CN105791250A - Application detection method and device - Google Patents

Application detection method and device

Publication number
CN105791250A
Authority
CN
China
Prior art keywords
program
application program
list
performance
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410831931.6A
Other languages
Chinese (zh)
Other versions
CN105791250B (en
Inventor
张晓霖
何博
张聪
王亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201410831931.6A
Publication of CN105791250A
Application granted
Publication of CN105791250B
Active
Anticipated expiration

Abstract

The invention discloses an application detection method and device. The method comprises the following steps: when an application belonging to a white list runs, acquiring an application feature of the application; acquiring a running list of the application corresponding to the application feature according to the application feature; and monitoring running of the application corresponding to the application feature according to the running list. Through adoption of the application detection method in the embodiment of the invention, running of applications in the white list can be monitored effectively, so that running security of applications in a client is ensured, and the security of the client is ensured.

Description

Application program detection method and device
Technical field
The present invention relates to network security technology, and in particular to an application program detection method and device.
Background technology
Traditional prevention and removal of malicious programs relies on the signature database model. A signature database is composed of the signatures of malicious program samples collected by the vendor; a signature is a section of program code, similar to a "search keyword", that analysis engineers extract from a malicious program after finding where it differs from legitimate software. During scanning, the engine reads a file and matches it against all of the signature "keywords" in the signature database; if the file's program code is found to hit one, the file can be judged to be a malicious program.
Later, a local heuristic virus-scanning approach was derived: it is a dynamic height device or decompiler implemented in a specific way, which decompiles the relevant instruction sequences to gradually understand and determine the real motive they contain. Malicious programs and normal programs can differ in many respects. For example, the initial instructions of an ordinary application program usually check whether the command-line input has parameter items, clear the screen and save the original screen display, whereas the initial instructions of a malicious program are usually direct disk-write operations, decoding instructions, searches for executable programs under a certain path, and similar operation instruction sequences. A skilled programmer in a debugging state needs only a glance to see these significant differences clearly. Heuristic code scanning is in effect this experience and knowledge transplanted into antivirus software and embodied as a specific program.
However, the above methods of detecting and removing malware are all based on malicious behavior and/or malicious features: they first judge whether a program is malicious, and only then decide whether to remove or clean it. This inevitably leads to the following drawbacks.
First, the number of malicious programs is growing geometrically. Given this explosive growth rate, the generation and updating of signature databases often lags behind, and the malicious program signatures added to the database cannot keep up with the endless stream of unknown malicious programs.
Second, as malicious program authors apply detection-evasion techniques, it is increasingly common for a malicious program to be packed with a shell or to have its signature modified, and many Trojan horse programs use increasingly frequent and rapid automatic mutation. All of this makes it harder and harder to judge malicious programs by malicious behavior and/or malicious features, so that more malicious programs are classified onto the white list and go on to cause damage on the device/client.
In view of this, how to ensure that all programs in the white list run safely has become a technical problem that currently needs to be solved.
Summary of the invention
In view of the defects of the prior art, the present invention provides an application program detection method and device. The application program detection method can effectively ensure the safe running of the application programs belonging to the white list in a client, thereby ensuring the security of the client.
In a first aspect, the present invention provides an application program detection device, including:
an application feature acquiring unit, configured to acquire, when an application program belonging to the white list runs, the application feature of the application program;
a running list acquiring unit, configured to acquire, according to the application feature, the running list of the application program corresponding to the application feature;
a monitoring unit, configured to monitor, according to the running list, the running of the application program corresponding to the application feature.
Optionally, the running list acquiring unit is specifically configured to:
send the application feature of the application program acquired by the application feature acquiring unit to a server, so that the server determines, according to preset rules, the running list of the application program corresponding to the application feature;
receive the running list of the application program sent by the server.
Optionally, the running list acquiring unit is specifically configured to:
send the acquired application feature of the application program and the system environment information of the client to the server, so that the server searches for the preset rule that matches the system environment information and determines, according to the preset rule found, the running list of the application program corresponding to the application feature.
Optionally, the running list acquiring unit is specifically configured to:
send the acquired application feature of the application program and the system environment information of the client to the server, so that the server searches for the preset rule that matches the system environment information and determines, according to the preset rule found, the running list of the application program corresponding to the application feature and the risk level of the client.
Optionally, the running list acquiring unit is specifically configured to:
receive the running list of the application program and the risk level of the client sent by the server;
and the monitoring unit is specifically configured to:
monitor the running of the application program corresponding to the application feature using the running list and the detection rule corresponding to the risk level of the client.
Optionally, the monitoring unit is specifically configured to:
when a running behavior of the application program corresponding to the application feature is detected to belong to the running list, intercept that running behavior of the application program;
or,
when a running behavior of the application program corresponding to the application feature is detected to belong to the running list, send information on that running behavior to the server, so that the server determines, according to a statistical rule, whether the application program continues to run;
receive the judgment result sent by the server, and process the application program according to the judgment result;
wherein the running list includes information for intercepting at least one running behavior of the application program;
and the statistical rule is compiled from statistics on the running behavior of the application program in multiple clients.
In a second aspect, the present invention also provides an application program detection method, including:
when an application program belonging to the white list runs, acquiring the application feature of the application program;
acquiring, according to the application feature, the running list of the application program corresponding to the application feature;
monitoring, according to the running list, the running of the application program corresponding to the application feature.
Optionally, acquiring, according to the application feature, the running list of the application program corresponding to the application feature includes:
sending the acquired application feature of the application program to a server, so that the server determines, according to preset rules, the running list of the application program corresponding to the application feature;
and before monitoring, according to the running list, the running of the application program corresponding to the application feature, the method further includes:
receiving the running list of the application program sent by the server.
Optionally, acquiring, according to the application feature, the running list of the application program corresponding to the application feature includes:
sending the acquired application feature of the application program and the system environment information of the client to the server, so that the server searches for the preset rule that matches the system environment information and determines, according to the preset rule found, the running list of the application program corresponding to the application feature.
Optionally, acquiring, according to the application feature, the running list of the application program corresponding to the application feature includes:
sending the acquired application feature of the application program and the system environment information of the client to the server, so that the server searches for the preset rule that matches the system environment information and determines, according to the preset rule found, the running list of the application program corresponding to the application feature and the risk level of the client.
Optionally, the method further includes:
receiving the running list of the application program sent by the server includes:
receiving the running list of the application program and the risk level of the client sent by the server;
correspondingly, monitoring, according to the running list, the running of the application program corresponding to the application feature includes:
monitoring the running of the application program corresponding to the application feature using the running list and the detection rule corresponding to the risk level of the client.
Optionally, monitoring, according to the running list, the running of the application program corresponding to the application feature includes:
the running list includes information for intercepting at least one running behavior of the application program;
when a running behavior of the application program corresponding to the application feature is detected to belong to the running list, intercepting that running behavior of the application program;
or,
when a running behavior of the application program corresponding to the application feature is detected to belong to the running list, sending information on that running behavior to the server, so that the server determines, according to a statistical rule, whether the application program continues to run;
receiving the judgment result sent by the server, and processing the application program according to the judgment result;
the statistical rule is compiled from statistics on the running behavior of the application program in multiple clients.
As can be seen from the above technical solutions, the application program detection method and device provided by the present invention monitor the application programs belonging to the white list in a client. For example, the application feature of a white-listed application program is first acquired when the program runs and is sent to a server; the server then determines, according to preset rules, whether the application program corresponding to the application feature in the client has a running list of running behaviors that need to be intercepted; if so, the server sends the running list to the client, so that the client monitors the running of the application program currently belonging to the white list according to the running list. The security of programs running in the client, and hence the security of the client, can thereby be ensured.
Description of the drawings
Fig. 1 is a schematic flowchart of the application program detection method provided by an embodiment of the present invention;
Fig. 2 is a schematic flowchart of the application program detection method provided by another embodiment of the present invention;
Fig. 3 is a schematic structural diagram of the application program detection device provided by an embodiment of the present invention.
Detailed description of the invention
Specific embodiments of the invention are further described below with reference to the accompanying drawings. The following embodiments serve only to illustrate the technical solutions of the present invention more clearly and cannot be used to limit the scope of the invention.
Fig. 1 shows a schematic flowchart of the application program detection method provided by an embodiment of the present invention. As shown in Fig. 1, the application program detection method of this embodiment is as follows.
101. When an application program belonging to the white list runs, acquire the application feature of the application program.
Generally, of the application programs downloaded in a client, some belong to the white list, some belong to the blacklist, and some belong to the gray list. In practice, if an application program that is downloaded in the client and about to run belongs to the blacklist, it is removed directly; if it belongs to the gray list, it is intercepted; and if it belongs to the white list, it can be released directly, that is, all running operations of every application program belonging to the white list are run. However, because malicious programs are increasing too quickly, and for other reasons, an application program that is in fact malicious may be classified onto the white list, so the running of the application programs in the white list needs to be monitored further.
In this embodiment, each application program in the client can be distinguished by the MD5 value of the application program.
It will be appreciated that the purpose of MD5 is to allow large amounts of information to be "compressed" into a confidential format (that is, a byte string of arbitrary length is transformed into a hexadecimal digit string of fixed length) before being signed with a private key by digital signature software. A typical application of MD5 is to produce a message digest (Message-Digest) of a piece of information (Message) to prevent it from being tampered with.
MD5 can produce an equally unique "digital fingerprint" for any file (regardless of its size, format or quantity). If anyone makes any change to the file, its MD5 value, that is, the corresponding "digital fingerprint", will change.
That is to say, the MD5 value can serve as the application feature of each program, i.e., a static feature of the application program, obtained through the MD5 (Message-Digest Algorithm 5) operation. The application feature may also be another code that uniquely identifies the program, such as a SHA1 code or a CRC code; this embodiment does not limit it.
102. Acquire, according to the application feature, the running list of the application program corresponding to the application feature.
Specifically, the acquired application feature of the application program is sent to a server, so that the server determines, according to preset rules, the running list of the application program corresponding to the application feature.
The server may be a cloud server.
That is, rules for various application programs are dynamically compiled in the cloud server, which can determine whether the running behaviors of those application programs affect the security of the client; to this end, a running list can be established for the application programs belonging to the white list in each client. The preset rules in the cloud server here may be interception rules, defense rules, data processing rules and so on.
For example, the running list may include information for intercepting at least one running behavior of the application program. The safe running of the application program in the client can thereby be ensured.
Receive the running list of the application program sent by the cloud server.
103. Monitor, according to the running list, the running of the application program corresponding to the application feature.
For example, when a running behavior of the application program corresponding to the MD5 value is detected to belong to the running list, that running behavior of the application program is intercepted;
or, in other embodiments, step 103 may further be embodied as: when a running behavior of the application program corresponding to the MD5 value is detected to belong to the running list, information on that running behavior is sent to the cloud server, so that the cloud server determines, according to a statistical rule, whether the application program continues to run;
the judgment result sent by the cloud server is received, and the application program is processed according to the judgment result.
The statistical rule is compiled from statistics on the running behavior of the application program in multiple clients.
The application program detection method of this embodiment monitors the application programs belonging to the white list in a client. For example, the application feature of a white-listed application program is first acquired when the program runs and is sent to the cloud server; the cloud server then determines, according to preset rules, whether the application program corresponding to the application feature in the client has a running list of running behaviors that need to be intercepted; if so, it sends the running list to the client, so that the client monitors the running of the application program currently belonging to the white list according to the running list. The security of programs running in the client, and hence the security of the client, can thereby be ensured.
Fig. 2 shows a schematic flowchart of the application program detection method provided by an embodiment of the present invention. As shown in Fig. 2, the application program detection method of this embodiment is as follows.
201. Determine the application programs belonging to the white list.
For example, legitimate programs can be collected periodically by the client, and the application features and/or program behaviors of the legitimate programs screened out; the application features and/or program behaviors are saved to generate the white list.
Specifically, a white list of legitimate programs is established in the database of the cloud server. The application feature and/or program behavior of a program is collected by the client and sent to the cloud server for query; the cloud server analyzes and compares it against the white list according to the application feature and/or program behavior, judges the program according to the comparison result, and feeds the judgment back to the client. For example, if the comparison is consistent, the program is determined to be an application program belonging to the white list.
That is, the client intercepts malicious program behavior according to the judgment result and terminates the execution of the malicious program.
It will be appreciated that the white list in the database of the cloud server may be obtained by technicians periodically collecting legitimate programs manually, by using spiders or web crawlers, and/or through user uploads. That is, the application features and/or program behaviors of the legitimate programs are screened manually or automatically by tools and saved in the white list.
202. When an application program belonging to the white list runs, acquire the MD5 value of the application program.
That is, when the client starts an application program belonging to the white list, the MD5 value of the application program can be acquired.
203. Send the acquired MD5 value of the application program and the system environment information of the client to the cloud server, so that the cloud server searches for the preset rule that matches the system environment information and determines, according to the preset rule found, the running list of the application program corresponding to the MD5 value.
In other embodiments, the acquired MD5 value of the application program and the system environment information of the client may also be sent to the cloud server, so that the cloud server searches for the preset rule that matches the system environment information and determines, according to the preset rule found, information such as the running list of the application program corresponding to the MD5 value and the risk level of the client.
Generally, the risk level of the client here is determined by the cloud server according to the MD5 value of the program and the system environment information sent by the client. If the risk level of the client is less than a default safe trust value, the program corresponding to the MD5 value can be directly judged to be a malicious program, and the client can directly intercept all running behaviors of the program.
204. Receive the running list of the application program sent by the cloud server.
For example, the running list may include information for intercepting at least one running behavior of the application program.
In other embodiments, this step 204 may be: receive information such as the running list of the application program and the risk level of the client sent by the cloud server.
205. Monitor, according to the running list, the running of the application program corresponding to the MD5 value.
For example, the running of an application program in the client may include: process creation, thread creation, file read and write operations, registry read and write operations, registry write operations, stack operations and/or thread injection operations, etc.
In this embodiment, if a running behavior of the application program corresponding to the MD5 value is detected to belong to the running list, that running behavior of the application program is intercepted, or that running behavior is prohibited. For example, the process creation of the application program is intercepted, or the creation of a certain thread of the application program is intercepted. This embodiment does not limit this, and it can be set according to actual needs.
In other embodiments, the running of the application program corresponding to the MD5 value may also be monitored using the running list and the detection rule corresponding to the risk level of the client.
It will be understood that each client pre-stores program detection rules for different risk levels, so that once the client knows its risk level, it uses the program detection rule corresponding to that risk level to detect/monitor the programs running in the client.
In the application program detection method of this embodiment, the application programs belonging to the white list in the client are first determined and are then monitored. For example, the MD5 value of a white-listed application program is first acquired when the program runs and is sent to the cloud server; the cloud server then determines, according to preset rules, whether the application program corresponding to the MD5 value in the client has a running list of running behaviors that need to be intercepted; if so, it sends the running list to the client, so that the client monitors the running of the application program currently belonging to the white list according to the running list. The security of programs running in the client, and hence the security of the client, can thereby be ensured.
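Steps 202 to 205 as a runnable sketch, added here as an illustration and not taken from the patent or its assignee: the client hashes a white-listed program, a toy cloud server returns a running list and risk level for the client's environment, and the client decides what to do with each observed behavior. Assumed throughout: all function, class and behavior names, the environment labels, the numeric risk levels and trust value, the per-level detection rules, and the majority-based statistical rule.

```python
import hashlib

SAFE_TRUST_VALUE = 3  # assumed number for the page's "default safe trust value"
# Assumed client-side detection rules, one per risk level (step 205).
DETECTION_RULES = {5: "intercept", 4: "report"}


def application_feature(file_bytes):
    """Step 202: MD5 digest of the program file, used as its static feature.
    The page also allows other identifying codes (SHA1, CRC) here."""
    return hashlib.md5(file_bytes).hexdigest()


class CloudServer:
    """Toy stand-in for the cloud server; all rule data is constructed."""

    def __init__(self, preset_rules, client_count):
        # {(feature, environment): (running_list, risk_level)}
        self.preset_rules = preset_rules
        self.client_count = client_count
        self.reports = {}  # (feature, behavior) -> ids of reporting clients

    def lookup(self, feature, environment):
        """Steps 203-204: return (running_list, risk_level) for the preset
        rule matching the environment, or None when no rule matches."""
        return self.preset_rules.get((feature, environment))

    def judge(self, client_id, feature, behavior):
        """Assumed statistical rule: a behavior reported by more than half of
        all clients is treated as normal for this program."""
        seen = self.reports.setdefault((feature, behavior), set())
        seen.add(client_id)
        return "continue" if 2 * len(seen) > self.client_count else "terminate"


def monitor(server, client_id, feature, running_list, risk_level, observed):
    """Step 205: decide what happens to each observed running behavior."""
    decisions = {}
    for behavior in observed:
        if risk_level < SAFE_TRUST_VALUE:
            decisions[behavior] = "intercept"  # program judged malicious
        elif behavior not in running_list:
            decisions[behavior] = "allow"
        elif DETECTION_RULES.get(risk_level, "intercept") == "intercept":
            decisions[behavior] = "intercept"  # unknown levels fail closed
        else:
            decisions[behavior] = server.judge(client_id, feature, behavior)
    return decisions


def run_client(server, client_id, file_bytes, environment, observed):
    """Steps 202-205 for one white-listed program on one client."""
    feature = application_feature(file_bytes)
    answer = server.lookup(feature, environment)
    if answer is None:  # the server sent no running list
        return {behavior: "allow" for behavior in observed}
    running_list, risk_level = answer
    return monitor(server, client_id, feature, running_list, risk_level, observed)


# Constructed sample input (not from the patent).
SAMPLE_PROGRAM = b"constructed sample program bytes"
SAMPLE_FEATURE = application_feature(SAMPLE_PROGRAM)


def sample_server():
    """Constructed preset rules for three made-up client environments."""
    return CloudServer(
        preset_rules={
            (SAMPLE_FEATURE, "env-A"): ({"thread_injection"}, 5),
            (SAMPLE_FEATURE, "env-B"): ({"registry_write"}, 4),
            (SAMPLE_FEATURE, "env-C"): ({"process_creation"}, 1),
        },
        client_count=3,
    )


if __name__ == "__main__":
    server = sample_server()
    behaviors = ["file_read", "thread_injection",
                 "registry_write", "process_creation"]
    for env in ("env-A", "env-B", "env-C"):
        print(env, run_client(server, "client-1", SAMPLE_PROGRAM, env, behaviors))
```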
Fig. 3 illustrates the structural representation of the application program detecting device that one embodiment of the invention provides, as it is shown on figure 3, the application program detecting device of the present embodiment includes: performance of program acquiring unit 31, run list acquiring unit 32 and monitoring unit 33;
Wherein, when performance of program acquiring unit 31 is for running at the application program belonging to white list, the performance of program of this application program is obtained;
Run list acquiring unit 32, for obtaining the operation list of the application program corresponding with described performance of program according to described performance of program;
Monitoring unit 33, for the operation of the application program corresponding with described performance of program according to described operation list monitoring.
For example, the list that runs at this place comprises the steps that the information of at least one operation action intercepting this application program;
Correspondingly, monitoring unit 33 can be specifically for, monitors the operation action of the application program corresponding with described performance of program when belonging to described operation list, intercepts the operation action of this application program;
Or, monitoring unit 33 can be specifically for, monitor the operation action of the application program corresponding with described performance of program when belonging to described operation list, the information of the operation action of this application program is sent described cloud server, so that according to statistical rules, described cloud server determines whether that this application program continues to run with;
Receive the judged result that described cloud server sends, according to described judged result, described application program is processed;
Described statistical rules is add up according to this application program operation action in multiple clients.
In a kind of possible implementation, aforesaid operation list acquiring unit 32 can be specifically for, the performance of program of the application program obtained by described performance of program acquiring unit sends server, so that server determines the operation list of the application program corresponding with described performance of program according to preset rules;
In alternatively possible implementation, aforesaid operation list acquiring unit 32, specifically for:
The system environmental information of the performance of program of this application program obtained and described client is sent cloud server, so that cloud server searches the preset rules mated with described system environmental information, determine the operation list of the application program corresponding with described performance of program according to the preset rules searched.
In alternatively possible implementation, aforesaid operation list acquiring unit 32 also can be specifically for, the system environmental information of the performance of program of this application program obtained and described client is sent cloud server, so that cloud server searches the preset rules mated with described system environmental information, determine the risk class running list and described client of the application program corresponding with described performance of program according to the preset rules searched;
Correspondingly, aforesaid operation list acquiring unit 32, it is additionally operable to receive the risk class running list and described client of the described application program that described cloud server sends;
Aforesaid monitoring unit 33 can specifically for the operation of detected rule that the risk class that adopts described client the is corresponding application program corresponding with described performance of program with described operation list monitoring.
Aforementioned monitoring unit 33, specifically for:
When the operation action monitoring the application program corresponding with described performance of program belongs to described operation list, intercept the operation action of this application program;
Or,
When the operation action monitoring the application program corresponding with described performance of program belongs to described operation list, the information of the operation action of this application program is sent described server, so that according to statistical rules, described server determines whether that this application program continues to run with;
Receive the judged result that described server sends, according to described judged result, described application program is processed;
Wherein, described operation list includes: intercept the information of at least one operation action of this application program;
Described statistical rules is add up according to this application program operation action in multiple clients.
In addition, the application detection device of this embodiment can perform the flows of the method embodiments shown in the aforementioned Fig. 1 to Fig. 2, which are not described in detail here.
In the application detection device of this embodiment, the application feature acquiring unit first acquires the application feature when an application on the white list runs, and the sending unit sends this application feature to the cloud server; the cloud server then determines, according to the preset rules, whether the application corresponding to the application feature on this client has a running list of running actions that need to be intercepted and, if so, sends the running list to the client, so that the monitoring unit monitors the running of the application currently belonging to the white list according to the running list received by the receiving unit. This ensures the security of programs running on the client and the running security of the client, and improves the customer experience.
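The exchange described in this embodiment, sketched end to end as an added example (not code from the patent or the applicant): the client sends the application feature and system environment information, the cloud server returns a running list and risk level from the matching preset rule, and the monitor either intercepts locally or asks the server for a verdict under a statistical rule. The feature strings, action names, rule table, the handling of "high" and "low" risk levels and the `rare_ratio` threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed preset rules (assumed, not from the patent), keyed by system
# environment: a client risk level plus, per application feature, the running
# actions that must be watched.
PRESET_RULES = {
    "Windows 7": {"risk_level": "high",
                  "running_lists": {"office-suite/11.0": {"spawn_shell", "write_startup_key"}}},
    "Windows 10": {"risk_level": "low",
                   "running_lists": {"office-suite/11.0": {"spawn_shell"}}},
}


@dataclass
class CloudServer:
    rare_ratio: float = 0.05  # assumed: actions seen on fewer clients are blocked
    clients_by_app: dict = field(default_factory=lambda: defaultdict(set))
    clients_by_action: dict = field(default_factory=lambda: defaultdict(set))

    def get_running_list(self, client_id, feature, system_env):
        """Find the preset rule matching the environment; return (running list, risk level)."""
        self.clients_by_app[feature].add(client_id)
        rule = PRESET_RULES.get(system_env)
        if rule is None:
            return set(), "low"  # assumed default: no matching rule, nothing to intercept
        return set(rule["running_lists"].get(feature, ())), rule["risk_level"]

    def judge(self, client_id, feature, action):
        """Statistical rule over reports from multiple clients running this application."""
        self.clients_by_app[feature].add(client_id)
        self.clients_by_action[(feature, action)].add(client_id)
        seen = len(self.clients_by_action[(feature, action)])
        total = len(self.clients_by_app[feature])
        return "allow" if seen / total >= self.rare_ratio else "block"


@dataclass
class Client:
    client_id: str
    system_env: str
    server: CloudServer
    whitelist: set
    feature: str = ""
    running_list: set = field(default_factory=set)
    risk_level: str = "low"

    def start_monitoring(self, feature):
        """Called when a whitelisted application starts running."""
        if feature not in self.whitelist:
            raise ValueError("this flow only covers whitelisted applications")
        self.feature = feature
        self.running_list, self.risk_level = self.server.get_running_list(
            self.client_id, feature, self.system_env)

    def on_action(self, action):
        """Apply the detection rule for this client's risk level to one running action."""
        if action not in self.running_list:
            return "allow"
        if self.risk_level == "high":
            return "block"  # intercept locally, no round trip
        return self.server.judge(self.client_id, self.feature, action)


if __name__ == "__main__":
    server = CloudServer()
    app = "office-suite/11.0"
    for i in range(40):  # constructed population of clients running the same app
        server.get_running_list(f"c{i}", app, "Windows 10")
    for cid, env in (("h1", "Windows 7"), ("c0", "Windows 10")):
        client = Client(cid, env, server, {app})
        client.start_monitoring(app)
        for action in ("open_document", "write_startup_key", "spawn_shell"):
            print(cid, client.risk_level, action, client.on_action(action))
```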
The embodiments of the present invention also include:
A1. An application detection device, including:
An application feature acquiring unit, configured to acquire the application feature of an application when the application, which belongs to the white list, runs;
A running list acquiring unit, configured to acquire, according to the application feature, the running list of the application corresponding to the application feature;
A monitoring unit, configured to monitor the running of the application corresponding to the application feature according to the running list.
A2. The device according to A1, wherein the running list acquiring unit is specifically configured to:
Send the application feature of the application acquired by the application feature acquiring unit to the server, so that the server determines the running list of the application corresponding to the application feature according to preset rules;
Receive the running list of the application sent by the server.
A3. The device according to A1, wherein the running list acquiring unit is specifically configured to:
Send the acquired application feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and, according to the preset rule found, determines the running list of the application corresponding to the application feature.
A4. The device according to A1, wherein the running list acquiring unit is specifically configured to:
Send the acquired application feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and, according to the preset rule found, determines the running list of the application corresponding to the application feature and the risk level of the client.
A5. The device according to A4, wherein the running list acquiring unit is specifically configured to:
Receive the running list of the application and the risk level of the client sent by the server;
The monitoring unit is specifically configured to:
Monitor the running of the application corresponding to the application feature by using the detection rule corresponding to the risk level of the client together with the running list.
A6. The device according to A1, wherein the monitoring unit is specifically configured to:
When it is monitored that a running action of the application corresponding to the application feature belongs to the running list, intercept that running action of the application;
Or,
When it is monitored that a running action of the application corresponding to the application feature belongs to the running list, send information about the running action of the application to the server, so that the server determines, according to a statistical rule, whether the application is allowed to continue running;
Receive the judgment result sent by the server, and process the application according to the judgment result;
Wherein the running list includes: information on at least one running action of the application to be intercepted;
The statistical rule is based on statistics of the running actions of the application on multiple clients.
B7. An application detection method, including:
When an application belonging to the white list runs, acquiring the application feature of the application;
Acquiring, according to the application feature, the running list of the application corresponding to the application feature;
Monitoring the running of the application corresponding to the application feature according to the running list.
B8. The method according to B7, wherein acquiring, according to the application feature, the running list of the application corresponding to the application feature includes:
Sending the acquired application feature of the application to the server, so that the server determines the running list of the application corresponding to the application feature according to preset rules;
Before monitoring the running of the application corresponding to the application feature according to the running list, the method further includes:
Receiving the running list of the application sent by the server.
B9. The method according to B7, wherein acquiring, according to the application feature, the running list of the application corresponding to the application feature includes:
Sending the acquired application feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and, according to the preset rule found, determines the running list of the application corresponding to the application feature.
B10. The method according to B7, wherein acquiring, according to the application feature, the running list of the application corresponding to the application feature includes:
Sending the acquired application feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and, according to the preset rule found, determines the running list of the application corresponding to the application feature and the risk level of the client.
B11. The method according to B10, wherein the method further includes:
Receiving the running list of the application sent by the server, which includes:
Receiving the running list of the application and the risk level of the client sent by the server;
Correspondingly, monitoring the running of the application corresponding to the application feature according to the running list includes:
Monitoring the running of the application corresponding to the application feature by using the detection rule corresponding to the risk level of the client together with the running list.
B12. The method according to B7, wherein monitoring the running of the application corresponding to the application feature according to the running list includes:
The running list includes: information on at least one running action of the application to be intercepted;
When it is monitored that a running action of the application corresponding to the application feature belongs to the running list, intercepting that running action of the application;
Or,
When it is monitored that a running action of the application corresponding to the application feature belongs to the running list, sending information about the running action of the application to the server, so that the server determines, according to a statistical rule, whether the application is allowed to continue running;
Receiving the judgment result sent by the server, and processing the application according to the judgment result;
The statistical rule is based on statistics of the running actions of the application on multiple clients.
The present invention is described using the Windows system as an example, which does not limit the use of the above method on operating systems such as iOS and Android.
Numerous specific details are set forth in the description of the present invention. It is to be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and they may furthermore be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that, although some embodiments described herein include some features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device of a browser terminal according to embodiments of the present invention. The present invention may also be implemented as device or apparatus programs (for example, computer programs and computer program products) for performing part or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them; although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced; and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention, and shall all be covered by the scope of the claims and the description of the present invention.

Claims (10)

1. An application detection device, characterized by including:
An application feature acquiring unit, configured to acquire the application feature of an application when the application, which belongs to the white list, runs;
A running list acquiring unit, configured to acquire, according to the application feature, the running list of the application corresponding to the application feature;
A monitoring unit, configured to monitor the running of the application corresponding to the application feature according to the running list.
2. The device according to claim 1, characterized in that the running list acquiring unit is specifically configured to:
Send the application feature of the application acquired by the application feature acquiring unit to the server, so that the server determines the running list of the application corresponding to the application feature according to preset rules;
Receive the running list of the application sent by the server.
3. The device according to claim 1, characterized in that the running list acquiring unit is specifically configured to:
Send the acquired application feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and, according to the preset rule found, determines the running list of the application corresponding to the application feature.
4. The device according to claim 1, characterized in that the running list acquiring unit is specifically configured to:
Send the acquired application feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and, according to the preset rule found, determines the running list of the application corresponding to the application feature and the risk level of the client.
5. The device according to claim 4, characterized in that the running list acquiring unit is specifically configured to:
Receive the running list of the application and the risk level of the client sent by the server;
The monitoring unit is specifically configured to:
Monitor the running of the application corresponding to the application feature by using the detection rule corresponding to the risk level of the client together with the running list.
6. An application detection method, characterized by including:
When an application belonging to the white list runs, acquiring the application feature of the application;
Acquiring, according to the application feature, the running list of the application corresponding to the application feature;
Monitoring the running of the application corresponding to the application feature according to the running list.
7. The method according to claim 6, characterized in that acquiring, according to the application feature, the running list of the application corresponding to the application feature includes:
Sending the acquired application feature of the application to the server, so that the server determines the running list of the application corresponding to the application feature according to preset rules;
Before monitoring the running of the application corresponding to the application feature according to the running list, the method further includes:
Receiving the running list of the application sent by the server.
8. The method according to claim 6, characterized in that acquiring, according to the application feature, the running list of the application corresponding to the application feature includes:
Sending the acquired application feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and, according to the preset rule found, determines the running list of the application corresponding to the application feature.
9. The method according to claim 6, characterized in that acquiring, according to the application feature, the running list of the application corresponding to the application feature includes:
Sending the acquired application feature of the application and the system environment information of the client to the server, so that the server looks up the preset rule matching the system environment information and, according to the preset rule found, determines the running list of the application corresponding to the application feature and the risk level of the client.
10. The method according to claim 9, characterized in that the method further includes:
Receiving the running list of the application sent by the server, which includes:
Receiving the running list of the application and the risk level of the client sent by the server;
Correspondingly, monitoring the running of the application corresponding to the application feature according to the running list includes:
Monitoring the running of the application corresponding to the application feature by using the detection rule corresponding to the risk level of the client together with the running list.
CN201410831931.6A 2014-12-26 2014-12-26 Application program detection method and device Active CN105791250B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410831931.6A CN105791250B (en) 2014-12-26 2014-12-26 Application program detection method and device

Publications (2)

Publication Number Publication Date
CN105791250A true CN105791250A (en) 2016-07-20
CN105791250B CN105791250B (en) 2020-10-02

Family

ID=56389650

Country Status (1)

Country Link
CN (1) CN105791250B (en)

Also Published As

Publication number Publication date
CN105791250B (en) 2020-10-02

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant