CN108256328A - Identify the method and device of counterfeit application - Google Patents

Identify the method and device of counterfeit application Download PDF

Info

Publication number
CN108256328A
CN108256328A CN201711476647.1A CN201711476647A CN108256328A CN 108256328 A CN108256328 A CN 108256328A CN 201711476647 A CN201711476647 A CN 201711476647A CN 108256328 A CN108256328 A CN 108256328A
Authority
CN
China
Prior art keywords
application
measured
counterfeit
url
feature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711476647.1A
Other languages
Chinese (zh)
Inventor
蔡水波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN201711476647.1A priority Critical patent/CN108256328A/en
Publication of CN108256328A publication Critical patent/CN108256328A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of method and devices for identifying counterfeit application, are related to security technology area, can recognize that counterfeit application.The method of the present invention mainly includes:Extract the application feature of application to be measured;It is compared described using feature with the application feature of legal application each in legal application library, determines target legal copy application only identical with the certain applications feature of the application to be measured;The uniform resource position mark URL asked when intercepting and capturing using the application to be measured;By the way that the URL is matched with the domain name that the target legal copy is applied, whether the identification application to be measured is counterfeit application.The present invention is mainly suitable in the scene for identifying true and false application.

Description

Identify the method and device of counterfeit application
Technical field
The present invention relates to security technology area, more particularly to a kind of method and device for identifying counterfeit application.
Background technology
With the fast development of mobile terminal, the type and quantity of application software all greatly increase.At present, not only there is the video soft The various softwares such as part, chat software, Games Software, shopping software, and for each software, different vendor also develops Oneself unique specific software, such as shopping software just have a day cat, Jingdone district, only product that can wait various specific softwares.
However, but there is appearance and its similar counterfeit application is applied to legal copy in the application software of magnanimity, no Method molecule is made profit by inveigling user using counterfeit application, and the fraudulent act is rampant always more than at present.Therefore, how efficiently Accurately identify whether application is that counterfeit application becomes more important.
Invention content
In view of this, the method and device of the counterfeit application of identification provided by the invention, it is counterfeit its object is to identify Using.
The purpose of the present invention is what is realized using following technical scheme:
In a first aspect, the present invention provides a kind of method for identifying counterfeit application, the method includes:
Extract the application feature of application to be measured;
Be compared described using feature with the application feature of legal application each in legal application library, it is determining only with institute State the identical target legal copy application of the certain applications feature of application to be measured;
The uniform resource position mark URL asked when intercepting and capturing using the application to be measured;
By the way that the URL is matched with the domain name that the target legal copy is applied, the identification application to be measured whether be Counterfeit application.
Optionally, described by the way that the URL is matched with the domain name that the target legal copy is applied, identification is described to be measured Using whether being that counterfeit application includes:
Domain names of all URL of intercepting and capturing respectively with target legal copy application is matched;
If the number with the URL of domain name successful match is greater than or equal to predetermined threshold value, it is determined that the application to be measured It is not counterfeit application;
If the predetermined threshold value is respectively less than with the number of the URL of the domain name successful match of each target legal copy application, really The fixed application to be measured is counterfeit application.
Optionally, after determining that the application to be measured is counterfeit application, the method further includes:
When the application of target legal copy only there are one when, by the target legal copy application be determined as it is described it is to be measured using it is counterfeit should With;
When target legal copy application has multiple, the application name of application to be measured and answering for target legal copy application are calculated respectively The similarity of application icon applied with the application icon of the similarity of name, application to be measured with the target legal copy;And by two The target legal copy application of the sum of similarity maximum is determined as described to be measured using counterfeit application.
Optionally, the application feature includes application name, using unique mark, application icon and installation certificate.
Optionally, the uniform resource position mark URL asked includes when the intercepting and capturing are using the application to be measured:
It intercepts and captures in sandbox environment using described to be measured in application, the URL of the application request to be measured.
Optionally, the method further includes:
When determining that the application to be measured is counterfeit in application, output is for showing that the application to be measured is the announcement of counterfeit application Alert prompt message.
Second aspect, the present invention provides a kind of device for identifying counterfeit application, described device includes:
Extraction unit, for extracting the application feature of application to be measured;
Determination unit, for comparing described using feature and the application feature of legal application each in legal application library It is right, determine target legal copy application only identical with the certain applications feature of the application to be measured;
Unit is intercepted and captured, for the uniform resource position mark URL asked when intercepting and capturing using the application to be measured;
Recognition unit, for by the way that the URL is matched with the domain name that the target legal copy is applied, being treated described in identification Survey whether application is counterfeit application.
Optionally, the recognition unit includes:
Matching module, for domain names of all URL intercepted and captured respectively with target legal copy application to be matched;
Determining module, for when the number of the URL with domain name successful match is greater than or equal to predetermined threshold value, determining The application to be measured is not counterfeit application;When the number of the URL for the domain name successful match applied with each target legal copy is respectively less than During the predetermined threshold value, it is counterfeit application to determine the application to be measured.
Optionally, the determination unit is additionally operable to after determining that the application to be measured is counterfeit application, when target legal copy Using only there are one when, the target legal copy application is determined as described to be measured using counterfeit application;
Described device further includes:
Computing unit, for when target legal copy application has multiple, calculating the application name of application to be measured and the mesh respectively The phase of application icon that the similarity of application name of the legal application of mark, the application icon of application to be measured are applied with the target legal copy Like degree;
The determination unit, be additionally operable to by the target legal copy application of the sum of two similarities maximum be determined as it is described it is to be measured should With counterfeit application.
Optionally, the application feature includes application name, using unique mark, application icon and installation certificate.
Optionally, the intercepting and capturing unit, for intercept and capture in sandbox environment using it is described to be measured in application, it is described it is to be measured should With the URL of request.
The third aspect, the present invention provides a kind of storage medium, the storage medium is stored with a plurality of instruction, described instruction Method suitable for being loaded by processor and being performed the counterfeit application of identification as described in relation to the first aspect.
Fourth aspect, the present invention provides a kind of electronic equipment, the electronic equipment includes storage medium and processor;
The processor is adapted for carrying out each instruction;
The storage medium, suitable for storing a plurality of instruction;
Described instruction is suitable for being loaded by the processor and being performed the method for the counterfeit application of identification as described in relation to the first aspect.
By above-mentioned technical proposal, the method and device of the counterfeit application of identification provided by the invention can be extracted first to be measured Then these are applied feature by the application feature of application using feature is corresponding with legal application each in legal application library respectively It is compared, the target legal copy application that application to be measured may be counterfeit is quickly filtered out from a large amount of legal applications, is then passed through again Match the URL (Uniform Resource Locator, uniform resource locator) of application request to be measured and target legal copy application Domain name, accurately identify it is to be measured application whether be counterfeit application.
Above description is only the general introduction of technical solution of the present invention, in order to better understand the technological means of the present invention, And it can be implemented in accordance with the contents of the specification, and in order to allow above and other objects of the present invention, feature and advantage can It is clearer and more comprehensible, below the special specific embodiment for lifting the present invention.
Description of the drawings
By reading the detailed description of hereafter preferred embodiment, it is various other the advantages of and benefit it is common for this field Technical staff will become clear.Attached drawing is only used for showing the purpose of preferred embodiment, and is not considered as to the present invention Limitation.And throughout the drawings, the same reference numbers will be used to refer to the same parts.In the accompanying drawings:
Fig. 1 shows a kind of flow chart of method for identifying counterfeit application provided in an embodiment of the present invention;
Fig. 2 shows the flow charts of another method for identifying counterfeit application provided in an embodiment of the present invention;
Fig. 3 shows a kind of composition frame chart of device for identifying counterfeit application provided in an embodiment of the present invention;
Fig. 4 shows the composition frame chart of another device for identifying counterfeit application provided in an embodiment of the present invention.
Specific embodiment
The exemplary embodiment of the disclosure is more fully described below with reference to accompanying drawings.Although the disclosure is shown in attached drawing Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure without should be by embodiments set forth here It is limited.On the contrary, these embodiments are provided to facilitate a more thoroughly understanding of the present invention, and can be by the scope of the present disclosure Completely it is communicated to those skilled in the art.
An embodiment of the present invention provides a kind of method for identifying counterfeit application, as shown in Figure 1, the method mainly includes:
101st, the application feature of application to be measured is extracted.
Wherein, the application feature includes but not limited to:Application name, using unique mark, application icon and installation certificate. In practical applications, it is main to carry out one application of unique mark using using packet name.In addition, application to be measured can be installed in terminal Application or downloaded installation kit but in uninstalled application or application shop or application house keeper Using or webpage in application.
102nd, it is compared, determines only with the application feature of legal application each in legal application library using feature by described The target legal copy application identical with the certain applications feature of the application to be measured.
Before application to be measured is identified, each application that each legal application can be obtained by official channel is special Sign, is then stored in legal application library.It, can be by each application feature of application to be measured point when needing to identify unknown applications It is not compared accordingly using feature with legal application each in legal application library, determines whether respective application feature is identical; It, can be with when each each application feature using feature and some legal copy application for determining application to be measured all corresponds identical It is exactly legal copy application to determine the application to be measured;It is applied when each application feature for determining application to be measured is corresponding with legal library When feature differs, it may be determined that the application to be measured is unexistent application in legal application library;When determining application to be measured It is each using in feature only have certain applications feature with some legal copy application application feature it is identical when, it may be determined that this it is to be measured answer With may be counterfeit application that the legal copy is applied, thus can by the application to be measured may be counterfeit legal application record, To be accurately identified subsequently through step 103 is performed to the application to be measured.
For example, the application name of application to be measured be APP1, using unique mark be com.abc.www, application icon is icon 1st, installation certificate is certificate 1, and the application name of certain legal copy application is APP1, is com.efg.www, application icon using unique mark Be icon 2, installation certificate it is certificate 2, understands that application name and legal copy of application to be measured applied answers using feature by comparison It is identical with name, and other features are different, may thereby determine that the application to be measured is likely to be the piracy that the legal copy is pretended to be to apply Using, so can by the legal copy application record, so as to subsequently based on legal copy application other information to this it is to be measured answer With accurately identify in detail.
The URL asked when the 103rd, intercepting and capturing using the application to be measured.
Since counterfeit application is usually to be submitted in a manner of by changing the calling interface in legal application to obtain user Information, and the change of calling interface mean that access network address change, it is possible to by identifying whether URL changes Method come accurate judgement it is to be measured application whether be counterfeit application.
It, can be by the application to be measured so as to extract the URL in request in order to obtain the request that may be sent out in application to be measured It is positioned in sandbox environment, then constantly using the application to be measured in sandbox environment, as soon as when application to be measured sends out request, Request is intercepted and captured, and therefrom extracts URL, until extracting all URL that the application to be measured may access.
104th, by the way that the URL is matched with the domain name that the target legal copy is applied, identify that the application to be measured is No is counterfeit application.
It, can be respectively by each URL and the domain of target legal copy application after all URL that application to be measured may access are obtained Name is matched, when the domain name is included in some URL, it may be determined that the URL and the domain name successful match;When the domain name does not have When having included in the URL, it may be determined that it fails to match with the domain name by the URL.Respectively by each URL and target legal copy application Domain name matching after the completion of, according to successful match rate come judge this it is to be measured application whether be counterfeit application.Wherein, legal copy is applied Domain name can be obtained from the official website of software application quotient.
The method of the counterfeit application of identification provided in an embodiment of the present invention can first extract the application feature of application to be measured, so These are compared using feature using feature accordingly with legal application each in legal application library respectively afterwards, quickly from big The target legal copy application that application to be measured may be counterfeit is filtered out in the legal application of amount, then again by matching application request to be measured URL and the domain name of target legal copy application accurately identify whether application to be measured is counterfeit application.
Further, according to method shown in FIG. 1, an alternative embodiment of the invention additionally provides a kind of counterfeit application of identification Method, as shown in Fig. 2, the method mainly includes:
201st, the application feature of application to be measured is extracted.
The specific implementation of this step is identical with the specific implementation of above-mentioned steps 101, and details are not described herein.
202nd, it is compared, determines only with the application feature of legal application each in legal application library using feature by described The target legal copy application identical with the certain applications feature of the application to be measured.
The specific implementation of this step is identical with the specific implementation of above-mentioned steps 102, and details are not described herein.
The URL asked when the 203rd, intercepting and capturing using the application to be measured.
The specific implementation of this step is identical with the specific implementation of above-mentioned steps 103, and details are not described herein.
204th, by the way that the URL is matched with the domain name that the target legal copy is applied, identify that the application to be measured is No is counterfeit application.
It refers in the above-described embodiments, of domain name that can be applied by all URL of application to be measured with target legal copy With success rate come determine this it is to be measured application whether be counterfeit application, therefore the specific implementation of this step can be:It will intercept and capture All URL respectively with the target legal copy application domain name matched;If the number with the URL of domain name successful match More than or equal to predetermined threshold value, it is determined that the application to be measured is not counterfeit application;If the domain name with the application of each target legal copy The number of the URL of successful match is respectively less than the predetermined threshold value, it is determined that the application to be measured is counterfeit application.Wherein, due to It may cause the application that may access the network address under other domain names because of operations such as embedded advertisements in one application, Successful match rate is not necessarily set in 100%, is set on some threshold value, and predetermined threshold value can be according to practical warp It tests statistics and obtains.
In addition, after determining that the application to be measured is counterfeit application, it can also determine that the application to be measured is specific imitative Which legal application is emitted, so that user is reminded to be vigilant the download and use of the application.Specifically, when target legal copy application only has At one, directly the target legal copy application can be determined as described to be measured using counterfeit application;When target legal copy application When having multiple, application name and application icon generally by counterfeit legal application is applied visually to cheat use due to counterfeit Family is downloaded and installs, it is possible to first calculate the application name of application to be measured and the application name of target legal copy application respectively Similarity, the application of application icon and the target legal copy of application to be measured application icon similarity, then by two phases It is determined as like the maximum target legal copy application of the sum of degree described to be measured using counterfeit application.
205th, when determining that the application to be measured is counterfeit in application, output is for showing that the application to be measured is counterfeit application Alarm prompt.
When determining that the application to be measured is counterfeit in application, this can have been installed to remind with outputting alarm prompt information The user of counterfeit application can unload the counterfeit application in time, the user for not installing the counterfeit application be reminded not install this counterfeit Using.In addition, after it is which is applied to determine the counterfeit legal application of the application to be measured, can add in alarm prompt The application feature and domain name for the legal application for adding the application to be measured counterfeit, user to be reminded subsequently to need download installation legal It is downloaded in application, can arrive under the domain name.
The method of the counterfeit application of identification provided in an embodiment of the present invention, can not only efficiently and accurately identify unknown applications Whether it is counterfeit application, additionally it is possible to similarity comparison be carried out by the application name and application icon with legal copy application, determine this Unknown applications it is counterfeit be which legal application and when determining that the unknown applications are counterfeit in application, also being able to award user Alarm prompt, to prevent user from continuing to be deceived.
Further, according to above method embodiment, it is counterfeit that an alternative embodiment of the invention additionally provides a kind of identification The device of application, as shown in figure 3, described device mainly includes:Extraction unit 31, intercepts and captures unit 33 and identification at determination unit 32 Unit 34.Wherein,
Extraction unit 31, for extracting the application feature of application to be measured;
Determination unit 32, for being carried out described using feature and the application feature of legal application each in legal application library It compares, determines target legal copy application only identical with the certain applications feature of the application to be measured;
Unit 33 is intercepted and captured, for the uniform resource position mark URL asked when intercepting and capturing using the application to be measured;
Recognition unit 34, for by the way that the URL is matched with the domain name that the target legal copy is applied, described in identification Whether application to be measured is counterfeit application.
Optionally, as shown in figure 4, the recognition unit 34 includes:
Matching module 341, for domain names of all URL intercepted and captured respectively with target legal copy application to be matched;
Determining module 342, for when the number of the URL with domain name successful match be greater than or equal to predetermined threshold value when, Determine that the application to be measured is not counterfeit application;When the number of the URL for the domain name successful match applied with each target legal copy is equal During less than the predetermined threshold value, it is counterfeit application to determine the application to be measured.
Optionally, the determination unit 32 is additionally operable to after determining that the application to be measured is counterfeit application, when target just When there are one version applications only, the target legal copy application is determined as described to be measured using counterfeit application;
As shown in figure 4, described device further includes:
Computing unit 35, for when target legal copy application has multiple, calculate respectively the application name of application to be measured with it is described The similarity of application name, the application icon of application to be measured and the application icon of target legal copy application of target legal copy application Similarity;
The determination unit 32 is additionally operable to the target legal copy application of the sum of two similarities maximum being determined as described to be measured Using counterfeit application.
Optionally, the application feature includes application name, using unique mark, application icon and installation certificate.
Optionally, the intercepting and capturing unit 33, for intercepting and capturing in sandbox environment using described to be measured in application, described to be measured The URL of application request.
Optionally, as shown in figure 4, described device further includes:
Output unit 36, for when determine the application to be measured be it is counterfeit in application, output for show it is described it is to be measured should With the alarm prompt for being counterfeit application.
The device of the counterfeit application of identification provided in an embodiment of the present invention can first extract the application feature of application to be measured, so These are compared using feature using feature accordingly with legal application each in legal application library respectively afterwards, quickly from big The target legal copy application that application to be measured may be counterfeit is filtered out in the legal application of amount, then again by matching application request to be measured URL and the domain name of target legal copy application accurately identify whether application to be measured is counterfeit application.Additionally it is possible to by with The application name and application icon of legal copy application carry out similarity comparison, determine the unknown applications it is counterfeit be which it is legal should With and when determining that the unknown applications are counterfeit in application, also being able to award user's alarm prompt, to prevent user from continuing It is deceived.
Further, according to above method embodiment, an alternative embodiment of the invention additionally provides a kind of storage medium, The storage medium is stored with a plurality of instruction, described instruction be suitable for being loaded by processor and perform identify as described above it is counterfeit The method of application.
The instruction stored in storage medium provided in an embodiment of the present invention can first extract the application feature of application to be measured, Then these are compared using feature using feature accordingly with legal application each in legal application library respectively, quickly from The target legal copy application that application to be measured may be counterfeit is filtered out in a large amount of legal applications, then again by matching application request to be measured The application of URL and target legal copy domain name, accurately identify whether application to be measured is counterfeit application.Additionally it is possible to pass through Carry out similarity comparison with the application name and application icon of legal copy application, determine the unknown applications it is counterfeit be which it is legal should With and when determining that the unknown applications are counterfeit in application, also being able to award user's alarm prompt, to prevent user from continuing It is deceived.
Further, according to above method embodiment, an alternative embodiment of the invention additionally provides a kind of electronic equipment, The electronic equipment includes storage medium and processor;
The processor is adapted for carrying out each instruction;
The storage medium, suitable for storing a plurality of instruction;
Described instruction is suitable for the method for being loaded by the processor and being performed the upper counterfeit application of identification.
Electronic equipment provided in an embodiment of the present invention can first extract the application feature of application to be measured, then should by these It is compared accordingly using feature with legal application each in legal application library respectively with feature, quickly from a large amount of legal applications In filter out the target legal copy application that application to be measured may be counterfeit, then again by matching the URL and target of application request to be measured The domain name of legal copy application accurately identifies whether application to be measured is counterfeit application.Additionally it is possible to by with legal copy application Application name and application icon carry out similarity comparison, determine the unknown applications it is counterfeit be which legal application and when true The fixed unknown applications are counterfeit in application, also being able to award user's alarm prompt, to prevent user from continuing to be deceived.
The embodiment of the present invention additionally provides:
A1, a kind of method for identifying counterfeit application, the method includes:
Extract the application feature of application to be measured;
Be compared described using feature with the application feature of legal application each in legal application library, it is determining only with institute State the identical target legal copy application of the certain applications feature of application to be measured;
The uniform resource position mark URL asked when intercepting and capturing using the application to be measured;
By the way that the URL is matched with the domain name that the target legal copy is applied, the identification application to be measured whether be Counterfeit application.
A2, the method according to A1, the domain name progress by the way that the URL and the target legal copy are applied Match, whether the identification application to be measured is that counterfeit application includes:
Domain names of all URL of intercepting and capturing respectively with target legal copy application is matched;
If the number with the URL of domain name successful match is greater than or equal to predetermined threshold value, it is determined that the application to be measured It is not counterfeit application;
If the predetermined threshold value is respectively less than with the number of the URL of the domain name successful match of each target legal copy application, really The fixed application to be measured is counterfeit application.
A3, the method according to A2, after determining that the application to be measured is counterfeit application, the method further includes:
When the application of target legal copy only there are one when, by the target legal copy application be determined as it is described it is to be measured using it is counterfeit should With;
When target legal copy application has multiple, the application name of application to be measured and answering for target legal copy application are calculated respectively The similarity of application icon applied with the application icon of the similarity of name, application to be measured with the target legal copy;And by two The target legal copy application of the sum of similarity maximum is determined as described to be measured using counterfeit application.
A4, the method according to A1, the application feature include application name, using unique mark, application icon and peace Fill certificate.
A5, the method according to A1, the uniform resource position mark URL asked when the intercepting and capturing are using the application to be measured Including:
It intercepts and captures in sandbox environment using described to be measured in application, the URL of the application request to be measured.
A6, the method according to any one of A1 to A5, the method further include:
When determining that the application to be measured is counterfeit in application, output is for showing that the application to be measured is the announcement of counterfeit application Alert prompt message.
B7, a kind of device for identifying counterfeit application, described device include:
Extraction unit, for extracting the application feature of application to be measured;
Determination unit, for comparing described using feature and the application feature of legal application each in legal application library It is right, determine target legal copy application only identical with the certain applications feature of the application to be measured;
Unit is intercepted and captured, for the uniform resource position mark URL asked when intercepting and capturing using the application to be measured;
Recognition unit, for by the way that the URL is matched with the domain name that the target legal copy is applied, being treated described in identification Survey whether application is counterfeit application.
B8, the device according to B7, the recognition unit include:
Matching module, for domain names of all URL intercepted and captured respectively with target legal copy application to be matched;
Determining module, for when the number of the URL with domain name successful match is greater than or equal to predetermined threshold value, determining The application to be measured is not counterfeit application;When the number of the URL for the domain name successful match applied with each target legal copy is respectively less than During the predetermined threshold value, it is counterfeit application to determine the application to be measured.
B9, the device according to B8, the determination unit, be additionally operable to determine the application to be measured be it is counterfeit using it Afterwards, when target legal copy application only there are one when, the target legal copy application is determined as described to be measured using counterfeit application;
Described device further includes:
Computing unit, for when target legal copy application has multiple, calculating the application name of application to be measured and the mesh respectively The phase of application icon that the similarity of application name of the legal application of mark, the application icon of application to be measured are applied with the target legal copy Like degree;
The determination unit, be additionally operable to by the target legal copy application of the sum of two similarities maximum be determined as it is described it is to be measured should With counterfeit application.
B10, the device according to B7, the application feature include application name, using unique mark, application icon and peace Fill certificate.
B11, the device according to B7, the intercepting and capturing unit, for intercept and capture in sandbox environment using it is described it is to be measured should Used time, the URL of the application request to be measured.
B12, the device according to any one of B7 to B11, described device further include:
Output unit, for when the determining application to be measured is counterfeit in application, exporting to show the application to be measured It is the alarm prompt of counterfeit application.
C13, a kind of storage medium, the storage medium are stored with a plurality of instruction, and described instruction is suitable for being added by processor The method for carrying and performing the counterfeit application of identification as described in any one of A1-A6.
D14, a kind of electronic equipment, the electronic equipment include storage medium and processor;
The processor is adapted for carrying out each instruction;
The storage medium, suitable for storing a plurality of instruction;
Described instruction is suitable for being loaded as the processor and being performed the counterfeit application of identification as described in any one of A1-A6 Method.
In the above-described embodiments, it all emphasizes particularly on different fields to the description of each embodiment, there is no the portion being described in detail in some embodiment Point, it may refer to the associated description of other embodiment.
It is understood that the correlated characteristic in the above method and device can be referred to mutually.In addition, in above-described embodiment " first ", " second " etc. be for distinguishing each embodiment, and do not represent the quality of each embodiment.
It is apparent to those skilled in the art that for convenience and simplicity of description, the system of foregoing description, The specific work process of device and unit can refer to the corresponding process in preceding method embodiment, and details are not described herein.
Algorithm and display be not inherently related to any certain computer, virtual system or miscellaneous equipment provided herein. Various general-purpose systems can also be used together with teaching based on this.As described above, required by constructing this kind of system Structure be obvious.In addition, the present invention is not also directed to any certain programmed language.It should be understood that it can utilize various Programming language realizes the content of invention described herein, and the description done above to language-specific is to disclose this hair Bright preferred forms.
In the specification provided in this place, numerous specific details are set forth.It is to be appreciated, however, that the implementation of the present invention Example can be put into practice without these specific details.In some instances, well known method, structure is not been shown in detail And technology, so as not to obscure the understanding of this description.
Similarly, it should be understood that in order to simplify the disclosure and help to understand one or more of each inventive aspect, Above in the description of exemplary embodiment of the present invention, each feature of the invention is grouped together into single implementation sometimes In example, figure or descriptions thereof.However, the method for the disclosure should be construed to reflect following intention:It is i.e. required anti- Shield the present invention claims the more features of feature than being expressly recited in each claim.More precisely, as following Claims reflect as, inventive aspect is all features less than single embodiment disclosed above.Therefore, Thus the claims for following specific embodiment are expressly incorporated in the specific embodiment, wherein each claim is in itself Separate embodiments all as the present invention.
Those skilled in the art, which are appreciated that, to carry out adaptively the module in the equipment in embodiment Change and they are arranged in one or more equipment different from the embodiment.It can be the module or list in embodiment Member or component be combined into a module or unit or component and can be divided into addition multiple submodule or subelement or Sub-component.Other than such feature and/or at least some of process or unit exclude each other, it may be used any Combination is disclosed to all features disclosed in this specification (including adjoint claim, abstract and attached drawing) and so to appoint Where all processes or unit of method or equipment are combined.Unless expressly stated otherwise, this specification is (including adjoint power Profit requirement, abstract and attached drawing) disclosed in each feature can be by providing the alternative features of identical, equivalent or similar purpose come generation It replaces.
In addition, it will be appreciated by those of skill in the art that although some embodiments described herein include other embodiments In included certain features rather than other feature, but the combination of the feature of different embodiments means in of the invention Within the scope of and form different embodiments.For example, in the following claims, the embodiment of required protection is appointed One of meaning mode can use in any combination.
The all parts embodiment of the present invention can be with hardware realization or to be run on one or more processor Software module realize or realized with combination thereof.It will be understood by those of skill in the art that it can use in practice Microprocessor or digital signal processor (DSP) realize the method and dress of the counterfeit application of identification according to embodiments of the present invention The some or all functions of some or all components in putting.The present invention is also implemented as described here for performing Some or all equipment of method or program of device (for example, computer program and computer program product).This The program of the realization present invention of sample can may be stored on the computer-readable medium or can have one or more signal Form.Such signal can be downloaded from internet website to be obtained either providing or with any other on carrier signal Form provides.
It should be noted that the present invention will be described rather than limits the invention, and ability for above-described embodiment Field technique personnel can design alternative embodiment without departing from the scope of the appended claims.In the claims, Any reference mark between bracket should not be configured to limitations on claims.Word "comprising" does not exclude the presence of not Element or step listed in the claims.Word "a" or "an" before element does not exclude the presence of multiple such Element.The present invention can be by means of including the hardware of several different elements and being come by means of properly programmed computer real It is existing.If in the unit claim for listing equipment for drying, several in these devices can be by same hardware branch To embody.The use of word first, second, and third does not indicate that any sequence.These words can be explained and run after fame Claim.

Claims (10)

  1. A kind of 1. method for identifying counterfeit application, which is characterized in that the method includes:
    Extract the application feature of application to be measured;
    It is compared described using feature with the application feature of legal application each in legal application library, determines only to treat with described Survey the identical target legal copy application of the certain applications feature of application;
    The uniform resource position mark URL asked when intercepting and capturing using the application to be measured;
    By the way that the URL is matched with the domain name that the target legal copy is applied, whether the identification application to be measured is counterfeit Using.
  2. It is 2. according to the method described in claim 1, it is characterized in that, described by by the URL and the target legal copy application Domain name matched, identification it is described it is to be measured application whether be that counterfeit application includes:
    Domain names of all URL of intercepting and capturing respectively with target legal copy application is matched;
    If it is greater than or equal to predetermined threshold value with the number of the URL of domain name successful match, it is determined that the application to be measured is not Counterfeit application;
    If it is respectively less than the predetermined threshold value with the number of the URL of the domain name successful match of each target legal copy application, it is determined that institute It is counterfeit application to state application to be measured.
  3. 3. according to the method described in claim 2, it is characterized in that, determining that the application to be measured is institute after counterfeit application The method of stating further includes:
    When target legal copy application only there are one when, the target legal copy application is determined as described to be measured using counterfeit application;
    When target legal copy application has multiple, the application name of application to be measured and the application name of target legal copy application are calculated respectively Similarity, the application of application icon and the target legal copy of application to be measured application icon similarity;It is and similar by two The maximum target legal copy application of the sum of degree is determined as described to be measured using counterfeit application.
  4. 4. according to the method described in claim 1, it is characterized in that, it is described application feature include application name, using unique mark, Application icon and installation certificate.
  5. 5. the according to the method described in claim 1, it is characterized in that, unification asked when the intercepting and capturing are using the application to be measured Resource Locator URL includes:
    It intercepts and captures in sandbox environment using described to be measured in application, the URL of the application request to be measured.
  6. 6. the method according to any one of claims 1 to 5, it is characterized in that, the method further includes:
    When determining that the application to be measured is counterfeit in application, output is for showing that the application to be measured is that the alarm of counterfeit application carries Show information.
  7. 7. a kind of device for identifying counterfeit application, which is characterized in that described device includes:
    Extraction unit, for extracting the application feature of application to be measured;
    Determination unit, for being compared described using feature with the application feature of legal application each in legal application library, Determine target legal copy application only identical with the certain applications feature of the application to be measured;
    Unit is intercepted and captured, for the uniform resource position mark URL asked when intercepting and capturing using the application to be measured;
    Recognition unit, for by the way that the URL is matched with the domain name that the target legal copy is applied, identification it is described it is to be measured should With whether being counterfeit application.
  8. 8. device according to claim 7, which is characterized in that the recognition unit includes:
    Matching module, for domain names of all URL intercepted and captured respectively with target legal copy application to be matched;
    Determining module, for when the number of the URL with domain name successful match is greater than or equal to predetermined threshold value, determining described Application to be measured is not counterfeit application;Described in being respectively less than when the number of the URL for the domain name successful match applied with each target legal copy During predetermined threshold value, it is counterfeit application to determine the application to be measured.
  9. 9. a kind of storage medium, which is characterized in that the storage medium is stored with a plurality of instruction, and described instruction is suitable for by handling The method that device loads and performs the counterfeit application of identification as described in any one of claim 1-6.
  10. 10. a kind of electronic equipment, which is characterized in that the electronic equipment includes storage medium and processor;
    The processor is adapted for carrying out each instruction;
    The storage medium, suitable for storing a plurality of instruction;
    Described instruction is suitable for being loaded as the processor and performing the counterfeit application of identification as described in any one of claim 1-6 Method.
CN201711476647.1A 2017-12-29 2017-12-29 Identify the method and device of counterfeit application Pending CN108256328A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711476647.1A CN108256328A (en) 2017-12-29 2017-12-29 Identify the method and device of counterfeit application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711476647.1A CN108256328A (en) 2017-12-29 2017-12-29 Identify the method and device of counterfeit application

Publications (1)

Publication Number Publication Date
CN108256328A true CN108256328A (en) 2018-07-06

Family

ID=62724595

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711476647.1A Pending CN108256328A (en) 2017-12-29 2017-12-29 Identify the method and device of counterfeit application

Country Status (1)

Country Link
CN (1) CN108256328A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109684788A (en) * 2018-12-29 2019-04-26 上海上讯信息技术股份有限公司 A kind of mobile application channel monitoring system and method Internet-based
CN110135153A (en) * 2018-11-01 2019-08-16 哈尔滨安天科技股份有限公司 The credible detection method and device of software
CN113434826A (en) * 2021-07-23 2021-09-24 公安部第三研究所 Detection method and system for counterfeit mobile application and related products

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104657634A (en) * 2015-02-28 2015-05-27 百度在线网络技术(北京)有限公司 Method and device for identifying pirate application
CN104951675A (en) * 2014-03-31 2015-09-30 北京金山网络科技有限公司 Pirate application recognition method and system
CN105426706A (en) * 2015-11-20 2016-03-23 北京奇虎科技有限公司 Pirate application detection method, device and system
CN107038173A (en) * 2016-02-04 2017-08-11 腾讯科技(深圳)有限公司 Application query method and apparatus, similar application detection method and device
CN107222369A (en) * 2017-07-07 2017-09-29 北京小米移动软件有限公司 Recognition methods, device, switch and the storage medium of application program

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104951675A (en) * 2014-03-31 2015-09-30 北京金山网络科技有限公司 Pirate application recognition method and system
CN104657634A (en) * 2015-02-28 2015-05-27 百度在线网络技术(北京)有限公司 Method and device for identifying pirate application
CN105426706A (en) * 2015-11-20 2016-03-23 北京奇虎科技有限公司 Pirate application detection method, device and system
CN107038173A (en) * 2016-02-04 2017-08-11 腾讯科技(深圳)有限公司 Application query method and apparatus, similar application detection method and device
CN107222369A (en) * 2017-07-07 2017-09-29 北京小米移动软件有限公司 Recognition methods, device, switch and the storage medium of application program

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110135153A (en) * 2018-11-01 2019-08-16 哈尔滨安天科技股份有限公司 The credible detection method and device of software
CN109684788A (en) * 2018-12-29 2019-04-26 上海上讯信息技术股份有限公司 A kind of mobile application channel monitoring system and method Internet-based
CN113434826A (en) * 2021-07-23 2021-09-24 公安部第三研究所 Detection method and system for counterfeit mobile application and related products

Similar Documents

Publication Publication Date Title
CN103632096B (en) A kind of method and apparatus that safety detection is carried out to equipment
JP5802848B2 (en) Computer-implemented method, non-temporary computer-readable medium and computer system for identifying Trojanized applications (apps) for mobile environments
CN105224869B (en) Assembly test method and device
CN104537308B (en) System and method using security audit function is provided
CN105635178B (en) Ensure the block type Network Access Method and device of safety
CN104317599B (en) Whether detection installation kit is by the method and apparatus of secondary packing
CN106845223B (en) Method and apparatus for detecting malicious code
CN106548076A (en) Method and apparatus of the detection using bug code
CN104143008B (en) The method and device of fishing webpage is detected based on picture match
CN110929264B (en) Vulnerability detection method and device, electronic equipment and readable storage medium
CN104517054A (en) Method, device, client and server for detecting malicious APK
CN108256328A (en) Identify the method and device of counterfeit application
CN105653947B (en) The method and device of data safety risk is applied in a kind of assessment
CN104698919A (en) Method and device for inspecting intelligent terminal
CN106778246A (en) The detection method and detection means of sandbox virtualization
CN109086377A (en) Generation method, device and the calculating equipment of equipment portrait
CN107808096A (en) Method, terminal device and the storage medium of malicious code are injected into during detection APK operations
CN104486312B (en) A kind of recognition methods of application program and device
CN106250761A (en) A kind of unit identifying web automation tools and method
CN108322458A (en) Web Application intrusion detections method, system, computer equipment and storage medium
CN106650439A (en) Suspicious application program detection method and device
CN111859381A (en) File detection method, device, equipment and medium
US11695793B2 (en) Vulnerability scanning of attack surfaces
US8490184B2 (en) Verification for computer programs that include external call references
CN104699619A (en) Online testing method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20180706