CN104486312A - Recognition method and recognition device for applications - Google Patents

Publication number
CN104486312A
Authority
CN
China
Legal status
Granted
Application number
CN201410737499.4A
Other languages
Chinese (zh)
Other versions
CN104486312B (en)
Inventor
葛山
张菊元
谢京辉
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd

Abstract

The embodiment of the invention provides a recognition method and a recognition device for applications. The method includes the following steps: one or more pieces of attribute information of an executable file in an application to be recognized are detected; the attribute information is sent to a server, in which one or more pieces of characteristic attribute information of an executable file in a characteristic application are stored; a recognition result returned by the server, obtained by recognition using the attribute information and the characteristic attribute information, is received; when the recognition result indicates that the attribute information matches the characteristic attribute information, it is determined that the application to be recognized matches the characteristic application. The embodiment of the invention does not require a locally configured recognition library, the resource occupation of the local system is reduced, and the accuracy of the characteristic attribute information is ensured.

Description

Recognition method and device for an application program
Technical field
The present invention relates to the technical field of application programs, and in particular to a recognition method for an application program and a recognition device for an application program.
Background art
With the development of Internet technology, a wide variety of feature-rich application programs have been developed, such as instant messaging tools, audio players, video players and calendar tools, bringing many conveniences to people's lives.
In some scenarios a specific application program needs to be operated on, for example for security detection, and this generally requires first recognizing the application program.
To recognize an application program, a recognition library is generally downloaded from a server to the client, and a recognition program running locally on the client uses the recognition library to recognize the application program.
However, the recognition library is generally very large. Because application programs are updated often, the recognition library may need to be updated along with them, and if it is not updated in time, recognition errors may result. The client therefore has to download the recognition library from the server again frequently, which repeatedly consumes a large amount of bandwidth and time; if the network is unstable, the recognition library may contain latent errors.
The client recognition program is deployed on the client. Because application programs are updated often, the recognition program may also need to be updated along with them, and recognition errors may otherwise result. The client therefore also has to download new recognition program files from the server frequently and deploy the new recognition program, which likewise repeatedly consumes a large amount of bandwidth and time, and upgrading the recognition program files can also introduce latent errors.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a recognition method for an application program, and a corresponding recognition device for an application program, that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a recognition method for an application program is provided, comprising:
Detecting one or more pieces of attribute information of an executable file in an application program to be recognized;
Sending the one or more pieces of attribute information to a server, the server storing one or more pieces of characteristic attribute information of an executable file in a characteristic application program;
Receiving a recognition result returned by the server, the recognition result being obtained by recognition using the one or more pieces of attribute information and the one or more pieces of characteristic attribute information;
When the recognition result is that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information, determining that the application program to be recognized matches the characteristic application program.
Optionally, the step of sending the one or more pieces of attribute information to the server comprises:
Encrypting the one or more pieces of attribute information to obtain an encrypted attribute information set;
Sending the encrypted attribute information set to the server.
Optionally, the attribute information comprises first attribute information and second attribute information; the characteristic attribute information comprises first characteristic attribute information and second characteristic attribute information;
The server matches the one or more pieces of attribute information against the one or more pieces of characteristic attribute information in the following manner:
Sub-step S21, judging whether the first attribute information matches the first characteristic attribute information; if so, performing sub-step S22;
Sub-step S22, judging whether the second attribute information matches the second characteristic attribute information; if so, performing sub-step S23;
Sub-step S23, determining that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information.
Optionally, the first attribute information comprises a file name, and the first characteristic attribute information comprises a characteristic file name;
The step of judging whether the first attribute information matches the first characteristic attribute information comprises:
Judging whether the file name is identical to the characteristic file name; if so, determining that the first attribute information matches the first characteristic attribute information.
Optionally, the second attribute information comprises at least one of registry information, a file icon, file description information, a product name and version information;
The second characteristic attribute information comprises at least one of characteristic registry information, a characteristic file icon, characteristic file description information, a characteristic product name and characteristic version information.
Optionally, the step of judging whether the second attribute information matches the second characteristic attribute information comprises:
Judging whether the registry information matches the characteristic registry information; if so, determining that the second attribute information matches the second characteristic attribute information.
Optionally, the step of judging whether the second attribute information matches the second characteristic attribute information comprises:
Judging whether the file icon matches the characteristic file icon; if so, determining that the second attribute information matches the second characteristic attribute information.
Optionally, the step of judging whether the second attribute information matches the second characteristic attribute information comprises:
Judging whether the file description information, the product name and the version information respectively match the characteristic file description information, the characteristic product name and the characteristic version information; if so, determining that the second attribute information matches the second characteristic attribute information.
According to another aspect of the present invention, a recognition device for an application program is provided, comprising:
A detection module, adapted to detect one or more pieces of attribute information of an executable file in an application program to be recognized;
A sending module, adapted to send the one or more pieces of attribute information to a server, the server storing one or more pieces of characteristic attribute information of an executable file in a characteristic application program;
A receiving module, adapted to receive a recognition result returned by the server, the recognition result being obtained by recognition using the one or more pieces of attribute information and the one or more pieces of characteristic attribute information;
A judging module, adapted to determine, when the recognition result is that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information, that the application program to be recognized matches the characteristic application program.
Optionally, the sending module is further adapted to:
Encrypt the one or more pieces of attribute information to obtain an encrypted attribute information set;
Send the encrypted attribute information set to the server.
Optionally, the attribute information comprises first attribute information and second attribute information; the characteristic attribute information comprises first characteristic attribute information and second characteristic attribute information;
The server matches the one or more pieces of attribute information against the one or more pieces of characteristic attribute information in the following manner:
Sub-step S21, judging whether the first attribute information matches the first characteristic attribute information; if so, performing sub-step S22;
Sub-step S22, judging whether the second attribute information matches the second characteristic attribute information; if so, performing sub-step S23;
Sub-step S23, determining that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information.
Optionally, the first attribute information comprises a file name, and the first characteristic attribute information comprises a characteristic file name;
The first attribute information is matched against the first characteristic attribute information in the following manner:
Judging whether the file name is identical to the characteristic file name; if so, determining that the first attribute information matches the first characteristic attribute information.
Optionally, the second attribute information comprises at least one of registry information, a file icon, file description information, a product name and version information;
The second characteristic attribute information comprises at least one of characteristic registry information, a characteristic file icon, characteristic file description information, a characteristic product name and characteristic version information.
Optionally, the second attribute information is matched against the second characteristic attribute information in the following manner:
Judging whether the registry information matches the characteristic registry information; if so, determining that the second attribute information matches the second characteristic attribute information.
Optionally, the second attribute information is matched against the second characteristic attribute information in the following manner:
Judging whether the file icon matches the characteristic file icon; if so, determining that the second attribute information matches the second characteristic attribute information.
Optionally, the second attribute information is matched against the second characteristic attribute information in the following manner:
Judging whether the file description information, the product name and the version information respectively match the characteristic file description information, the characteristic product name and the characteristic version information; if so, determining that the second attribute information matches the second characteristic attribute information.
In the embodiments of the present invention, one or more pieces of attribute information detected for the executable file in the application program to be recognized are sent to the server, and the server performs recognition using the one or more pieces of attribute information and the one or more pieces of characteristic attribute information. When the one or more pieces of attribute information match the one or more pieces of characteristic attribute information, the application program to be recognized is determined to be the same as the characteristic application program. Because the characteristic attribute information of the characteristic application program is updated and maintained on the server, no recognition library needs to be configured locally, which reduces resource usage on the local system. At the same time, the server can react quickly to changes in an application program's attribute information and modify the characteristic attribute information, which ensures the accuracy of the characteristic attribute information globally.
The embodiments of the present invention encrypt the attribute information, which improves security during transmission to the server.
In addition to recognizing an application program by file name, the embodiments of the present invention use attribute information such as registry information, file icon, file description information, product name and version information to recognize the application program, so that application programs that have been tampered with or disguised can be recognized effectively, which greatly improves the recognition success rate.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention are more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of the steps of an embodiment of a recognition method for an application program according to an embodiment of the present invention; and
Fig. 2 shows a structural block diagram of an embodiment of a recognition device for an application program according to an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure can be understood more thoroughly and so that the scope of the present disclosure can be fully conveyed to those skilled in the art.
Referring to Fig. 1, a flow chart of the steps of an embodiment of a recognition method for an application program according to an embodiment of the present invention is shown, which may specifically comprise the following steps:
Step 101, detecting one or more pieces of attribute information of an executable file in an application program to be recognized;
In a specific implementation, the executable file of the application program to be recognized can be found by scanning file directories, the file information under the file directories, and the like.
An executable file here can refer to a file in the portable executable (PE) file format, which can be loaded into memory and executed by the operating system loader.
The extension of an executable file can include ".exe", ".sys", ".com" and so on.
For an executable file, the corresponding attribute information can be extracted from field values in its installation package.
Because an executable file is compiled, its attribute information generally cannot be changed directly and can be used for recognizing the application program.
Step 102, sending the one or more pieces of attribute information to a server;
In the embodiments of the present invention, the application program to be recognized can be recognized on the server by means of the one or more pieces of attribute information of the executable file.
In one embodiment of the present invention, step 102 may comprise the following sub-steps:
Sub-step S11, encrypting the one or more pieces of attribute information to obtain an encrypted attribute information set;
Sub-step S12, sending the encrypted attribute information set to the server.
In a specific implementation, the client and the server can agree on the encryption method in advance.
Encrypting the one or more pieces of attribute information by symmetric encryption and by asymmetric encryption is described below.
Symmetric encryption may be an encryption method using a single-key cryptosystem, in which the same key is used for both encrypting and decrypting the information.
The client and the server can agree in advance on the key and the algorithm used to encrypt and decrypt the attribute information, such as the DES (Data Encryption Standard) algorithm, the IDEA (International Data Encryption Algorithm) algorithm or the AES (Advanced Encryption Standard) algorithm.
Asymmetric encryption may be an encryption method using a cryptosystem in which encryption and decryption use two different keys.
A digital signature can be generated for data or a file (for example, the attribute information). By verifying the digital signature, the recipient (for example, the server) can check whether the data or file is complete and accurate, and can determine that the data or file was sent by the party that generated the digital signature (for example, the client) rather than forged by a third party, and that the data or file has not been tampered with.
A digital signature scheme usually comprises two complementary algorithms, one for generating the digital signature and the other for verifying it.
Of course, the above encryption methods are only examples. When implementing the embodiments of the present invention, other encryption methods can be set according to the actual situation, and the embodiments of the present invention place no limitation on this. In addition, those skilled in the art may adopt other encryption methods according to actual needs, and the embodiments of the present invention place no limitation on this either.
Applying the embodiments of the present invention, the server can store one or more pieces of characteristic attribute information of the executable file in the characteristic application program.
The server can analyze the required application program (that is, the characteristic application program), extract the attribute information of the executable file of that application program as characteristic attribute information, and store it in the server's database for use in subsequent detection.
The embodiments of the present invention encrypt the attribute information, which improves security during transmission to the server.
Step 103, receiving a recognition result returned by the server, the recognition result being obtained by recognition using the one or more pieces of attribute information and the one or more pieces of characteristic attribute information;
When the server receives the attribute information sent by the client, it can match it against the characteristic attribute information collected in advance in order to recognize the application program to be recognized.
If the client encrypts the one or more pieces of attribute information and sends the encrypted attribute information to the server, the server can perform the corresponding decryption on the encrypted attribute information to obtain the one or more pieces of characteristic attribute information.
In a specific implementation, the attribute information may comprise first attribute information and second attribute information, and the characteristic attribute information may comprise first characteristic attribute information and second characteristic attribute information;
In the embodiments of the present invention, the server matches the one or more pieces of attribute information against the one or more pieces of characteristic attribute information in the following manner:
Sub-step S21, judging whether the first attribute information matches the first characteristic attribute information; if so, performing sub-step S22;
In the embodiments of the present invention, at least two pieces of attribute information (that is, the first attribute information and the second attribute information) can be matched in order to improve the accuracy of recognition.
In an optional example of the embodiments of the present invention, the first attribute information may comprise a file name, and the first characteristic attribute information may comprise a characteristic file name; in this example, sub-step S21 may comprise the following sub-steps:
Sub-step S211, judging whether the file name is identical to the characteristic file name; if so, performing sub-step S212;
Sub-step S212, determining that the first attribute information matches the first characteristic attribute information.
Applying the embodiments of the present invention, a file name list can be preset on the server, and one or more characteristic file names can be stored in the file name list.
The server matches the file name of the application program to be recognized, uploaded by the client, against the file name list to detect whether it is identical to a preset characteristic file name. If it is identical, matching of the second attribute information can proceed; if it is not, the application program to be recognized can be considered not to be the required application program.
Sub-step S22, judging whether the second attribute information matches the second characteristic attribute information; if so, performing sub-step S23;
Because the file name of an executable file is easily modified, it is generally not possible to determine very accurately from the file name alone whether the required application program has been found by the scan.
In the embodiments of the present invention, after the file name of the application program has been checked, other properties specific to the application program (that is, the second attribute information) can be used to continue the judgment, in order to ensure the accuracy of recognizing the required application program.
In a specific implementation, the second attribute information may comprise at least one of registry information, a file icon, file description information, a product name and version information;
The second characteristic attribute information may comprise at least one of characteristic registry information, a characteristic file icon, characteristic file description information, a characteristic product name and characteristic version information.
In an optional example of the embodiments of the present invention, sub-step S22 may comprise the following sub-steps:
Sub-step S221, judging whether the registry information matches the characteristic registry information; if so, performing sub-step S222;
Sub-step S222, determining that the second attribute information matches the second characteristic attribute information.
The registry (Registry, also known as logfile) is an important database in the operating system and can be used to store configuration information of the system and of application programs.
Applying the embodiments of the present invention, the registry information of the required application program (that is, the characteristic registry information) can be collected in advance, and the registry information of an application program can be matched against the preset characteristic registry information, so that an application program of the specified type can be recognized quickly.
When an application program is installed in the operating system, its registry path is generally unique. Therefore, when the registry path of the application program matches the characteristic registry information, this indicates that the application program is installed in the operating system; if the registry path does not match the characteristic registry information, the triggered application program is not necessarily the required application program.
In an optional example of the embodiments of the present invention, sub-step S22 may comprise the following sub-steps:
Sub-step S223, judging whether the file icon matches the characteristic file icon; if so, performing sub-step S224;
Sub-step S224, determining that the second attribute information matches the second characteristic attribute information.
An icon (such as an Icon) can refer to a graphic mark designed in computer software programming to make the human-machine interface easier to operate and more user-friendly and to identify a specific function.
Generally speaking, the icon (such as an Icon) of each application program can be unique, that is, the icons used by different application programs are not identical, so the icon can be relied on as a means of recognizing an application program of the specified type.
Applying the embodiments of the present invention, the icon of the required application program (that is, the characteristic icon) can be collected in advance, and the icon of an application program can be matched against the preset characteristic icon, so that an application program of the specified type can be recognized quickly.
In a specific implementation, the similarity between the feature information of the file icon and that of the characteristic file icon can be calculated; when the similarity is greater than a similarity threshold, the file icon can be considered to match the characteristic file icon.
For example, the feature information may comprise shape feature information and color feature information; shape feature information can refer to information characterizing the shape of the image, and color feature information can refer to information characterizing the color of the image.
There are two main classes of representation for shape feature information: one is region features, which concern the whole shape region of the image; the other is contour features, which concern the outer boundary of the object.
Typical methods for extracting shape feature information include the boundary feature method (the outer boundary of the image), the geometric parameter method (geometric parameterization of the image), the shape invariant moment method (finding moment-invariant features of the image), the Fourier shape descriptor method (Fourier transform method), and so on.
Color feature information can be described by the color features of the image or of an image region, and it is a global feature.
Typical methods for extracting color feature information include color histograms, color sets, color moments, and so on.
Of course, the above feature information is only an example. When implementing the embodiments of the present invention, other feature information can be set according to the actual situation, and the embodiments of the present invention place no limitation on this. In addition, those skilled in the art may adopt other feature information according to actual needs, and the embodiments of the present invention place no limitation on this either.
In an optional example of the embodiments of the present invention, sub-step S22 may comprise the following sub-steps:
Sub-step S225, judging whether the file description information, the product name and the version information respectively match the characteristic file description information, the characteristic product name and the characteristic version information; if so, performing sub-step S226;
Sub-step S226, determining that the second attribute information matches the second characteristic attribute information.
Applying the embodiments of the present invention, the characteristic description information, characteristic product name and characteristic version information of the required application program can be collected in advance.
The file description information of the current application program is matched against the preset characteristic description information, the product name of the current application program against the preset characteristic product name, and the version information of the current application program against the preset characteristic version information, so that the required application program can be recognized quickly.
It should be noted that the embodiments of the present invention can use at least one of registry information, file icon, file description information, product name and version information for matching, to judge whether an application program is the required application program.
For example, the registry is matched first; if the registry information of the application program is judged not to match the preset characteristic registry information, the file icon can then be matched; if the file icon of the application program is judged not to match the preset characteristic icon, the file description information, product name and version information can then be matched.
Of course, the above second attribute information is only an example. When implementing the embodiments of the present invention, other second attribute information can be set according to the actual situation, and the embodiments of the present invention place no limitation on this. In addition, those skilled in the art may adopt other second attribute information according to actual needs, and the embodiments of the present invention place no limitation on this either.
In addition to recognizing an application program by file name, the embodiments of the present invention use attribute information such as registry information, file icon, file description information, product name and version information to recognize the application program, so that application programs that have been tampered with or disguised can be recognized effectively, which greatly improves the recognition success rate.
Sub-step S23: judge that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information.
In practical applications, if the second attribute information matches the second characteristic attribute information, the attribute information can be considered to match the characteristic attribute information.
The server can then return to the client a recognition result indicating that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information.
If the second attribute information does not match the second characteristic attribute information, the attribute information can be considered not to match the characteristic attribute information.
The server can then return to the client a recognition result indicating that the one or more pieces of attribute information do not match the one or more pieces of characteristic attribute information.
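The server-side matching of sub-steps S21 to S23, with the fallback order given in the example above (registry, then icon, then file description, product name and version), is sketched here as an added Python example that is not code from the patent. The field formats (registry value as an install path, icon as a digest string), the case-insensitive file-name comparison, and the `ExamplePay` sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Attributes:
    """Attribute information of one executable (field formats are assumptions)."""
    file_name: str                          # first attribute information
    registry: Optional[str] = None          # second attribute information starts here
    icon_digest: Optional[str] = None       # icon represented as a digest string
    file_description: Optional[str] = None
    product_name: Optional[str] = None
    version: Optional[str] = None


@dataclass(frozen=True)
class Feature:
    """Characteristic attribute information stored on the server for one application."""
    app: str
    attrs: Attributes


def _equal(observed: Optional[str], expected: Optional[str]) -> bool:
    # A characteristic value that is not configured never produces a match,
    # so two missing values (None == None) are not treated as agreement.
    return expected is not None and observed == expected


def match_second(a: Attributes, f: Attributes) -> Optional[str]:
    """Sub-step S22: registry first, then icon, then description/product/version."""
    if _equal(a.registry, f.registry):
        return "registry"
    if _equal(a.icon_digest, f.icon_digest):
        return "icon"
    if (_equal(a.file_description, f.file_description)
            and _equal(a.product_name, f.product_name)
            and _equal(a.version, f.version)):
        return "version_info"
    return None


def recognize(a: Attributes, features: Iterable[Feature]) -> dict:
    """Return the recognition result the server would send back to the client."""
    for feat in features:
        # Sub-step S21: the file name must equal the characteristic file name.
        # Case-insensitive comparison is an assumption (Windows file names).
        if a.file_name.casefold() != feat.attrs.file_name.casefold():
            continue
        via = match_second(a, feat.attrs)
        if via is not None:
            # Sub-step S23: the attribute information matches.
            return {"matched": True, "app": feat.app, "via": via}
    return {"matched": False, "app": None, "via": None}


# Constructed sample data, not taken from the patent.
FEATURES = [Feature("ExamplePay", Attributes(
    file_name="examplepay.exe",
    registry=r"C:\Program Files\ExamplePay\examplepay.exe",
    icon_digest="constructed-icon-digest-01",
    file_description="ExamplePay Client",
    product_name="ExamplePay",
    version="3.2.1.0",
))]


def demo() -> list:
    """Run the constructed cases and return (label, result) pairs."""
    cases = {
        "default install": Attributes("ExamplePay.exe",
                                      registry=r"C:\Program Files\ExamplePay\examplepay.exe"),
        "moved install": Attributes("examplepay.exe", registry=r"D:\Apps\ep.exe",
                                    icon_digest="constructed-icon-digest-01"),
        "version info only": Attributes("examplepay.exe", icon_digest="other",
                                        file_description="ExamplePay Client",
                                        product_name="ExamplePay", version="3.2.1.0"),
        "same name only": Attributes("examplepay.exe", product_name="ExamplePay"),
        "different name": Attributes("setup.exe", icon_digest="constructed-icon-digest-01"),
    }
    return [(label, recognize(a, FEATURES)) for label, a in cases.items()]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label:18} -> {result}")
```

The `same name only` case shows why sub-step S22 exists: a file that carries only the characteristic file name is not recognized as the characteristic application.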
Step 104: when the recognition result is that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information, judge that the application to be identified matches the characteristic application.
When the attribute information matches the characteristic attribute information, the current application can be considered to match the characteristic application, that is, to be the required application.
Once the required application has been identified, it can be processed accordingly.
For example, if the application is a game or a payment tool, it is often attacked by malicious programs, which endangers personal privacy and property, so it needs to be protected.
As another example, if the application exhibits malicious behavior that affects device performance or personal privacy, it needs to be monitored.
In the embodiment of the present invention, one or more pieces of attribute information detected for the executable file in the application to be identified are sent to a server, and the server performs recognition using the one or more pieces of attribute information and one or more pieces of characteristic attribute information. When the one or more pieces of attribute information match the one or more pieces of characteristic attribute information, the application to be identified is judged to be the same as the characteristic application. Because the characteristic attribute information of the characteristic application is updated and maintained on the server, no recognition library needs to be configured locally, which reduces local system resource usage. At the same time, the server can react quickly to changes in an application's attribute information and modify the characteristic attribute information, which ensures the accuracy of the characteristic attribute information globally.
For simplicity of description, the method embodiments are expressed as a series of combined actions, but those skilled in the art should know that the embodiment of the present invention is not limited by the described order of actions, because according to the embodiment of the present invention some steps may be performed in other orders or simultaneously. Those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiment of the present invention.
Referring to Fig. 2, a structural block diagram of an embodiment of a recognition device for applications according to an embodiment of the present invention is shown, which may specifically comprise the following modules:
A detection module 201, adapted to detect one or more pieces of attribute information of an executable file in an application to be identified;
A sending module 202, adapted to send the one or more pieces of attribute information to a server, the server storing one or more pieces of characteristic attribute information of an executable file in a characteristic application;
A receiving module 203, adapted to receive a recognition result returned by the server, the recognition result being obtained by performing recognition using the one or more pieces of attribute information and the one or more pieces of characteristic attribute information;
A judging module 204, adapted to judge, when the recognition result is that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information, that the application to be identified matches the characteristic application.
In an embodiment of the present invention, the sending module 202 may further be adapted to:
Encrypt the one or more pieces of attribute information to obtain an encrypted attribute information set;
Send the encrypted attribute information set to the server.
In an embodiment of the present invention, the attribute information may comprise first attribute information and second attribute information, and the characteristic attribute information comprises first characteristic attribute information and second characteristic attribute information;
The server may match the one or more pieces of attribute information against the one or more pieces of characteristic attribute information in the following manner:
Sub-step S21: judge whether the first attribute information matches the first characteristic attribute information; if so, perform sub-step S22;
Sub-step S22: judge whether the second attribute information matches the second characteristic attribute information; if so, perform sub-step S23;
Sub-step S23: judge that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information.
In an optional example of the embodiment of the present invention, the first attribute information may comprise a file name, and the first characteristic attribute information comprises a characteristic file name;
The first attribute information is matched against the first characteristic attribute information in the following manner:
Judge whether the file name is identical to the characteristic file name; if so, judge that the first attribute information matches the first characteristic attribute information.
In a specific implementation, the second attribute information may comprise at least one of registry information, a file icon, file description information, a product name and version information;
The second characteristic attribute information may comprise at least one of characteristic registry information, a characteristic file icon, characteristic file description information, a characteristic product name and characteristic version information.
In an optional example of the embodiment of the present invention, the second attribute information may be matched against the second characteristic attribute information in the following manner:
Judge whether the registry information matches the characteristic registry information; if so, judge that the second attribute information matches the second characteristic attribute information.
In an optional example of the embodiment of the present invention, the second attribute information may be matched against the second characteristic attribute information in the following manner:
Judge whether the file icon matches the characteristic file icon; if so, judge that the second attribute information matches the second characteristic attribute information.
In an optional example of the embodiment of the present invention, the second attribute information may be matched against the second characteristic attribute information in the following manner:
Judge whether the file description information, product name and version information respectively match the characteristic file description information, characteristic product name and characteristic version information; if so, judge that the second attribute information matches the second characteristic attribute information.
Since the device embodiment is basically similar to the method embodiment, it is described relatively briefly; for relevant details, refer to the corresponding parts of the description of the method embodiment.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of a specific language is made in order to disclose the best mode of the invention.
The specification provided herein sets out numerous specific details. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single previously disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in an embodiment may be combined into one module or unit or component, and they may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the recognition device for applications according to the embodiment of the present invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The embodiment of the present invention discloses A1, a recognition method for applications, comprising:
Detecting one or more pieces of attribute information of an executable file in an application to be identified;
Sending the one or more pieces of attribute information to a server, the server storing one or more pieces of characteristic attribute information of an executable file in a characteristic application;
Receiving a recognition result returned by the server, the recognition result being obtained by performing recognition using the one or more pieces of attribute information and the one or more pieces of characteristic attribute information;
When the recognition result is that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information, judging that the application to be identified matches the characteristic application.
A2. The method as described in A1, wherein the step of sending the one or more pieces of attribute information to the server comprises:
Encrypting the one or more pieces of attribute information to obtain an encrypted attribute information set;
Sending the encrypted attribute information set to the server.
A3. The method as described in A1 or A2, wherein the attribute information comprises first attribute information and second attribute information, and the characteristic attribute information comprises first characteristic attribute information and second characteristic attribute information;
The server matches the one or more pieces of attribute information against the one or more pieces of characteristic attribute information in the following manner:
Sub-step S21: judge whether the first attribute information matches the first characteristic attribute information; if so, perform sub-step S22;
Sub-step S22: judge whether the second attribute information matches the second characteristic attribute information; if so, perform sub-step S23;
Sub-step S23: judge that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information.
A4. The method as described in A3, wherein the first attribute information comprises a file name, and the first characteristic attribute information comprises a characteristic file name;
The step of judging whether the first attribute information matches the first characteristic attribute information comprises:
Judging whether the file name is identical to the characteristic file name; if so, judging that the first attribute information matches the first characteristic attribute information.
A5. The method as described in A3, wherein the second attribute information comprises at least one of registry information, a file icon, file description information, a product name and version information;
The second characteristic attribute information comprises at least one of characteristic registry information, a characteristic file icon, characteristic file description information, a characteristic product name and characteristic version information.
A6. The method as described in A5, wherein the step of judging whether the second attribute information matches the second characteristic attribute information comprises:
Judging whether the registry information matches the characteristic registry information; if so, judging that the second attribute information matches the second characteristic attribute information.
A7. The method as described in A5, wherein the step of judging whether the second attribute information matches the second characteristic attribute information comprises:
Judging whether the file icon matches the characteristic file icon; if so, judging that the second attribute information matches the second characteristic attribute information.
A8. The method as described in A5, wherein the step of judging whether the second attribute information matches the second characteristic attribute information comprises:
Judging whether the file description information, product name and version information respectively match the characteristic file description information, characteristic product name and characteristic version information; if so, judging that the second attribute information matches the second characteristic attribute information.
The embodiment of the present invention also discloses B9, a recognition device for applications, comprising:
A detection module, adapted to detect one or more pieces of attribute information of an executable file in an application to be identified;
A sending module, adapted to send the one or more pieces of attribute information to a server, the server storing one or more pieces of characteristic attribute information of an executable file in a characteristic application;
A receiving module, adapted to receive a recognition result returned by the server, the recognition result being obtained by performing recognition using the one or more pieces of attribute information and the one or more pieces of characteristic attribute information;
A judging module, adapted to judge, when the recognition result is that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information, that the application to be identified matches the characteristic application.
B10. The device as described in B9, wherein the sending module is further adapted to:
Encrypt the one or more pieces of attribute information to obtain an encrypted attribute information set;
Send the encrypted attribute information set to the server.
B11. The device as described in B9 or B10, wherein the attribute information comprises first attribute information and second attribute information, and the characteristic attribute information comprises first characteristic attribute information and second characteristic attribute information;
The server matches the one or more pieces of attribute information against the one or more pieces of characteristic attribute information in the following manner:
Sub-step S21: judge whether the first attribute information matches the first characteristic attribute information; if so, perform sub-step S22;
Sub-step S22: judge whether the second attribute information matches the second characteristic attribute information; if so, perform sub-step S23;
Sub-step S23: judge that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information.
B12. The device as described in B11, wherein the first attribute information comprises a file name, and the first characteristic attribute information comprises a characteristic file name;
The first attribute information is matched against the first characteristic attribute information in the following manner:
Judge whether the file name is identical to the characteristic file name; if so, judge that the first attribute information matches the first characteristic attribute information.
B13. The device as described in B11, wherein the second attribute information comprises at least one of registry information, a file icon, file description information, a product name and version information;
The second characteristic attribute information comprises at least one of characteristic registry information, a characteristic file icon, characteristic file description information, a characteristic product name and characteristic version information.
B14. The device as described in B13, wherein the second attribute information is matched against the second characteristic attribute information in the following manner:
Judge whether the registry information matches the characteristic registry information; if so, judge that the second attribute information matches the second characteristic attribute information.
B15. The device as described in B13, wherein the second attribute information is matched against the second characteristic attribute information in the following manner:
Judge whether the file icon matches the characteristic file icon; if so, judge that the second attribute information matches the second characteristic attribute information.
B16. The device as described in B13, wherein the second attribute information is matched against the second characteristic attribute information in the following manner:
Judge whether the file description information, product name and version information respectively match the characteristic file description information, characteristic product name and characteristic version information; if so, judge that the second attribute information matches the second characteristic attribute information.

Claims (10)

1. A recognition method for applications, comprising:
Detecting one or more pieces of attribute information of an executable file in an application to be identified;
Sending the one or more pieces of attribute information to a server, the server storing one or more pieces of characteristic attribute information of an executable file in a characteristic application;
Receiving a recognition result returned by the server, the recognition result being obtained by performing recognition using the one or more pieces of attribute information and the one or more pieces of characteristic attribute information;
When the recognition result is that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information, judging that the application to be identified matches the characteristic application.
2. The method of claim 1, characterized in that the step of sending the one or more pieces of attribute information to the server comprises:
Encrypting the one or more pieces of attribute information to obtain an encrypted attribute information set;
Sending the encrypted attribute information set to the server.
3. The method of claim 1 or 2, characterized in that the attribute information comprises first attribute information and second attribute information, and the characteristic attribute information comprises first characteristic attribute information and second characteristic attribute information;
The server matches the one or more pieces of attribute information against the one or more pieces of characteristic attribute information in the following manner:
Sub-step S21: judge whether the first attribute information matches the first characteristic attribute information; if so, perform sub-step S22;
Sub-step S22: judge whether the second attribute information matches the second characteristic attribute information; if so, perform sub-step S23;
Sub-step S23: judge that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information.
4. The method of claim 3, characterized in that the first attribute information comprises a file name, and the first characteristic attribute information comprises a characteristic file name;
The step of judging whether the first attribute information matches the first characteristic attribute information comprises:
Judging whether the file name is identical to the characteristic file name; if so, judging that the first attribute information matches the first characteristic attribute information.
5. The method of claim 3, characterized in that:
The second attribute information comprises at least one of registry information, a file icon, file description information, a product name and version information;
The second characteristic attribute information comprises at least one of characteristic registry information, a characteristic file icon, characteristic file description information, a characteristic product name and characteristic version information.
6. The method of claim 5, characterized in that the step of judging whether the second attribute information matches the second characteristic attribute information comprises:
Judging whether the registry information matches the characteristic registry information; if so, judging that the second attribute information matches the second characteristic attribute information.
7. The method of claim 5, characterized in that the step of judging whether the second attribute information matches the second characteristic attribute information comprises:
Judging whether the file icon matches the characteristic file icon; if so, judging that the second attribute information matches the second characteristic attribute information.
8. The method of claim 5, characterized in that the step of judging whether the second attribute information matches the second characteristic attribute information comprises:
Judging whether the file description information, product name and version information respectively match the characteristic file description information, characteristic product name and characteristic version information; if so, judging that the second attribute information matches the second characteristic attribute information.
9. A recognition device for applications, comprising:
A detection module, adapted to detect one or more pieces of attribute information of an executable file in an application to be identified;
A sending module, adapted to send the one or more pieces of attribute information to a server, the server storing one or more pieces of characteristic attribute information of an executable file in a characteristic application;
A receiving module, adapted to receive a recognition result returned by the server, the recognition result being obtained by performing recognition using the one or more pieces of attribute information and the one or more pieces of characteristic attribute information;
A judging module, adapted to judge, when the recognition result is that the one or more pieces of attribute information match the one or more pieces of characteristic attribute information, that the application to be identified matches the characteristic application.
10. The device of claim 9, characterized in that the sending module is further adapted to:
Encrypt the one or more pieces of attribute information to obtain an encrypted attribute information set;
Send the encrypted attribute information set to the server.
CN201410737499.4A 2014-12-04 2014-12-04 Recognition method and recognition device for applications Active CN104486312B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410737499.4A CN104486312B (en) 2014-12-04 2014-12-04 Recognition method and recognition device for applications

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410737499.4A CN104486312B (en) 2014-12-04 2014-12-04 Recognition method and recognition device for applications

Publications (2)

Publication Number Publication Date
CN104486312A true CN104486312A (en) 2015-04-01
CN104486312B CN104486312B (en) 2018-09-04

Family

ID=52760816

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410737499.4A Active CN104486312B (en) 2014-12-04 2014-12-04 Recognition method and recognition device for applications

Country Status (1)

Country Link
CN (1) CN104486312B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1860481A (en) * 2003-09-30 2006-11-08 皇家飞利浦电子股份有限公司 Using content identifiers to download cd-cover pictures to represent audio content items
CN101610152A (en) * 2008-06-19 2009-12-23 华为技术有限公司 Content identification method and system and content management client and server
CN102932555A (en) * 2012-12-03 2013-02-13 南京安讯科技有限责任公司 Method and system for fast recognizing client software of mobile phone
CN104111993A (en) * 2014-07-04 2014-10-22 广州华多网络科技有限公司 Identification method and device for application archives

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105094904A (en) * 2015-07-20 2015-11-25 小米科技有限责任公司 Application program installation method and device
WO2016180211A1 (en) * 2015-11-20 2016-11-17 中兴通讯股份有限公司 Method and apparatus for processing faked application
CN106778261A (en) * 2015-11-20 2017-05-31 中兴通讯股份有限公司 The treating method and apparatus of camouflage applications
CN106897617A (en) * 2015-12-18 2017-06-27 北京奇虎科技有限公司 A kind of method and device for recognizing bundled software
WO2017202214A1 (en) * 2016-05-24 2017-11-30 腾讯科技(深圳)有限公司 File verification method and apparatus
US11188635B2 (en) 2016-05-24 2021-11-30 Tencent Technology (Shenzhen) Company Limited File authentication method and apparatus
CN111030969A (en) * 2019-02-26 2020-04-17 北京安天网络安全技术有限公司 Threat detection method and device based on visible and non-visible data and storage equipment

Also Published As

Publication number Publication date
CN104486312B (en) 2018-09-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220726

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.