CN105791250A - Application detection method and device - Google Patents
- Authority: CN (China)
- Legal status: Granted
Abstract
The invention discloses an application detection method and device. The method comprises the following steps: when an application belonging to a white list runs, acquiring an application feature of the application; acquiring a running list of the application corresponding to the application feature according to the application feature; and monitoring running of the application corresponding to the application feature according to the running list. Through adoption of the application detection method in the embodiment of the invention, running of applications in the white list can be monitored effectively, so that running security of applications in a client is ensured, and the security of the client is ensured.
Description
Technical Field
The invention relates to a network security technology, in particular to an application program detection method and device.
Background
Traditional prevention and removal of malicious programs relies mainly on a feature library. The feature library is made up of feature codes taken from malicious program samples collected by vendors: an analysis engineer finds a section of program code in the malicious program that differs from legitimate software and extracts it, much like a search keyword. During scanning and removal, the engine reads the file and matches it against all feature-code keywords in the feature library; if a hit is found in the file's program code, the file can be judged to be a malicious program.
Later, a local heuristic antivirus mode was derived from this. A dynamic analyser or decompiler implemented in a specific way gradually understands and determines the true purpose of an embedded instruction sequence by decompiling the related instructions. The distinction between malicious and normal programs shows in many aspects. For example, a normal application's initial instructions usually check whether the command line has parameters, clear the screen, save the original screen display, and so on, whereas a malicious program's initial instructions are usually a sequence of operations such as writing directly to disk, decoding instructions, or searching for executable programs under a certain path. Such significant differences are apparent at a glance to a skilled programmer in the debugger. Heuristic code-scanning techniques are, in effect, a concrete procedure that migrates this experience and knowledge into antivirus software.
However, the above methods for scanning and removing malware determine whether a program is malicious on the basis of malicious behaviours and/or malicious characteristics, and only then decide whether to remove or clean it. This inevitably leads to the following disadvantages.
Firstly, the number of malicious programs grows geometrically. Because of this explosive growth, generation and updating of the feature library usually lag behind, and the addition of feature codes for malicious programs to the feature library cannot keep up with the endless stream of unknown malicious programs.
Secondly, malicious program producers increasingly apply evasion (anti-detection) techniques, by packing the malicious program or modifying its feature code, and many trojan programs use ever more frequent and rapid automatic transformation. All of this makes it harder and harder to judge malicious programs by their malicious behaviours and/or characteristics, so more malicious programs are classified as white-listed and go on to cause damage in the device/client.
In view of this, how to ensure that all programs in the white list can run safely becomes a technical problem to be solved currently.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides an application program detection method and an application program detection device, wherein the application program detection method can effectively ensure the safe operation of the application program belonging to the white list in the client and ensure the safety of the client.
In a first aspect, the present invention provides an application detection apparatus, including:
the program feature acquisition unit is used for acquiring the program features of the application program when the application program belonging to the white list runs;
the running list acquiring unit is used for acquiring a running list of the application program corresponding to the program characteristics according to the program characteristics;
and the monitoring unit is used for monitoring the running of the application program corresponding to the program characteristics according to the running list.
Optionally, the run list acquiring unit is specifically configured to:
sending the program characteristics of the application program acquired by the program characteristic acquisition unit to a server so that the server determines an operation list of the application program corresponding to the program characteristics according to a preset rule;
and receiving the running list of the application program sent by the server.
Optionally, the run list acquiring unit is specifically configured to:
and sending the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matched with the system environment information, and determining an operation list of the application program corresponding to the program characteristics according to the searched preset rule.
Optionally, the run list acquiring unit is specifically configured to:
and sending the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matched with the system environment information, and determining an operation list of the application program corresponding to the program characteristics and the risk level of the client according to the searched preset rule.
Optionally, the run list acquiring unit is specifically configured to:
receiving a running list of the application program and a risk level of the client sent by the server;
the monitoring unit is specifically configured to:
and monitoring the running of the application program corresponding to the program characteristics by adopting the detection rule corresponding to the risk level of the client and the running list.
Optionally, the monitoring unit is specifically configured to:
intercepting the operation behavior of the application program when the operation behavior of the application program corresponding to the program characteristics is monitored to belong to the operation list;
or,
when the running behavior of the application program corresponding to the program characteristics is monitored to belong to the running list, sending the information of the running behavior of the application program to the server so that the server judges whether the application program is allowed to continue to run or not according to a statistical rule;
receiving a judgment result sent by the server, and processing the application program according to the judgment result;
wherein the run list includes: interception information for at least one running behaviour of the application program;
the statistical rule is derived from statistics of the application program's running behaviour across a plurality of clients.
In a second aspect, the present invention further provides an application detection method, including:
when an application program belonging to the white list runs, acquiring program characteristics of the application program;
acquiring an operation list of application programs corresponding to the program characteristics according to the program characteristics;
and monitoring the operation of the application program corresponding to the program characteristics according to the operation list.
Optionally, the obtaining, according to the program feature, an operation list of the application program corresponding to the program feature includes:
sending the acquired program characteristics of the application program to a server so that the server determines an operation list of the application program corresponding to the program characteristics according to a preset rule;
before monitoring the running of the application program corresponding to the program feature according to the running list, the method further includes:
and receiving the running list of the application program sent by the server.
Optionally, the obtaining, according to the program feature, an operation list of the application program corresponding to the program feature includes:
and sending the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matched with the system environment information, and determining an operation list of the application program corresponding to the program characteristics according to the searched preset rule.
Optionally, the obtaining, according to the program feature, an operation list of the application program corresponding to the program feature includes:
and sending the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matched with the system environment information, and determining an operation list of the application program corresponding to the program characteristics and the risk level of the client according to the searched preset rule.
Optionally, the method further includes:
the receiving the running list of the application program sent by the server includes:
receiving a running list of the application program and a risk level of the client sent by the server;
correspondingly, the monitoring the running of the application program corresponding to the program feature according to the running list includes:
and monitoring the running of the application program corresponding to the program characteristics by adopting the detection rule corresponding to the risk level of the client and the running list.
Optionally, the monitoring, according to the run list, the running of the application program corresponding to the program feature includes:
the run list includes: intercepting information of at least one running behavior of the application program;
intercepting the operation behavior of the application program when the operation behavior of the application program corresponding to the program characteristics belongs to the operation list;
or,
when the running behavior of the application program corresponding to the program characteristics belongs to the running list, the running behavior information of the application program is sent to the server, so that the server judges whether the application program is allowed to continue running or not according to the statistical rule;
receiving a judgment result sent by the server, and processing the application program according to the judgment result;
the statistical rule is derived from statistics of the application program's running behaviour across a plurality of clients.
According to the technical scheme, the application program belonging to the white list in the client is monitored. For example, the program characteristics of the white-listed application program are first obtained when it runs and sent to the server; the server determines, according to preset rules, whether the application program corresponding to those characteristics has an operation list of operation behaviours that need to be intercepted, and if so sends the operation list to the client, so that the client monitors the running of the currently white-listed application program according to the operation list. The safety of program operation in the client, and thus the safety of the client, can thereby be further ensured.
Drawings
Fig. 1 is a schematic flowchart of an application detection method according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating an application detection method according to another embodiment of the present invention;
fig. 3 is a schematic structural diagram of an application detection apparatus according to an embodiment of the present invention.
Detailed Description
The following further describes embodiments of the invention with reference to the drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
Fig. 1 is a schematic flow chart illustrating an application detection method according to an embodiment of the present invention, and as shown in fig. 1, the application detection method according to the embodiment is as follows.
101. And when the application program belonging to the white list runs, acquiring the program characteristics of the application program.
Typically, the applications downloaded in the client belong partly to white-listed applications, partly to black-listed applications, and partly to grey-listed applications. In practice, if an application downloaded and about to run in the client belongs to the blacklist, it is killed directly; if it belongs to the grey list, it is intercepted. If the application downloaded and about to run in the client belongs to the white list, it can be released directly, that is, all running operations of a white-listed application are allowed. However, because malicious programs are added too quickly, and for other reasons, applications that are in fact malicious may be classified into the white list, and therefore the running of white-listed applications requires further monitoring.
In this embodiment, each application in the client may be distinguished by the MD5 value of that application.
It will be appreciated that the role of MD5 is to "compress" a large volume of information into a secure format (i.e., to convert a byte string of any length into a fixed-length hexadecimal string) before it is signed with a private key by digital-signature software. A typical application of MD5 is to generate a message digest (Message-Digest) for a piece of information (Message) to guard against tampering.
MD5 can generate an equally unique "digital fingerprint" for any file (regardless of size, format or number), and if anyone makes any change to the file, its MD5 value, i.e., the corresponding "digital fingerprint", changes.
That is, the MD5 value can serve as the program characteristic of each program, i.e., a static characteristic of the application program, calculated by MD5 (Message-Digest Algorithm 5). The program feature may also be another feature code that uniquely identifies the program, such as a SHA-1 digest or a CRC code, which this embodiment does not limit.
102. And acquiring an operation list of the application program corresponding to the program characteristics according to the program characteristics.
Specifically, the acquired program characteristics of the application program are sent to the server, so that the server determines an operation list of the application program corresponding to the program characteristics according to a preset rule.
The server may be a cloud server.
That is to say, the cloud server can dynamically compile statistics on the rules of various applications and determine whether their operation behaviour affects the security of the client; for this purpose an operation list can be established for the white-listed applications in each client. The preset rules in the cloud server may be interception rules, defence rules, data processing rules, and the like.
For example, the run list may include interception information for at least one operational behaviour of the application. In this way the safe operation of the application program in the client can be ensured.
And receiving the running list of the application program sent by the cloud server.
103. And monitoring the operation of the application program corresponding to the program characteristics according to the operation list.
For example, when the operation behavior of the application program corresponding to the MD5 value is monitored to belong to the operation list, the operation behavior of the application program is intercepted;
alternatively, in other embodiments, step 103 may also specifically be: when the operation behavior of the application program corresponding to the MD5 value is monitored to belong to the operation list, the information of the operation behavior of the application program is sent to the cloud server, so that the cloud server judges whether the application program is allowed to continue to operate or not according to a statistical rule;
receiving a judgment result sent by the cloud server, and processing the application program according to the judgment result;
the statistical rule is derived from statistics of the application program's running behaviour across a plurality of clients.
In the application detection method of this embodiment, the application program belonging to the white list in the client is monitored, for example, first, a program feature of the application program belonging to the white list during running is obtained, the program feature is sent to the cloud server, and then the cloud server determines whether the application program corresponding to the program feature in the client has a running list of running behaviors that need to be intercepted according to a preset rule, and if so, the running list is sent to the client, so that the client monitors the running of the application program currently belonging to the white list according to the running list, and thus, the running safety of the program in the client can be ensured, and the safety of the client can be ensured.
Fig. 2 is a schematic flow chart illustrating an application detection method according to an embodiment of the present invention, and as shown in fig. 2, the application detection method according to the embodiment is as follows.
201. Applications belonging to the white list are determined.
For example, the client may periodically collect legitimate programs and screen out program features and/or program behaviors of the legitimate programs; saving the program features and/or program behavior to generate a white list.
Specifically, a white list of legal programs is established in a database of the cloud server, a client collects program features and/or program behaviors of a program and sends the program features and/or program behaviors to the cloud server for query, and the cloud server can analyze and compare the program features and/or program behaviors in the white list, judge the program according to a comparison result and feed the program back to the client. For example, if the comparison is consistent, it is determined that the program may be an application program belonging to the whitelist.
Namely, the client intercepts the malicious program behaviors according to the judgment result, and terminates the execution of the malicious program.
It is understood that the white list in the database of the cloud server may be obtained by the technician periodically collecting the legitimate programs manually, by using a spider or web crawler, and/or by user upload. I.e. the program characteristics and/or program behavior of the legitimate program are screened manually or automatically by means of a tool and saved in a white list.
202. When the application program belonging to the white list runs, the MD5 value of the application program is obtained.
That is, when an application belonging to the white list is started in the client, the MD5 value of the application can be obtained.
203. And sending the obtained MD5 value of the application program and the system environment information of the client to a cloud server so that the cloud server searches for a preset rule matched with the system environment information, and determining an operation list of the application program corresponding to the MD5 value according to the searched preset rule.
In other embodiments, the obtained MD5 value of the application and the system environment information of the client may also be sent to the cloud server, so that the cloud server searches for a preset rule matching the system environment information, and determines information such as a running list of the application corresponding to the MD5 value and a risk level of the client according to the searched preset rule.
Generally, the risk level of the client may be determined by the cloud server according to the MD5 value of the program sent by the client and the system environment information, and if the risk level of the client is less than a preset security trust value, it may be directly determined that the program corresponding to the MD5 value belongs to a malicious program. The client can directly intercept all running behaviors of the program.
204. And receiving the running list of the application program sent by the cloud server.
For example, the run list may include interception information for at least one operational behaviour of the application.
In other embodiments, the step 204 may be: and receiving information such as the running list of the application program and the risk level of the client sent by the cloud server.
205. And monitoring the running of the application program corresponding to the MD5 value according to the running list.
For example, the running of an application in a client may include: process creation, thread creation, file read-write operations, registry write operations, stack operations, and/or thread injection operations, and the like.
In this embodiment, if the running behaviour of the application program corresponding to the MD5 value is found to belong to the running list, that behaviour is intercepted, or in other words the running behaviour of the application is prohibited: for example, the application's creation of a process, or its creation of a thread, is intercepted. The present embodiment is not limited in this respect, and the behaviours may be set according to actual needs.
In other embodiments, the running of the application corresponding to the MD5 value may also be monitored using the detection rule corresponding to the risk level of the client and the running list.
It can be understood that program detection rules corresponding to different risk levels are pre-stored in each client, and when the client learns the risk level of the client, the program detection rules corresponding to the risk levels are adopted to detect/monitor the running program in the client again.
The application detection method of this embodiment first determines an application program belonging to a white list in a client, and then monitors the application program belonging to the white list in the client, for example, first obtains an MD5 value when the application program belonging to the white list runs, and sends the MD5 value to a cloud server, and then the cloud server determines whether the application program corresponding to the MD5 value in the client has a running list of running behaviors that need to be intercepted according to a preset rule, and if so, sends the running list to the client, so that the client monitors the running of the application program currently belonging to the white list according to the running list, and further can ensure the safety of the running of the program in the client, and ensure the safety of the client.
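The client/cloud-server exchange of steps 201 to 205, as an added example that is not code from the patent or its applicant. The white list, the preset rules per system environment, the risk levels, the trust value, the reporting threshold of the statistical rule and the sample program image are all constructed here; the page names none of these values.

```python
"""Simulation of the client/cloud-server run-list exchange described in
steps 201-205. Added example, not code from the patent or its applicant:
the rule contents, risk levels, trust value, reporting threshold and the
sample program image are all constructed here for illustration."""
import hashlib
from collections import defaultdict

# Run-time behaviours the client can observe (the page's list in step 205).
BEHAVIOURS = {"process_create", "thread_create", "file_read", "file_write",
              "registry_write", "stack_op", "thread_inject"}

# Constructed: a client whose risk level is below this trust value has every
# behaviour of the program intercepted (page, step 203 discussion).
TRUST_VALUE = 3


def program_feature(content: bytes) -> str:
    """Static program feature: MD5 of the program image, as the page uses.
    SHA-1 or a CRC could be substituted, as the page also allows."""
    return hashlib.md5(content).hexdigest()


class CloudServer:
    """Holds the white list, preset rules per system environment and the
    cross-client statistical rule. All contents are constructed sample data."""

    def __init__(self, report_threshold: int = 3):
        self.whitelist = set()
        # preset rules: environment -> {feature: (run_list, risk_level)}
        self.rules = defaultdict(dict)
        self.report_threshold = report_threshold
        # statistical-rule state: (feature, behaviour) -> reporting client ids
        self.reports = defaultdict(set)

    def add_rule(self, env, feature, run_list, risk_level):
        self.whitelist.add(feature)
        self.rules[env][feature] = (frozenset(run_list), risk_level)

    def run_list_for(self, feature, env):
        """Steps 203-204: look up the rule matching the client's environment
        and return (run list, client risk level). With no matching rule the
        run list is empty and the client is treated as trusted."""
        return self.rules.get(env, {}).get(feature, (frozenset(), TRUST_VALUE))

    def judge(self, client_id, feature, behaviour) -> bool:
        """Statistical rule: once a behaviour has been reported by at least
        `report_threshold` distinct clients it is no longer allowed."""
        self.reports[(feature, behaviour)].add(client_id)
        return len(self.reports[(feature, behaviour)]) < self.report_threshold


class Client:
    """Client side: hashes the program at launch, fetches its run list and
    decides per observed behaviour. `consult_server` selects the second
    variant of step 205, where the server's statistical rule decides."""

    def __init__(self, client_id, env, server, consult_server=False):
        self.id, self.env, self.server = client_id, env, server
        self.consult_server = consult_server
        self.feature, self.run_list, self.risk = None, frozenset(), TRUST_VALUE

    def on_launch(self, content: bytes):
        """Steps 201-204. Returns the program feature, or None when the
        program is not white-listed (such programs follow other handling)."""
        feature = program_feature(content)
        if feature not in self.server.whitelist:
            return None
        self.feature = feature
        self.run_list, self.risk = self.server.run_list_for(feature, self.env)
        return feature

    def on_behaviour(self, behaviour: str) -> str:
        """Step 205: return 'allow' or 'intercept' for one observed behaviour."""
        if behaviour not in BEHAVIOURS:
            raise ValueError(f"unknown behaviour {behaviour!r}")
        if self.risk < TRUST_VALUE:          # low-trust client: block everything
            return "intercept"
        if behaviour not in self.run_list:    # not on the run list: let it run
            return "allow"
        if not self.consult_server:           # first variant: intercept locally
            return "intercept"
        allowed = self.server.judge(self.id, self.feature, behaviour)
        return "allow" if allowed else "intercept"


if __name__ == "__main__":
    server = CloudServer(report_threshold=2)
    image = b"constructed sample program image"          # stands in for a file
    feat = program_feature(image)
    server.add_rule("win7_x86", feat, {"thread_inject", "registry_write"}, 5)
    c1 = Client("c1", "win7_x86", server)
    c1.on_launch(image)
    print(c1.on_behaviour("file_write"), c1.on_behaviour("thread_inject"))
```

The environment key lets the same program feature carry different run lists on different client platforms, which is the point of sending the system environment information alongside the hash.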
Fig. 3 is a schematic structural diagram of an application detection apparatus according to an embodiment of the present invention, and as shown in fig. 3, the application detection apparatus according to the embodiment includes: a program feature acquisition unit 31, a run list acquisition unit 32, and a monitoring unit 33;
the program feature acquiring unit 31 is configured to acquire a program feature of an application program belonging to a white list when the application program runs;
a run list acquisition unit 32 configured to acquire a run list of application programs corresponding to the program features according to the program features;
and a monitoring unit 33, configured to monitor, according to the running list, running of the application program corresponding to the program feature.
For example, the run list here may include: intercepting information of at least one running behavior of the application program;
correspondingly, the monitoring unit 33 may be specifically configured to, when it is monitored that the operation behavior of the application corresponding to the program feature belongs to the operation list, intercept the operation behavior of the application;
or, the monitoring unit 33 may be specifically configured to, when it is monitored that the operation behavior of the application program corresponding to the program feature belongs to the operation list, send information of the operation behavior of the application program to the cloud server, so that the cloud server determines whether to allow the application program to continue to operate according to a statistical rule;
receiving a judgment result sent by the cloud server, and processing the application program according to the judgment result;
the statistical rule is derived from statistics of the application program's running behaviour across a plurality of clients.
In a possible implementation manner, the foregoing run list acquiring unit 32 may be specifically configured to send the program feature of the application program acquired by the program feature acquiring unit to the server, so that the server determines the run list of the application program corresponding to the program feature according to a preset rule;
in another possible implementation manner, the run list obtaining unit 32 is specifically configured to:
and sending the acquired program characteristics of the application program and the system environment information of the client to a cloud server so that the cloud server searches for a preset rule matched with the system environment information, and determining an operation list of the application program corresponding to the program characteristics according to the searched preset rule.
In another possible implementation manner, the run list obtaining unit 32 may be further specifically configured to send the obtained program feature of the application program and the system environment information of the client to a cloud server, so that the cloud server searches for a preset rule matched with the system environment information, and determines the run list of the application program corresponding to the program feature and the risk level of the client according to the searched preset rule;
correspondingly, the run list obtaining unit 32 is further configured to receive the run list of the application program and the risk level of the client sent by the cloud server;
the monitoring unit 33 may be specifically configured to monitor the running of the application program corresponding to the program feature by using the detection rule corresponding to the risk level of the client and the running list.
The monitoring unit 33 is specifically configured to:
intercepting the operation behavior of the application program when the operation behavior of the application program corresponding to the program characteristics is monitored to belong to the operation list;
or,
when the running behavior of the application program corresponding to the program characteristics is monitored to belong to the running list, sending the information of the running behavior of the application program to the server so that the server judges whether the application program is allowed to continue to run or not according to a statistical rule;
receiving a judgment result sent by the server, and processing the application program according to the judgment result;
wherein the run list includes: interception information for at least one running behaviour of the application program;
the statistical rule is derived from statistics of the application program's running behaviour across a plurality of clients.
In addition, the application detection apparatus of the present embodiment may execute the aforementioned processes in the method embodiments shown in fig. 1 to fig. 2, and the present embodiment is not described in detail herein.
The application program detection device of this embodiment first obtains, through the program feature obtaining unit, the program characteristics of the white-listed application program when it runs, and sends them to the cloud server through the sending unit, so that the cloud server determines according to the preset rules whether the application program corresponding to those characteristics in the client has a running list of running behaviours that need to be intercepted, and if so sends the running list to the client; the monitoring unit then monitors the running of the currently white-listed application program according to the running list received by the receiving unit. The safety of program running in the client is thereby further ensured, the running safety of the client is ensured, and the customer experience is improved.
The embodiment of the invention also comprises the following steps:
a1, an application program detection device, comprising:
the program feature acquisition unit is used for acquiring the program features of the application program when the application program belonging to the white list runs;
the running list acquiring unit is used for acquiring a running list of the application program corresponding to the program characteristics according to the program characteristics;
and the monitoring unit is used for monitoring the running of the application program corresponding to the program characteristics according to the running list.
A2, the apparatus of A1, the running list acquiring unit being configured to:
send the program characteristics of the application program acquired by the program feature acquisition unit to a server so that the server determines a running list of the application program corresponding to the program characteristics according to a preset rule;
and receive the running list of the application program sent by the server.
A3, the apparatus of A1, the running list acquiring unit being configured to:
send the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matching the system environment information and determines, according to the preset rule found, a running list of the application program corresponding to the program characteristics.
A4, the apparatus of A1, the running list acquiring unit being configured to:
send the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matching the system environment information and determines, according to the preset rule found, a running list of the application program corresponding to the program characteristics and the risk level of the client.
A5, the apparatus of A4, the running list acquiring unit being configured to:
receive the running list of the application program and the risk level of the client sent by the server;
the monitoring unit being specifically configured to:
monitor the running of the application program corresponding to the program characteristics using the detection rule corresponding to the risk level of the client together with the running list.
A6, the apparatus of A1, the monitoring unit being specifically configured to:
intercept a running behavior of the application program when that running behavior of the application program corresponding to the program characteristics is monitored to belong to the running list;
or,
when a running behavior of the application program corresponding to the program characteristics is monitored to belong to the running list, send information on that running behavior to the server so that the server judges, according to a statistical rule, whether the application program is allowed to continue running;
receive the judgment result sent by the server, and process the application program according to the judgment result;
wherein the running list includes interception information for at least one running behavior of the application program;
and the statistical rule is derived from statistics of the application program's running behavior across a plurality of clients.
B7, a method for detecting an application, comprising:
when an application program belonging to the white list runs, acquiring program characteristics of the application program;
acquiring, according to the program characteristics, a running list of the application program corresponding to the program characteristics;
and monitoring the running of the application program corresponding to the program characteristics according to the running list.
B8, the method of B7, wherein acquiring the running list of the application program corresponding to the program characteristics according to the program characteristics comprises:
sending the acquired program characteristics of the application program to a server so that the server determines a running list of the application program corresponding to the program characteristics according to a preset rule;
and before monitoring the running of the application program corresponding to the program characteristics according to the running list, the method further includes:
receiving the running list of the application program sent by the server.
B9, the method of B7, wherein acquiring the running list of the application program corresponding to the program characteristics according to the program characteristics comprises:
sending the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matching the system environment information and determines, according to the preset rule found, a running list of the application program corresponding to the program characteristics.
B10, the method of B7, wherein acquiring the running list of the application program corresponding to the program characteristics according to the program characteristics comprises:
sending the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matching the system environment information and determines, according to the preset rule found, a running list of the application program corresponding to the program characteristics and the risk level of the client.
B11, the method of B10, wherein receiving the running list of the application program sent by the server includes:
receiving the running list of the application program and the risk level of the client sent by the server;
and correspondingly, monitoring the running of the application program corresponding to the program characteristics according to the running list includes:
monitoring the running of the application program corresponding to the program characteristics using the detection rule corresponding to the risk level of the client together with the running list.
B12, the method of B7, wherein the running list includes interception information for at least one running behavior of the application program, and monitoring the running of the application program corresponding to the program characteristics according to the running list comprises:
intercepting a running behavior of the application program when that running behavior of the application program corresponding to the program characteristics belongs to the running list;
or,
when a running behavior of the application program corresponding to the program characteristics belongs to the running list, sending information on that running behavior to the server so that the server judges, according to a statistical rule, whether the application program is allowed to continue running;
receiving the judgment result sent by the server, and processing the application program according to the judgment result;
wherein the statistical rule is derived from statistics of the application program's running behavior across a plurality of clients.
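To make the client/server procedure of A1 to A6 and B7 to B12 (restated again in the claims below) concrete, here is an added Python simulation of the whole exchange. It is example code written for this page, not the patent's or the applicant's implementation. It assumes a SHA-256 digest of the program image as the program feature, an exact-match lookup of the client's system environment string in the server's preset rules, a detection rule in which high-risk clients intercept listed behaviors locally while other clients refer them to the server, and a statistical rule that allows a listed behavior once at least three distinct clients have reported it for the same program. All rule data, environment names, behavior names and the sample binary are constructed.

```python
"""Added example: cloud-assisted monitoring of a whitelisted program.

Not the patent's code. Program features, environments, behaviors and the
sample binary are constructed placeholders.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed stand-in for a whitelisted executable image (not a real PE file).
CONSTRUCTED_BINARY = b"MZ\x90\x00 constructed whitelisted sample"


def program_feature(binary: bytes) -> str:
    """Client side: the program feature, assumed here to be a SHA-256 digest of the image."""
    return "sha256:" + hashlib.sha256(binary).hexdigest()


APP_FEATURE = program_feature(CONSTRUCTED_BINARY)

# Server side: preset rules keyed by system environment, then by program feature.
# Each rule carries the running list (behaviors to intercept) and the client's risk level.
PRESET_RULES = {
    "windows-7-x86": {
        APP_FEATURE: {"running_list": ["inject_into_process", "modify_hosts_file"],
                      "risk_level": "high"},
    },
    "windows-10-x64": {
        APP_FEATURE: {"running_list": ["modify_hosts_file"], "risk_level": "medium"},
    },
}
NO_RULE = {"running_list": [], "risk_level": "low"}  # fallback when nothing matches

# Statistical rule (assumption): a listed behavior already reported by this many distinct
# clients for the same program is treated as its normal behavior and allowed.
MIN_CLIENTS_FOR_ALLOW = 3


@dataclass
class Server:
    rules: dict
    # (feature, behavior) -> ids of the clients that reported it
    reports: dict = field(default_factory=lambda: defaultdict(set))

    def running_list(self, feature: str, env: str) -> tuple[list[str], str]:
        """Find the preset rule matching the client's environment (A3/A4, B9/B10)."""
        rule = self.rules.get(env, {}).get(feature, NO_RULE)
        return list(rule["running_list"]), rule["risk_level"]

    def judge(self, client_id: str, feature: str, behavior: str) -> str:
        """Statistical rule over behavior reports from many clients (A6, B12)."""
        reporters = self.reports[(feature, behavior)]
        reporters.add(client_id)
        return "allow" if len(reporters) >= MIN_CLIENTS_FOR_ALLOW else "block"


@dataclass
class Client:
    client_id: str
    env: str
    server: Server
    feature: str = ""
    running_list: list[str] = field(default_factory=list)
    risk_level: str = "low"

    def on_whitelisted_start(self, binary: bytes) -> None:
        """When a whitelisted program starts: take its feature, fetch list and risk level."""
        self.feature = program_feature(binary)
        self.running_list, self.risk_level = self.server.running_list(self.feature, self.env)

    def monitor(self, behavior: str) -> str:
        """Handle one observed behavior of the program and return the action taken."""
        if behavior not in self.running_list:
            return "allowed"
        # Detection rule per risk level (assumption): high-risk clients intercept locally,
        # the others send the behavior to the server and follow its judgment.
        if self.risk_level == "high":
            return "intercepted"
        verdict = self.server.judge(self.client_id, self.feature, behavior)
        return "allowed_by_server" if verdict == "allow" else "blocked_by_server"


def demo() -> list[tuple[str, str, str]]:
    """Constructed scenario; returns (client id, behavior, action) triples."""
    server = Server(PRESET_RULES)
    trace: list[tuple[str, str, str]] = []
    high = Client("desk-01", "windows-7-x86", server)
    high.on_whitelisted_start(CONSTRUCTED_BINARY)
    for behavior in ("read_registry", "inject_into_process"):
        trace.append((high.client_id, behavior, high.monitor(behavior)))
    for n in range(4):  # four medium-risk clients report the same listed behavior
        c = Client(f"lap-{n:02d}", "windows-10-x64", server)
        c.on_whitelisted_start(CONSTRUCTED_BINARY)
        trace.append((c.client_id, "modify_hosts_file", c.monitor("modify_hosts_file")))
    return trace


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

Running the module prints the trace returned by `demo()`: the high-risk client intercepts `inject_into_process` locally and lets `read_registry` through because it is not on its running list, while the medium-risk clients see `modify_hosts_file` blocked until the behavior has been reported from three distinct clients. A client whose environment has no matching preset rule receives an empty running list and a low risk level, so nothing is intercepted there; a real deployment has to choose that fallback deliberately rather than inherit it.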
The invention is explained using a Windows system as an example, but the method is not limited to it and may also be used in operating systems such as iOS and Android.
In the description of the present invention, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the devices in an embodiment may be adaptively changed and placed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in a device of a browser terminal according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second, third, et cetera does not indicate any ordering. These words may be interpreted as names.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.
Claims (10)
1. An application detection apparatus, comprising:
the program feature acquisition unit is used for acquiring the program features of the application program when the application program belonging to the white list runs;
the running list acquiring unit is used for acquiring a running list of the application program corresponding to the program characteristics according to the program characteristics;
and the monitoring unit is used for monitoring the running of the application program corresponding to the program characteristics according to the running list.
2. The apparatus according to claim 1, wherein the running list acquiring unit is specifically configured to:
send the program characteristics of the application program acquired by the program feature acquisition unit to a server so that the server determines a running list of the application program corresponding to the program characteristics according to a preset rule;
and receive the running list of the application program sent by the server.
3. The apparatus according to claim 1, wherein the running list acquiring unit is specifically configured to:
send the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matching the system environment information and determines, according to the preset rule found, a running list of the application program corresponding to the program characteristics.
4. The apparatus according to claim 1, wherein the running list acquiring unit is specifically configured to:
send the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matching the system environment information and determines, according to the preset rule found, a running list of the application program corresponding to the program characteristics and the risk level of the client.
5. The apparatus according to claim 4, wherein the running list acquiring unit is specifically configured to:
receive the running list of the application program and the risk level of the client sent by the server;
and the monitoring unit is specifically configured to:
monitor the running of the application program corresponding to the program characteristics using the detection rule corresponding to the risk level of the client together with the running list.
6. An application detection method, comprising:
when an application program belonging to the white list runs, acquiring program characteristics of the application program;
acquiring, according to the program characteristics, a running list of the application program corresponding to the program characteristics;
and monitoring the running of the application program corresponding to the program characteristics according to the running list.
7. The method of claim 6, wherein acquiring the running list of the application program corresponding to the program characteristics according to the program characteristics comprises:
sending the acquired program characteristics of the application program to a server so that the server determines a running list of the application program corresponding to the program characteristics according to a preset rule;
and before monitoring the running of the application program corresponding to the program characteristics according to the running list, the method further includes:
receiving the running list of the application program sent by the server.
8. The method of claim 6, wherein acquiring the running list of the application program corresponding to the program characteristics according to the program characteristics comprises:
sending the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matching the system environment information and determines, according to the preset rule found, a running list of the application program corresponding to the program characteristics.
9. The method of claim 6, wherein acquiring the running list of the application program corresponding to the program characteristics according to the program characteristics comprises:
sending the acquired program characteristics of the application program and the system environment information of the client to a server so that the server searches for a preset rule matching the system environment information and determines, according to the preset rule found, a running list of the application program corresponding to the program characteristics and the risk level of the client.
10. The method of claim 9, wherein receiving the running list of the application program sent by the server includes:
receiving the running list of the application program and the risk level of the client sent by the server;
and correspondingly, monitoring the running of the application program corresponding to the program characteristics according to the running list includes:
monitoring the running of the application program corresponding to the program characteristics using the detection rule corresponding to the risk level of the client together with the running list.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410831931.6A CN105791250B (en) | 2014-12-26 | 2014-12-26 | Application program detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105791250A true CN105791250A (en) | 2016-07-20 |
CN105791250B CN105791250B (en) | 2020-10-02 |
Family
ID=56389650
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410831931.6A Active CN105791250B (en) | 2014-12-26 | 2014-12-26 | Application program detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105791250B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106126310A (en) * | 2016-08-18 | 2016-11-16 | 北京奇虎科技有限公司 | Method, device and the terminal that the installation of application program is optimized |
CN107330332A (en) * | 2017-05-23 | 2017-11-07 | 成都联宇云安科技有限公司 | A kind of leak detection method for Android mobile phone APP |
CN108345525A (en) * | 2017-01-23 | 2018-07-31 | 新谊整合科技股份有限公司 | Computer program management method and system |
CN108668002A (en) * | 2017-10-12 | 2018-10-16 | 湖南红手指信息技术有限公司 | A kind of application method for down loading of cloud mobile phone |
CN109190366A (en) * | 2018-09-14 | 2019-01-11 | 郑州云海信息技术有限公司 | A kind of program processing method and relevant apparatus |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090313699A1 (en) * | 2008-06-17 | 2009-12-17 | Jang In Sook | Apparatus and method for preventing anomaly of application program |
CN103281325A (en) * | 2013-06-04 | 2013-09-04 | 北京奇虎科技有限公司 | Method and device for processing file based on cloud security |
CN103839003A (en) * | 2012-11-22 | 2014-06-04 | 腾讯科技(深圳)有限公司 | Malicious file detection method and device |
CN104239791A (en) * | 2013-06-18 | 2014-12-24 | 李卷孺 | Anti-virus system and method of Android system and equipment with anti-virus system |
- 2014-12-26: CN application CN201410831931.6A, granted as patent CN105791250B, status Active
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106126310A (en) * | 2016-08-18 | 2016-11-16 | 北京奇虎科技有限公司 | Method, device and the terminal that the installation of application program is optimized |
CN106126310B (en) * | 2016-08-18 | 2019-08-20 | 北京奇虎科技有限公司 | The method, apparatus and terminal that the installation of application program is optimized |
CN108345525A (en) * | 2017-01-23 | 2018-07-31 | 新谊整合科技股份有限公司 | Computer program management method and system |
CN107330332A (en) * | 2017-05-23 | 2017-11-07 | 成都联宇云安科技有限公司 | A kind of leak detection method for Android mobile phone APP |
CN108668002A (en) * | 2017-10-12 | 2018-10-16 | 湖南红手指信息技术有限公司 | A kind of application method for down loading of cloud mobile phone |
CN108668002B (en) * | 2017-10-12 | 2020-04-24 | 湖南微算互联信息技术有限公司 | Application downloading method of cloud mobile phone |
CN109190366A (en) * | 2018-09-14 | 2019-01-11 | 郑州云海信息技术有限公司 | A kind of program processing method and relevant apparatus |
CN109190366B (en) * | 2018-09-14 | 2021-11-19 | 郑州云海信息技术有限公司 | Program processing method and related device |
Also Published As
Publication number | Publication date |
---|---|
CN105791250B (en) | 2020-10-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10581879B1 (en) | | Enhanced malware detection for generated objects |
US9519779B2 (en) | | Methods and apparatus for control and detection of malicious content using a sandbox environment |
RU2698776C2 (en) | | Method of maintaining database and corresponding server |
US9679136B2 (en) | | Method and system for discrete stateful behavioral analysis |
US10055585B2 (en) | | Hardware and software execution profiling |
RU2487405C1 (en) | | System and method for correcting antivirus records |
KR101265173B1 (en) | | Apparatus and method for inspecting non-portable executable files |
JP5793764B2 (en) | | Method and apparatus for reducing false detection of malware |
US8042186B1 (en) | | System and method for detection of complex malware |
JP5507176B2 (en) | | Method and apparatus for measuring software reliability |
CN103390130B (en) | | Based on the method for the rogue program killing of cloud security, device and server |
US20140053267A1 (en) | | Method for identifying malicious executables |
KR102271545B1 (en) | | Systems and Methods for Domain Generation Algorithm (DGA) Malware Detection |
US20170061126A1 (en) | | Process Launch, Monitoring and Execution Control |
EP2515250A1 (en) | | System and method for detection of complex malware |
US10783246B2 (en) | | Comparing structural information of a snapshot of system memory |
CN105791250B (en) | | Application program detection method and device |
CN107330328B (en) | | Method and device for defending against virus attack and server |
KR20150124370A (en) | | Method, apparatus and system for detecting malicious process behavior |
CN102982284A (en) | | Scanning equipment, cloud management equipment and method and system used for malicious program checking and killing |
JP6000465B2 (en) | | Process inspection apparatus, process inspection program, and process inspection method |
JP2013508823A (en) | | Malware detection and response to malware using link files |
WO2014082599A1 (en) | | Scanning device, cloud management device, method and system for checking and killing malicious programs |
JP5326063B1 (en) | | Malicious shellcode detection apparatus and method using debug events |
CN102984134B (en) | | Safety defense system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| 2022-08-19 | TR01 | Transfer of patent right | Effective date of registration: 20220819. Address after: No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science and Technology Park, High-tech Zone, Binhai New District, Tianjin 300000. Patentee after: 3600 Technology Group Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park). Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd. |