CN109726554A - Malicious program detection method, device and related application - Google Patents
Malicious program detection method, device and related application
- Publication number: CN109726554A
- Application number: CN201711037144.4A
- Authority: CN (China)
- Prior art keywords: program, random value, detected, character, character string
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
- Landscapes: Stored Programmes (AREA); Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
An embodiment of the present invention provides a malicious program detection method, device and related application. At least one character string is obtained from a preset position of the program to be detected; a randomness calculation is performed on the character string according to a predefined rule, producing the random value of the program to be detected; when the random value of the program to be detected is greater than a preset threshold, the program to be detected is judged to be a malicious program. The technical solution of the present invention can accurately and effectively identify malicious code that uses random strings to evade security software, solves the extreme expansion of the feature database caused by traditional scanning that relies on a feature database, has high processing efficiency, does not depend on specific features, and can effectively detect automatically generated malicious programs.
Description
Technical field
The present invention relates to a malicious program detection method, device and related application.
Background technique
With the rapid development of the mobile Internet in recent years, platform security problems have grown day by day. The Android platform is the most prominent case: hidden beneath the apparent prosperity of its ecosystem is a black industry chain driven by huge profits. The more the Android ecosystem flourishes, the more rampant the related dark industry chain becomes, and the number of viruses on the Android platform grows almost exponentially.
Traditional malicious program scanning depends on a feature database. The feature database is made up of the signatures (condition codes) of malicious program samples collected by the vendor, where a signature can be understood as code found in the malicious program that distinguishes it from normal software. During scanning, the engine reads the file and matches it against all signatures in the feature database; if the file's program code is hit, the file can be determined to be a malicious program.
For example, the patent of Beijing Qihu Technology Co., Ltd., "A kind of virus APK recognition method and device" (application number: 201210076889.2, publication number: 102663286B), uses opcodes, class names and function names as features. When evading detection, attackers use obfuscation, so the corresponding features become random character strings; a large number of random character strings then replace the original function names, which causes the feature database to expand. The larger the feature database, the lower the matching efficiency, and in the end the traditional feature database fails.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a malicious program detection method, device and related application that overcome the above problems.
In a first aspect, an embodiment of the present invention provides a malicious program detection method, comprising:
obtaining at least one character string from a preset position of the program to be detected;
performing a randomness calculation on the character string according to a predefined rule to generate the random value of the program to be detected;
when the random value of the program to be detected is greater than a preset threshold, judging the program to be detected to be a malicious program.
Further, the method for presetting the threshold includes:
predefining two string sets, a nonrandom string set and a malicious random string set; performing the randomness calculation on all character strings in the two string sets according to the predefined rule, where the smallest random value in the nonrandom string set is the first random value and the largest random value in the malicious random string set is the second random value; when the first random value is less than the second random value, the threshold is the second random value, or alternatively the average of the first random value and the second random value.
Further, the method for presetting the threshold further includes:
also predefining a normal random string set, and performing the randomness calculation on all character strings in that set according to the predefined rule, where the largest random value is the third random value; when the third random value is greater than the first random value and less than the second random value, the threshold is the third random value.
Further, the method for obtaining at least one character string from a preset position of the program to be detected includes: extracting the character string from at least one of the package name, signature, program name, version number, file name and file content of the program to be detected.
Further, the methods for performing the randomness calculation on the character string according to the predefined rule include the N-Gram algorithm and the information entropy algorithm.
Further, the method for obtaining at least one character string from a preset position of the program to be detected includes: using the newline as the delimiter, one line of characters is one character string.
Further, the characters are at least one of English letters, digits, symbols, or a mixture of them.
Further, when the program to be detected is judged to be a malicious program, the at least one character string obtained from the preset position of the program to be detected is added to the malicious random string set.
In a second aspect, an embodiment of the present invention provides a malicious program detection device, comprising:
an obtaining module, for obtaining at least one character string from a preset position of the program to be detected;
a random value computing module, for performing a randomness calculation on the character string according to a predefined rule to generate the random value of the program to be detected;
a comparison and judgement module, for judging the program to be detected to be a malicious program when its random value is greater than a preset threshold.
In a third aspect, an embodiment of the present invention provides a malicious program detection device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
obtain at least one character string from a preset position of the program to be detected;
perform a randomness calculation on the character string according to a predefined rule to generate the random value of the program to be detected;
when the random value of the program to be detected is greater than a preset threshold, judge the program to be detected to be a malicious program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium; when the instructions in the storage medium are executed by the processor of a mobile terminal, the mobile terminal is enabled to perform the malicious program detection method described above.
The beneficial effects of the technical solution provided by the embodiments of the present invention include at least the following:
The malicious program detection method, device and related application provided by the embodiments obtain at least one character string from a preset position of the program to be detected, perform a randomness calculation on the character string according to a predefined rule to generate the random value of the program to be detected, and judge the program to be detected to be a malicious program when its random value is greater than a preset threshold. The technical solution can accurately and effectively identify malicious code that uses random strings to evade security software, solves the extreme expansion of the feature database caused by traditional scanning that relies on a feature database, has high processing efficiency, does not depend on specific features, and can effectively detect automatically generated malicious programs.
Other features and advantages of the present invention will be set out in the following description, will in part become clear from the specification, or will be understood through practising the invention. The objectives and other advantages of the invention can be realized and obtained by the structure particularly pointed out in the written description, the claims and the accompanying drawings.
The technical solution of the present invention is described in further detail below with reference to the drawings and embodiments.
Detailed description of the invention
The accompanying drawings are provided to further the understanding of the present invention and constitute part of the specification; together with the embodiments of the invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is a flow chart of the malicious program detection method provided by an embodiment of the present invention;
Fig. 2A is a flow chart of threshold generation provided by an embodiment of the present invention;
Fig. 2B is a flow chart of another threshold generation provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the magnitudes of the random values of the string sets provided by an embodiment of the present invention;
Fig. 4 is a flow chart of the randomness calculation on a character string provided by an embodiment of the present invention;
Fig. 5 is a block diagram of the malicious program detection device provided by an embodiment of the present invention.
Specific embodiment
Example embodiments are described in detail here and illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings indicate the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention; on the contrary, they are only examples of devices and methods consistent with some aspects of the invention as detailed in the appended claims.
From practical experience, the signature, package name and similar attributes of a normal application need to remain stable in order to maintain normal updates and iteration. Malicious code, by contrast, tends to use random strings so that security vendors cannot build detection signatures on its signature or package name. In addition, the signature and package name of a normal application often carry the personal information of the author or company to which it belongs, which conforms to the statistical rules of text.
According to the statistical rules of text (the theory of letter frequency analysis), in any written language different letters or letter combinations occur with different frequencies, and any passage of text written in that language has roughly the same characteristic distribution of letters. For example, in English the letter E occurs very frequently while X occurs rarely; similarly, the digrams ST, NG, TH and QU occur very frequently while the combinations NZ and QJ are rare.
Therefore a nonrandom character string should satisfy this rule, while a random string generally does not. So the random value of a nonrandom character string should not be high, and the random value of a random string can be relatively high.
Based on the above theory, in this application a malicious character string is certainly a random string; a non-malicious (normal) character string may be random or nonrandom, and if it is random, its randomness does not exceed that of a malicious character string.
The technical solution of the present invention only distinguishes random strings from nonrandom strings in the program to be detected. In the course of the description, random strings include normal random strings (such as "Eye two a went bar tea") and malicious random strings (such as "Gffvdyfgghjguyseertdftyfgty"); nonrandom strings can be understood as normal semantic strings (such as "I went to a party").
An embodiment of the present invention provides a malicious program detection method which, referring to Fig. 1, includes steps S101 to S103:
S101: obtain at least one character string from a preset position of the program to be detected.
To counter security vendors, malicious programs or applications often use packing and obfuscation to evade detection, so that scanning based on fixed strings such as class names, package names, method names and other character strings used as signatures has generally lost its adaptability and generality. At the same time, to hide the identifying features of the malware author such as the signature and package name, malicious files such as Android installation package (Android Package, APK) files increasingly use random strings, for example random package names and signatures, to evade detection by security software, which leaves security vendors extremely passive in the face of a sharply expanding feature database. Conventional developers, on the other hand, keep the signature, package name and code stable to maintain product continuity. It is therefore preferable to extract character strings from positions such as the package name, signature, program name, version number, file name or file content of the program to be detected; to improve detection accuracy, strings should be selected from as many positions as possible.
For example, after an APK (which can be regarded as a zip-format file) is decompressed it includes:
1. classes.dex, in dex format;
2. resources.arsc, in arsc format;
3. AndroidManifest.xml, in xml format;
4. files of other formats.
The content of the above files is available, and the information of the APK package can also be obtained: version number, title, package name, signature, icon, etc. The source code of the program or application can also be obtained by decompilation or other means, and character strings obtained from the source code. The embodiments of the present disclosure do not limit the way in which the character strings are obtained.
In this embodiment the characters may be English letters, digits, symbols or a mixture of them, for example "abcdefghijklmnopqrstuvwxyz012345679=@-" or "acegikmoqsuwy", or a string sorted by ASCII code from small to large, etc.; the embodiments of the present disclosure do not limit this.
The newline is used as the delimiter, and one line of characters is one character string. For the signature of an APP, it can be regarded as containing one character string:
CN=Jie Lv, OU=Hangzhou Feiniu Science&Technology Co.Ltd., O=Hangzhou
Feiniu Science&Technology Co.Ltd., L=HangZhou, ST=ZheJiang, C=86
For a passage of text N lines long, it can be regarded as having N character strings.
S102: perform a randomness calculation on the character string according to a predefined rule to generate the random value of the program to be detected.
The methods for performing the randomness calculation on the character string include the N-Gram algorithm, the information entropy algorithm, etc.; this embodiment places no restriction on them.
S103: when the random value of the program to be detected is greater than a preset threshold, judge the program to be detected to be a malicious program.
There are many ways to preset the threshold, for example:
The first:
S1031: predefine two string sets, a nonrandom string set and a malicious random string set, from several character strings whose attributes are already known.
S1032: perform the randomness calculation on all character strings in the two string sets according to the same rule as in S102, where the smallest random value in the nonrandom string set is the first random value and the largest random value in the malicious random string set is the second random value. The threshold can be the second random value, which gives high accuracy; or the average of the first random value and the second random value, which is efficient and covers most string random value situations. The average can be computed by simple arithmetic mean, weighted arithmetic mean, moving average or exponential smoothing average, etc.; the embodiments of the present disclosure do not limit this either.
With reference to Fig. 3, it can be understood that if the first random value is greater than the second random value, the nonrandom string set and random string set used as the training set are not representative, and these sets are unavailable.
The second:
S1031': predefine three string sets, a nonrandom string set, a malicious random string set and a normal random string set, from several character strings whose attributes are already known.
S1032': perform the randomness calculation on all character strings in the three string sets according to the predefined rule, where the smallest random value in the nonrandom string set is the first random value, the largest random value in the malicious random string set is the second random value, and the largest random value in the normal random string set is the third random value; the third random value is used as the threshold.
Of course, to improve detection accuracy, the above method is preferably combined with other detection means in the application.
With reference to Fig. 3, it can be understood that this method can only be used when the third random value is greater than the first random value and less than the second random value; otherwise the training set is not representative and should not be used.
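The two threshold methods and their representativeness checks, written out as an added example (not code from the patent): it uses the information entropy option the page lists as the randomness rule, and assumes that a program's random value is the largest value among its extracted strings, which the page does not specify.

```python
import math
from collections import Counter


def extract_strings(text):
    """S101: the newline is the delimiter, so each non-empty line is one string."""
    return [line for line in text.split("\n") if line.strip()]


def entropy_score(s):
    """Randomness of one string as Shannon entropy in bits per character.

    This is the 'information entropy' option the page lists: a string made of
    one repeated character scores 0, a string of k distinct characters log2(k).
    """
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def program_random_value(strings, score_fn=entropy_score):
    """Random value of a program: the largest score among its strings.

    Assumption: the page does not say how per-string values are combined.
    """
    if not strings:
        raise ValueError("no strings extracted from the program")
    return max(score_fn(s) for s in strings)


def calibrate_threshold(nonrandom, malicious, normal_random=None,
                        method="second", score_fn=entropy_score):
    """Preset the threshold from labelled string sets (S1031/S1032, S1031'/S1032').

    first  = smallest random value in the nonrandom set
    second = largest random value in the malicious random set
    third  = largest random value in the normal random set (second method only)
    Raises ValueError when the sets fail the representativeness checks in the text.
    """
    first = min(score_fn(s) for s in nonrandom)
    second = max(score_fn(s) for s in malicious)
    if not first < second:
        raise ValueError("sets unavailable: first value %.3f is not below second %.3f"
                         % (first, second))
    if normal_random is not None:
        third = max(score_fn(s) for s in normal_random)
        if not first < third < second:
            raise ValueError("sets unavailable: third value %.3f not between first and second"
                             % third)
        return third
    if method == "second":
        return second                   # threshold = second random value (high accuracy)
    if method == "mean":
        return (first + second) / 2     # simple arithmetic mean of first and second
    raise ValueError("method must be 'second' or 'mean'")


def is_malicious(strings, threshold, score_fn=entropy_score):
    """S103: the program is judged malicious when its random value exceeds the threshold."""
    return program_random_value(strings, score_fn) > threshold


if __name__ == "__main__":
    # Constructed labelled sets; the first string of each set is the page's own example.
    NONRANDOM = ["I went to a party", "this is a dog"]
    MALICIOUS = ["Gffvdyfgghjguyseertdftyfgty", "Xqzkvbwprtlmdjfy"]
    NORMAL_RANDOM = ["Eye two a went bar tea"]
    thr = calibrate_threshold(NONRANDOM, MALICIOUS, NORMAL_RANDOM)
    # Constructed stand-in for lines pulled from an APK's manifest and signature.
    sample = extract_strings("com.example.notes\nCN=Example Developer, O=Example Ltd\nKqzxwvjbmnptryfdgh")
    print("threshold %.3f, malicious=%s" % (thr, is_malicious(sample, thr)))
```

Per-character entropy rises with string length and alphabet size, so the labelled sets must contain strings of the same kind and length as the positions being scanned, or the representativeness check rejects them (or a long legitimate signature line scores above the threshold).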
The string sets established above have a good learning capability and high processing efficiency. The technical solution of the present invention does not use a feature database; instead, by calculating the random value of the program to be detected and comparing it with the preset threshold, it effectively identifies malicious code that uses random strings to evade security software, solves the extreme expansion of the feature database caused by traditional scanning, has high processing efficiency, does not depend on specific features, and can effectively detect automatically generated malicious programs. Depending on the detection result, the user may be prompted to remove or uninstall the application, or the application may be quarantined directly.
The technical solution of the present invention can detect software installed on a computer and can also detect applications installed on a mobile phone; the programs mentioned in the embodiments of the present disclosure include but are not limited to the above software and applications installed on various terminals.
In one embodiment, the randomness calculation for the character strings in step S101 of Fig. 1 and in Fig. 2A and Fig. 2B uses the N-Gram algorithm and, referring to Fig. 4, includes the following steps:
S201: segment the character string to obtain all of its N-character segments, where N is a positive integer;
S202: look up the frequency with which each N-character segment of the character string occurs in a preset feature array, obtaining the frequency array corresponding to the character string; the frequency array contains the frequency corresponding to each N-character segment of the character string;
S203: calculate the average of the frequency array and take the exponent of the constant e corresponding to that average, obtaining the random value corresponding to the character string.
The preset feature array in step S202 can be generated as follows: pattern matching is performed on a preset ordered character string to generate the feature array, which contains the frequencies with which N-character sequences occur in that ordered character string.
When the N-Gram algorithm is used, for example with 2-Gram, the frequency with which each pair of adjacent characters occurs is obtained, and the set of those frequencies forms the feature array; 3-Gram can also be used for pattern matching. In theory, as long as the character strings are long enough, the larger N is the better, since more information is taken into account; but a large N easily produces data sparsity, fails to satisfy the law of large numbers, and distorts the calculated probabilities. On the other hand, if N is very large the parameter space is too large, producing the curse of dimensionality, which is also impractical. Assuming the size of the character string is 100,000, the number of parameters of the N-Gram model is 100,000^N; with that many parameters there is not enough memory for the calculation. In practice 2-Gram can solve the problem; 3-Gram is generally not used, and N >= 4 is rare. The embodiments of the present disclosure do not limit the value of N.
For example, taking the characters in "abcdefghijklmnopqrstuvwxyz012345679=@-" as the statistical baseline and using N-Gram, we count, over a large number of normal semantic articles, the number of times each pair of 2 adjacent characters (the "2" in "2-Gram segment") occurs, such as aa, ab, ac, ..., ba, bb, bc, ... With reference to Table 1 below, the value at row a, column a is 31, meaning that "aa" occurred 31 times in the statistics, and the value at row b, column c is 168, meaning that the frequency of "bc" in the statistics is 168 times, and so on. These frequencies are recorded and their set generates the feature array; in this way we have roughly obtained the probability with which two adjacent characters should occur under normal semantics. Calculation with 3-Gram segments is similar to 2-Gram. The segment word-frequency results are shown in Table 1.
Table 1 (the blank row and column label in the original is the space character, which the text treats as a character)

|   | a | b | c | …… | @ | - | (space) |
|---|---|---|---|----|---|---|---------|
| a | 31 | 7910 | 16166 | …… | 10 | 336 | 26888 |
| b | 5708 | 429 | 168 | …… | 10 | 55 | 642 |
| c | 17916 | 10 | 3090 | …… | 10 | 40 | 3023 |
| …… | …… | …… | …… | …… | …… | …… | …… |
| @ | 10 | 10 | 10 | …… | 10 | 10 | 10 |
| - | 1058 | 468 | 605 | …… | 10 | 6049 | 58 |
| (space) | 119739 | 45051 | 41880 | …… | 10 | 55 | 34700 |
As another example: in the sentence "this is a dog", "th" occurs 1 time, "hi" occurs 1 time, "is" occurs 2 times, "_i" occurs 1 time, "s_" occurs 1 time, "_a" occurs 1 time, "a_" occurs 1 time, "_d" occurs 1 time, "do" occurs 1 time and "og" occurs 1 time, where "_" (underscore) represents the space; the space is also treated as a character in the word frequency. The frequency of each of the above two-character segments is looked up in a table such as Table 1, the average of the resulting values is calculated, and the exponent of the constant e is then taken with that average, giving the random value corresponding to the string "this is a dog". See formula one:
e^x = N
(where the constant e is approximately 2.71828, N is the average value, and x is the exponent, that is, the random value)
Formula one
In this embodiment, in order to turn small changes in frequency into a clear and observable output, the exponent of the constant e is taken using the average frequency; other methods may also be used, for example using the average frequency directly as the random value, in which case the numerical value of the random value is larger, but the idea is the same as in this scheme. The embodiments of the present disclosure do not limit this.
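Steps S201 to S203 and formula one, as an added example that is not the patent's code: the feature array is built from a constructed three-line corpus standing in for the large collection of normal articles, the alphabet is the page's baseline string plus the space, and treating Table 1's value of 10 as a floor for segments never seen is an assumption. The segment size N is a parameter, so the same code does the 3-Gram variant the text mentions.

```python
import math
from collections import Counter

# The page's statistical baseline characters (quoted as printed there) plus the space,
# which the text treats as a character of its own.
BASELINE = "abcdefghijklmnopqrstuvwxyz012345679=@- "
# Table 1 shows 10 for pairs that are hardly ever seen; using it as a minimum count
# for segments absent from the feature array is an assumption, not stated on the page.
FLOOR = 10


def segment(s, n=2):
    """S201: all N-character segments of s (sliding window over the lower-cased string)."""
    s = s.lower()
    return [s[i:i + n] for i in range(len(s) - n + 1)]


def build_feature_array(corpus, n=2):
    """Feature array: how often each N-character segment occurs in normal semantic text.

    Segments containing characters outside BASELINE are ignored.
    """
    counts = Counter()
    for line in corpus:
        counts.update(g for g in segment(line, n) if all(ch in BASELINE for ch in g))
    return dict(counts)


def frequency_array(s, feature, n=2, floor=FLOOR):
    """S202: look up each segment of s in the feature array; unseen segments get the floor."""
    return [feature.get(g, floor) for g in segment(s, n)]


def random_value(s, feature, n=2, floor=FLOOR):
    """S203: average N of the frequency array, then solve e^x = N for x (formula one).

    A string shorter than n has no segments and is scored as a single floor lookup.
    """
    freqs = frequency_array(s, feature, n, floor) or [floor]
    return math.log(sum(freqs) / len(freqs))


if __name__ == "__main__":
    # Constructed mini corpus; with counts this small the floor is lowered to 1.
    corpus = ["the cat sat on the mat",
              "this is the house that jack built",
              "a dog is a good friend"]
    feature = build_feature_array(corpus)
    for s in ["this is a dog", "Gffvdyfgghjguyseertdftyfgty"]:
        print("%-30s %s" % (s, sorted(Counter(segment(s)).items())))
        print("  frequency array %s -> random value %.3f"
              % (frequency_array(s, feature, floor=1), random_value(s, feature, floor=1)))
```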
In one embodiment, when the program to be detected is judged to be a malicious program, the at least one character string obtained from the preset position of the program to be detected is added to the malicious random string set. In this way the malicious sample database is expanded, improving the accuracy of subsequent malicious program detection.
Based on the same inventive concept, an embodiment of the present invention also provides a malicious program detection device. Since the principle by which the device solves the problem is similar to the malicious program detection method of the previous embodiment, the implementation of the device can refer to the implementation of the method, and repeated content is not described again.
The following is a malicious program detection device provided by an embodiment of the present invention, which can be used to execute the above malicious program detection method embodiment.
Referring to Fig. 5, the above device includes:
an obtaining module 41, for obtaining at least one character string from a preset position of the program to be detected;
a random value computing module 42, for performing a randomness calculation on the character string according to a predefined rule to generate the random value of the program to be detected;
a comparison and judgement module 43, for judging the program to be detected to be a malicious program when its random value is greater than a preset threshold.
In one embodiment, referring to Fig. 4, the device further includes a threshold calculation module 44, for predefining two string sets, a nonrandom string set and a malicious random string set, and performing the randomness calculation on all character strings in the two string sets according to the predefined rule, where the smallest random value in the nonrandom string set is the first random value and the largest random value in the malicious random string set is the second random value. The threshold can be set to the second random value or to the average of the first random value and the second random value.
In one embodiment, referring to Fig. 4, the threshold calculation module 44 is also used to predefine a normal random string set and perform the randomness calculation on all character strings in that set according to the predefined rule, where the largest random value is the third random value, which is used as the threshold.
In one embodiment, the method by which the obtaining module 41 obtains at least one character string from a preset position of the program to be detected includes: extracting the character string from at least one of the package name, signature, program name, version number, file name and file content of the program to be detected. The characters are at least one of English letters, digits and symbols. The newline is used as the delimiter, and one line of characters is one character string.
In one embodiment, the random value computing module 42 and/or the threshold calculation module 44 perform the randomness calculation on the character string according to the N-Gram algorithm, the information entropy algorithm, etc.
In one embodiment, the random value computing module 42 or the threshold calculation module 44 performs the randomness calculation on a character string as follows: segment the character string to obtain all of its N-character segments, where N is a positive integer; look up the frequency with which each N-character segment of the character string occurs in a preset feature array, obtaining the frequency array corresponding to the character string, which contains the frequency corresponding to each N-character segment; calculate the average of the frequency array and take the exponent of the constant e corresponding to that average, obtaining the random value corresponding to the character string.
The preset feature array is generated as follows: pattern matching is performed on a preset ordered character string to generate the feature array, which contains the frequencies with which N-character sequences occur in that ordered character string.
In one embodiment, when the comparison and judgement module 43 judges the program to be detected to be a malicious program, the at least one character string obtained by the obtaining module 41 from the preset position of the program to be detected is added to the malicious random string set of the threshold calculation module 44.
According to a third aspect of the embodiments of the present disclosure, an embodiment of the present invention provides a malicious program detection device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
obtain at least one character string from a preset position of the program to be detected;
perform a randomness calculation on the character string according to a predefined rule to generate the random value of the program to be detected;
when the random value of the program to be detected is greater than a preset threshold, judge the program to be detected to be a malicious program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium; when the instructions in the storage medium are executed by the processor of a mobile terminal, the mobile terminal is enabled to perform the malicious program detection method described above.
It should be understood by those skilled in the art that, the embodiment of the present invention can provide as method, system or computer program
Product.Therefore, complete hardware embodiment, complete software embodiment or reality combining software and hardware aspects can be used in the present invention
Apply the form of example.Moreover, it wherein includes the computer of computer usable program code that the present invention, which can be used in one or more,
The shape for the computer program product implemented in usable storage medium (including but not limited to magnetic disk storage and optical memory etc.)
Formula.
The present invention is described with reference to flowcharts and/or block diagrams of the method, equipment (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowchart and/or block diagram, and any combination of flows and/or blocks in the flowchart and/or block diagram, can be realized by computer program instructions. These computer program instructions can be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that is able to guide a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce a manufactured article that includes an instruction device, and the instruction device realizes the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing; the instructions executed on the computer or other programmable device thereby provide steps for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the invention. In this way, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.
Claims (18)
1. A detection method of a malicious program, characterized by comprising:
obtaining at least one character string at a preset position of the program to be detected;
performing a randomness calculation on the character string according to a predefined rule, generating the random value of the program to be detected;
when the random value of the program to be detected is greater than a preset threshold, judging the program to be detected to be a malicious program.
2. The method as described in claim 1, characterized in that the method for obtaining the preset threshold includes: predefining two string sets, namely a nonrandom string set and a malicious random string set; performing the randomness calculation on all character strings in the two string sets respectively according to the predefined rule, where the minimum random value in the nonrandom string set is the first random value and the maximum random value in the malicious random string set is the second random value; when the first random value is less than the second random value, the threshold is: the second random value; or, the average of the first random value and the second random value.
3. The method according to claim 2, characterized in that the method for obtaining the preset threshold further includes: also predefining a normal random string set, and performing the randomness calculation on all character strings in that string set according to the predefined rule, where the maximum random value is the third random value; when the third random value is greater than the first random value and less than the second random value, the threshold is the third random value.
4. The method according to claim 1, characterized in that the method of obtaining at least one character string at a preset position of the program to be detected includes: extracting character strings from at least one of the package name, signature, program name, version number, file name and file content of the program to be detected.
5. The method according to claim 1, characterized in that the method for performing the randomness calculation on the character string according to the predefined rule includes: an N-Gram algorithm, an information entropy algorithm.
6. The method according to claim 1, characterized in that the method of obtaining at least one character string at a preset position of the program to be detected includes: using the newline character as the delimiter, one line of characters being one character string.
7. The method as claimed in claim 6, characterized in that the characters are at least one of English letters, digits and symbols, or a mixture of them.
8. The method according to claim 2, characterized in that when the program to be detected is judged to be a malicious program, the at least one character string obtained from the preset position of the program to be detected is added to the malicious random string set.
9. A detection device of a malicious program, characterized by comprising:
an obtaining module, for obtaining at least one character string at a preset position of the program to be detected;
a random value computing module, for performing a randomness calculation on the character string according to a predefined rule to generate the random value of the program to be detected;
a comparison and judgment module, for judging the program to be detected to be a malicious program when the random value of the program to be detected is greater than a preset threshold.
10. The device as claimed in claim 9, characterized in that the device further includes a threshold calculation module, for predefining two string sets, namely a nonrandom string set and a malicious random string set, and performing the randomness calculation on all character strings in the two string sets respectively according to the predefined rule, where the minimum random value in the nonrandom string set is the first random value and the maximum random value in the malicious random string set is the second random value; when the first random value is less than the second random value, the threshold is: the second random value; or, the average of the first random value and the second random value.
11. The device as claimed in claim 10, characterized in that the threshold calculation module is also used to predefine a normal random string set and to perform the randomness calculation on all character strings in that string set according to the predefined rule, where the maximum random value is the third random value; the threshold is: the third random value.
12. The device according to any one of claims 9-11, characterized in that the method by which the obtaining module obtains at least one character string at a preset position of the program to be detected includes: extracting character strings from at least one of the package name, signature, program name, version number, file name and file content of the program to be detected.
13. The device according to any one of claims 9-11, characterized in that the method by which the random value computing module and/or the threshold calculation module perform the randomness calculation on the character string according to the predefined rule includes: an N-Gram algorithm, an information entropy algorithm.
14. The device according to any one of claims 9-11, characterized in that the method by which the obtaining module obtains at least one character string at a preset position of the program to be detected includes: using the newline character as the delimiter, one line of characters being one character string.
15. The device as claimed in claim 14, characterized in that the characters are at least one of English letters, digits and symbols.
16. The device as claimed in claim 10, characterized in that when the comparison and judgment module judges the program to be detected to be a malicious program, the at least one character string at the preset position of the program to be detected obtained by the obtaining module is added to the malicious random string set of the threshold calculation module.
17. A detection device of a malicious program, characterized by comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
obtain at least one character string at a preset position of the program to be detected;
perform a randomness calculation on the character string according to a predefined rule, generating the random value of the program to be detected;
when the random value of the program to be detected is greater than a preset threshold, judge the program to be detected to be a malicious program.
18. A non-transitory computer-readable storage medium; when the instructions in the storage medium are executed by the processor of a mobile terminal, the mobile terminal is enabled to carry out the detection method of a malicious program according to any one of claims 1-3.
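A worked implementation of claims 1-8 (per-string information entropy as the randomness calculation, the threshold derived from the nonrandom, malicious random and normal random string sets, and feedback of a detected program's strings into the malicious random set), added here as an example and not code from the patent. The sample string sets and inputs are constructed, and taking the maximum per-string entropy as the program's random value is an assumption the claims do not specify.

```python
import math
from collections import Counter

def shannon_entropy(s):
    """Information entropy in bits per character (claim 5's 'information entropy algorithm')."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def extract_strings(blob):
    """Claim 6: the newline character is the delimiter; each non-empty line is one string."""
    return [line for line in blob.split("\n") if line]

def program_random_value(strings):
    """Random value of a program. The claims do not say how several strings are
    aggregated; this example takes the maximum per-string entropy (assumption)."""
    return max((shannon_entropy(s) for s in strings), default=0.0)

def derive_threshold(nonrandom, malicious_random, normal_random=(), use_average=False):
    """Claims 2-3: first = minimum over the nonrandom set, second = maximum over the
    malicious random set, third = maximum over the optional normal random set."""
    first = min(shannon_entropy(s) for s in nonrandom)
    second = max(shannon_entropy(s) for s in malicious_random)
    if normal_random:
        third = max(shannon_entropy(s) for s in normal_random)
        if first < third < second:          # claim 3
            return third
    if first < second:                      # claim 2: second value, or the average
        return (first + second) / 2 if use_average else second
    raise ValueError("claims leave first >= second undefined")

def is_malicious(strings, threshold):
    """Claim 1: a random value above the threshold means the program is judged malicious."""
    return program_random_value(strings) > threshold

def classify_and_learn(strings, threshold, malicious_random):
    """Claim 8: strings of a program judged malicious join the malicious random set."""
    verdict = is_malicious(strings, threshold)
    if verdict:
        malicious_random.extend(strings)
    return verdict

# Constructed sample sets and inputs; none of these come from the patent.
NONRANDOM = ["MainActivity", "com.example.mail", "1.0.3", "LoginService"]
MALICIOUS_RANDOM = ["xk9q2zvb7ma", "q8wpz3nclrtd", "zz3mk0r1jq"]
NORMAL_RANDOM = ["sess-4f7e", "build-3c8d1e"]
BENIGN_APP = "com.example.mail\nMainActivity\n1.0.3\n"
SUSPECT_APP = "com.qz7kx3vb9a.tm2p\nUk4wq9Zx1Lr\n"

if __name__ == "__main__":
    t = derive_threshold(NONRANDOM, MALICIOUS_RANDOM, NORMAL_RANDOM)
    for name, blob in (("benign", BENIGN_APP), ("suspect", SUSPECT_APP)):
        print(name, classify_and_learn(extract_strings(blob), t, MALICIOUS_RANDOM))
```

With these sets the third random value (from the normal random set) becomes the threshold; ordinary identifiers such as "LoginService" already score above 3 bits, which is why the claims derive the threshold from labelled sets instead of fixing it by hand.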
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711037144.4A CN109726554B (en) | 2017-10-30 | 2017-10-30 | Malicious program detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109726554A true CN109726554A (en) | 2019-05-07 |
CN109726554B CN109726554B (en) | 2021-05-18 |
Family
ID=66291896
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |