CN110135153A - The credible detection method and device of software - Google Patents


Info

Publication number
CN110135153A
Authority
CN
China
Prior art keywords
software
credible
beacon
trusted software
file
Prior art date
Legal status
Pending
Application number
CN201811295818.5A
Other languages
Chinese (zh)
Inventor
黄磊
童志明
何公道
Current Assignee
Harbin Antiy Technology Co Ltd
Original Assignee
Harbin Antiy Technology Co Ltd
Application filed by Harbin Antiy Technology Co Ltd
Priority to CN201811295818.5A
Publication of CN110135153A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software


Abstract

The invention discloses a software trustworthiness detection method and device. The method includes the following steps: detecting whether the trusted software under test is trustworthy; if the software under test is trustworthy, extracting multiple beacons from the PE file of the trusted software under test; and detecting whether the multiple beacons belong to a trusted beacon library and, when any one of the multiple beacons does not belong to the trusted beacon library, determining that the trusted software under test has been counterfeited or tampered with. The method can effectively detect counterfeiting of or tampering with trusted software, and in particular can accurately detect behaviour in which an embedded malicious beacon is used to carry out malicious intent, thereby improving the accuracy and reliability of detection, effectively preventing users from being attacked by malicious code, and improving the user experience.

Description

Software trustworthiness detection method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a software trustworthiness detection method and device.
Background art
Currently, malicious users counterfeit or tamper with well-known trusted software (such as Adobe software) in order to gain the victim's trust, so that the victim clicks on and executes the malicious behaviour. To evade detection and removal, the counterfeited or tampered trusted software often serves as a downloader: the downloader itself exhibits no malicious behaviour, but it achieves the purpose of downloading the real malicious code by means of an embedded malicious URL (Uniform Resource Locator).
Specifically, the execution flow of the trusted software is modified so that a malicious URL is embedded (for example, the installation package of the trusted software is decompressed, the installation script is tampered with to embed the malicious URL, and the package is then repacked), so that before or after the trusted software executes normally, the embedded malicious URL is executed and the real malicious code is downloaded.
However, the related art is often unable to effectively detect this behaviour of downloading malicious code through an embedded malicious URL, and therefore cannot effectively detect whether trusted software has been counterfeited or tampered with. Detection accuracy is greatly reduced, users cannot be effectively protected from attack by malicious code, and the user experience suffers; this problem urgently needs to be solved.
Summary of the invention
The present invention aims to solve at least one of the technical problems in the related art.
To this end, the first object of the present invention is to propose a software trustworthiness detection method. The method can effectively detect counterfeiting of or tampering with trusted software, and in particular can accurately detect behaviour in which an embedded malicious beacon is used to carry out malicious intent, thereby improving the accuracy and reliability of detection, effectively preventing users from being attacked by malicious code, and improving the user experience.
The second object of the present invention is to propose a software trustworthiness detection device.
The third object of the present invention is to propose a computer device.
The fourth object of the present invention is to propose a non-transitory computer-readable storage medium.
The fifth object of the present invention is to propose a computer program product.
To achieve the above objects, an embodiment of the first aspect of the present invention proposes a software trustworthiness detection method including the following steps: detecting whether the trusted software under test is trustworthy; if the software under test is trustworthy, extracting multiple beacons from the PE (Portable Executable) file of the trusted software under test; and detecting whether the multiple beacons belong to a trusted beacon library and, when any one of the multiple beacons does not belong to the trusted beacon library, determining that the trusted software under test has been counterfeited or tampered with.
In the software trustworthiness detection method of the embodiment of the present invention, when any one of the multiple beacons in the PE file of the trusted software under test does not belong to the trusted beacon library, the trusted software under test is determined to have been tampered with or counterfeited. This effectively detects counterfeiting of or tampering with trusted software, and in particular accurately detects behaviour in which an embedded malicious beacon is used to carry out malicious intent, thereby improving the accuracy and reliability of detection, effectively preventing users from being attacked by malicious code, and improving the user experience.
In addition, the software trustworthiness detection method according to the above embodiment of the present invention may also have the following additional technical features:
Further, in one embodiment of the invention, the method further includes: collecting a list of trusted software vendors to generate a trusted software vendor name information library; and crawling all beacons of all trusted software vendors in the trusted software vendor name information library to construct the trusted beacon library.
Further, in one embodiment of the invention, detecting whether the software under test is trustworthy further includes: statically parsing the PE file according to the PE structure to obtain identification information of the PE file, where the identification information includes PE attributes and a digital signature, the PE attributes include one or more of the original file name, copyright, product name and trademark, and the digital signature includes signer information; and identifying the trusted software vendor name of the PE file according to the identification information of the PE file and detecting whether it belongs to a trusted software vendor.
Further, in one embodiment of the invention, extracting the multiple beacons from the PE file of the trusted software under test further includes: if the PE file belongs to a trusted software vendor, statically or dynamically analysing the PE file to extract the multiple beacons that are embedded in the PE file or accessed dynamically.
Further, in one embodiment of the invention, the multiple beacons include URL beacons, IP beacons and domain beacons.
To achieve the above objects, an embodiment of the second aspect of the present invention proposes a software trustworthiness detection device, including: a first detection module for detecting whether the trusted software under test is trustworthy; an extraction module for extracting multiple beacons from the PE file of the trusted software under test when the software under test is trustworthy; and a second detection module for detecting whether the multiple beacons belong to a trusted beacon library and, when any one of the multiple beacons does not belong to the trusted beacon library, determining that the trusted software under test has been counterfeited or tampered with.
In the software trustworthiness detection device of the embodiment of the present invention, when any one of the multiple beacons in the PE file of the trusted software under test does not belong to the trusted beacon library, the trusted software under test is determined to have been tampered with or counterfeited. This effectively detects counterfeiting of or tampering with trusted software, and in particular accurately detects behaviour in which an embedded malicious beacon is used to carry out malicious intent, thereby improving the accuracy and reliability of detection, effectively preventing users from being attacked by malicious code, and improving the user experience.
In addition, the software trustworthiness detection device according to the above embodiment of the present invention may also have the following additional technical features:
Further, in one embodiment of the invention, the device further includes: a collection module for collecting a list of trusted software vendors to generate a trusted software vendor name information library; and a crawling module for crawling all beacons of all trusted software vendors in the trusted software vendor name information library to construct the trusted beacon library.
Further, in one embodiment of the invention, the extraction module is further configured to statically parse the PE file according to the PE structure to obtain identification information of the PE file, to identify the trusted software vendor name of the PE file according to the identification information of the PE file and detect whether it belongs to a trusted software vendor, and, when it belongs to a trusted software vendor, to statically or dynamically analyse the PE file to extract the multiple beacons that are embedded in the PE file or accessed dynamically.
Further, in one embodiment of the invention, the identification information includes PE attributes and a digital signature, where the PE attributes include one or more of the original file name, copyright, product name and trademark, and the digital signature includes signer information.
Further, in one embodiment of the invention, the multiple beacons include URL beacons, IP beacons and domain beacons.
To achieve the above objects, an embodiment of the third aspect of the present invention also proposes a computer device including a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, the software trustworthiness detection method described in the above embodiments is implemented.
To achieve the above objects, an embodiment of the fourth aspect of the present invention also proposes a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the software trustworthiness detection method described in the above embodiments is implemented.
To achieve the above objects, an embodiment of the fifth aspect of the present invention also proposes a computer program product; when the instructions in the computer program product are executed by a processor, the software trustworthiness detection method described in the above embodiments is performed.
Additional aspects and advantages of the present invention will be set forth in part in the following description, and in part will become obvious from the description or be learned through practice of the invention.
Description of the drawings
The above and/or additional aspects and advantages of the present invention will become obvious and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of a software trustworthiness detection method according to one embodiment of the invention;
Fig. 2 is a flow chart of a software trustworthiness detection method according to a specific embodiment of the invention;
Fig. 3 is an example diagram, according to one embodiment of the invention, of determining whether trusted software has been counterfeited or tampered with by means of an untrusted beacon embedded in it;
Fig. 4 is a schematic structural diagram of a software trustworthiness detection device according to one embodiment of the invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals denote the same or similar elements, or elements having the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary and are intended to explain the present invention; they are not to be construed as limiting the invention.
The software trustworthiness detection method and device proposed according to embodiments of the present invention are described below with reference to the accompanying drawings; the software trustworthiness detection method is described first.
Fig. 1 is a flow chart of the software trustworthiness detection method of one embodiment of the invention.
As shown in Fig. 1, the software trustworthiness detection method includes the following steps:
In step S101, it is detected whether the trusted software under test is trustworthy.
It can be understood that the trustworthiness condition may be that the PE attributes, digital signature and the like of the PE file of the trusted software under test come from a popular trusted software vendor. The embodiment of the present invention judges, by means of the PE attributes, digital signature and the like, whether the PE file comes from a popular trusted software vendor, and thereby detects whether the trusted software under test is trustworthy. Here, trusted software is software produced by a legitimate software vendor and carrying a valid digital signature; a PE file is a portable executable file, that is, a program file in the Microsoft Windows operating system, and EXE, DLL, OCX, SYS and COM files, for example, may all be PE files.
Further, in one embodiment of the invention, detecting whether the software under test is trustworthy further includes: statically parsing the PE file according to the PE structure to obtain identification information of the PE file, where the identification information includes PE attributes and a digital signature, the PE attributes include one or more of the original file name, copyright, product name and trademark, and the digital signature includes signer information; and identifying the trusted software vendor name of the PE file according to the identification information of the PE file and detecting whether it belongs to a trusted software vendor.
It can be understood that the embodiment of the present invention constructs a list of names of popular software vendors and identifies the vendor to which software belongs by means of the PE attributes (including the original file name, copyright, product name, LegalTrademark, etc.) and the digital signature (signer information).
Specifically, the embodiment of the present invention first judges, from the PE attributes of the PE file (including but not limited to the file name, company name, etc.), the digital signature and the like, whether the PE file comes from a popular trusted software vendor.
In step S102, if the software under test is trustworthy, multiple beacons are extracted from the PE file of the trusted software under test.
It can be understood that, upon confirming that the PE file comes from a popular trusted software vendor, the embodiment of the present invention extracts multiple beacons from the PE file of the trusted software under test. In one embodiment of the invention, the multiple beacons include URL beacons, IP beacons and domain beacons.
Further, in one embodiment of the invention, extracting the multiple beacons from the PE file of the trusted software under test further includes: if the PE file belongs to a trusted software vendor, statically or dynamically analysing the PE file to extract the multiple beacons that are embedded in the PE file or accessed dynamically.
It can be understood that if the PE file comes from a trusted software vendor, static and dynamic analysis is performed on it to extract all URLs, IPs and domains that are embedded in the PE file or accessed dynamically.
In step S103, it is detected whether the multiple beacons belong to the trusted beacon library, and when any one of the multiple beacons does not belong to the trusted beacon library, it is determined that the trusted software under test has been counterfeited or tampered with.
It can be understood that the embodiment of the present invention can extract the embedded beacons by analysing the PE structure and compare them with the collected and established trusted beacons of popular software vendors, in order to detect whether a program counterfeits or tampers with trusted software. That is, the embodiment of the present invention compares the beacons (URL, IP, domain) obtained by static and dynamic analysis of the PE structure with the trusted beacon library of popular software vendors to determine whether the software is counterfeited from, or tampered, trusted software, and when any one of the multiple beacons in the PE file of the trusted software under test does not belong to the trusted beacon library, determines that the trusted software under test has been tampered with or counterfeited. This effectively detects counterfeiting of or tampering with trusted software, and in particular accurately detects behaviour in which an embedded malicious beacon is used to carry out malicious intent, improving the accuracy and reliability of detection.
It should be noted that counterfeiting trusted software means that malware imitates trusted software by disguising its icon, attributes, file name and other information, while tampering with trusted software means that malware modifies the execution flow of the trusted software and embeds malicious code or a malicious URL. In addition, the embodiment of the present invention constructs a trusted beacon library of popular software vendors and periodically crawls the beacons of well-known software vendors to update the trusted beacon library. This effectively avoids the trusted software under test being falsely detected as tampered or counterfeit because the beacon library was not updated in time; regularly updating the trusted beacon library effectively ensures the accuracy and reliability of software trustworthiness detection.
The principle by which the embodiment of the present invention determines that the trusted software under test has been counterfeited or tampered with is as follows: the URLs, IPs and domains accessed during execution by software released by a trusted software vendor are related services of that vendor or of other trusted software vendors; if a service that belongs neither to that vendor nor to a trusted software vendor is accessed, the access is suspicious behaviour. Therefore, whether the software has been counterfeited or tampered with can be judged by detecting whether the URLs, IPs, domains and the like accessed by the trusted software come from services of that vendor or of other trusted software vendors.
According to the above principle, the embodiment of the present invention performs a matching search of all extracted beacons against the pre-constructed trusted beacon library of software vendors and finds the suspicious beacons (URLs, IPs, domains) that are not in the trusted beacon library of software vendors; if a suspicious beacon (URL, IP, domain) is not registered to the software vendor to which the software belongs, the software can be determined to be counterfeit or tampered software.
Specifically: (1) construct the trusted beacon library of software vendors by collecting all associated beacons of each trusted software vendor, such as official websites, domain names and IDC addresses;
(2) perform a matching search of all extracted beacons (URL, IP, domain) against the trusted beacon library of software vendors and find the suspicious beacons (URL, IP, domain) that are not in the library;
(3) if a suspicious beacon (URL, IP, domain) is found not to be registered to the software vendor, the software can be determined to be counterfeit or tampered software.
The software trustworthiness detection method is further elaborated below with reference to Fig. 2, and specifically includes:
S01: obtain the list of names of popular software vendors
A list of popular software vendor names is compiled to form the trusted software vendor name information library, including but not limited to Microsoft, Google, Adobe, Ali, Tencent, Baidu, etc.
S02: crawl all beacons (URL, IP, domain name) of the popular software vendors
All main domains, subdomains, IPs and URLs of the major software vendors are crawled to a certain depth, and the crawl can be repeated periodically so that the beacon information is kept up to date.
S03: build the trusted beacon library of popular software vendors
All beacons (URL, IP, domain name) of the popular software vendors crawled in S02 are formed into a feature library for subsequent queries, and the library can be updated according to the results of re-crawling in S02.
S04: parse the PE file to be detected
Static parsing of the PE file to be detected is performed according to the PE structure, covering, among other things, the PE attributes (including the original file name, copyright, product name, LegalTrademark, etc.) and the digital signature (signer information), which can be used to identify the company to which the PE file belongs.
S05: identify the company to which the PE file belongs
Based on the result of the analysis in S01, the name of the company to which the PE file belongs is identified; for example, if the copyright in the PE attributes is "RealVNC Ltd.2002-2008", the PE file belongs to RealVNC.
S06: judge the popularity and trustworthiness of the company to which the file belongs
A popularity and trustworthiness judgement is made on the software company name identified in S02, mainly by a fuzzy-matching lookup against the popular (trusted) software company list compiled in S06. If the match succeeds, the PE file belongs to a popular company and the process jumps to S07; otherwise, whether the file is malicious is unknown.
S07: extract the embedded beacons (URL, IP, domain) by static and dynamic analysis
Static and dynamic analysis is performed on the PE file to extract all beacons (URL, IP, domain) that are embedded in it or accessed dynamically.
S08 to S09: compare with the trusted beacon library of popular software vendors.
All beacons (URL, IP, domain) extracted in S07 are looked up in the trusted beacon library of popular software vendors built in S03. If all beacons extracted in S07 can be found in the trusted beacon library of popular software vendors, the software is trustworthy; otherwise, the software is counterfeited from, or tampered, trusted software.
The software trustworthiness detection method is further illustrated below by a specific example.
As shown in Fig. 3, in an example of determining whether trusted software has been counterfeited or tampered with by means of an embedded untrusted beacon, the attributes, digital signature and other information of an unknown PE file A show it as developed by Adobe. File A is analysed and all beacons are extracted, among which there is a URL http://xx.xx.com/virus.exe; the URL is processed and the domain name xx.xx.com is extracted. The URL and the domain name are then compared with all the trusted beacons of Adobe compiled in advance, and it is found that neither the URL nor the domain exists in the trusted beacon library, so file A is very likely counterfeited or tampered trusted software.
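The S01 to S09 procedure and the Fig. 3 example above, carried through as an added worked example in Python that is not part of the patent: the vendor-name library, the beacon library, the PE attributes, the signer name and the PE image bytes are all constructed samples, and the PE parsing itself (version resource and signer extraction) is assumed to have been done by a separate step that supplies the attribute dictionary.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# S01: trusted vendor name information library (constructed sample): vendor id
# -> name fragments fuzzy-matched against PE attributes and signer information.
VENDOR_NAMES = {"adobe": ("adobe",), "microsoft": ("microsoft",), "realvnc": ("realvnc",)}

# S02/S03: trusted beacon library (constructed sample).  The patent crawls this
# from each vendor's official sites, domains and IDC ranges and refreshes it
# periodically; the entries here are domains, a single IP and a CIDR range.
TRUSTED_BEACONS = {
    "adobe": {"adobe.com", "adobe.io", "192.0.2.10"},
    "microsoft": {"microsoft.com", "windowsupdate.com", "198.51.100.0/24"},
    "realvnc": {"realvnc.com"},
}

URL_RE = re.compile(r"https?://[A-Za-z0-9._\-]+(?::\d+)?(?:/[^\s\"'<>]*)?")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")
# Import/file names such as "kernel32.dll" look like domains to DOMAIN_RE;
# this suffix filter is a hypothetical addition, not part of the patent.
NOISE_SUFFIXES = {"dll", "exe", "sys", "ocx", "pdb"}


def identify_vendor(pe_attributes, signer):
    """S04/S05: fuzzy-match the PE attributes (OriginalFilename, LegalCopyright,
    ProductName, LegalTrademarks) and signer name to a vendor id, else None."""
    fields = list(pe_attributes.values()) + [signer]
    haystack = " ".join(f for f in fields if f).lower()
    for vendor, names in VENDOR_NAMES.items():
        if any(name in haystack for name in names):
            return vendor
    return None


def extract_beacons(data):
    """S07 (static part): collect URL, IP and domain beacons from the printable
    strings of a PE image as a set of (kind, value) tuples.  Each URL also
    yields its host as a separate beacon, as in the Fig. 3 example."""
    text = " ".join(r.decode("ascii") for r in re.findall(rb"[\x20-\x7e]{6,}", data))
    beacons = set()
    for url in URL_RE.findall(text):
        beacons.add(("url", url))
        host = urlsplit(url).hostname
        if host:
            beacons.add(("ip" if IP_RE.fullmatch(host) else "domain", host))
    text = URL_RE.sub(" ", text)  # do not re-report URL hosts and paths below
    beacons.update(("ip", ip) for ip in IP_RE.findall(text))
    for dom in DOMAIN_RE.findall(text):
        if dom.rsplit(".", 1)[-1].lower() not in NOISE_SUFFIXES:
            beacons.add(("domain", dom))
    return beacons


def _ip_trusted(ip, library):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for entry in library:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # entry is a domain, not an address or range
            continue
    return False


def _domain_trusted(domain, library):
    d = domain.lower().rstrip(".")
    return any(d == e or d.endswith("." + e) for e in library)


def beacon_trusted(kind, value, library):
    """S08: trusted if the beacon is a library IP/range, a library domain or a
    subdomain of one; a URL is judged by its host."""
    if kind == "url":
        host = urlsplit(value).hostname or ""
        kind, value = ("ip", host) if IP_RE.fullmatch(host) else ("domain", host)
    return _ip_trusted(value, library) if kind == "ip" else _domain_trusted(value, library)


def assess(data, pe_attributes, signer):
    """S05-S09: returns (verdict, suspicious_beacons).  "unknown" means the file
    is not from a trusted vendor, so its maliciousness is undecided (S06)."""
    if identify_vendor(pe_attributes, signer) is None:
        return "unknown", set()
    # Match against the whole library: a trusted vendor's software may
    # legitimately reach services of other trusted vendors (principle above).
    library = set().union(*TRUSTED_BEACONS.values())
    suspicious = {b for b in extract_beacons(data) if not beacon_trusted(*b, library)}
    return ("counterfeit_or_tampered" if suspicious else "trusted"), suspicious


# Constructed stand-in for the strings of a PE image (not a real executable).
CLEAN_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8 + b"kernel32.dll\x00"
                + b"https://www.adobe.com/go/reader\x00" + b"192.0.2.10\x00")
# The same image with the beacon from the patent's Fig. 3 example embedded.
TAMPERED_SAMPLE = CLEAN_SAMPLE + b"http://xx.xx.com/virus.exe\x00"
# Constructed PE attributes and signer that identify the file as Adobe's.
SAMPLE_ATTRIBUTES = {"OriginalFilename": "reader.exe", "LegalCopyright": "Copyright Adobe Inc.",
                     "ProductName": "Adobe Acrobat Reader", "LegalTrademarks": "Adobe, Acrobat"}
SAMPLE_SIGNER = "Adobe Inc."
```

Calling `assess(TAMPERED_SAMPLE, SAMPLE_ATTRIBUTES, SAMPLE_SIGNER)` reproduces the Fig. 3 outcome: the file is attributed to Adobe, and the URL and its domain xx.xx.com are the only beacons missing from the library, so the verdict is counterfeit or tampered.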
In summary, based on the established trusted software beacon library (URL, IP, domain), the embodiment of the present invention assesses the trustworthiness of software on networks and terminals and quickly discovers malicious programs that counterfeit or tamper with trusted software. The method of the embodiment of the present invention has the following advantages:
(1) It does not rely on matching malicious-code signatures for detection, but decides whether a program is malicious only by detecting whether its embedded beacons are trustworthy, which can greatly reduce the number of signatures in the virus database.
(2) On the one hand, the embodiment of the present invention can heuristically detect malicious programs that counterfeit or tamper with trusted software; on the other hand, it can also promptly process the suspicious URLs embedded in discovered PE files, and can also download the malicious file corresponding to a URL for processing.
In the software trustworthiness detection method proposed according to the embodiments of the present invention, when any one of the multiple beacons in the PE file of the trusted software under test does not belong to the trusted beacon library, the trusted software under test is determined to have been tampered with or counterfeited. This effectively detects counterfeiting of or tampering with trusted software, and in particular accurately detects behaviour in which an embedded malicious beacon is used to carry out malicious intent, thereby improving the accuracy and reliability of detection, effectively preventing users from being attacked by malicious code, and improving the user experience.
The software trustworthiness detection device proposed according to embodiments of the present invention is described next with reference to the accompanying drawings.
Fig. 4 is a schematic structural diagram of the software trustworthiness detection device of one embodiment of the invention.
As shown in Fig. 4, the software trustworthiness detection device 10 includes a first detection module 100, an extraction module 200 and a second detection module 300.
The first detection module 100 is used to detect whether the trusted software under test is trustworthy. The extraction module 200 is used to extract multiple beacons from the PE file of the trusted software under test when the software under test is trustworthy. The second detection module 300 is used to detect whether the multiple beacons belong to the trusted beacon library and, when any one of the multiple beacons does not belong to the trusted beacon library, to determine that the trusted software under test has been counterfeited or tampered with. The device 10 of the embodiment of the present invention can effectively detect counterfeiting of or tampering with trusted software, and in particular can accurately detect behaviour in which an embedded malicious beacon is used to carry out malicious intent, thereby improving the accuracy and reliability of detection, effectively preventing users from being attacked by malicious code, and improving the user experience.
Further, in one embodiment of the invention, the device 10 of the embodiment of the present invention further includes a collection module and a crawling module.
The collection module is used to collect a list of trusted software vendors to generate the trusted software vendor name information library. The crawling module is used to crawl all beacons of all trusted software vendors in the trusted software vendor name information library to construct the trusted beacon library.
Further, in one embodiment of the invention, the extraction module 200 is further configured to statically parse the PE file according to the PE structure to obtain identification information of the PE file, to identify the trusted software vendor name of the PE file according to the identification information of the PE file and detect whether it belongs to a trusted software vendor, and, when it belongs to a trusted software vendor, to statically or dynamically analyse the PE file to extract the multiple beacons that are embedded in the PE file or accessed dynamically.
Further, in one embodiment of the invention, the identification information includes PE attributes and a digital signature, where the PE attributes include one or more of the original file name, copyright, product name and trademark, and the digital signature includes signer information.
Further, in one embodiment of the invention, the multiple beacons include URL beacons, IP beacons and domain beacons.
It should be noted that the foregoing explanation of the embodiments of the software trustworthiness detection method also applies to the software trustworthiness detection device of this embodiment, and is not repeated here.
In the software trustworthiness detection device proposed according to the embodiments of the present invention, when any one of the multiple beacons in the PE file of the trusted software under test does not belong to the trusted beacon library, the trusted software under test is determined to have been tampered with or counterfeited. This effectively detects counterfeiting of or tampering with trusted software, and in particular accurately detects behaviour in which an embedded malicious beacon is used to carry out malicious intent, thereby improving the accuracy and reliability of detection, effectively preventing users from being attacked by malicious code, and improving the user experience.
In order to realize above-described embodiment, the embodiment of the present invention also proposed a kind of computer equipment, including memory, processing Device and storage on a memory and the computer program that can run on a processor, when processor executes program, are realized such as above-mentioned The credible detection method of the software of embodiment description.
In order to realize above-described embodiment, the embodiment of the present invention also proposed a kind of non-transitory computer-readable storage medium Matter realizes the credible detection method of the software as described in above-described embodiment when the program is executed by processor.
In order to realize above-described embodiment, the embodiment of the present invention also proposed a kind of computer program product, when computer journey When instruction in sequence product is executed by processor, the credible detection method of the software as described in above-described embodiment is executed.
In addition, the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or as implicitly indicating the number of the technical features referred to. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "plurality" means at least two, for example two or three, unless otherwise specifically defined.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, provided there is no conflict, those skilled in the art may combine and integrate the features of the different embodiments or examples described in this specification.
Although the embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the invention; those skilled in the art may change, modify, replace and vary the above embodiments within the scope of the invention.

Claims (10)

1. A trusted detection method for software, characterized by comprising the following steps:
detecting whether the software under test is trusted;
if the software under test is trusted, extracting multiple beacons from the PE file of the trusted software under test; and
detecting whether the multiple beacons belong to a trusted beacon library, and, when any one of the multiple beacons does not belong to the trusted beacon library, determining that the trusted software under test has been counterfeited or tampered with.
2. The trusted detection method for software according to claim 1, characterized by further comprising:
collecting a list of trusted software vendors to generate a trusted software vendor name information bank;
crawling all beacons of all trusted software vendors in the trusted software vendor name information bank to construct the trusted beacon library.
3. The trusted detection method for software according to claim 1, characterized in that detecting whether the software under test is trusted further comprises:
statically parsing the PE file according to the PE structure to obtain identification information of the PE file, wherein the identification information includes PE attributes and a digital signature, the PE attributes include one or more of the original filename, copyright, product name and trademark, and the digital signature includes signer information;
identifying the trusted software vendor name of the PE file from the identification information of the PE file, and detecting whether it belongs to a trusted software vendor.
4. The trusted detection method for software according to claim 3, characterized in that extracting the multiple beacons from the PE file of the trusted software under test further comprises:
if it belongs to the trusted software vendor, statically or dynamically analyzing the PE file to extract the multiple beacons that are embedded in the PE file or obtained dynamically.
5. The trusted detection method for software according to any one of claims 1 to 4, characterized in that the multiple beacons include URL beacons, IP beacons and domain beacons.
6. A trusted detection device for software, characterized by comprising:
a first detection module for detecting whether the software under test is trusted;
an extraction module for extracting multiple beacons from the PE file of the trusted software under test when the software under test is trusted; and
a second detection module for detecting whether the multiple beacons belong to a trusted beacon library and, when any one of the multiple beacons does not belong to the trusted beacon library, determining that the trusted software under test has been counterfeited or tampered with.
7. The trusted detection device for software according to claim 6, characterized by further comprising:
a collection module for collecting a list of trusted software vendors to generate a trusted software vendor name information bank;
a crawling module for crawling all beacons of all trusted software vendors in the trusted software vendor name information bank to construct the trusted beacon library.
8. A computer device, characterized by comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein when the processor executes the program it implements the trusted detection method for software according to any one of claims 1 to 5.
9. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that when the program is executed by a processor it implements the trusted detection method for software according to any one of claims 1 to 5.
10. A computer program product, characterized in that when the instructions in the computer program product are executed by a processor, the trusted detection method for software according to any one of claims 1 to 5 is executed.
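The pipeline of claims 1 to 5, as an added worked example that is not code from the patent or its applicant: a vendor name bank and a trusted beacon library (claim 2), identification of the vendor from PE identification information (claim 3), static extraction of URL, IP and domain beacons from the file's bytes with an optional set of beacons observed during dynamic analysis (claims 4 and 5), and the claim 1 verdict that any beacon outside the library marks the file as tampered with or counterfeited. The vendor bank, the per-vendor crawl results, the two string tables and the `IdentificationInfo` values are constructed stand-ins; reading the version resource and the Authenticode signer from a real PE is left to a PE parser, and the signer should only be trusted after the signature chain has been verified.

```python
"""Beacon-based trust check for a PE file, following claims 1 to 5.
Added example, not the patent's own code; all vendor, beacon and file
string data below are constructed stand-ins."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit

# Constructed trusted software vendor name information bank (claim 2).
TRUSTED_VENDORS: Set[str] = {"Example Vendor Ltd.", "Contoso Software Inc."}

# Constructed result of crawling each trusted vendor's beacons (claim 2)...
VENDOR_BEACONS = {
    "Example Vendor Ltd.": {
        "https://update.example-vendor.test/check",
        "update.example-vendor.test",
        "telemetry.example-vendor.test",
        "203.0.113.10",
    },
    "Contoso Software Inc.": {"https://www.contoso.test/", "www.contoso.test"},
}
# ...merged into the single trusted beacon library that claim 1 checks against.
TRUSTED_BEACON_LIBRARY: Set[str] = {
    b.lower() for beacons in VENDOR_BEACONS.values() for b in beacons
}

# The three beacon kinds of claim 5, matched over raw file bytes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,24}\b", re.IGNORECASE)
# Dotted names the domain regex matches that are file names, not hosts.
FILE_EXTENSIONS = {"dll", "exe", "sys", "pdb", "ocx", "drv"}


@dataclass
class IdentificationInfo:
    """PE attributes plus the digital-signature signer (claim 3)."""
    original_filename: str = ""
    copyright: str = ""
    product_name: str = ""
    trademark: str = ""
    signer: str = ""


@dataclass
class Verdict:
    trusted_vendor: Optional[str]
    beacons: Set[str] = field(default_factory=set)
    unknown_beacons: Set[str] = field(default_factory=set)

    @property
    def tampered_or_counterfeit(self) -> bool:
        # Claim 1: trusted-vendor software with any beacon outside the library.
        return self.trusted_vendor is not None and bool(self.unknown_beacons)


def identify_vendor(info: IdentificationInfo) -> Optional[str]:
    """Claim 3: map identification info to a trusted vendor name, or None.
    The signer is preferred: it is the only field backed by a signature, the
    version-resource strings are free text that anyone can set."""
    if info.signer in TRUSTED_VENDORS:
        return info.signer
    for vendor in TRUSTED_VENDORS:
        if any(vendor in t for t in (info.copyright, info.product_name, info.trademark)):
            return vendor
    return None


def extract_beacons(data: bytes) -> Set[str]:
    """Claim 4, static path: URL, IPv4 and domain beacons embedded in the bytes."""
    beacons: Set[str] = set()
    for m in URL_RE.finditer(data):
        beacons.add(m.group().decode("ascii", "ignore").rstrip(".,;)'\""))
    for m in IPV4_RE.finditer(data):
        text = m.group().decode("ascii")
        try:
            ipaddress.IPv4Address(text)  # rejects octets over 255, e.g. 999.1.1.1
        except ValueError:
            continue
        beacons.add(text)
    for m in DOMAIN_RE.finditer(data):
        text = m.group().decode("ascii").lower()
        if text.rsplit(".", 1)[1] not in FILE_EXTENSIONS:  # skip kernel32.dll etc.
            beacons.add(text)
    return beacons


def is_known(beacon: str, library: Set[str]) -> bool:
    """A URL counts as known if the URL itself or its host is in the library."""
    beacon = beacon.lower()
    if beacon in library:
        return True
    if "://" in beacon:
        host = urlsplit(beacon).hostname
        return host is not None and host in library
    return False


def detect(info: IdentificationInfo, data: bytes,
           observed_beacons: Iterable[str] = ()) -> Verdict:
    """Claims 1 to 5 end to end; observed_beacons carries beacons seen during
    dynamic analysis (claim 4), which a string scan alone cannot recover."""
    vendor = identify_vendor(info)
    verdict = Verdict(trusted_vendor=vendor)
    if vendor is None:
        return verdict  # not trusted-vendor software: the method does not apply
    verdict.beacons = extract_beacons(data) | {b.lower() for b in observed_beacons}
    verdict.unknown_beacons = {b for b in verdict.beacons
                               if not is_known(b, TRUSTED_BEACON_LIBRARY)}
    return verdict


# Constructed string tables standing in for the strings of two PE files.
GENUINE_STRINGS = (b"kernel32.dll\x00WinHttpOpen\x00"
                   b"https://update.example-vendor.test/check\x00"
                   b"telemetry.example-vendor.test\x00203.0.113.10\x00")
# The same file with one unlisted beacon inserted (RFC 5737 test address).
TAMPERED_STRINGS = GENUINE_STRINGS + b"http://198.51.100.7/update\x00"
SAMPLE_INFO = IdentificationInfo(original_filename="updater.exe",
                                 copyright="Copyright (c) Example Vendor Ltd.",
                                 product_name="Example Updater",
                                 signer="Example Vendor Ltd.")

if __name__ == "__main__":
    for label, data in (("genuine", GENUINE_STRINGS), ("tampered", TAMPERED_STRINGS)):
        v = detect(SAMPLE_INFO, data)
        print(label, "->", "tampered/counterfeit" if v.tampered_or_counterfeit else "ok",
              sorted(v.unknown_beacons))
```

The verdict lists the offending beacons rather than only a boolean, which is what an analyst needs to triage a hit; a file from an unrecognized vendor returns `trusted_vendor=None` and is simply outside the scope of this method rather than being called counterfeit. The string scan is a deliberately narrow stand-in for the static path: real PE resources are often UTF-16, and beacons assembled at runtime only show up through the dynamic path, which is why `detect` also accepts observed beacons.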
CN201811295818.5A 2018-11-01 2018-11-01 The credible detection method and device of software Pending CN110135153A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811295818.5A CN110135153A (en) 2018-11-01 2018-11-01 The credible detection method and device of software

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811295818.5A CN110135153A (en) 2018-11-01 2018-11-01 The credible detection method and device of software

Publications (1)

Publication Number Publication Date
CN110135153A true CN110135153A (en) 2019-08-16

Family

ID=67568235

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811295818.5A Pending CN110135153A (en) 2018-11-01 2018-11-01 The credible detection method and device of software

Country Status (1)

Country Link
CN (1) CN110135153A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110648118A (en) * 2019-09-27 2020-01-03 深信服科技股份有限公司 Spear-phishing email detection method and device, electronic device and readable storage medium
CN110661795A (en) * 2019-09-20 2020-01-07 哈尔滨安天科技集团股份有限公司 Vector-level threat intelligence automatic production and distribution system and method
CN114363060A (en) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Domain name detection method, system, equipment and computer readable storage medium
CN115277112A (en) * 2022-07-07 2022-11-01 海南视联通信技术有限公司 Data processing method and device, electronic device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101067859A (en) * 2007-02-02 2007-11-07 张文 Anti-piracy method for network software
CN105119938A (en) * 2015-09-14 2015-12-02 电子科技大学 Method for defending against innerport recall trojan
CN105354493A (en) * 2015-10-22 2016-02-24 中国人民解放军装备学院 Virtualization technology based terminal trust enhancement method and system
CN106650439A (en) * 2016-09-30 2017-05-10 北京奇虎科技有限公司 Suspicious application program detection method and device
CN108256328A (en) * 2017-12-29 2018-07-06 北京奇虎科技有限公司 Identify the method and device of counterfeit application

Similar Documents

Publication Publication Date Title
US10885190B2 (en) Identifying web pages in malware distribution networks
US8726387B2 (en) Detecting a trojan horse
US9734332B2 (en) Behavior profiling for malware detection
CN110135153A (en) The credible detection method and device of software
US20140298460A1 (en) Malicious uniform resource locator detection
US8448245B2 (en) Automated identification of phishing, phony and malicious web sites
US9135443B2 (en) Identifying malicious threads
US8844039B2 (en) Malware image recognition
Kim et al. Detecting fake anti-virus software distribution webpages
US20120158626A1 (en) Detection and categorization of malicious urls
CN107688743B (en) Malicious program detection and analysis method and system
Zhang et al. SaaS: A situational awareness and analysis system for massive android malware detection
CN111460445B (en) Sample program malicious degree automatic identification method and device
RU2726032C2 (en) Systems and methods for detecting malicious programs with a domain generation algorithm (dga)
US20180082061A1 (en) Scanning device, cloud management device, method and system for checking and killing malicious programs
CN111104579A (en) Identification method and device for public network assets and storage medium
Wang et al. Beyond the virus: A first look at coronavirus-themed mobile malware
US20190114418A1 (en) System, method, and computer program product for identifying a file used to automatically launch content as unwanted
CN113190838A (en) Web attack behavior detection method and system based on expression
Wang et al. Beyond the virus: a first look at coronavirus-themed Android malware
US20120117648A1 (en) Malware Determination
KR101372906B1 (en) Method and system to prevent malware code
JP6169497B2 (en) Connection destination information determination device, connection destination information determination method, and program
US20210168172A1 (en) Information processing device, information processing method and information processing program
JP2017224150A (en) Analyzer, analysis method, and analysis program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin Hi-tech Industrial Development Zone, Harbin, Heilongjiang Province (838 Shikun Road)

Applicant after: Harbin Antiy Technology Group Limited by Share Ltd

Address before: Room 506, Room 162, Hongqi Street, No. 17 Building, Nangang, High-tech Venture Center, Harbin High-tech Industrial Development Zone, Heilongjiang Province, 150000

Applicant before: Harbin Antiy Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20190816