CN103699843A - Malicious activity detection method and device - Google Patents

Info

Publication number: CN103699843A
Application number: CN201310747287.XA
Authority: CN (China)
Prior art keywords: pixel, malicious act, similarity, subelement, characteristic image
Prior art date: (not shown)
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 潘泉海, 姚辉, 刘桂峰
Current assignee: Zhuhai Juntian Electronic Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Zhuhai Juntian Electronic Technology Co Ltd
Priority date, filing date and publication date: (not shown) (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Events: application filed by Zhuhai Juntian Electronic Technology Co Ltd; priority to CN201310747287.XA; publication of CN103699843A; legal status pending.

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

An embodiment of the invention discloses a malicious activity detection method and device. The method includes: while the object under detection runs, capturing a visual interface created by the object to obtain a running feature screenshot; calculating the similarity between the running feature screenshot and a preset malicious activity feature image; and determining from the calculated similarity whether the object exhibits malicious activity. With this method and device, malicious activity can still be detected when the running object produces little behaviour feature information.

Description

Malicious activity detection method and device
Technical field
The present invention relates to the field of computer security technology, and in particular to a malicious activity detection method and device.
Background technology
With the development of computer technology, computer security is increasingly important. Attackers often embed malicious code in application programs or documents; when a user obtains such a program or document from a website or elsewhere, the malicious code is brought onto the computer along with it and performs malicious activity there, harming the user's computer or otherwise interfering with the user. It is therefore necessary to detect whether an application program or document exhibits malicious activity.
In the prior art, the behaviour feature information produced while the object under detection (an application program or document, for example) is loaded and run is recorded and compared against known malicious activity feature information to judge whether the object exhibits malicious activity. However, some programs or documents produce very little behaviour when loaded and run, so behaviour feature information cannot be extracted and compared effectively, and it cannot be judged accurately whether the object exhibits malicious activity.
Summary of the invention
The embodiments of the present invention provide a malicious activity detection method and device that can detect whether an object under detection exhibits malicious activity even when the object produces little behaviour feature information while it is loaded and run.
To this end, an embodiment of the invention discloses a malicious activity detection method comprising:
while the object under detection runs, capturing the visual interface created by the object to obtain a running feature screenshot;
calculating the similarity between the running feature screenshot and a preset malicious activity feature image;
determining from the calculated similarity whether the object under detection exhibits malicious activity.
Optionally, determining from the calculated similarity whether the object exhibits malicious activity comprises:
judging whether the calculated similarity is less than a preset first threshold;
if it is not, determining that the object under detection exhibits malicious activity.
Optionally, capturing the visual interface created by the object while it runs comprises:
monitoring the running object for interface-creation behaviour and, when creation of a visual interface is observed, capturing the created interface.
Optionally, the preset malicious activity feature image is obtained as follows:
loading an object known to exhibit malicious activity;
while that object runs, capturing the visual interface it creates;
obtaining a malicious activity feature image from the capture;
recording the obtained malicious activity feature image.
Optionally, calculating the similarity between the running feature screenshot and the preset malicious activity feature image comprises:
a. obtaining the pixel value X(Pa) of the pixel Pa in the first row and first column of the malicious activity feature image, and initializing the scan start point to the pixel in the first row and first column of the running feature screenshot;
b. starting from the scan start point, searching the running feature screenshot for a pixel Pb whose pixel value X(Pb) satisfies X(Pb) = X(Pa);
c. taking Pa and Pb as corresponding points, determining the correspondence between the pixels of the malicious activity feature image and the pixels of the running feature screenshot;
d. judging whether the pixels in Pa's row have the same pixel values as their corresponding pixels;
if so, proceeding to step e;
if not, taking the pixel after the current Pb as the new scan start point and repeating steps b and c until the pixels in Pa's row have the same values as their corresponding pixels, then proceeding to step e; if that condition can never be met, setting the similarity result to 0;
e. using the correspondence established in step c, judging whether the pixels of the malicious activity feature image have the same values as their corresponding pixels, counting the number Ce of pixels whose values are identical, and calculating Ce/Ct as the similarity between the running feature screenshot and the preset malicious activity feature image, where Ct is the total number of pixels of the malicious activity feature image that were compared against their corresponding pixels.
Optionally, judging whether the pixels in Pa's row have the same values as their corresponding pixels comprises:
in Pa's row, starting from Pa, judging whether the pixels selected at a preset second-threshold spacing (the number of pixels skipped between sampled pixels) have the same values as their corresponding pixels.
Optionally, judging whether the pixels of the malicious activity feature image have the same values as their corresponding pixels comprises:
in the malicious activity feature image, starting from a predetermined pixel, judging whether the pixels selected at a preset third-threshold spacing have the same values as their corresponding pixels.
To the same end, an embodiment of the invention discloses a malicious activity detection device comprising:
a capture unit, for capturing, while the object under detection runs, the visual interface created by the object to obtain a running feature screenshot;
a similarity calculation unit, for calculating the similarity between the running feature screenshot and a preset malicious activity feature image;
a malicious activity determination unit, for determining from the calculated similarity whether the object under detection exhibits malicious activity.
Optionally, the malicious activity determination unit comprises a similarity judgment subunit and a malicious activity determination subunit;
the similarity judgment subunit judges whether the calculated similarity is less than a preset first threshold;
the malicious activity determination subunit determines that the object under detection exhibits malicious activity when the similarity judgment subunit finds that the similarity is not less than the preset first threshold.
Optionally, the capture unit specifically monitors the running object for interface-creation behaviour and, when creation of a visual interface is observed, captures the created interface.
Optionally, the device further comprises a malicious activity feature image generation unit;
the malicious activity feature image generation unit comprises a loading subunit, a capture subunit, an acquisition subunit and a recording subunit;
the loading subunit loads an object known to exhibit malicious activity;
the capture subunit captures, while that object runs, the visual interface it creates;
the acquisition subunit generates a malicious activity feature image from the capture;
the recording subunit records the obtained malicious activity feature image.
Optionally, the similarity calculation unit comprises an initialization subunit, a scanning subunit, a correspondence determination subunit, a loop control subunit and a similarity computation subunit;
the initialization subunit obtains the pixel value X(Pa) of the pixel Pa in the first row and first column of the malicious activity feature image, and initializes the scan start point to the pixel in the first row and first column of the running feature screenshot;
the scanning subunit searches the running feature screenshot, starting from the scan start point, for a pixel Pb whose pixel value X(Pb) satisfies X(Pb) = X(Pa), and triggers the correspondence determination subunit;
the correspondence determination subunit takes Pa and Pb as corresponding points and determines the correspondence between the pixels of the malicious activity feature image and the pixels of the running feature screenshot;
the loop control subunit judges whether the pixels in Pa's row have the same pixel values as their corresponding pixels:
if so, it triggers the similarity computation subunit to calculate the similarity;
if not, it sets the pixel after the current Pb as the scan start point and triggers the scanning subunit to scan again, until the pixels in Pa's row have the same values as their corresponding pixels, whereupon it triggers the similarity computation subunit; if that condition can never be met, the similarity result is set to 0;
the similarity computation subunit, using the correspondence established by the correspondence determination subunit, judges whether the pixels of the malicious activity feature image have the same values as their corresponding pixels, counts the number Ce of pixels whose values are identical, and calculates Ce/Ct as the similarity between the running feature screenshot and the preset malicious activity feature image, where Ct is the total number of pixels of the malicious activity feature image that were compared against their corresponding pixels.
Optionally, the loop control subunit specifically judges whether, in Pa's row and starting from Pa, the pixels selected at a preset second-threshold spacing have the same values as their corresponding pixels:
if so, it triggers the similarity computation subunit to calculate the similarity;
if not, it sets the pixel after the current Pb as the scan start point and triggers the scanning subunit to scan again, until the pixels in Pa's row selected at the second-threshold spacing have the same values as their corresponding pixels, whereupon it triggers the similarity computation subunit; if that condition can never be met, the similarity result is set to 0.
Optionally, the similarity computation subunit specifically uses the correspondence established by the correspondence determination subunit to judge whether, in the malicious activity feature image and starting from a predetermined pixel, the pixels selected at a preset third-threshold spacing have the same values as their corresponding pixels, counts the number Ce of pixels whose values are identical, and calculates Ce/Ct as the similarity between the running feature screenshot and the preset malicious activity feature image, where Ct is the total number of pixels of the malicious activity feature image that were compared against their corresponding pixels.
As the above technical solution shows, the present scheme detects whether the object under detection exhibits malicious activity from screenshots of the interface it creates while loaded and run, without using the behaviour feature information it produces; malicious activity can therefore be detected even when the object produces little behaviour feature information while loaded and run.
Accompanying drawing explanation
To describe the embodiments of the present invention or the prior-art technical solutions more clearly, the drawings used in the embodiments or in the description of the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a malicious activity detection method provided by an embodiment of the present invention;
Fig. 2 is a flow chart of a method of calculating image similarity provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of a malicious activity detection device provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of another malicious activity detection device provided by an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments that a person of ordinary skill in the art could obtain from them without creative effort fall within the scope of protection of the invention.
The embodiments of the present invention provide a malicious activity detection method and device that detect whether the object under detection exhibits malicious activity by taking screenshots of its interface while it is loaded and run and calculating the similarity between those screenshots and a preset malicious activity feature image.
The invention is described in detail below through specific embodiments.
Fig. 1 is a flow chart of a malicious activity detection method provided by an embodiment of the present invention. The method comprises the following steps:
Step 101: while the object under detection runs, capture the visual interface created by the object to obtain a running feature screenshot.
In this step, the running object can be monitored for interface-creation behaviour, and when creation of a visual interface is observed, the created interface is captured.
In practice, only one interface-creation event may be observed during the run, in which case only that interface is captured; several interface-creation events may also be observed, in which case each of the created interfaces is captured.
In this embodiment the object under detection may be an application program, for example a single executable file or an application made up of several files, or a document, for example a Word or Excel document, or even an audio or video file; the invention places no limit on this. The running process of the object may be, for example, the process of loading the object into memory and running it.
Step 102: calculate the similarity between the running feature screenshot and a preset malicious activity feature image.
The malicious activity feature image is a feature image captured beforehand while an object known to exhibit malicious activity was loaded and run. A single malicious activity feature image may be stored in advance as a feature file, or several malicious activity feature images may be stored in one feature file. When a feature file holds several feature images, the similarity between the running feature screenshot and each feature image in the file is calculated in turn, and the screenshot is judged from those similarities to be similar to one or more of the feature images in the file.
In one embodiment of the present invention, the preset malicious activity feature image can be obtained as follows:
load an object known to exhibit malicious activity; while that object runs, capture the visual interface it creates; obtain a malicious activity feature image from the capture; record the obtained feature image. The malicious activity feature image may be the whole captured interface screenshot or only a part of it. When a part of the captured screenshot is used as the feature image, which part to use can be chosen manually so as to obtain an image that better highlights the malicious activity feature.
Step 103: determine from the calculated similarity whether the object under detection exhibits malicious activity.
Specifically, for example, whether the object under detection exhibits malicious activity can be determined by judging whether the calculated similarity is less than a preset first threshold: if it is not less than the threshold, the object is judged to exhibit malicious activity; otherwise, no malicious activity is detected in the object.
In this step the preset first threshold serves to judge whether the running feature screenshot is similar to the preset malicious activity feature image; it can be set to 90%, for example. This value is only an example, and in practice the setting of the first threshold is not limited to it.
When several malicious activity feature images are stored in one feature file, a separate threshold for judging similarity to the running feature screenshot can be set for each feature image, or a single threshold can be set for all of them.
When the calculated similarity between the running feature screenshot and the preset malicious activity feature image is not less than the preset first threshold, the screenshot of the visual interface the object created while running is considered similar enough to the feature image, and the object can be judged to exhibit the malicious activity corresponding to that feature image.
Malicious activity may harm the user's computer or otherwise interfere with the user, for example by stealing the user's login password.
When the calculated similarity is less than the preset first threshold, the screenshot of the visual interface the object created while running is considered not similar enough to the feature image, and the object can be judged not to exhibit the malicious activity corresponding to that feature image.
As can be seen, in this embodiment malicious activity in the object under detection is detected from screenshots of the interface it creates while loaded and run, without using the behaviour feature information it produces; malicious activity can therefore be detected even when the object produces little behaviour feature information while loaded and run.
In connection with a practical application scenario of the present invention, one embodiment of the invention also provides a method of calculating image similarity.
Fig. 2 is a flow chart of a method of calculating image similarity provided by an embodiment of the present invention. The method comprises the following steps:
Step 201: obtain the pixel value X(Pa) of the pixel Pa in the first row and first column of the malicious activity feature image, and initialize the scan start point to the pixel in the first row and first column of the running feature screenshot.
Step 202: starting from the scan start point, search the running feature screenshot for a pixel Pb whose pixel value X(Pb) satisfies X(Pb) = X(Pa).
Step 203: taking Pa and Pb as corresponding points, determine the correspondence between the pixels of the malicious activity feature image and the pixels of the running feature screenshot.
In this step, with Pa and Pb as corresponding points, the other pixels in Pa's row correspond to the other pixels in Pb's row; the pixel in Pa's column in the row below Pa corresponds to the pixel in Pb's column in the row below Pb; the other pixels in the row below Pa correspond to the other pixels in the row below Pb; and so on for the remaining rows.
Step 204: judge whether the pixels in Pa's row have the same pixel values as their corresponding pixels; if so, go to step 208, otherwise go to step 205.
In another embodiment of the present invention, this step can instead judge whether, in Pa's row and starting from Pa, the pixels selected at a preset second-threshold spacing (the number of pixels skipped between sampled pixels) have the same values as their corresponding pixels. For example, the preset second threshold can be 1, that is, every other pixel is compared with its corresponding pixel and not every pixel needs to be judged. This is only an example, and the second threshold used in practice is not limited to it.
Step 205: judge whether Pb is the last pixel in the running feature screenshot that can correspond to Pa; if so, go to step 207 (no further candidate remains), otherwise go to step 206.
Step 206: take the pixel after the current Pb as the scan start point and return to step 202.
The pixel after Pb may be the pixel to the right of Pb in the same row, or a pixel in the row below Pb's row; for example, when Pb is the rightmost pixel of its row, the pixel after Pb is the first pixel of the next row. This defines the pixel after Pb for a Z-shaped (row-major) scan order; in practice the pixel after Pb can also be defined by other scan orders, for example a zigzag order.
In this step, the method returns to step 202 and repeats steps 202 and 203 until the pixels in Pa's row have the same values as their corresponding pixels.
In another embodiment of the present invention, when step 204 judges whether the pixels in Pa's row selected at the preset second-threshold spacing, starting from Pa, have the same values as their corresponding pixels, this step repeats steps 202 and 203 until the pixels in Pa's row selected at that spacing, starting from Pa, have the same values as their corresponding pixels.
Step 207: set the similarity between the running feature screenshot and the preset malicious activity feature image to 0.
Step 208: using the correspondence established in step 203, judge whether the pixels of the malicious activity feature image have the same values as their corresponding pixels, count the number Ce of pixels whose values are identical, and calculate Ce/Ct as the similarity between the running feature screenshot and the preset malicious activity feature image, where Ct is the total number of pixels of the malicious activity feature image that were compared against their corresponding pixels.
In another embodiment of the present invention, this step can instead judge whether, in the malicious activity feature image and starting from a predetermined pixel, the pixels selected at a preset third-threshold spacing have the same values as their corresponding pixels. The predetermined pixel can be the pixel in the first row and first column of the feature image, and the preset third threshold may or may not equal the preset second threshold.
As can be seen, in this embodiment the preset second and third thresholds determine which pixels are used in the image similarity calculation; when these preset values are non-zero, the efficiency of the similarity calculation is improved.
Below in conjunction with instantiation, the application is elaborated again.
Suppose, in the operational process of application program W to be detected, to loading interface, intercept, obtain operation characteristic sectional drawing Pic1, to the known application program Y that has malicious act, the visual interface creating in operational process intercepts, and obtains cut-away view picture, and by manual type from intercepting Image Acquisition characteristic image, i.e. default malicious act characteristic image Pic2.
Step 201: obtain the pixel value X(Pa) of the pixel Pa in the first row, first column of the malicious-behaviour feature image Pic2 (the top-left corner of Pic2), and initialize the scan start point to the pixel in the first row, first column of the running-feature screenshot Pic1 (the top-left corner of Pic1).
Step 202: starting from the scan start point, search the running-feature screenshot Pic1 for a pixel Pb whose pixel value X(Pb) satisfies X(Pb) = X(Pa). Suppose that the pixel in the first row, second column of Pic1 meets this requirement, i.e. the pixel Pb in the first row, second column of Pic1 has the same pixel value as the pixel Pa in the first row, first column of Pic2.
Step 203: following the preceding steps, take Pa and Pb as corresponding points and determine the correspondence between the pixels of Pic1 and Pic2, namely: the 2nd, 4th, 6th, 8th, ... pixels of the first row of Pic1 correspond to the 1st, 3rd, 5th, 7th, ... pixels of the first row of Pic2; the 2nd, 4th, 6th, 8th, ... pixels of the second row of Pic1 correspond to the 1st, 3rd, 5th, 7th, ... pixels of the second row of Pic2; and so on for each subsequent row.
Step 204: suppose that the preset second threshold is 1, that the pixel values of the 2nd and 4th pixels of the first row of Pic2 are respectively identical to those of the 1st and 3rd pixels of the first row of Pic1, and that the pixel values of the other corresponding pixels differ. Under this assumption it can be determined that the pixels of the row containing Pa in Pic2 are not all identical to their corresponding points.
Step 205: because Pb is the pixel in the first row, second column of Pic1, Pb is not the last pixel in Pic1 that can correspond to Pa.
Step 206: take the pixel in the first row, third column of Pic1 as the scan start point, return to step 202 and repeat steps 202 to 203 until a point Pa is obtained that satisfies the following condition: in the row containing Pa, taking Pa as the starting point, the pixels selected at an interval of 1 are identical in pixel value to their corresponding pixels. Here, the point Pa assumed to satisfy this condition is the pixel in the second row, first column of Pic1.
Step 208: suppose that the preset third threshold is 1. Using the correspondence determined in step 203 above, with Pa (the pixel in the second row, first column of Pic1) and Pb (the pixel in the first row, first column of Pic2) as corresponding points, judge whether the 1st, 3rd, 5th, 7th, 9th, ... points of each corresponding row of Pic2 and Pic1 are equal, count C_e and C_t, and compute C_e/C_t to obtain the similarity value of Pic1 and Pic2.
On the basis of the above steps, suppose that the preset first threshold is 90% and that the similarity obtained in step 208 is 95%; since the similarity is greater than the preset first threshold, it can be determined that the object A to be detected has malicious behaviour.
As can be seen from the above, in this embodiment, whether the object to be detected has malicious behaviour is detected by capturing screenshots of its interface while it is loaded, without needing the behaviour feature information of the object while it is loaded; therefore, even when little behaviour feature information is available while the object is loaded, detection of whether malicious behaviour exists in the object can still be achieved. At the same time, in this embodiment, the image similarity is computed by sampling every other pixel, which improves the computational efficiency of the image similarity.
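The pixel-matching procedure of steps 201 to 208, as an added worked example in Python that is not part of the patent: it scans a constructed screenshot for the anchor pixel Pb, rejects an anchor whose row does not match at the second-threshold interval, rescans from the pixel after it, and then computes C_e/C_t at the third-threshold interval. Assumptions not stated in the patent: images are lists of rows of integer pixel values with 0-based indices, an interval of 1 means every other pixel (stride = threshold + 1), and a corresponding pixel that falls outside the screenshot counts as a mismatch.

```python
"""
Added worked example (not code from the patent): the interlaced pixel-matching
similarity of steps 201-208 / claims 5-7, run on small constructed images.
Assumptions: 0-based indices; stride = threshold + 1 (an "interval" of 1 means
every other pixel); a corresponding pixel outside the screenshot is a mismatch.
"""
from typing import List, Optional, Tuple

Image = List[List[int]]      # rows of integer pixel values
Point = Tuple[int, int]      # (row, column)


def next_point(img: Image, p: Point) -> Optional[Point]:
    """Pixel following p in raster (row-major) order, or None at the end of the image."""
    r, c = p
    if c + 1 < len(img[r]):
        return (r, c + 1)
    return (r + 1, 0) if r + 1 < len(img) else None


def scan_for_pb(shot: Image, start: Optional[Point], value: int) -> Optional[Point]:
    """Step 202: from the scan start point, find the first pixel Pb with X(Pb) == X(Pa)."""
    p = start
    while p is not None:
        if shot[p[0]][p[1]] == value:
            return p
        p = next_point(shot, p)
    return None


def corresponding(shot: Image, p: Point, offset: Point) -> Optional[int]:
    """Step 203: value of the screenshot pixel that corresponds to feature pixel p."""
    r, c = p[0] + offset[0], p[1] + offset[1]
    if 0 <= r < len(shot) and 0 <= c < len(shot[r]):
        return shot[r][c]
    return None  # outside the screenshot: treated as a mismatch (assumption)


def row_matches(feature: Image, shot: Image, offset: Point, pa: Point, t2: int) -> bool:
    """Step 204 / claim 6: in Pa's row, every pixel sampled every (t2 + 1) pixels
    from Pa must equal its corresponding screenshot pixel."""
    r, c0 = pa
    return all(corresponding(shot, (r, c), offset) == feature[r][c]
               for c in range(c0, len(feature[r]), t2 + 1))


def find_correspondence(feature: Image, shot: Image, t2: int = 1) -> Optional[Point]:
    """Steps 201-206: return the (row, col) offset mapping feature pixels onto the
    screenshot, or None if no anchor row ever matches (similarity is then 0)."""
    pa = (0, 0)                          # step 201: top-left pixel of the feature image
    x_pa = feature[0][0]
    start: Optional[Point] = (0, 0)      # scan start point: top-left of the screenshot
    while True:
        pb = scan_for_pb(shot, start, x_pa)             # step 202
        if pb is None:
            return None                                 # condition can never be met
        offset = (pb[0] - pa[0], pb[1] - pa[1])         # step 203: Pa <-> Pb
        if row_matches(feature, shot, offset, pa, t2):  # step 204
            return offset
        start = next_point(shot, pb)                    # steps 205-206: rescan after Pb


def similarity(feature: Image, shot: Image, t2: int = 1, t3: int = 1) -> float:
    """Step 208 / claim 7: C_e / C_t over the feature pixels sampled every (t3 + 1)
    pixels in each row from the predetermined start (first row, first column)."""
    offset = find_correspondence(feature, shot, t2)
    if offset is None:
        return 0.0
    c_e = c_t = 0
    for r, row in enumerate(feature):
        for c in range(0, len(row), t3 + 1):
            c_t += 1                                    # pixel used for judging
            if corresponding(shot, (r, c), offset) == row[c]:
                c_e += 1                                # identical to its counterpart
    return c_e / c_t if c_t else 0.0


def has_malicious_behaviour(feature: Image, shot: Image, t1: float = 0.90) -> bool:
    """Claim 2: malicious if the similarity is not less than the first threshold."""
    return similarity(feature, shot) >= t1


# Constructed sample data: a 3x8 feature image and a 4x10 screenshot in which the
# feature appears shifted one row down and one column right, with one pixel altered.
FEATURE: Image = [
    [9, 1, 9, 2, 9, 3, 9, 4],
    [3, 9, 4, 9, 5, 9, 6, 9],
    [5, 6, 7, 8, 1, 2, 3, 4],
]
SHOT: Image = [
    [9, 0, 0, 0, 0, 0, 0, 0, 0, 0],   # stray 9 at (0,0): first Pb candidate, row check fails
    [0, 9, 1, 9, 2, 9, 3, 9, 4, 0],
    [0, 3, 9, 4, 9, 5, 9, 6, 9, 0],
    [0, 5, 6, 0, 8, 1, 2, 3, 4, 0],   # feature value 7 altered to 0: one sampled mismatch
]

if __name__ == "__main__":
    print("offset:", find_correspondence(FEATURE, SHOT))
    print(f"similarity = {similarity(FEATURE, SHOT):.3f}, "
          f"malicious = {has_malicious_behaviour(FEATURE, SHOT)}")
```

With the default thresholds the stray top-left 9 is tried first and rejected, the true anchor (1, 1) is found on the rescan, and 11 of the 12 sampled pixels match, so the similarity is about 0.917 and exceeds the 90% first threshold.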
Fig. 3 is a structural schematic diagram of a malicious-behaviour detection device provided by an embodiment of the present invention. The device comprises: an interception unit 301, a similarity calculation unit 302 and a malicious-behaviour determination unit 303.
The interception unit 301 is used to capture, during the running of the object to be detected, the visual interface created by the object to be detected, obtaining a running-feature screenshot;
the similarity calculation unit 302 is used to calculate the similarity between the running-feature screenshot and a preset malicious-behaviour feature image;
the malicious-behaviour determination unit 303 is used to determine, according to the calculated similarity, whether the object to be detected has malicious behaviour.
In this embodiment, the malicious-behaviour determination unit 303 may comprise a similarity judgment sub-unit and a malicious-behaviour determination sub-unit (not shown). The similarity judgment sub-unit is used to judge, according to the calculated similarity, whether the similarity is less than a preset first threshold; the malicious-behaviour determination sub-unit is used to determine that the object to be detected has malicious behaviour when the similarity judgment sub-unit judges that the similarity is not less than the preset first threshold.
In this embodiment, the interception unit 301 is specifically used to monitor the visual-interface creation behaviour during the running of the object to be detected and, when visual-interface creation behaviour is detected, to capture the created visual interface.
In this embodiment, the similarity calculation unit 302 may comprise: an initialization sub-unit, a scanning sub-unit, a correspondence determination sub-unit, a loop control sub-unit and a similarity computation sub-unit (not shown).
The initialization sub-unit is used to obtain the pixel value X(Pa) of the pixel Pa in the first row, first column of the malicious-behaviour feature image, and to initialize the scan start point to the pixel in the first row, first column of the running-feature screenshot;
the scanning sub-unit is used to search the running-feature screenshot, starting from the scan start point, for a pixel Pb whose pixel value X(Pb) satisfies X(Pb) = X(Pa), and to trigger the correspondence determination sub-unit;
the correspondence determination sub-unit is used to take Pa and Pb as corresponding points and determine the correspondence between the pixels of the malicious-behaviour feature image and of the running-feature screenshot;
the loop control sub-unit is used to judge whether the pixels of the row containing Pa are identical in pixel value to their corresponding pixels; if so, it triggers the similarity computation sub-unit to perform the similarity calculation; if not, it sets the pixel following the current pixel Pb as the scan start point and triggers the scanning sub-unit to scan, until the pixels of the row containing Pa are identical in pixel value to their corresponding pixels, whereupon it triggers the similarity computation sub-unit to perform the similarity calculation; if the pixel-value identity condition cannot be met, the similarity calculation result is set to 0;
the similarity computation sub-unit is used to judge, according to the pixel correspondence established by the correspondence determination sub-unit, whether the pixels of the malicious-behaviour feature image are identical in pixel value to their corresponding pixels, to count the number C_e of points with identical pixel values, and to compute C_e/C_t to obtain the similarity between the running-feature screenshot and the preset malicious-behaviour feature image, where C_t is the total number of pixels in the malicious-behaviour feature image used for judging whether they are identical to their corresponding pixels.
In this embodiment, the loop control sub-unit is specifically used to judge whether, in the row containing Pa and taking Pa as the starting point, the pixels selected at an interval of the preset second threshold are identical in pixel value to their corresponding pixels; if so, it triggers the similarity computation sub-unit to perform the similarity calculation; if not, it sets the pixel following the current pixel Pb as the scan start point and triggers the scanning sub-unit to scan, until, in the row containing Pa and taking Pa as the starting point, the pixels selected at an interval of the preset second threshold are identical in pixel value to their corresponding pixels, whereupon it triggers the similarity computation sub-unit to perform the similarity calculation; if the pixel-value identity condition cannot be met, the similarity calculation result is set to 0.
In this embodiment, the similarity computation sub-unit is specifically used to judge, according to the pixel correspondence established by the correspondence determination sub-unit, whether, in the malicious-behaviour feature image, taking a predetermined pixel as the starting point (for example, the pixel in the first row, first column), the pixels selected at an interval of the preset third threshold are identical in pixel value to their corresponding pixels, to count the number C_e of points with identical pixel values, and to compute C_e/C_t to obtain the similarity between the running-feature screenshot and the preset malicious-behaviour feature image, where C_t is the total number of pixels in the malicious-behaviour feature image used for judging whether they are identical to their corresponding pixels.
As can be seen from the above, in this embodiment, whether the object to be detected has malicious behaviour is detected by capturing screenshots of its interface while it is loaded, without needing the behaviour feature information of the object while it is loaded; therefore, even when little behaviour feature information is available while the object is loaded, detection of whether malicious behaviour exists in the object can still be achieved.
Fig. 4 is a structural schematic diagram of another malicious-behaviour detection device provided by an embodiment of the present invention. This device comprises: an interception unit 401, a similarity calculation unit 402, a malicious-behaviour determination unit 403 and a malicious-behaviour feature image generation unit 404.
It should be noted that, in this embodiment, the interception unit 401, the similarity calculation unit 402 and the malicious-behaviour determination unit 403 may be respectively identical to the interception unit 301, the similarity calculation unit 302 and the malicious-behaviour determination unit 303 of the embodiment shown in Fig. 3, and are not described again here.
In this embodiment, the malicious-behaviour feature image generation unit 404 may comprise: a loading sub-unit, a capturing sub-unit, an obtaining sub-unit and a recording sub-unit (not shown).
The loading sub-unit is used to load an object known to have malicious behaviour;
the capturing sub-unit is used to capture, during the running of the object having malicious behaviour, the visual interface created by the object having malicious behaviour;
the obtaining sub-unit is used to generate the malicious-behaviour feature image according to the capture result;
the recording sub-unit is used to record the obtained malicious-behaviour feature image.
As can be seen from the above, in this embodiment, whether the object to be detected has malicious behaviour is detected by capturing screenshots of its interface while it is loaded, without needing the behaviour feature information of the object while it is loaded; therefore, even when little behaviour feature information is available while the object is loaded, detection of whether malicious behaviour exists in the object can still be achieved.
As for the device embodiments, since they are substantially similar to the method embodiments, their description is relatively brief; for the relevant parts, refer to the description of the method embodiments.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be implemented by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.

Claims (14)

1. A malicious-behaviour detection method, characterized in that the method comprises:
during the running of an object to be detected, capturing the visual interface created by the object to be detected, obtaining a running-feature screenshot;
calculating the similarity between the running-feature screenshot and a preset malicious-behaviour feature image;
determining, according to the calculated similarity, whether the object to be detected has malicious behaviour.
2. The method according to claim 1, characterized in that determining, according to the calculated similarity, whether the object to be detected has malicious behaviour comprises:
judging, according to the calculated similarity, whether the similarity is less than a preset first threshold;
if not, determining that the object to be detected has malicious behaviour.
3. The method according to claim 1 or 2, characterized in that capturing, during the running of the object to be detected, the visual interface created by the object to be detected comprises:
monitoring the visual-interface creation behaviour during the running of the object to be detected and, if visual-interface creation behaviour is detected, capturing the created visual interface.
4. The method according to claim 1 or 2, characterized in that the preset malicious-behaviour feature image is obtained by the following method:
loading an object known to have malicious behaviour;
during the running of the object having malicious behaviour, capturing the visual interface created by the object having malicious behaviour;
obtaining the malicious-behaviour feature image according to the capture result;
recording the obtained malicious-behaviour feature image.
5. The method according to claim 1 or 2, characterized in that calculating the similarity between the running-feature screenshot and the preset malicious-behaviour feature image comprises:
a. obtaining the pixel value X(Pa) of the pixel Pa in the first row, first column of the malicious-behaviour feature image, and initializing the scan start point to the pixel in the first row, first column of the running-feature screenshot;
b. starting from the scan start point, searching the running-feature screenshot for a pixel Pb whose pixel value X(Pb) satisfies X(Pb) = X(Pa);
c. taking Pa and Pb as corresponding points, determining the correspondence between the pixels of the malicious-behaviour feature image and of the running-feature screenshot;
d. judging whether the pixels of the row containing Pa are identical in pixel value to their corresponding pixels;
if so, further performing step e;
if not, taking the pixel following the current pixel Pb as the scan start point and repeating steps b to c until the pixels of the row containing Pa are identical in pixel value to their corresponding pixels, then further performing step e; if the pixel-value identity condition cannot be met, setting the similarity calculation result to 0;
e. judging, according to the pixel correspondence established in step c, whether the pixels of the malicious-behaviour feature image are identical in pixel value to their corresponding pixels, counting the number C_e of pixels with identical pixel values, and computing C_e/C_t to obtain the similarity between the running-feature screenshot and the preset malicious-behaviour feature image, where C_t is the total number of pixels in the malicious-behaviour feature image used for judging whether they are identical to their corresponding pixels.
6. The method according to claim 5, characterized in that
judging whether the pixels of the row containing Pa are identical in pixel value to their corresponding pixels comprises:
judging whether, in the row containing Pa and taking Pa as the starting point, the pixels selected at an interval of a preset second threshold are identical in pixel value to their corresponding pixels.
7. The method according to claim 6, characterized in that
judging whether the pixels of the malicious-behaviour feature image are identical in pixel value to their corresponding pixels comprises:
judging whether, in the malicious-behaviour feature image and taking a predetermined pixel as the starting point, the pixels selected at an interval of a preset third threshold are identical in pixel value to their corresponding pixels.
8. A malicious-behaviour detection device, characterized in that the device comprises:
an interception unit, used to capture, during the running of an object to be detected, the visual interface created by the object to be detected, obtaining a running-feature screenshot;
a similarity calculation unit, used to calculate the similarity between the running-feature screenshot and a preset malicious-behaviour feature image;
a malicious-behaviour determination unit, used to determine, according to the calculated similarity, whether the object to be detected has malicious behaviour.
9. The device according to claim 8, characterized in that the malicious-behaviour determination unit comprises: a similarity judgment sub-unit and a malicious-behaviour determination sub-unit;
the similarity judgment sub-unit is used to judge, according to the calculated similarity, whether the similarity is less than a preset first threshold;
the malicious-behaviour determination sub-unit is used to determine that the object to be detected has malicious behaviour when the similarity judgment sub-unit judges that the similarity is not less than the preset first threshold.
10. The device according to claim 8 or 9, characterized in that the interception unit is specifically used to monitor the visual-interface creation behaviour during the running of the object to be detected and, if visual-interface creation behaviour is detected, to capture the created visual interface.
11. The device according to claim 8 or 9, characterized in that the device further comprises: a malicious-behaviour feature image generation unit;
the malicious-behaviour feature image generation unit comprises: a loading sub-unit, a capturing sub-unit, an obtaining sub-unit and a recording sub-unit;
the loading sub-unit is used to load an object known to have malicious behaviour;
the capturing sub-unit is used to capture, during the running of the object having malicious behaviour, the visual interface created by the object having malicious behaviour;
the obtaining sub-unit is used to generate the malicious-behaviour feature image according to the capture result;
the recording sub-unit is used to record the obtained malicious-behaviour feature image.
12. The device according to claim 8 or 9, characterized in that the similarity calculation unit comprises: an initialization sub-unit, a scanning sub-unit, a correspondence determination sub-unit, a loop control sub-unit and a similarity computation sub-unit;
the initialization sub-unit is used to obtain the pixel value X(Pa) of the pixel Pa in the first row, first column of the malicious-behaviour feature image, and to initialize the scan start point to the pixel in the first row, first column of the running-feature screenshot;
the scanning sub-unit is used to search the running-feature screenshot, starting from the scan start point, for a pixel Pb whose pixel value X(Pb) satisfies X(Pb) = X(Pa), and to trigger the correspondence determination sub-unit;
the correspondence determination sub-unit is used to take Pa and Pb as corresponding points and determine the correspondence between the pixels of the malicious-behaviour feature image and of the running-feature screenshot;
the loop control sub-unit is used to judge whether the pixels of the row containing Pa are identical in pixel value to their corresponding pixels;
if so, to trigger the similarity computation sub-unit to perform the similarity calculation;
if not, to set the pixel following the current pixel Pb as the scan start point and trigger the scanning sub-unit to scan, until the pixels of the row containing Pa are identical in pixel value to their corresponding pixels, then to trigger the similarity computation sub-unit to perform the similarity calculation; if the pixel-value identity condition cannot be met, the similarity calculation result is set to 0;
the similarity computation sub-unit is used to judge, according to the pixel correspondence established by the correspondence determination sub-unit, whether the pixels of the malicious-behaviour feature image are identical in pixel value to their corresponding pixels, to count the number C_e of points with identical pixel values, and to compute C_e/C_t to obtain the similarity between the running-feature screenshot and the preset malicious-behaviour feature image, where C_t is the total number of pixels in the malicious-behaviour feature image used for judging whether they are identical to their corresponding pixels.
13. The device according to claim 12, characterized in that
the loop control sub-unit is specifically used to judge whether, in the row containing Pa and taking Pa as the starting point, the pixels selected at an interval of a preset second threshold are identical in pixel value to their corresponding pixels;
if so, to trigger the similarity computation sub-unit to perform the similarity calculation;
if not, to set the pixel following the current pixel Pb as the scan start point and trigger the scanning sub-unit to scan, until, in the row containing Pa and taking Pa as the starting point, the pixels selected at an interval of the preset second threshold are identical in pixel value to their corresponding pixels, then to trigger the similarity computation sub-unit to perform the similarity calculation; if the pixel-value identity condition cannot be met, the similarity calculation result is set to 0.
14. The device according to claim 13, characterized in that
the similarity computation sub-unit is specifically used to judge, according to the pixel correspondence established by the correspondence determination sub-unit, whether, in the malicious-behaviour feature image and taking a predetermined pixel as the starting point, the pixels selected at an interval of a preset third threshold are identical in pixel value to their corresponding pixels, to count the number C_e of points with identical pixel values, and to compute C_e/C_t to obtain the similarity between the running-feature screenshot and the preset malicious-behaviour feature image, where C_t is the total number of pixels in the malicious-behaviour feature image used for judging whether they are identical to their corresponding pixels.
CN201310747287.XA 2013-12-30 2013-12-30 Malicious activity detection method and device Pending CN103699843A (en)

Publications (1)

Publication Number Publication Date
CN103699843A true CN103699843A (en) 2014-04-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20140402)