetermined operation, suspected virus application is uploaded;
Obtain suspected virus application matched suspected virus condition code suspected virus feature name;
The suspected virus feature name is uploaded, so that receiving end is by the suspected virus feature name and feature list of file names phase Match, and send the feature list of file names whether include the suspected virus feature name response message.
2. a kind of method that suspected virus condition code obtains, which is characterized in that the described method includes:
Obtain the suspected virus application uploaded after the predetermined operation that terminal applies suspected virus in response to detection user, wherein The predetermined operation, which includes at least one of the following:, to be unloaded the operation of the suspected virus application, determines suspected virus using upper The operation of biography, the suspected virus are applied and are determined by the terminal by following steps: obtaining at least one section of suspected virus feature Code, the suspected virus condition code include the code of the embodiment virus characteristic obtained from virus applications sample;By terminal applies Code matched at least one section of suspected virus condition code, if terminal applies include with described at least one section it is suspicious The similarity of either segment suspected virus condition code is higher than the code of similarity threshold in virus signature, and the terminal applies are true It is set to suspected virus application;
Decompiling is carried out to suspected virus application, obtains the source code of the suspected virus application;
The code for embodying virus characteristic is obtained as suspected virus condition code from the source code;
Receive the suspected virus feature name that the terminal is sent, wherein the suspected virus feature name is according to preset life Name rule is what suspected virus condition code was named, and feature list of file names is for recording the disease for having obtained suspected virus application sample The suspected virus feature name of malicious condition code;
The suspected virus feature name is matched with feature list of file names;
According to matching result to the terminal send feature list of file names whether include the suspected virus feature name response message.
3. according to the method described in claim 2, it is characterized in that, if determining that the feature ranks according to the response message Table does not include the suspected virus feature name, the method also includes:
In response to receiving the suspected virus application of terminal upload, the feature is added in the suspected virus feature name and is ranked Table.
4. the device that a kind of application of suspected virus uploads, which is characterized in that described device includes:
Acquiring unit, be configured to obtain at least one section of suspected virus condition code, wherein the suspected virus condition code include from The code of the embodiment virus characteristic obtained in virus applications sample, every section of suspected virus condition code has advises according to preset name The suspected virus feature name then named;
Determination unit was configured to match the code of terminal applies with the suspected virus condition code, if the end End application is similar comprising being higher than to the similarity of either segment suspected virus condition code at least one section of suspected virus condition code Terminal applies are determined as suspected virus application by the code for spending threshold value;
Detection unit is configured to the predetermined operation that detection user applies the suspected virus, wherein the predetermined operation packet It includes at least one of following: unloading the operation of the suspected virus application, determines the operation for uploading suspected virus application;
Uploading unit is configured to upload suspected virus application in response to predetermined operation;
Feature name acquiring unit, be configured to obtain the suspected virus application matched suspected virus condition code can hypochondriasis Malicious feature name;
Feature name uploading unit is configured to upload the suspected virus feature name, so that receiving end is by the suspected virus Feature name matches with feature list of file names, and send the feature list of file names whether include the suspected virus feature name response Information.
5. the device that a kind of suspected virus condition code obtains, which is characterized in that described device includes:
Sample acquisition unit is configured to upload after obtaining the predetermined operation that terminal applies suspected virus in response to detection user Suspected virus application, wherein the predetermined operation include at least one of the following: unload suspected virus application operation, Determine the operation for uploading suspected virus application, the suspected virus is applied and determined by the terminal by following steps: being obtained At least one section of suspected virus condition code, the suspected virus condition code include the embodiment virus spy obtained from virus applications sample The code of sign;The code of terminal applies is matched at least one section of suspected virus condition code, if terminal applies packet Containing being higher than similarity threshold with the similarity of either segment suspected virus condition code at least one section of suspected virus condition code The terminal applies are determined as suspected virus application by code;
Decompiling unit is configured to carry out decompiling to suspected virus application, obtains the source of the suspected virus application Code;
Condition code acquiring unit is configured to obtain the code for embodying virus characteristic as suspected virus feature from the source code Code;
Feature name matching unit is configured to match the suspected virus feature name with feature list of file names;
Feature name receiving unit is configured to receive the suspected virus feature name that the terminal is sent, wherein it is described can hypochondriasis It is that suspected virus condition code is named that malicious feature name, which is according to preset naming rule, and feature list of file names has been obtained for recording Take the suspected virus feature name of the virus signature of suspected virus application sample;
Transmission unit, be configured to according to matching result send feature list of file names whether include the suspected virus feature name sound Answer information.
6. device according to claim 5, which is characterized in that described device further includes adding unit;
If determining that the feature list of file names does not include the suspected virus feature name according to the response message, the addition is single Member is configured to the suspected virus application in response to receiving terminal upload, and the feature is added in the suspected virus feature name List of file names.
7. a kind of system of detection suspected virus application, the system comprises terminal devices and background server, which is characterized in that The terminal device includes the device that suspected virus application as claimed in claim 4 uploads, and the background server includes right It is required that the device that suspected virus condition code described in any one of 5-6 obtains.
CN201510587415.8A 2015-09-15 2015-09-15 The method and apparatus that suspected virus application uploads Active CN105224870B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510587415.8A CN105224870B (en) 2015-09-15 2015-09-15 The method and apparatus that suspected virus application uploads

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510587415.8A CN105224870B (en) 2015-09-15 2015-09-15 The method and apparatus that suspected virus application uploads

Publications (2)

Publication Number Publication Date
CN105224870A CN105224870A (en) 2016-01-06
CN105224870B true CN105224870B (en) 2019-04-26

Family

ID=54993832

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510587415.8A Active CN105224870B (en) 2015-09-15 2015-09-15 The method and apparatus that suspected virus application uploads

Country Status (1)

Country Link
CN (1) CN105224870B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107220546B (en) * 2017-06-27 2020-01-10 Oppo广东移动通信有限公司 Application running method and device and terminal equipment
CN108334778B (en) * 2017-12-20 2021-12-31 北京金山安全管理***技术有限公司 Virus detection method, device, storage medium and processor
CN109922044B (en) * 2019-01-25 2021-07-13 努比亚技术有限公司 Application marking method, application downloading method, electronic equipment and storage medium
CN112149115A (en) * 2020-08-28 2020-12-29 杭州安恒信息技术股份有限公司 Method and device for updating virus library, electronic device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101901321A (en) * 2010-06-04 2010-12-01 华为终端有限公司 Method, device and system for defending malicious program for terminal
CN102542201A (en) * 2011-12-26 2012-07-04 北京奇虎科技有限公司 Detection method and system for malicious codes in web pages
CN102592080A (en) * 2011-12-26 2012-07-18 北京奇虎科技有限公司 Flash malicious file detection method and flash malicious file detection device
CN103761483A (en) * 2014-01-27 2014-04-30 百度在线网络技术(北京)有限公司 Method and device for detecting malicious codes
CN104834857A (en) * 2015-03-27 2015-08-12 清华大学深圳研究生院 Method and device for detecting Android malicious software in batch

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101901321A (en) * 2010-06-04 2010-12-01 华为终端有限公司 Method, device and system for defending malicious program for terminal
CN102542201A (en) * 2011-12-26 2012-07-04 北京奇虎科技有限公司 Detection method and system for malicious codes in web pages
CN102592080A (en) * 2011-12-26 2012-07-18 北京奇虎科技有限公司 Flash malicious file detection method and flash malicious file detection device
CN103761483A (en) * 2014-01-27 2014-04-30 百度在线网络技术(北京)有限公司 Method and device for detecting malicious codes
CN104834857A (en) * 2015-03-27 2015-08-12 清华大学深圳研究生院 Method and device for detecting Android malicious software in batch

Also Published As

Publication number Publication date
CN105224870A (en) 2016-01-06

Similar Documents

Publication Publication Date Title
CN107004024B (en) Context-driven multi-user communication
CN104660620B (en) Two dimensional code processing method, client, electronic equipment, server end and server
CN109002842A (en) Image-recognizing method and device
CN105224870B (en) The method and apparatus that suspected virus application uploads
CN105630977B (en) Application program recommended method, apparatus and system
CN106528432A (en) Construction method and apparatus for test scene data, and buried point test method
CN102948129B (en) For the method and apparatus of bridge communications session
CN105210343B (en) Set up communication
CN102859967A (en) Method and apparatus for estimating user characteristics based on user interaction data
CN111488995B (en) Method, device and system for evaluating joint training model
CN111783810B (en) Method and device for determining attribute information of user
CN103678446B (en) Improved mode map based on Data View and database table
CN106874471A (en) Information-pushing method and device
CN107911449A (en) Method and apparatus for pushed information
US20200042694A1 (en) Increasing security of a password-protected resource based on publicly available data
Rocha et al. Respondent-driven sampling bias induced by community structure and response rates in social networks
CN107391277A (en) Information processing method and device
CN108182472A (en) For generating the method and apparatus of information
CN104978667A (en) Advertisement interaction method and advertisement interaction system
CN109376534A (en) Method and apparatus for detecting application
CN115034836B (en) Model training method and related device
CN107632971A (en) Method and apparatus for generating multidimensional form
US20190139432A1 (en) Methods and systems for animated walkthroughs in an online educational platform
WO2021163292A1 (en) Electronic infrastructure for digital content delivery and/or online assessment management
CN111199421B (en) Social relationship-based user recommendation method and device and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant