CN110135153A - Method and device for detecting the trustworthiness of software - Google Patents
- Publication number: CN110135153A (application CN201811295818.5A)
- Authority: CN (China)
- Prior art keywords: software, trusted, beacon, trusted software, file
- Legal status: Pending
Classifications
- G06F21/562: Static detection (under G06F21/56, computer malware detection or handling, e.g. anti-virus arrangements; G06F21/55, detecting local intrusion or implementing counter-measures; G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/00, security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (same parent groups as above)
- G06F2221/033: Test or assess software (G06F2221/03, indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
Abstract
The invention discloses a method and device for detecting the trustworthiness of software. The method comprises the following steps: detecting whether the trusted software under test is trustworthy; if the software under test is trustworthy, extracting multiple beacons from the PE file of the trusted software under test; detecting whether the multiple beacons belong to a trusted beacon library and, when any one of the beacons does not belong to the trusted beacon library, determining that the trusted software under test has been counterfeited or tampered with. The method effectively detects counterfeiting or tampering of trusted software, and in particular can accurately detect behaviour in which an embedded malicious beacon is used to carry out a malicious purpose, improving the accuracy and reliability of detection, effectively protecting users from malicious-code attacks, and improving the user experience.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method and device for detecting the trustworthiness of software.
Background technique
Currently, attackers counterfeit or tamper with popular trusted software (such as Adobe) so that the victim trusts it, clicks on it and executes malicious behaviour. To evade detection and removal, the counterfeit or tampered trusted software often acts as a downloader: the downloader itself shows no malicious behaviour, but achieves the purpose of downloading the real malicious code through an embedded malicious URL (Uniform Resource Locator).
Specifically, the execution flow of the trusted software is modified so that a malicious URL is embedded (for example, the installation package of the trusted software is decompressed, the installation script is tampered with to embed the malicious URL, and the package is then repacked), so that before or after the trusted software executes normally, the embedded malicious URL is executed and the real malicious code is downloaded.
In the related art, however, this behaviour of downloading malicious code through an embedded malicious URL often cannot be detected effectively, so it cannot be effectively detected whether trusted software has been counterfeited or tampered with. The accuracy of detection is greatly reduced, users cannot be effectively protected from malicious-code attacks, and the user experience suffers; this urgently needs to be solved.
Summary of the invention
The present invention aims to solve at least one of the technical problems in the related art.
To this end, the first object of the invention is to propose a method for detecting the trustworthiness of software. The method effectively detects counterfeiting or tampering of trusted software, in particular accurately detects behaviour in which an embedded malicious beacon is used to carry out a malicious purpose, improves the accuracy and reliability of detection, effectively protects users from malicious-code attacks, and improves the user experience.
The second object of the invention is to propose a device for detecting the trustworthiness of software.
The third object of the invention is to propose a computer device.
The fourth object of the invention is to propose a non-transitory computer-readable storage medium.
The fifth object of the invention is to propose a computer program product.
To achieve the above objects, an embodiment of the first aspect of the invention proposes a method for detecting the trustworthiness of software, comprising the following steps: detecting whether the trusted software under test is trustworthy; if the software under test is trustworthy, extracting multiple beacons from the PE (Portable Executable) file of the trusted software under test; detecting whether the multiple beacons belong to a trusted beacon library and, when any one of the multiple beacons does not belong to the trusted beacon library, determining that the trusted software under test has been counterfeited or tampered with.
In the method of this embodiment, when any one of the multiple beacons in the PE file of the trusted software under test does not belong to the trusted beacon library, the trusted software under test is determined to have been tampered with or counterfeited, so that counterfeiting or tampering of trusted software is detected effectively, in particular behaviour in which an embedded malicious beacon is used to carry out a malicious purpose is detected accurately, the accuracy and reliability of detection are improved, users are effectively protected from malicious-code attacks, and the user experience is improved.
In addition, the method according to the above embodiment of the invention may have the following additional technical features:
Further, in one embodiment of the invention, the method also includes: collecting a list of trusted software vendors to generate a trusted software vendor name database; and crawling all beacons of all trusted software vendors in the trusted software vendor name database to construct the trusted beacon library.
Further, in one embodiment of the invention, detecting whether the software under test is trustworthy further comprises: statically parsing the PE file according to the PE structure to obtain identification information of the PE file, where the identification information includes PE attributes and a digital signature, the PE attributes include one or more of the original file name, copyright, product name and trademark, and the digital signature includes signer information; identifying the trusted software vendor name of the PE file from the identification information of the PE file, and detecting whether it belongs to a trusted software vendor.
Further, in one embodiment of the invention, extracting the multiple beacons from the PE file of the trusted software under test further comprises: if the file belongs to a trusted software vendor, statically or dynamically analysing the PE file to extract the multiple beacons embedded in the PE file or accessed by it dynamically.
Further, in one embodiment of the invention, the multiple beacons include URL beacons, IP beacons and domain beacons.
To achieve the above objects, an embodiment of the second aspect of the invention proposes a device for detecting the trustworthiness of software, comprising: a first detection module for detecting whether the trusted software under test is trustworthy; an extraction module for extracting multiple beacons from the PE file of the trusted software under test when the software under test is trustworthy; and a second detection module for detecting whether the multiple beacons belong to a trusted beacon library and, when any one of the multiple beacons does not belong to the trusted beacon library, determining that the trusted software under test has been counterfeited or tampered with.
In the device of this embodiment, when any one of the multiple beacons in the PE file of the trusted software under test does not belong to the trusted beacon library, the trusted software under test is determined to have been tampered with or counterfeited, so that counterfeiting or tampering of trusted software is detected effectively, in particular behaviour in which an embedded malicious beacon is used to carry out a malicious purpose is detected accurately, the accuracy and reliability of detection are improved, users are effectively protected from malicious-code attacks, and the user experience is improved.
In addition, the device according to the above embodiment of the invention may have the following additional technical features:
Further, in one embodiment of the invention, the device also includes: a collection module for collecting the list of trusted software vendors to generate the trusted software vendor name database; and a crawling module for crawling all beacons of all trusted software vendors in the trusted software vendor name database to construct the trusted beacon library.
Further, in one embodiment of the invention, the extraction module is further used to statically parse the PE file according to the PE structure to obtain the identification information of the PE file, identify the trusted software vendor name of the PE file from that identification information, detect whether it belongs to a trusted software vendor and, when it does belong to a trusted software vendor, statically or dynamically analyse the PE file to extract the multiple beacons embedded in the PE file or accessed by it dynamically.
Further, in one embodiment of the invention, the identification information includes PE attributes and a digital signature, where the PE attributes include one or more of the original file name, copyright, product name and trademark, and the digital signature includes signer information.
Further, in one embodiment of the invention, the multiple beacons include URL beacons, IP beacons and domain beacons.
To achieve the above objects, an embodiment of the third aspect of the invention also proposes a computer device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, the method for detecting the trustworthiness of software described in the above embodiment is implemented.
To achieve the above objects, an embodiment of the fourth aspect of the invention also proposes a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the method for detecting the trustworthiness of software described in the above embodiment is implemented.
To achieve the above objects, an embodiment of the fifth aspect of the invention also proposes a computer program product; when the instructions in the computer program product are executed by a processor, the method for detecting the trustworthiness of software described in the above embodiment is executed.
Additional aspects and advantages of the invention will be set forth in part in the following description, will in part become apparent from that description, or will be learned through practice of the invention.
Description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of the method for detecting the trustworthiness of software according to one embodiment of the invention;
Fig. 2 is a flow chart of the method for detecting the trustworthiness of software according to a specific embodiment of the invention;
Fig. 3 is an exemplary diagram, according to one embodiment of the invention, of determining whether software has been counterfeited or tampered with from an untrusted beacon embedded in trusted software;
Fig. 4 is a structural schematic diagram of the device for detecting the trustworthiness of software according to one embodiment of the invention.
Specific embodiments
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary, are intended to explain the invention, and are not to be construed as limiting it.
The method and device for detecting the trustworthiness of software proposed by the embodiments of the invention are described below with reference to the drawings; the method is described first.
Fig. 1 is a flow chart of the method for detecting the trustworthiness of software according to one embodiment of the invention.
As shown in Fig. 1, the method for detecting the trustworthiness of software includes the following steps:
In step S101, it is detected whether the trusted software under test is trustworthy.
It will be understood that the trustworthiness condition may be that the PE attributes, digital signature and similar information of the PE file of the trusted software under test come from a popular trusted software company. The embodiment of the invention judges from the PE attributes, digital signature and similar information whether the PE file comes from a popular trusted software company, and thereby detects whether the trusted software under test is trustworthy. Here, trusted software is software produced by a legitimate software vendor and carrying a valid digital signature; a PE file is a portable executable file, that is, a program file of the Microsoft Windows operating system, and files such as EXE, DLL, OCX, SYS and COM may all be PE files.
Further, in one embodiment of the invention, detecting whether the software under test is trustworthy further comprises: statically parsing the PE file according to the PE structure to obtain identification information of the PE file, where the identification information includes PE attributes and a digital signature, the PE attributes include one or more of the original file name, copyright, product name and trademark, and the digital signature includes signer information; identifying the trusted software vendor name of the PE file from the identification information of the PE file, and detecting whether it belongs to a trusted software vendor.
It will be understood that the embodiment of the invention builds a list of popular software vendor names and identifies the vendor to which software belongs from the PE attributes (including the original file name, copyright, product name, LegalTrademark, etc.) and the digital signature (signer information). Specifically, the embodiment first judges from the PE attributes of the PE file (including but not limited to the file name, company name, etc.) and the digital signature whether the file comes from a popular trusted software company.
In step S102, if the software under test is trustworthy, multiple beacons are extracted from the PE file of the trusted software under test.
It will be understood that, once the PE file is confirmed to come from a popular trusted software company, the embodiment of the invention extracts multiple beacons from the PE file of the trusted software under test. In one embodiment of the invention, the multiple beacons include URL beacons, IP beacons and domain beacons.
Further, in one embodiment of the invention, extracting the multiple beacons from the PE file of the trusted software under test further comprises: if the file belongs to a trusted software vendor, statically or dynamically analysing the PE file to extract the multiple beacons embedded in the PE file or accessed by it dynamically.
It will be understood that, if the file comes from a trusted software company, static and dynamic analysis of the PE file extracts all URLs, IPs and domains that the PE file embeds or accesses dynamically.
In step S103, it is detected whether the multiple beacons belong to a trusted beacon library, and when any one of the multiple beacons does not belong to the trusted beacon library, it is determined that the trusted software under test has been counterfeited or tampered with.
It will be understood that the embodiment of the invention can extract embedded beacons by analysing the PE structure and compare them with the trusted beacons of popular software companies that were collected and compiled in advance, in order to detect whether a program counterfeits or tampers with trusted software. That is, the embodiment compares the beacons (URL, IP, domain) obtained by static and dynamic analysis of the PE structure with the trusted beacon library of popular software vendors to determine whether the software has been counterfeited or tampered with from trusted software; when any one of the multiple beacons in the PE file of the trusted software under test does not belong to the trusted beacon library, the trusted software under test is determined to have been tampered with or counterfeited, so that counterfeiting or tampering of trusted software is detected effectively, in particular behaviour in which an embedded malicious beacon is used to carry out a malicious purpose is detected accurately, and the accuracy and reliability of detection are improved.
It should be noted that counterfeit trusted software means malware that imitates trusted software by disguising information such as its icon, attributes and file name; tampered trusted software means malware that modifies the execution flow of trusted software to embed malicious code or a malicious URL. In addition, the embodiment of the invention builds a trusted beacon library of popular software vendors and periodically re-crawls the beacons of popular software vendors to update the trusted beacon library, which effectively avoids trusted software under test being wrongly detected as tampered with or counterfeited because the beacon library is out of date; regular updating of the trusted beacon library effectively ensures the accuracy and reliability of the trustworthiness detection of software.
The principle by which the embodiment of the invention determines that trusted software under test has been counterfeited or tampered with is as follows: the URLs, IPs and domains accessed during execution by software released by a trusted software company are the related services of that company or of other trusted software companies; if the software accesses a service that belongs neither to that company nor to a trusted software company, that access is suspicious behaviour. Therefore, by detecting whether the URLs, IPs and domains accessed by trusted software come from the services of that company or of other trusted software companies, it can be judged whether the software has been counterfeited or tampered with.
According to this principle, the embodiment of the invention performs a matching search of all extracted beacons against the software companies' trusted beacon library built in advance, and finds the suspicious beacon URLs, IPs and domains that are not in the software companies' trusted beacon library; if a suspicious beacon URL, IP or domain is not registered to the software company, the software can be determined to be counterfeit or tampered software.
Specifically: (1) the software companies' trusted beacon library is built by collecting all the associated beacons of each trusted software company, such as its official websites, domain names and IDC addresses.
(2) All extracted beacons (URL, IP, domain) are matched against the software companies' trusted beacon library, and the suspicious beacon URLs, IPs and domains that are not in the library are found.
(3) If a suspicious beacon URL, IP or domain is found not to be registered to the software company, the software can be determined to be counterfeit or tampered software.
The method for detecting the trustworthiness of software is further elaborated below with reference to Fig. 2; it specifically includes:
S01: obtain a list of popular software vendor names
Compile a list of popular software vendors to form a trusted software vendor name database, including but not limited to Microsoft, Google, Adobe, Ali, Tencent, Baidu, etc.
S02: crawl all beacons (URL, IP, domain name) of the popular software vendors
Crawl all main domains, subdomains, IPs and URLs that the main software vendors include, crawling to a certain depth, and re-crawl periodically so that the beacon information is updated in time.
S03: build the trusted beacon library of popular software vendors
Form a feature database from all beacons (URL, IP, domain name) of the popular software vendors crawled in S02, for convenient subsequent querying; the database is updated from the re-crawl results of S02.
S04: parse the PE file to be detected
Statically parse the PE file to be detected according to the PE structure, obtaining, among other things, the PE attributes (including the original file name, copyright, product name, LegalTrademark, etc.), the digital signature (signer information) and other information that can be used to identify the company to which the PE file belongs.
S05: identify the company to which the PE file belongs
Identify the company name to which the PE file belongs according to the analysis results of S01; for example, if the copyright in the PE attributes is "RealVNC Ltd.2002-2008", the PE file belongs to RealVNC.
S06: judge the popularity and trustworthiness of the owning company
Judge the popularity and trustworthiness of the software company name identified in S02, mainly by a fuzzy-match lookup against the list of popular (trusted) software companies compiled in S06; if the match succeeds, the PE file belongs to a popular company and the process jumps to S07, otherwise it is unknown whether the file is malicious.
S07: static and dynamic analysis to extract embedded beacons (URL, IP, domain)
Perform static and dynamic analysis on the PE file and extract all beacons (URL, IP, domain) that the PE file embeds or accesses dynamically.
S08~S09: compare with the trusted beacon library of popular software vendors.
Look up all beacons (URL, IP, domain) extracted in S07 in the trusted beacon library of popular software vendors built in S03; if every beacon extracted in S07 can be found in the trusted beacon library of popular software vendors, the software is trustworthy, otherwise the software has been counterfeited or tampered with from trusted software.
The method for detecting the trustworthiness of software is further illustrated with a specific example.
As shown in Fig. 3, in the example of determining whether software has been counterfeited or tampered with from an untrusted beacon embedded in trusted software, the attributes, digital signature and other information of an unknown PE file A show it as developed by Adobe. File A is analysed and all beacons are extracted; one of them is the URL http://xx.xx.com/virus.exe. The URL is processed and the domain name xx.xx.com is extracted; the URL and the domain are then compared with all the trusted beacons of Adobe compiled in advance, and neither the URL nor the domain is found in the trusted beacon library, so file A is very likely counterfeit or tampered trusted software.
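The pipeline of steps S04 to S09 applied to the Fig. 3 case, as an added Python example that is not part of the patent: the PE attributes, the byte blob standing in for the PE image, and the trusted beacon library are constructed, and vendor matching is a case-insensitive substring test, an assumption since the patent does not specify its fuzzy matcher.

```python
import ipaddress
import re
from typing import Dict, Optional, Set
from urllib.parse import urlparse

# Constructed trusted-vendor list (step S01) and per-vendor trusted beacon
# library (steps S02/S03). A real library is crawled from each vendor's
# official sites and refreshed periodically; a stale library turns a vendor's
# newly added host into a false "tampered" verdict, as the page itself notes.
TRUSTED_VENDORS = {"microsoft", "google", "adobe", "realvnc"}
TRUSTED_BEACONS: Dict[str, Set[str]] = {
    "adobe": {"adobe.com", "adobe.io", "acrobat.com"},
    "realvnc": {"realvnc.com", "203.0.113.10"},  # TEST-NET-3 address, constructed
}

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_:/?=&%]+")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9\-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Bare "name.ext" strings inside a PE image that are file names, not domains.
FILE_EXTS = {"exe", "dll", "sys", "ocx", "dat", "txt", "log", "ini"}


def identify_vendor(pe_attrs: Dict[str, str]) -> Optional[str]:
    """Steps S05/S06: map PE version attributes and signer to a trusted vendor.

    A case-insensitive substring test over all attribute values stands in for
    the patent's unspecified fuzzy match; e.g. the copyright string
    "RealVNC Ltd.2002-2008" maps to "realvnc".
    """
    haystack = " ".join(pe_attrs.values()).lower()
    for vendor in sorted(TRUSTED_VENDORS):
        if vendor in haystack:
            return vendor
    return None


def extract_beacons(data: bytes) -> Dict[str, Set[str]]:
    """Step S07 (static part only): pull URL, IP and domain beacons out of the
    raw bytes of a PE image. Beacons reached dynamically at run time would
    need a sandbox and are out of scope here."""
    urls = {m.decode("ascii", "ignore") for m in URL_RE.findall(data)}
    ips: Set[str] = set()
    for m in IPV4_RE.findall(data):
        try:
            ips.add(str(ipaddress.ip_address(m.decode("ascii"))))
        except ValueError:
            pass  # e.g. 300.1.1.1 is not an address
    domains: Set[str] = set()
    for m in DOMAIN_RE.findall(data):
        name = m.decode("ascii", "ignore").lower()
        if name.rsplit(".", 1)[-1] not in FILE_EXTS:
            domains.add(name)
    return {"url": urls, "ip": ips, "domain": domains}


def beacon_is_trusted(kind: str, value: str, library: Set[str]) -> bool:
    """Step S08: a URL is judged by its host; a host is trusted when it equals
    a library entry or is a subdomain of one (the leading "." keeps
    notadobe.com from matching adobe.com); IPs must match exactly."""
    if kind == "url":
        host = (urlparse(value).hostname or "").lower()
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        value = host
    if kind == "ip":
        return value in library
    return any(value == d or value.endswith("." + d) for d in library)


def assess(pe_attrs: Dict[str, str], data: bytes) -> dict:
    """Steps S04-S09 for one file: identify the claimed vendor, extract the
    beacons, and flag every beacon outside that vendor's trusted library.
    Any unknown beacon yields the patent's counterfeit-or-tampered verdict."""
    vendor = identify_vendor(pe_attrs)
    if vendor is None:
        return {"vendor": None, "unknown": set(), "verdict": "unknown"}
    library = TRUSTED_BEACONS.get(vendor, set())
    unknown = {
        value
        for kind, values in extract_beacons(data).items()
        for value in values
        if not beacon_is_trusted(kind, value, library)
    }
    verdict = "trusted" if not unknown else "counterfeit-or-tampered"
    return {"vendor": vendor, "unknown": unknown, "verdict": verdict}


# Constructed sample mirroring the page's Fig. 3 case: version info and signer
# claim Adobe, but one embedded URL points at a host Adobe does not own.
SAMPLE_ATTRS = {
    "OriginalFilename": "Reader.exe",
    "LegalCopyright": "Copyright 1984-2018 Adobe Systems Incorporated",
    "ProductName": "Adobe Acrobat Reader DC",
    "Signer": "Adobe Systems Incorporated",
}
SAMPLE_BYTES = (  # constructed stand-in for strings found in the PE image
    b"\x00https://ardownload2.adobe.com/pub/adobe/reader/update\x00"
    b"acrobat.com\x00http://xx.xx.com/virus.exe\x00"
)

if __name__ == "__main__":
    result = assess(SAMPLE_ATTRS, SAMPLE_BYTES)
    print(result["vendor"], result["verdict"], sorted(result["unknown"]))
```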
In summary, based on the trusted software beacon library (URL, IP, domain) that it builds, the embodiment of the invention assesses the trustworthiness of software on the network and on terminals, and quickly discovers malicious programs that counterfeit or tamper with trusted software. The method of the embodiment has the following advantages:
(1) Matching detection does not depend on malicious-code signatures; whether a program is malicious is decided only by whether its embedded beacons are trustworthy, which can greatly reduce the number of signatures in the virus database.
(2) On the one hand, the embodiment can heuristically detect malicious programs that counterfeit or tamper with trusted software; on the other hand, suspicious URLs found embedded in PE files can be handled promptly, and the malicious file corresponding to such a URL can also be downloaded for processing.
In the method for detecting the trustworthiness of software proposed by the embodiment of the invention, when any one of the multiple beacons in the PE file of the trusted software under test does not belong to the trusted beacon library, the trusted software under test is determined to have been tampered with or counterfeited, so that counterfeiting or tampering of trusted software is detected effectively, in particular behaviour in which an embedded malicious beacon is used to carry out a malicious purpose is detected accurately, the accuracy and reliability of detection are improved, users are effectively protected from malicious-code attacks, and the user experience is improved.
The device for detecting the trustworthiness of software proposed by the embodiments of the invention is described next with reference to the drawings.
Fig. 4 is a structural schematic diagram of the device for detecting the trustworthiness of software according to one embodiment of the invention.
As shown in Fig. 4, the device 10 includes a first detection module 100, an extraction module 200 and a second detection module 300.
The first detection module 100 is used to detect whether the trusted software under test is trustworthy. The extraction module 200 is used to extract multiple beacons from the PE file of the trusted software under test when the software under test is trustworthy. The second detection module 300 is used to detect whether the multiple beacons belong to the trusted beacon library and, when any one of the multiple beacons does not belong to the trusted beacon library, to determine that the trusted software under test has been counterfeited or tampered with. The device 10 of the embodiment of the invention can effectively detect counterfeiting or tampering of trusted software, in particular accurately detect behaviour in which an embedded malicious beacon is used to carry out a malicious purpose, improve the accuracy and reliability of detection, effectively protect users from malicious-code attacks, and improve the user experience.
Further, in one embodiment of the invention, the device 10 further includes a collection module and a crawling module.
The collection module is used to collect the list of trusted software vendors to generate the trusted software vendor name database. The crawling module is used to crawl all beacons of all trusted software vendors in the trusted software vendor name database to construct the trusted beacon library.
Further, in one embodiment of the invention, the extraction module 200 is further used to statically parse the PE file according to the PE structure to obtain the identification information of the PE file, identify the trusted software vendor name of the PE file from that identification information, detect whether it belongs to a trusted software vendor and, when it does belong to a trusted software vendor, statically or dynamically analyse the PE file to extract the multiple beacons embedded in the PE file or accessed by it dynamically.
Further, in one embodiment of the invention, the identification information includes PE attributes and a digital signature, where the PE attributes include one or more of the original file name, copyright, product name and trademark, and the digital signature includes signer information.
Further, in one embodiment of the invention, the multiple beacons include URL beacons, IP beacons and domain beacons.
It should be noted that the foregoing explanation of the method embodiment also applies to the device for detecting the trustworthiness of software of this embodiment and is not repeated here.
In the device for detecting the trustworthiness of software proposed by the embodiment of the invention, when any one of the multiple beacons in the PE file of the trusted software under test does not belong to the trusted beacon library, the trusted software under test is determined to have been tampered with or counterfeited, so that counterfeiting or tampering of trusted software is detected effectively, in particular behaviour in which an embedded malicious beacon is used to carry out a malicious purpose is detected accurately, the accuracy and reliability of detection are improved, users are effectively protected from malicious-code attacks, and the user experience is improved.
To implement the above embodiments, the embodiment of the invention also proposes a computer device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, the method for detecting the trustworthiness of software described in the above embodiments is implemented.
To implement the above embodiments, the embodiment of the invention also proposes a non-transitory computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the method for detecting the trustworthiness of software described in the above embodiments is implemented.
To implement the above embodiments, the embodiment of the invention also proposes a computer program product; when the instructions in the computer program product are executed by a processor, the method for detecting the trustworthiness of software described in the above embodiments is executed.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or as implicitly indicating the number of the technical features referred to. Thus a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the invention, "plurality" means at least two, for example two or three, unless otherwise specifically defined.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic uses of the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, provided they do not conflict with each other, those skilled in the art may combine and assemble the different embodiments or examples described in this specification and the features of the different embodiments or examples.
Although embodiments of the invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the invention; those skilled in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the invention.
Claims (10)
1. A trusted software detection method, characterized by comprising the following steps:
detecting whether software under test is trusted;
if the software under test is trusted, extracting multiple beacons from the PE file of the trusted software under test; and
detecting whether the multiple beacons belong to a trusted beacon library, and when any one of the multiple beacons does not belong to the trusted beacon library, determining that the trusted software under test has been counterfeited or tampered with.
2. The trusted software detection method according to claim 1, characterized in that it further comprises:
collecting a list of trusted software vendors to generate a trusted software vendor name information bank;
crawling all beacons of all trusted software vendors in the trusted software vendor name information bank to construct the trusted beacon library.
3. The trusted software detection method according to claim 1, characterized in that detecting whether the software under test is trusted further comprises:
statically parsing the PE file according to the PE structure to obtain identification information of the PE file, wherein the identification information includes PE attributes and a digital signature, the PE attributes include one or more of original filename, copyright, product name and trademark, and the digital signature includes signer information;
identifying the trusted software vendor name of the PE file according to the identification information of the PE file, and detecting whether it belongs to a trusted software vendor.
4. The trusted software detection method according to claim 3, characterized in that extracting the multiple beacons from the PE file of the trusted software under test further comprises:
if it belongs to a trusted software vendor, statically or dynamically analyzing the PE file to extract the multiple beacons embedded in the PE file or dynamically accessed by it.
5. The trusted software detection method according to any one of claims 1 to 4, characterized in that the multiple beacons include URL beacons, IP beacons and domain beacons.
6. A trusted software detection device, characterized by comprising:
a first detection module for detecting whether the trusted software under test is trusted;
an extraction module for extracting multiple beacons from the PE file of the trusted software under test when the software under test is trusted; and
a second detection module for detecting whether the multiple beacons belong to a trusted beacon library, and for determining that the trusted software under test has been counterfeited or tampered with when any one of the multiple beacons does not belong to the trusted beacon library.
7. The trusted software detection device according to claim 6, characterized in that it further comprises:
a collection module for collecting a list of trusted software vendors to generate a trusted software vendor name information bank;
a crawling module for crawling all beacons of all trusted software vendors in the trusted software vendor name information bank to construct the trusted beacon library.
8. A computer device, characterized by comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein when the processor executes the program, the trusted software detection method according to any one of claims 1 to 5 is realized.
9. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that when the program is executed by a processor, the trusted software detection method according to any one of claims 1 to 5 is realized.
10. A computer program product, characterized in that when the instructions in the computer program product are executed by a processor, the trusted software detection method according to any one of claims 1 to 5 is executed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811295818.5A CN110135153A (en) | 2018-11-01 | 2018-11-01 | The credible detection method and device of software |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110135153A true CN110135153A (en) | 2019-08-16 |
Family
ID=67568235
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811295818.5A Pending CN110135153A (en) | 2018-11-01 | 2018-11-01 | The credible detection method and device of software |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110135153A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110648118A (en) * | 2019-09-27 | 2020-01-03 | 深信服科技股份有限公司 | Fish fork mail detection method and device, electronic equipment and readable storage medium |
CN110661795A (en) * | 2019-09-20 | 2020-01-07 | 哈尔滨安天科技集团股份有限公司 | Vector-level threat information automatic production and distribution system and method |
CN114363060A (en) * | 2021-12-31 | 2022-04-15 | 深信服科技股份有限公司 | Domain name detection method, system, equipment and computer readable storage medium |
CN115277112A (en) * | 2022-07-07 | 2022-11-01 | 海南视联通信技术有限公司 | Data processing method and device, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101067859A (en) * | 2007-02-02 | 2007-11-07 | 张文 | Antipirating method for network software |
CN105119938A (en) * | 2015-09-14 | 2015-12-02 | 电子科技大学 | Method for defending against innerport recall trojan |
CN105354493A (en) * | 2015-10-22 | 2016-02-24 | 中国人民解放军装备学院 | Virtualization technology based terminal trust enhancement method and system |
CN106650439A (en) * | 2016-09-30 | 2017-05-10 | 北京奇虎科技有限公司 | Suspicious application program detection method and device |
CN108256328A (en) * | 2017-12-29 | 2018-07-06 | 北京奇虎科技有限公司 | Identify the method and device of counterfeit application |
Timeline: 2018-11-01 CN CN201811295818.5A patent/CN110135153A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10885190B2 (en) | Identifying web pages in malware distribution networks | |
US8726387B2 (en) | Detecting a trojan horse | |
US9734332B2 (en) | Behavior profiling for malware detection | |
CN110135153A (en) | The credible detection method and device of software | |
US20140298460A1 (en) | Malicious uniform resource locator detection | |
US8448245B2 (en) | Automated identification of phishing, phony and malicious web sites | |
US9135443B2 (en) | Identifying malicious threads | |
US8844039B2 (en) | Malware image recognition | |
Kim et al. | Detecting fake anti-virus software distribution webpages | |
US20120158626A1 (en) | Detection and categorization of malicious urls | |
CN107688743B (en) | Malicious program detection and analysis method and system | |
Zhang et al. | SaaS: A situational awareness and analysis system for massive android malware detection | |
CN111460445B (en) | Sample program malicious degree automatic identification method and device | |
RU2726032C2 (en) | Systems and methods for detecting malicious programs with a domain generation algorithm (dga) | |
US20180082061A1 (en) | Scanning device, cloud management device, method and system for checking and killing malicious programs | |
CN111104579A (en) | Identification method and device for public network assets and storage medium | |
Wang et al. | Beyond the virus: A first look at coronavirus-themed mobile malware | |
US20190114418A1 (en) | System, method, and computer program product for identifying a file used to automatically launch content as unwanted | |
CN113190838A (en) | Web attack behavior detection method and system based on expression | |
Wang et al. | Beyond the virus: a first look at coronavirus-themed Android malware | |
US20120117648A1 (en) | Malware Determination | |
KR101372906B1 (en) | Method and system to prevent malware code | |
JP6169497B2 (en) | Connection destination information determination device, connection destination information determination method, and program | |
US20210168172A1 (en) | Information processing device, information processing method and information processing program | |
JP2017224150A (en) | Analyzer, analysis method, and analysis program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin Hi-tech Industrial Development Zone, Harbin, Heilongjiang Province (838 Shikun Road). Applicant after: Harbin Antiy Technology Group Limited by Share Ltd. Address before: Room 506, Room 162, Hongqi Street, No. 17 Building, Nangang, High-tech Venture Center, Harbin High-tech Industrial Development Zone, Heilongjiang Province, 150000. Applicant before: Harbin Antiy Technology Co., Ltd. |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190816 |