CN103034810A - Detection method and detection device and electronic device - Google Patents

Publication number: CN103034810A
Authority: CN (China)
Legal status: Granted (Active)
Application number: CN2011102943463A
Other languages: Chinese (zh)
Other versions: CN103034810B (en)
Inventors: 刘永锋, 阮景春
Current Assignee: Lenovo Beijing Ltd
Original Assignee: Lenovo Beijing Ltd
Priority: CN201110294346.3A
Classification: Storage Device Security

Abstract

The invention discloses a detection method, a detection device and an electronic device. The detection method comprises: receiving a detection command; reading, according to the detection command, at least one first characteristic value from a first characteristic database and at least one second characteristic value from a second characteristic database; comparing each first characteristic value in turn with all the second characteristic values in the second characteristic database to detect whether a first characteristic value and a second characteristic value match, and obtaining a detection result; and outputting the detection result when it shows that a match exists. When the detection method is used for a full virus scan, the values already stored in the characteristic databases are compared directly and the applications need not be calculated one by one, so the detection speed is greatly improved, central processing unit (CPU) resources are saved, and more energy is saved.

Description

Detection method, device and electronic device
Technical field
The present invention relates to the field of computer technology, and in particular to a detection method, a device and an electronic device.
Background
At present, malicious applications are usually detected and removed by scanning executable files for a specific code taken from the characteristics of malicious applications, such as a specific binary string or a hash value. This method applies both to computers and to devices such as smartphones.
However, this method is very slow, consumes a great deal of CPU resources, uses a lot of power, and is not energy-efficient.
Summary of the invention
The embodiments of the invention provide a detection method, a device and an electronic device, to solve the problem that the detection process consumes a large amount of CPU resources, uses a lot of power and is not energy-efficient.
The invention provides a detection method applied to an electronic device, the method comprising:
receiving a detection command;
reading, according to the detection command, at least one first characteristic value from a first characteristic database and at least one second characteristic value from a second characteristic database;
comparing each first characteristic value in turn with all the second characteristic values in the second characteristic database to detect whether a first characteristic value and a second characteristic value match, and obtaining a detection result;
outputting the detection result when the detection result shows that a match exists;
wherein the first characteristic database is the application characteristic database and the first characteristic value is an application characteristic value, and the second characteristic database is the malicious-application characteristic database and the second characteristic value is a malicious-application characteristic value; or the first characteristic database is the malicious-application characteristic database and the first characteristic value is a malicious-application characteristic value, and the second characteristic database is the application characteristic database and the second characteristic value is an application characteristic value.
Before the detection command is received, the method further comprises:
when installing or updating a first application, the electronic device calculates the characteristic value of the installed or updated application;
the calculated characteristic value is stored in the first characteristic database as a first characteristic value; wherein the first characteristic database is the application characteristic database.
When the electronic device installs or updates a first application, and after the characteristic value has been calculated for the installed or updated application, the method further comprises:
triggering a detection command, and comparing the characteristic value calculated for the installed or updated first application with all the second characteristic values in the second characteristic database to detect whether a match exists, and obtaining a detection result; wherein the second characteristic database is the malicious-application characteristic database and the second characteristic value is a malicious-application characteristic value;
outputting the detection result when the detection result shows that a match exists.
Each application characteristic value comprises the characteristic value of the developer signing certificate and/or the characteristic value of the application program itself; the malicious-application characteristic value comprises the malicious-application characteristic value of the developer signing certificate and/or the malicious-application characteristic value of the application program itself.
When the characteristic value of the application program itself matches the malicious-application characteristic value of the application program itself, the application corresponding to that characteristic value of the application program itself is confirmed to be a malicious application.
When the characteristic value of the developer signing certificate matches the malicious-application characteristic value of the developer signing certificate, the application corresponding to the characteristic value of the developer signing certificate is confirmed to be a first-class application.
When the characteristic value of the developer signing certificate matches the malicious-application characteristic value of the developer signing certificate, and the application corresponding to the characteristic value of the developer signing certificate has produced a security event, the application corresponding to the characteristic value of the developer signing certificate is confirmed to be a second-class application.
When the characteristic value of the developer signing certificate matches the malicious-application characteristic value of the developer signing certificate, and the characteristic value of the developer signing certificate is identical to the characteristic value of the system default signing certificate, the application corresponding to the characteristic value of the developer signing certificate is confirmed to be a third-class application.
The embodiments of the invention also provide a detection device applied to an electronic device, the device comprising:
a receiving unit, configured to receive a detection command;
a reading unit, configured to read, according to the detection command, at least one first characteristic value from a first characteristic database and at least one second characteristic value from a second characteristic database;
a comparison unit, configured to compare each first characteristic value in turn with all the second characteristic values in the second characteristic database to detect whether a first characteristic value and a second characteristic value match, and to obtain a detection result;
an output unit, configured to output the detection result when the detection result shows that a match exists;
wherein the first characteristic database is the application characteristic database and the first characteristic value is an application characteristic value, and the second characteristic database is the malicious-application characteristic database and the second characteristic value is a malicious-application characteristic value; or the first characteristic database is the malicious-application characteristic database and the first characteristic value is a malicious-application characteristic value, and the second characteristic database is the application characteristic database and the second characteristic value is an application characteristic value.
The device further comprises:
a computing unit, configured to calculate, before the detection command is received and when the electronic device installs or updates a first application, the characteristic value of the installed or updated application;
a storage unit, configured to store the calculated characteristic value in the first characteristic database as a first characteristic value; wherein the first characteristic database is the application characteristic database.
The device further comprises:
a trigger unit, configured to trigger a detection command when the electronic device installs or updates a first application and after the characteristic value has been calculated for the installed or updated application;
the comparison unit is further configured to compare the characteristic value calculated for the installed or updated first application with all the second characteristic values in the second characteristic database to detect whether a match exists, and to obtain a detection result; wherein the second characteristic database is the malicious-application characteristic database and the second characteristic value is a malicious-application characteristic value;
the output unit is further configured to output the detection result when the detection result shows that a match exists.
Each application characteristic value comprises the characteristic value of the developer signing certificate and/or the characteristic value of the application program itself; the malicious-application characteristic value comprises the malicious-application characteristic value of the developer signing certificate and/or the malicious-application characteristic value of the application program itself.
The embodiments of the invention also provide an electronic device, the electronic device comprising:
a storage unit, configured to store the first characteristic database and the second characteristic database;
a processing unit, configured to receive a detection command; read, according to the detection command, at least one first characteristic value from the first characteristic database and at least one second characteristic value from the second characteristic database; compare each first characteristic value in turn with all the second characteristic values in the second characteristic database to detect whether a first characteristic value and a second characteristic value match, and obtain a detection result; and output the detection result when the detection result shows that a match exists;
wherein the first characteristic database is the application characteristic database and the first characteristic value is an application characteristic value, and the second characteristic database is the malicious-application characteristic database and the second characteristic value is a malicious-application characteristic value; or the first characteristic database is the malicious-application characteristic database and the first characteristic value is a malicious-application characteristic value, and the second characteristic database is the application characteristic database and the second characteristic value is an application characteristic value.
The processing unit is further configured to calculate, before the detection command is received and when a first application is installed or updated, the characteristic value of the installed or updated application, and to store the calculated characteristic value in the first characteristic database as a first characteristic value; wherein the first characteristic database is the application characteristic database.
The processing unit is further configured to trigger a detection command when a first application is installed and after the characteristic value has been calculated for the installed or updated application; to compare the characteristic value calculated for the installed or updated first application with all the second characteristic values in the second characteristic database to detect whether a match exists, and obtain a detection result; wherein the second characteristic database is the malicious-application characteristic database and the second characteristic value is a malicious-application characteristic value; and to output the detection result when the detection result shows that a match exists.
With the method, device and electronic device provided by the embodiments of the invention, a full virus scan directly compares the values already stored in the characteristic databases and need not calculate each application one by one, which greatly improves the detection speed, saves CPU resources, and is therefore also more energy-efficient.
Description of drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a flow chart of a detection method according to an embodiment of the invention;
Fig. 2 is a flow chart of a specific example provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of the logical structure of a detection device according to an embodiment of the invention;
Fig. 4 is a schematic diagram of the logical structure of an electronic device according to an embodiment of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative work fall within the scope of protection of the invention.
To explain the invention better, several concepts are first introduced briefly:
Application, as used herein, refers to an application program that can run; it may be a safe application in which no malicious function is embedded, or a malicious application in which a malicious function is embedded.
Application characteristic value: a value obtained by performing a calculation on an application; for example, it can be a hash value, a binary coded value, etc.
Malicious application, as used herein, refers to an application program infected with a virus or malicious function, i.e. an abnormal application program that contains a virus or malicious function. A virus includes code that damages the device's software or hardware. Malicious functions include data theft and fee theft. Data theft includes stealing data such as private data (user data such as short messages, mail, chat records and account passwords; geographic location data; operation records; etc.). Fee theft includes, without the user's participation, sending fee-incurring short messages, network access, calls, etc.
Malicious-application characteristic value: a value obtained by performing a calculation on a malicious application; for example, it can be a hash value, a binary coded value, etc.
Fig. 1 is a flow chart of a detection method according to an embodiment of the invention. The method is applied to an electronic device that comprises at least one application, an application characteristic value set and a malicious-application characteristic value set. The application characteristic value set contains the application characteristic value of at least one of the at least one application, and the malicious-application characteristic value set contains at least one malicious-application characteristic value. The flow shown in Fig. 1 comprises:
Step 101: receive a detection command;
Step 102: according to the detection command, read at least one first characteristic value from the first characteristic database and at least one second characteristic value from the second characteristic database;
Step 103: compare each first characteristic value in turn with all the second characteristic values in the second characteristic database to detect whether a first characteristic value and a second characteristic value match, and obtain a detection result;
Step 104: when the detection result shows that a match exists, output the detection result;
wherein the first characteristic database is the application characteristic database and the first characteristic value is an application characteristic value, and the second characteristic database is the malicious-application characteristic database and the second characteristic value is a malicious-application characteristic value; or the first characteristic database is the malicious-application characteristic database and the first characteristic value is a malicious-application characteristic value, and the second characteristic database is the application characteristic database and the second characteristic value is an application characteristic value.
That is, with the method shown in Fig. 1, each application characteristic value can be compared in turn with all the malicious-application characteristic values, or each malicious-application characteristic value can be compared in turn with all the application characteristic values.
It should be noted that, when the detection result shows that a match exists, the output detection result may include a list of the application names corresponding to the application characteristic values, indicating that the applications in the list may be malicious or risky applications. When the detection result shows that no match exists, a detection result may also be output; it shows that there is no malicious or risky application.
It should be noted that, before the detection command is received, the flow shown in Fig. 1 may further comprise: when installing or updating a first application, the electronic device calculates the characteristic value of the installed or updated application and stores the calculated characteristic value in the first characteristic database as a first characteristic value; wherein the first characteristic database is the application characteristic database. That is, before the detection command is received, whenever an application is installed or updated, the characteristic value of the installed or updated application is calculated and saved in the application characteristic database.
It should be noted that, when the electronic device installs or updates a first application, and after the characteristic value has been calculated for the installed or updated application, the flow shown in Fig. 1 may further comprise: triggering a detection command, and comparing the characteristic value calculated for the installed or updated first application with all the second characteristic values in the second characteristic database to detect whether a match exists, and obtaining a detection result; wherein the second characteristic database is the malicious-application characteristic database and the second characteristic value is a malicious-application characteristic value; and outputting the detection result when the detection result shows that a match exists. That is, once an application has been installed or updated and its application characteristic value has been calculated, the application can be checked once immediately, to ensure that the installed or updated application is safe.
As before, when the detection result shows that a match exists, the output detection result may include the name of the application just installed, indicating that this application may be a malicious or risky application. When the detection result shows that no match exists, a detection result may also be output; it shows that the installed application is not a malicious or risky application.
It should be noted that, when the detection result shows that a match exists, the flow may further comprise: according to a received instruction (such as an instruction from the user or an instruction generated automatically by the system), uninstalling the application whose application characteristic value matches a malicious-application characteristic value. The specific operation can be:
When a first application is installed or updated, after the characteristic value of the installed or updated application has been calculated, the application name and the installation location (such as the path) corresponding to this characteristic value are recorded. When the detection result shows that a match exists, the application whose application characteristic value matches a malicious-application characteristic value is uninstalled according to the received instruction, using the recorded installation location and application name. This avoids the losses that running the malicious application would cause.
It should be noted that each application characteristic value comprises the characteristic value of the developer signing certificate and/or the characteristic value of the application program itself; the malicious-application characteristic value comprises the malicious-application characteristic value of the developer signing certificate and/or the malicious-application characteristic value of the application program itself. Accordingly:
When the characteristic value of the application program itself matches the malicious-application characteristic value of the application program itself, the application corresponding to that characteristic value of the application program itself is confirmed to be a malicious application.
When the characteristic value of the developer signing certificate matches the malicious-application characteristic value of the developer signing certificate, the application corresponding to the characteristic value of the developer signing certificate is confirmed to be a first-class application. A first-class application is a risk application, such as a suspected malicious application.
When the characteristic value of the developer signing certificate matches the malicious-application characteristic value of the developer signing certificate, and the application corresponding to the characteristic value of the developer signing certificate has produced a security event, the application corresponding to the characteristic value of the developer signing certificate is confirmed to be a second-class application. A second-class application is a high-risk application, such as a suspected and risky malicious application.
When the characteristic value of the developer signing certificate matches the malicious-application characteristic value of the developer signing certificate, and the characteristic value of the developer signing certificate is identical to the characteristic value of the system default signing certificate, the application corresponding to the characteristic value of the developer signing certificate is confirmed to be a third-class application. A third-class application is a low-risk application, such as an application that may be risky.
When the characteristic value of the developer signing certificate matches the malicious-application characteristic value of the developer signing certificate, the characteristic value of the developer signing certificate is identical to the characteristic value of the system default signing certificate, and the application corresponding to the characteristic value of the developer signing certificate has produced a security event, the application corresponding to the characteristic value of the developer signing certificate is confirmed to be a second-class application. A second-class application is a high-risk application, such as a suspected and risky malicious application.
That is, the risk of a second-class application is higher than that of a first-class application, and the risk of a first-class application is higher than that of a third-class application.
The security events above can be obtained from logs, and include events such as accessing the address book, snooping on private data, resource consumption and consumption rate. That is, all security-related events can be recorded.
When the characteristic value of the developer signing certificate matches the malicious-application characteristic value of the developer signing certificate
As can be seen, with the method provided by the embodiments of the invention, a full virus scan directly compares the values already stored in the characteristic databases and need not calculate each application one by one, which greatly improves the detection speed, saves CPU resources, and is therefore also more energy-efficient.
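The install-time caching and the certificate-based risk classes described above, as an added example that is not part of the patent text. SHA-256 as the characteristic value, the `Detector` class, the label strings and the sample applications are assumptions, and a set lookup stands in for the one-by-one comparison.

```python
import hashlib
from dataclasses import dataclass, field

# Risk labels follow the patent's class names; the string values are assumptions.
MALICIOUS = "malicious"
SECOND_CLASS = "second-class (high risk)"
FIRST_CLASS = "first-class (risk)"
THIRD_CLASS = "third-class (low risk)"


def characteristic_value(data: bytes) -> str:
    """SHA-256 is an assumption; the patent only says 'hash value,
    binary coded value, etc.'."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class AppRecord:
    name: str
    path: str          # recorded so a matched application can be uninstalled
    app_value: str     # characteristic value of the application program itself
    cert_value: str    # characteristic value of the developer signing certificate


@dataclass
class Detector:
    malicious_app_values: set
    malicious_cert_values: set
    system_default_cert_value: str
    app_db: dict = field(default_factory=dict)  # application characteristic database
    hash_calls: int = 0                         # counts hashing work done on apps

    def _value(self, data: bytes) -> str:
        self.hash_calls += 1
        return characteristic_value(data)

    def on_install_or_update(self, name, path, apk_bytes, cert_bytes):
        """Hash once at install/update time, store, then check immediately."""
        rec = AppRecord(name, path, self._value(apk_bytes), self._value(cert_bytes))
        self.app_db[name] = rec
        return self.classify(rec, security_events=frozenset())

    def classify(self, rec, security_events):
        if rec.app_value in self.malicious_app_values:
            return MALICIOUS
        if rec.cert_value not in self.malicious_cert_values:
            return None                      # no match: nothing to report
        if rec.name in security_events:      # certificate match + security event
            return SECOND_CLASS
        if rec.cert_value == self.system_default_cert_value:
            return THIRD_CLASS
        return FIRST_CLASS

    def scan(self, security_events=frozenset()):
        """Full scan: compares stored values only, never re-hashes an app."""
        results = {}
        for rec in self.app_db.values():
            verdict = self.classify(rec, security_events)
            if verdict is not None:
                results[rec.name] = (verdict, rec.path)
        return results


def demo():
    # Constructed sample data: byte strings stand in for APK and certificate files.
    bad_apk = b"constructed-malicious-apk"
    bad_cert = b"constructed-malicious-developer-cert"
    default_cert = b"constructed-system-default-cert"
    det = Detector(
        malicious_app_values={characteristic_value(bad_apk)},
        malicious_cert_values={characteristic_value(bad_cert),
                               characteristic_value(default_cert)},
        system_default_cert_value=characteristic_value(default_cert),
    )
    installs = [
        ("notes", "/data/app/notes", b"notes-apk", b"clean-cert"),
        ("flashlight", "/data/app/flashlight", bad_apk, b"clean-cert"),
        ("wallpaper", "/data/app/wallpaper", b"wallpaper-apk", bad_cert),
        ("sms-helper", "/data/app/sms-helper", b"sms-apk", bad_cert),
        ("sample", "/data/app/sample", b"sample-apk", default_cert),
    ]
    install_verdicts = {n: det.on_install_or_update(n, p, a, c)
                        for n, p, a, c in installs}
    calls_after_install = det.hash_calls
    # Security events would come from logs; this set is constructed.
    results = det.scan(security_events={"sms-helper"})
    return install_verdicts, results, det.hash_calls - calls_after_install


if __name__ == "__main__":
    print(demo())
```

The third value returned by `demo()` is the number of hash computations performed during the full scan, which stays at zero because every value was cached at install time.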
Practical comparison further shows that, as the number of applications to be detected increases, the detection time of the method provided by the embodiments of the invention remains at about 5 seconds, whereas the detection time of other scanning tools, for the same number of applications, is about several times that of the inventive method. If the number of applications reaches 100 or more, the time needed by other scanning tools is far more than 10 times the time needed by the inventive method.
The invention is described in further detail below with a specific example.
Fig. 2 is a flow chart of a specific example provided by an embodiment of the invention. This example comprises two characteristic databases, A and B: database A is the application characteristic database and database B is the malicious-application characteristic database. Each application characteristic value stored in the application characteristic database comprises the characteristic value of the developer signing certificate and the characteristic value of the application program itself; each malicious-application characteristic value stored in the malicious-application characteristic database comprises the malicious-application characteristic value of the developer signing certificate and the malicious-application characteristic value of the application program itself. For example, the characteristic value of the developer signing certificate can be the hash value (HASH) of the application's signing certificate, and the characteristic value of the application program itself can be the HASH of the APK; correspondingly, the malicious-application characteristic value of the developer signing certificate can be the hash value (HASH) of a malicious application's signing certificate, and the malicious-application characteristic value of the application program itself can be the HASH of a malicious APK.
It should be noted that the number of malicious-application authors, i.e. of developer signing certificate characteristic values, is far smaller than the number of malicious applications, i.e. of characteristic values of the application programs themselves. In this embodiment, therefore, the characteristic value of the developer signing certificate is matched first. If it matches, the application is confirmed to be possibly malicious, and the characteristic value of the application program itself is then matched, or other information is used for risk grading; if it does not match, it can be directly confirmed that the application is not a malicious application. The flow shown in Fig. 2 comprises:
00) when an application installation or update is captured, calculate the application characteristic value of the installed or updated application, and store the calculated application characteristic value in the application characteristic database;
01) when detection is needed, compare whether the characteristic value of the developer signing certificate is identical to a malicious-application characteristic value of the developer signing certificate; if identical, execute step 02), otherwise execute step 09);
02) judge whether the characteristic value of the developer signing certificate is the characteristic value of the system default signing certificate; if so, execute step 03), otherwise execute step 04);
03) detect whether this application has triggered a security event; if so, execute step 06), otherwise execute step 09);
04) compare whether the characteristic value of the application program itself is identical to a malicious-application characteristic value of the application program itself; if identical, execute step 05), otherwise execute step 06);
05) confirm that this application is a malicious application, then execute step 09);
06) confirm that this application is an application that may be risky, then execute step 09);
07) detect whether this application has triggered a security event; if so, execute step 08), otherwise execute step 09);
08) confirm that this application is a second-class application, i.e. a suspected and risky malicious application, then execute step 09);
09) judge whether all comparisons are complete; if so, finish, otherwise execute step 10);
10) obtain the application characteristic value of the next application, then execute step 01).
With the method provided by the embodiments of the invention, a full virus scan directly compares the values already stored in the characteristic databases and need not calculate each application one by one, which greatly improves the detection speed, saves CPU resources, and is therefore also more energy-efficient.
An embodiment of the invention also provides a detection device, applied to an electronic device. Referring to Fig. 3, the device comprises:
A receiving unit 301, configured to receive a detection command;
A reading unit 302, configured to read, according to the detection command, at least one first characteristic value from a first characteristic database and at least one second characteristic value from a second characteristic database;
A comparison unit 303, configured to compare each first characteristic value in turn with all the second characteristic values in the second characteristic database, detect whether a matching first characteristic value and second characteristic value exist, and obtain a detection result;
An output unit 304, configured to output the detection result when the detection result shows that a match exists;
Wherein the first characteristic database is the application characteristic database and the first characteristic value is an application characteristic value, and the second characteristic database is the malicious application characteristic database and the second characteristic value is a malicious application characteristic value; or, the first characteristic database is the malicious application characteristic database and the first characteristic value is a malicious application characteristic value, and the second characteristic database is the application characteristic database and the second characteristic value is an application characteristic value.
The device shown in Fig. 3 may further comprise:
A calculation unit (not shown), configured to calculate, before the detection command is received and when the electronic device installs or upgrades a first application, the characteristic value of the installed or upgraded application;
A storage unit (not shown), configured to store the calculated characteristic value in the first characteristic database as a first characteristic value; wherein the first characteristic database is the application characteristic database.
The device shown in Fig. 3 may further comprise:
A trigger unit (not shown), configured to trigger the detection command when the electronic device installs or upgrades the first application, after the characteristic value has been calculated for the installed or upgraded application;
The comparison unit is further configured to detect whether the characteristic value calculated for the installed or upgraded first application matches the second characteristic values in the second characteristic database, comparing it against all of them, and to obtain a detection result; wherein the second characteristic database is the malicious application characteristic database and the second characteristic value is a malicious application characteristic value;
The output unit is further configured to output the detection result when the detection result shows that a match exists.
Each of the above application characteristic values comprises the characteristic value of the developer's signing certificate and/or the characteristic value of the application program itself; each of the above malicious application characteristic values comprises the malicious application characteristic value of the developer's signing certificate and/or the malicious application characteristic value of the application program itself.
With the device provided by this embodiment of the invention, a full virus scan directly compares the values already stored in the characteristic databases and does not need to calculate a value for each application one by one, which greatly improves detection speed, saves CPU resources and therefore also saves energy.
An embodiment of the invention also provides an electronic device. Referring to Fig. 4, the electronic device comprises:
A storage unit 401, configured to store the first characteristic database and the second characteristic database;
A processing unit 402, configured to receive a detection command; read, according to the detection command, at least one first characteristic value from the first characteristic database and at least one second characteristic value from the second characteristic database; compare each first characteristic value in turn with all the second characteristic values in the second characteristic database, detect whether a matching first characteristic value and second characteristic value exist, and obtain a detection result; and output the detection result when the detection result shows that a match exists;
Wherein the first characteristic database is the application characteristic database and the first characteristic value is an application characteristic value, and the second characteristic database is the malicious application characteristic database and the second characteristic value is a malicious application characteristic value; or, the first characteristic database is the malicious application characteristic database and the first characteristic value is a malicious application characteristic value, and the second characteristic database is the application characteristic database and the second characteristic value is an application characteristic value.
The processing unit 402 is further configured to calculate, before the detection command is received and when a first application is installed or upgraded, the characteristic value of the installed or upgraded application, and to store the calculated characteristic value in the first characteristic database as a first characteristic value; wherein the first characteristic database is the application characteristic database.
The processing unit 402 is further configured to trigger the detection command when the first application is installed, after the characteristic value has been calculated for the installed or upgraded application; to detect whether the characteristic value calculated for the installed or upgraded first application matches the second characteristic values in the second characteristic database, comparing it against all of them, and obtain a detection result, wherein the second characteristic database is the malicious application characteristic database and the second characteristic value is a malicious application characteristic value; and to output the detection result when the detection result shows that a match exists.
With the electronic device provided by this embodiment of the invention, a full virus scan directly compares the values already stored in the characteristic databases and does not need to calculate a value for each application one by one, which greatly improves detection speed, saves CPU resources and therefore also saves energy.
Because the device and electronic device embodiments are basically similar to the method embodiment, they are described relatively briefly; for the relevant parts, refer to the description of the method embodiment.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant are intended to cover non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises said element.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within its scope of protection.

Claims (15)

1. A detection method, applied to an electronic device, characterized in that the method comprises:
Receiving a detection command;
Reading, according to the detection command, at least one first characteristic value from a first characteristic database and at least one second characteristic value from a second characteristic database;
Comparing each first characteristic value in turn with all the second characteristic values in the second characteristic database, detecting whether a matching first characteristic value and second characteristic value exist, and obtaining a detection result;
Outputting the detection result when the detection result shows that a match exists;
Wherein the first characteristic database is the application characteristic database and the first characteristic value is an application characteristic value, and the second characteristic database is the malicious application characteristic database and the second characteristic value is a malicious application characteristic value; or, the first characteristic database is the malicious application characteristic database and the first characteristic value is a malicious application characteristic value, and the second characteristic database is the application characteristic database and the second characteristic value is an application characteristic value.
2. The method according to claim 1, characterized in that, before the detection command is received, the method further comprises:
When the electronic device installs or upgrades a first application, calculating the characteristic value of the installed or upgraded application;
Storing the calculated characteristic value in the first characteristic database as a first characteristic value; wherein the first characteristic database is the application characteristic database.
3. The method according to claim 2, characterized in that, when the electronic device installs or upgrades the first application, after the characteristic value has been calculated for the installed or upgraded application, the method further comprises:
Triggering the detection command, detecting whether the characteristic value calculated for the installed or upgraded first application matches the second characteristic values in the second characteristic database, comparing it against all of them, and obtaining a detection result; wherein the second characteristic database is the malicious application characteristic database and the second characteristic value is a malicious application characteristic value;
Outputting the detection result when the detection result shows that a match exists.
4. The method according to claim 1, characterized in that
Each application characteristic value comprises the characteristic value of the developer's signing certificate and/or the characteristic value of the application program itself;
Each malicious application characteristic value comprises the malicious application characteristic value of the developer's signing certificate and/or the malicious application characteristic value of the application program itself.
5. The method according to claim 4, characterized in that
When the characteristic value of the application program itself matches the malicious application characteristic value of the application program itself, the application corresponding to the characteristic value of the application program itself is confirmed to be a malicious application.
6. The method according to claim 4, characterized in that, when the characteristic value of the developer's signing certificate matches the malicious application characteristic value of the developer's signing certificate, the application corresponding to the characteristic value of the developer's signing certificate is confirmed to be a first-class application.
7. The method according to claim 6, characterized in that, when the characteristic value of the developer's signing certificate matches the malicious application characteristic value of the developer's signing certificate, and the application corresponding to the characteristic value of the developer's signing certificate has produced a security event, the application corresponding to the characteristic value of the developer's signing certificate is confirmed to be a second-class application.
8. The method according to claim 6, characterized in that, when the characteristic value of the developer's signing certificate matches the malicious application characteristic value of the developer's signing certificate, if the characteristic value of the developer's signing certificate is identical to the characteristic value of the system default signing certificate, the application corresponding to the characteristic value of the developer's signing certificate is a third-class application.
9. A detection device, applied to an electronic device, characterized in that the device comprises:
A receiving unit, configured to receive a detection command;
A reading unit, configured to read, according to the detection command, at least one first characteristic value from a first characteristic database and at least one second characteristic value from a second characteristic database;
A comparison unit, configured to compare each first characteristic value in turn with all the second characteristic values in the second characteristic database, detect whether a matching first characteristic value and second characteristic value exist, and obtain a detection result;
An output unit, configured to output the detection result when the detection result shows that a match exists;
Wherein the first characteristic database is the application characteristic database and the first characteristic value is an application characteristic value, and the second characteristic database is the malicious application characteristic database and the second characteristic value is a malicious application characteristic value; or, the first characteristic database is the malicious application characteristic database and the first characteristic value is a malicious application characteristic value, and the second characteristic database is the application characteristic database and the second characteristic value is an application characteristic value.
10. The device according to claim 9, characterized in that the device further comprises:
A calculation unit, configured to calculate, before the detection command is received and when the electronic device installs or upgrades a first application, the characteristic value of the installed or upgraded application;
A storage unit, configured to store the calculated characteristic value in the first characteristic database as a first characteristic value; wherein the first characteristic database is the application characteristic database.
11. The device according to claim 10, characterized in that the device further comprises:
A trigger unit, configured to trigger the detection command when the electronic device installs or upgrades the first application, after the characteristic value has been calculated for the installed or upgraded application;
The comparison unit is further configured to detect whether the characteristic value calculated for the installed or upgraded first application matches the second characteristic values in the second characteristic database, comparing it against all of them, and to obtain a detection result; wherein the second characteristic database is the malicious application characteristic database and the second characteristic value is a malicious application characteristic value;
The output unit is further configured to output the detection result when the detection result shows that a match exists.
12. The device according to claim 9, characterized in that
Each application characteristic value comprises the characteristic value of the developer's signing certificate and/or the characteristic value of the application program itself;
Each malicious application characteristic value comprises the malicious application characteristic value of the developer's signing certificate and/or the malicious application characteristic value of the application program itself.
13. An electronic device, characterized in that the electronic device comprises:
A storage unit, configured to store a first characteristic database and a second characteristic database;
A processing unit, configured to receive a detection command; read, according to the detection command, at least one first characteristic value from the first characteristic database and at least one second characteristic value from the second characteristic database; compare each first characteristic value in turn with all the second characteristic values in the second characteristic database, detect whether a matching first characteristic value and second characteristic value exist, and obtain a detection result; and output the detection result when the detection result shows that a match exists;
Wherein the first characteristic database is the application characteristic database and the first characteristic value is an application characteristic value, and the second characteristic database is the malicious application characteristic database and the second characteristic value is a malicious application characteristic value; or, the first characteristic database is the malicious application characteristic database and the first characteristic value is a malicious application characteristic value, and the second characteristic database is the application characteristic database and the second characteristic value is an application characteristic value.
14. The electronic device according to claim 13, characterized in that
The processing unit is further configured to calculate, before the detection command is received and when a first application is installed or upgraded, the characteristic value of the installed or upgraded application, and to store the calculated characteristic value in the first characteristic database as a first characteristic value; wherein the first characteristic database is the application characteristic database.
15. The electronic device according to claim 13, characterized in that
The processing unit is further configured to trigger the detection command when the first application is installed, after the characteristic value has been calculated for the installed or upgraded application; to detect whether the characteristic value calculated for the installed or upgraded first application matches the second characteristic values in the second characteristic database, comparing it against all of them, and obtain a detection result, wherein the second characteristic database is the malicious application characteristic database and the second characteristic value is a malicious application characteristic value; and to output the detection result when the detection result shows that a match exists.
CN201110294346.3A 2011-09-29 2011-09-29 A kind of detection method, device and electronic equipment Active CN103034810B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110294346.3A CN103034810B (en) 2011-09-29 2011-09-29 A kind of detection method, device and electronic equipment


Publications (2)

Publication Number Publication Date
CN103034810A true CN103034810A (en) 2013-04-10
CN103034810B CN103034810B (en) 2016-04-27

Family

ID=48021696


Country Status (1)

Country Link
CN (1) CN103034810B (en)


Also Published As

Publication number Publication date
CN103034810B (en) 2016-04-27


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant