CN103268443A - Symbol-based Android malicious code detection method and system - Google Patents

Symbol-based Android malicious code detection method and system Download PDF

Info

Publication number
CN103268443A
CN103268443A CN2012105795415A CN201210579541A CN103268443A CN 103268443 A CN103268443 A CN 103268443A CN 2012105795415 A CN2012105795415 A CN 2012105795415A CN 201210579541 A CN201210579541 A CN 201210579541A CN 103268443 A CN103268443 A CN 103268443A
Authority
CN
China
Prior art keywords
file
symbol
symbolic
information
described
Prior art date
Application number
CN2012105795415A
Other languages
Chinese (zh)
Other versions
CN103268443B (en
Inventor
潘宣辰
Original Assignee
武汉安天信息技术有限责任公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 武汉安天信息技术有限责任公司 filed Critical 武汉安天信息技术有限责任公司
Priority to CN201210579541.5A priority Critical patent/CN103268443B/en
Publication of CN103268443A publication Critical patent/CN103268443A/en
Application granted granted Critical
Publication of CN103268443B publication Critical patent/CN103268443B/en

Links

Abstract

The invention provides a symbol-based Android malicious code detection method and system. The method comprises the following steps: resolving a file in a program to be detected, acquiring and recording the symbol information of each file, and marking a symbol type; filtering symbol information of the file according to a keyword feature library; and matching all filtered symbol information and symbol types with a symbol rule in a symbol feature library, and if the quantity of successful matching of symbol contents and corresponding symbol types in any symbol rule is larger than a preset value, outputting a virus name which corresponds to the symbol rule, otherwise, ending detection. The invention further provides a symbol-based Android malicious code detection system. Due to the adoption of the method and the system provided by the invention, malicious code detection can be performed on symbol information in the program to be detected, and even if resource files and data change, detection can be performed according to extracted symbol information features.

Description

A kind of Android malicious code detecting method and system based on symbol

Technical field

The present invention relates to the malicious code of mobile terminal detection technique, particularly a kind of Android malicious code detecting method and system based on symbol.

Background technology

Along with the development of mobile communications network, the smart mobile phone that merges 3C becomes the development trend of portable terminal.The kind that mobile phone is used has greatly been enriched in the appearance of smart mobile phone, for mobile value-added service provides terminal-based.But meanwhile, smart mobile phone popular also given growing and wreak havoc and having created convenience of mobile phone viruses, and mobile phone is becoming hacker, viral fabricator's fresh target.Therefore in the face of the increasingly serious personal data safety problem of situation, each security firm is all developing the viral testing mechanism of stability and high efficiency more.It generally all is extensively to adopt the eigenwert scanning technique in the file to detect that but present Malware is declared the method for grinding, in case resource file and data change, the eigenwert of file also changes thereupon, so malicious code can change compiling file and escapes detection by revising resource file and data file.

Summary of the invention

The invention provides a kind of Android malicious code detecting method based on symbol, by the symbolic information in the file is detected, solved that eigenwert causes the problem that can't detect with data variation in the eigenwert scan method.

A kind of Android malicious code detecting method based on symbol comprises:

The file for the treatment of in the trace routine is resolved, and obtains and record the symbolic information of each file, and the label symbol type, and the symbolic information of described file is all symbols in the file; The sign pattern of described file comprises at least: API, FILENAME and UNKNOWN;

Symbolic information and the sign pattern of traversal All Files, judge whether sign pattern is UNKNOWN, if, then according to the symbol content matching symbols information in key characteristics storehouse, if described symbolic information is identical with arbitrary symbol content in the key characteristics storehouse, then symbol content corresponding symbol type is the sign pattern of current sign information in the key characteristics storehouse, symbolic information and the sign pattern of output current file; If do not comprise symbol content in the key characteristics storehouse, then carry out the judgement of next file; Otherwise symbolic information and the symbol content of direct output file; Described key characteristics storehouse is the set of symbolic information and the corresponding sign pattern of known file;

Whole symbolic information and the coupling of the symbolic rule in sign pattern and the symbolic feature storehouse with output, if with symbol content in arbitrary symbolic rule and the quantity of corresponding symbol type matching success greater than preset value, the corresponding Virus Name of output symbol rule then, otherwise detection of end; Described symbolic feature comprises symbolic rule and Virus Name in the storehouse at least, and described symbolic rule is whole symbolic information of known malicious code and the set of corresponding sign pattern.

In the described method, the file in the described program to be detected comprises at least: dex file, apk file, resource file and elf file.

In the described method, the symbolic information of described file comprises at least: overall static data symbol, URL or the SP number among the rodata in the file path of each Archive sit, the resource symbol in the resource file, the elf file in the type function in the dex file, the apk file.

In the described method, the type function in the described dex file is to press class name and function name to the spliced functional symbol information of the API information group of each function.

A kind of Android malicious code detection system based on symbol comprises:

Parsing module is resolved for the file for the treatment of trace routine, obtains and record the symbolic information of each file, and the label symbol type, and the symbolic information of described file is all symbols in the file; The sign pattern of described file comprises at least: API, FILENAME and UNKNOWN;

Filtering module, the symbolic information and the sign pattern that are used for the traversal All Files, judge whether sign pattern is UNKNOWN, if, then according to the symbol content matching symbols information in key characteristics storehouse, if described symbolic information is identical with arbitrary symbol content in the key characteristics storehouse, then symbol content corresponding symbol type is the sign pattern of current sign information in the key characteristics storehouse, exports symbolic information and the sign pattern of current file; If do not comprise symbol content in the key characteristics storehouse, then carry out the judgement of next file; Otherwise symbolic information and the symbol content of direct output file;

Matching module, symbolic rule coupling for the whole symbolic information that will export and sign pattern and symbolic feature storehouse, if with symbol content in arbitrary symbolic rule and the quantity of corresponding symbol type matching success greater than preset value, the corresponding Virus Name of output symbol rule then, otherwise detection of end; Described symbolic feature comprises symbolic rule and Virus Name in the storehouse at least, and described symbolic rule is whole symbolic information of known malicious code and the set of corresponding sign pattern.

In the described system, the file in the described program to be detected comprises at least: dex file, apk file, resource file and elf file.

In the described system, the symbolic information of described file comprises at least: overall static data symbol, URL or the SP number among the rodata in the file path of each Archive sit, the resource symbol in the resource file, the elf file in the type function in the dex file, the apk file.

In the described system, the type function in the described dex file is to press class name and function name to the spliced functional symbol information of the API information group of each function.

Method and system of the present invention, detection to the mobile phone malicious code does not rely on dex file and data code segment data, detect and the symbolic information that malice file in the mobile phone file is often used extracted, even resource file and data change, also can detect according to the symbolic information feature of extracting, malicious code can not be changed compiling file by modification resource file and data file escape detection, improve the malicious code recall rate.

Description of drawings

In order to be illustrated more clearly in the present invention or technical scheme of the prior art, to do to introduce simply to the accompanying drawing of required use in embodiment or the description of the Prior Art below, apparently, the accompanying drawing that describes below only is some embodiment that put down in writing among the present invention, for those of ordinary skills, under the prerequisite of not paying creative work, can also obtain other accompanying drawing according to these accompanying drawings.

Fig. 1 is a kind of Android malicious code detecting method process flow diagram based on symbol of the present invention;

Fig. 2 is a kind of Android malicious code detecting method embodiment process flow diagram based on symbol of the present invention;

Fig. 3 is a kind of Android malicious code detection system structural representation based on symbol of the present invention.

Embodiment

In order to make those skilled in the art person understand technical scheme in the embodiment of the invention better, and above-mentioned purpose of the present invention, feature and advantage can be become apparent more, below in conjunction with accompanying drawing technical scheme among the present invention is described in further detail.

Utilizable symbolic information can comprise that Apk installation kit file name information is the symbolic information of path type at the detection of the mobile phone Malware of Android platform; The symbolic information that URL or the SP type of number are arranged among the resource.arsc; The symbolic information that URL or the SP type of number are arranged in the elf file; The symbolic information that type function is arranged in the Dex file in call parameters, also has the symbolic information of URL or the SP type of number simultaneously.Wherein, the Dex file is to adopt the OO constructive system that is similar to java, to the class symbol, there are strict requirement and definition in functional symbol and path, and adopted a large amount of technology based on functional symbol, for example reflection is called, function addressing etc., and these provide strong data message support all for the detection of malicious code.No matter be one in the APK routine package file or independent dex file, all comprise the symbolic information that mass efficient can be used for detecting, can be used as a kind of malicious code gene tester based on symbol, a kind of android malicious code detecting method that possesses higher heuristic ability and accuracy is provided.

The invention provides a kind of Android malicious code detecting method based on symbol, by the symbolic information in the file is detected, solved that eigenwert causes the problem that can't detect with data variation in the eigenwert scan method.

A kind of Android malicious code detecting method based on symbol as shown in Figure 1, comprising:

S101: the file for the treatment of in the trace routine is resolved, and obtains and record the symbolic information of each file, and the label symbol type, and the symbolic information of described file is all symbols in the file; The sign pattern of described file comprises at least: API, FILENAME and UNKNOWN;

S102: symbolic information and the sign pattern of traversal All Files, judge whether sign pattern is UNKNOWN, if then carry out S104, otherwise carry out S105;

S103: according to the symbol content matching symbols information in key characteristics storehouse, judge that described symbolic information is whether identical with arbitrary symbol content in the key characteristics storehouse, if, then carry out S104, return S102, carry out the judgement of next file; Described key characteristics storehouse is the set of symbolic information and the corresponding sign pattern of known file;

S104: symbol content corresponding symbol type is the sign pattern of current sign information in the key characteristics storehouse, and symbolic information and the sign pattern of output current file are carried out S106;

S105: symbolic information and the sign pattern of direct output file;

S106: the symbolic rule coupling in the whole symbolic information that will export and sign pattern and the symbolic feature storehouse, if with symbol content in arbitrary symbolic rule and the quantity of corresponding symbol type matching success greater than preset value, the corresponding Virus Name of output symbol rule then, otherwise detection of end; Described symbolic feature comprises symbolic rule and Virus Name in the storehouse at least, and described symbolic rule is whole symbolic information of known malicious code and the set of corresponding sign pattern.

In the described method, the file in the described program to be detected comprises at least: dex file, apk file, resource file and elf file.

In the described method, the symbolic information of described file comprises at least: overall static data symbol, URL or the SP number among the rodata in the file path of each Archive sit, the resource symbol in the resource file, the elf file in the type function in the dex file, the apk file.

In the described method, the type function in the described dex file is to press class name and function name to the spliced functional symbol information of the API information group of each function.

For better understanding the inventive method, as shown in Figure 2, the inventive method is illustrated.

Before carrying out the malicious code detection, set up key characteristics storehouse and symbolic feature storehouse in advance, the key characteristics storehouse is designated as SymKeyDatabase in the present embodiment, and symbol content and sign pattern are designated as an iKeySymList array; The symbolic feature storehouse is designated as SymRuleDatabase, it is the array that has recorded symbolic rule and corresponding virus name in the symbolic feature storehouse, described array is designated as iRuleList, each array node is designated as SymRule, comprise symbolic rule and corresponding Virus Name, symbolic rule is the array iSymList that has recorded sign pattern and corresponding symbol content, and each array node is designated as SymNode, sign pattern is designated as type, and symbol content is designated as symbol.

S201: the file for the treatment of in the trace routine is resolved, and obtains and record the symbolic information of each file, and the label symbol type; Be that example describes to detect dex file, apk file, resource.arsc file and elf file;

Detect the dex file, the dex file is carried out format analysis, identify all structures, then method_ids is scanned, and according to class name and function name the API information of each function is spliced, formation function symbolic information group deposits in the SymNode array complete API symbolic information as the symbol symbol content in, and the corresponding symbol type is API;

Detect the apk file, file is carried out format analysis, all fileinfo nodes in the identification file structure are stored as among the SymNode file path as the symbol symbolic information, and the corresponding symbol type is FILENAME;

Detect the resource.arsc file, this document is carried out format analysis, identify all resource symbol information, resource symbol is stored as among the SymNode as the symbol symbolic information, the corresponding symbol type is UNKNOWN;

Detect the elf file, file is carried out format analysis, identify the overall static data symbolic information among all rodata, and it is stored as among the SymNode as the symbol symbolic information, the corresponding symbol type is UNKNOWN.

S202: travel through each SymNode, judge whether sign pattern is UNKNOWN, if then carry out S203, otherwise directly export SymNode as symbol to be detected;

S203: call key characteristics storehouse matching symbols information, judge the symbol content that whether comprises among the symbolic information symbol among the crucial subcharacter storehouse SymKeyDatabase, if then symbol content corresponding symbol type is designated as the sign pattern of current SymNode, and export SymNode as symbol to be detected, otherwise return S202;

S204: the SymNode that travels through each coupling back output, mate with the array iSymList of each symbol content among the SymRule among the SymRuleDatabase of symbolic feature storehouse, if with wherein a certain array node is identical, the virus name of then output correspondence, otherwise detection of end.

With the mode of symbolic feature storehouse coupling in, can be according to the default different matching condition of actual conditions, as identical, comprise or default identical threshold value etc.

A kind of Android malicious code detection system based on symbol as shown in Figure 3, comprising:

Parsing module 301 is resolved for the file for the treatment of trace routine, obtains and record the symbolic information of each file, and the label symbol type, and the symbolic information of described file is all symbols in the file; The sign pattern of described file comprises at least: API, FILENAME and UNKNOWN;

Filtering module 302, the symbolic information and the sign pattern that are used for the traversal All Files, judge whether sign pattern is UNKNOWN, if, then according to the symbol content matching symbols information in key characteristics storehouse, if described symbolic information is identical with arbitrary symbol content in the key characteristics storehouse, then symbol content corresponding symbol type is the sign pattern of current sign information in the key characteristics storehouse, exports symbolic information and the sign pattern of current file; If do not comprise symbol content in the key characteristics storehouse, then carry out the judgement of next file; Otherwise symbolic information and the symbol content of direct output file; Described key characteristics storehouse is the set of symbolic information and the corresponding sign pattern of known file;

Matching module 303, symbolic rule coupling for the whole symbolic information that will export and sign pattern and symbolic feature storehouse, if with symbol content in arbitrary symbolic rule and the quantity of corresponding symbol type matching success greater than preset value, the corresponding Virus Name of output symbol rule then, otherwise detection of end; Described symbolic feature comprises symbolic rule and Virus Name in the storehouse at least, and described symbolic rule is whole symbolic information of known malicious code and the set of corresponding sign pattern.

In the described system, the file in the described program to be detected comprises at least: dex file, apk file, resource file and elf file.

In the described system, the symbolic information of described file comprises at least: overall static data symbol, URL or the SP number among the rodata in the file path of each Archive sit, the resource symbol in the resource file, the elf file in the type function in the dex file, the apk file.

In the described system, the type function in the described dex file is to press class name and function name to the spliced functional symbol information of the API information group of each function.

Method and system of the present invention, detection to the mobile phone malicious code does not rely on dex file and data code segment data, detect and the symbolic information that malice file in the mobile phone file is often used extracted, even resource file and data change, also can detect according to the symbolic information feature of extracting, malicious code can not be changed compiling file by modification resource file and data file escape detection, improve the malicious code recall rate.

Method and system of the present invention, detection to the mobile phone malicious code does not rely on dex file and data code segment data, detect and the symbolic information that malice file in the mobile phone file is often used extracted, even resource file and data change, also can detect according to the symbolic information feature of extracting, malicious code can not be changed compiling file by modification resource file and data file escape detection, improve the malicious code recall rate.

The invention provides a kind of Android malicious code detecting method and system based on symbol, comprising: the file for the treatment of in the trace routine is resolved, and obtains and record the symbolic information of each file, and the label symbol type; According to the key characteristics storehouse, the symbolic information of kill file; With after filtering whole symbolic information and the symbolic rule in sign pattern and the symbolic feature storehouse mate, if with symbol content in arbitrary symbolic rule and the quantity of corresponding symbol type matching success greater than preset value, the corresponding Virus Name of output symbol rule then, otherwise detection of end.The present invention also provides the Android malicious code detection system based on symbol.By method and system of the present invention, can carry out the malicious code detection by the symbolic information for the treatment of in the trace routine, even resource file and data change, also can detect according to the symbolic information feature of extracting.

Each embodiment in this instructions all adopts the mode of going forward one by one to describe, and identical similar part is mutually referring to getting final product between each embodiment, and each embodiment stresses is difference with other embodiment.Especially, for system embodiment, because it is substantially similar in appearance to method embodiment, so description is fairly simple, relevant part gets final product referring to the part explanation of method embodiment.

Though described the present invention by embodiment, those of ordinary skills know, the present invention has many distortion and variation and do not break away from spirit of the present invention, wish that appended claim comprises these distortion and variation and do not break away from spirit of the present invention.

Claims (8)

1. the Android malicious code detecting method based on symbol is characterized in that, comprising:
The file for the treatment of in the trace routine is resolved, and obtains and record the symbolic information of each file, and the label symbol type; The sign pattern of described file comprises at least: API, FILENAME and UNKNOWN;
Symbolic information and the sign pattern of traversal All Files, judge whether sign pattern is UNKNOWN, if, then according to the symbol content matching symbols information in key characteristics storehouse, if described symbolic information is identical with arbitrary symbol content in the key characteristics storehouse, then symbol content corresponding symbol type is the sign pattern of current sign information in the key characteristics storehouse, symbolic information and the sign pattern of output current file; If do not comprise symbol content in the key characteristics storehouse, then carry out the judgement of next file; Otherwise symbolic information and the symbol content of direct output file; Described key characteristics storehouse is the set of symbolic information and the corresponding sign pattern of known file;
Whole symbolic information and the coupling of the symbolic rule in sign pattern and the symbolic feature storehouse with output, if with symbol content in arbitrary symbolic rule and the quantity of corresponding symbol type matching success greater than preset value, the corresponding Virus Name of output symbol rule then, otherwise detection of end; Described symbolic feature comprises symbolic rule and Virus Name in the storehouse at least, and described symbolic rule is whole symbolic information of known malicious code and the set of corresponding sign pattern.
2. the method for claim 1 is characterized in that, the file in the described program to be detected comprises at least: dex file, apk file, resource file and elf file.
3. method as claimed in claim 2, it is characterized in that the symbolic information of described file comprises at least: overall static data symbol, URL or the SP number among the rodata in the file path of each Archive sit, the resource symbol in the resource file, the elf file in the type function in the dex file, the apk file.
4. method as claimed in claim 3 is characterized in that, the type function in the described dex file is to press class name and function name to the spliced functional symbol information of the API information group of each function.
5. the Android malicious code detection system based on symbol is characterized in that, comprising:
Parsing module is resolved for the file for the treatment of trace routine, obtains and record the symbolic information of each file, and the label symbol type; The sign pattern of described file comprises at least: API, FILENAME and UNKNOWN;
Filtering module, the symbolic information and the sign pattern that are used for the traversal All Files, judge whether sign pattern is UNKNOWN, if, then according to the symbol content matching symbols information in key characteristics storehouse, if described symbolic information is identical with arbitrary symbol content in the key characteristics storehouse, then symbol content corresponding symbol type is the sign pattern of current sign information in the key characteristics storehouse, exports symbolic information and the sign pattern of current file; If do not comprise symbol content in the key characteristics storehouse, then carry out the judgement of next file; Otherwise symbolic information and the symbol content of direct output file; Described key characteristics storehouse is the set of symbolic information and the corresponding sign pattern of known file;
Matching module, symbolic rule coupling for the whole symbolic information that will export and sign pattern and symbolic feature storehouse, if with symbol content in arbitrary symbolic rule and the quantity of corresponding symbol type matching success greater than preset value, the corresponding Virus Name of output symbol rule then, otherwise detection of end; Described symbolic feature comprises symbolic rule and Virus Name in the storehouse at least, and described symbolic rule is whole symbolic information of known malicious code and the set of corresponding sign pattern.
6. system as claimed in claim 5 is characterized in that, the file in the described program to be detected comprises at least: dex file, apk file, resource file and elf file.
7. system as claimed in claim 6, it is characterized in that the symbolic information of described file comprises at least: overall static data symbol, URL or the SP number among the rodata in the file path of each Archive sit, the resource symbol in the resource file, the elf file in the type function in the dex file, the apk file.
8. system as claimed in claim 7 is characterized in that, the type function in the described dex file is to press class name and function name to the spliced functional symbol information of the API information group of each function.
CN201210579541.5A 2012-12-27 2012-12-27 A kind of Android malicious code detecting method based on symbol and system CN103268443B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210579541.5A CN103268443B (en) 2012-12-27 2012-12-27 A kind of Android malicious code detecting method based on symbol and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210579541.5A CN103268443B (en) 2012-12-27 2012-12-27 A kind of Android malicious code detecting method based on symbol and system

Publications (2)

Publication Number Publication Date
CN103268443A true CN103268443A (en) 2013-08-28
CN103268443B CN103268443B (en) 2016-08-10

Family

ID=49012071

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210579541.5A CN103268443B (en) 2012-12-27 2012-12-27 A kind of Android malicious code detecting method based on symbol and system

Country Status (1)

Country Link
CN (1) CN103268443B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104700030A (en) * 2013-12-04 2015-06-10 腾讯科技(深圳)有限公司 Virus data searching method, device and server
CN106295343A (en) * 2016-08-24 2017-01-04 北京奇虎测腾科技有限公司 A kind of source code distributed detection system based on serializing intermediate representation and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080016573A1 (en) * 2006-07-13 2008-01-17 Aladdin Knowledge System Ltd. Method for detecting computer viruses
CN101162485A (en) * 2006-10-11 2008-04-16 飞塔信息科技(北京)有限公司 Computer malevolence code processing method and system
US7861304B1 (en) * 2004-05-07 2010-12-28 Symantec Corporation Pattern matching using embedded functions
CN102779257A (en) * 2012-06-28 2012-11-14 奇智软件(北京)有限公司 Security detection method and system of Android application program

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7861304B1 (en) * 2004-05-07 2010-12-28 Symantec Corporation Pattern matching using embedded functions
US20080016573A1 (en) * 2006-07-13 2008-01-17 Aladdin Knowledge System Ltd. Method for detecting computer viruses
CN101162485A (en) * 2006-10-11 2008-04-16 飞塔信息科技(北京)有限公司 Computer malevolence code processing method and system
CN102779257A (en) * 2012-06-28 2012-11-14 奇智软件(北京)有限公司 Security detection method and system of Android application program

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104700030A (en) * 2013-12-04 2015-06-10 腾讯科技(深圳)有限公司 Virus data searching method, device and server
CN104700030B (en) * 2013-12-04 2017-12-01 腾讯科技(深圳)有限公司 A kind of viral data search method, device and server
CN106295343A (en) * 2016-08-24 2017-01-04 北京奇虎测腾科技有限公司 A kind of source code distributed detection system based on serializing intermediate representation and method
CN106295343B (en) * 2016-08-24 2019-03-12 北京奇虎测腾安全技术有限公司 A kind of source code distributed detection system and method based on serializing intermediate representation

Also Published As

Publication number Publication date
CN103268443B (en) 2016-08-10

Similar Documents

Publication Publication Date Title
JP5069308B2 (en) Improvements in preventing inappropriate code and data diffusion
CA2611227C (en) Resisting the spread of unwanted code and data
US20140344928A1 (en) Systems and methods for risk rating and pro-actively detecting malicious online ads
US9277378B2 (en) Short message service validation engine
CN102801574B (en) The detection method of a kind of web page interlinkage, device and system
CN102254111B (en) Malicious site detection method and device
JP2014063490A (en) System and method for analyzing repackaged application through risk calculation
Moonsamy et al. Mining permission patterns for contrasting clean and malicious android applications
WO2011156652A1 (en) System and method for analyzing malicious code using a static analyzer
WO2005076101A3 (en) System and method for securing computers against computer virus
Sato et al. Detecting android malware by analyzing manifest files
TWI461952B (en) Method and system for detecting malware applications
CN102801697A (en) Malicious code detection method and system based on plurality of URLs (Uniform Resource Locator)
US8713680B2 (en) Method and apparatus for modeling computer program behaviour for behavioural detection of malicious program
US20150052612A1 (en) Method and device for identifying virus apk
WO2015169158A1 (en) Information protection method and system
US20130160126A1 (en) Malware remediation system and method for modern applications
CN103685307A (en) Method, system, client and server for detecting phishing fraud webpage based on feature library
US9600668B2 (en) Method and device for extracting characteristic code of APK virus
CN104468249B (en) Account abnormity detection method and device
CN103279706A (en) Method and device for intercepting installation of Android application program in mobile terminal
CN103425926B (en) The method of application program launching method, configured list, terminal and server
CN104320756B (en) A kind of variation and device of account information
EP2461549A1 (en) Mobile phone internet flow counting and displaying method, device, and mobile phone
CN102243699A (en) Malicious code detection method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
COR Change of bibliographic data
CB02 Change of applicant information

Address after: 430000, Hubei province East Lake Wuhan New Technology Development Zone Software Park East Road 1 software industry phase 4-1, B4, building 12, room 01

Applicant after: Wuhan Antian Information Technology Co., Ltd.

Address before: 430000 Hubei Development Zone, East Lake, Optics Valley Venture Street, building 6, building 2, building

Applicant before: Wuhan Antian Information Technology Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant