CN106650439A - Suspicious application program detection method and device - Google Patents
- Publication number: CN106650439A (application number CN201610875626.6A)
- Authority: CN (China)
- Prior art keywords: domain name, application program, measured, blacklist, application
- Legal status: Pending (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Abstract
The invention discloses a method and device for detecting suspicious application programs, relates to the field of internet technology, and aims to solve the problem of how to effectively detect suspicious applications among a mass of unknown applications. The method mainly comprises: obtaining an application under test and the domain name accessed by the application under test; judging, according to a preset blacklist, whether the domain name is a malicious domain name or a suspicious domain name; and, if the domain name is a malicious or suspicious domain name and the applications under test corresponding to that domain name are applied to at least two operating systems, determining the applications under test corresponding to the domain name to be suspicious applications. The method and device are mainly suited to detecting cross-platform suspicious applications.
Description
Technical field
The present invention relates to the field of internet technology, and in particular to a method and device for detecting suspicious application programs.
Background technology
With the rapid development of the internet, application programs for the various platforms are growing in both type and quantity. Among this mass of applications, however, there are also malicious programs. Malicious programs, also called viruses, can damage or steal files on a terminal, or even take remote control of the terminal. Ensuring internet security is therefore extremely important.
When security detection is performed on applications today, each application under test is usually first matched against a preset program blacklist. If the match succeeds, the application is classified as a malicious application; if it fails, the application is directly classified as a normal application. During day-to-day monitoring of applications, however, the inventors found that in practice, when hackers develop an application with a certain malicious function, they often write several versions at the same time and deploy them separately on different platforms so as to cause diversified damage. As a result, when only one of several applications with the same or similar malicious function has been added to the preset program blacklist and the others have not, the existing detection method classifies the others directly as normal applications and performs no virus scanning and removal on them, which gives hackers the opportunity to use these applications to seriously harm users' interests. How to effectively detect suspicious applications among a mass of unknown applications is therefore a problem in urgent need of a solution.
The content of the invention
In view of this, the present invention provides a method and device for detecting suspicious application programs, with the aim of solving the problem of how to effectively detect suspicious applications among a mass of unknown applications.
In one aspect, the invention provides a method for detecting suspicious application programs, the method comprising:
obtaining an application under test and the domain name accessed by the application under test;
judging, according to a preset blacklist, whether the domain name is a malicious domain name or a suspicious domain name;
if the domain name is a malicious domain name or a suspicious domain name, and the applications under test corresponding to the domain name are applied to at least two operating systems, determining the applications under test corresponding to the domain name to be suspicious applications.
In another aspect, the invention provides a device for detecting suspicious application programs, the device comprising:
an acquiring unit, configured to obtain an application under test and the domain name accessed by the application under test;
a judging unit, configured to judge, according to a preset blacklist, whether the domain name obtained by the acquiring unit is a malicious domain name or a suspicious domain name;
a determining unit, configured, when the judging unit judges that the domain name is a malicious domain name or a suspicious domain name and the applications under test corresponding to the domain name are applied to at least two operating systems, to determine the applications under test corresponding to the domain name to be suspicious applications.
With the method and device for detecting suspicious applications provided by the above technical solution, after obtaining the applications under test and the domain names they access, the invention judges, according to a preset blacklist, whether each domain name is a malicious or suspicious domain name. When a domain name is determined to be malicious or suspicious, and the applications under test corresponding to it are applied to at least two operating systems, it can be concluded that applications under different operating systems are accessing the same malicious or suspicious server, and hence that the server is very likely using different applications to damage or steal files on terminals running different operating systems at the same time. All applications under test corresponding to that domain name are then determined to be suspicious applications, so that they can be confirmed a second time by virus scanning and removal. Compared with the prior art, which examines each application in isolation, the invention detects the applications under multiple operating systems together and identifies the suspicious applications hidden among them, thereby improving the effectiveness of detecting suspicious applications.
The above is only a summary of the technical solution of the invention. So that the technical means of the invention may be better understood and carried out according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a method for detecting suspicious application programs provided by an embodiment of the invention;
Fig. 2 shows a block diagram of a device for detecting suspicious application programs provided by an embodiment of the invention;
Fig. 3 shows a block diagram of another device for detecting suspicious application programs provided by an embodiment of the invention.
Specific embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed completely to those skilled in the art.
An embodiment of the invention provides a method for detecting suspicious application programs. As shown in Fig. 1, the method mainly comprises:
101. Obtain an application under test and the domain name accessed by the application under test.
The application under test is an unknown application. After each unknown application installed on terminals running the various operating systems has been obtained, in order to prevent these unknown applications from threatening the terminals, each unknown application and the domain name of the server accessed by each unknown application can be obtained, so that the domain name can later be used to judge whether the corresponding unknown application is a suspicious application.
In practice, the domain name of the server accessed by the application under test can be obtained as follows: obtain the log information of the application under test; parse the log information to obtain the domain name accessed by the application under test.
The security detection device can obtain, from each terminal on which the application under test is installed, the log information the application produced while running, then parse the log information record by record and extract from it the domain name accessed by the application under test.
102. According to a preset blacklist, judge whether the domain name is a malicious domain name or a suspicious domain name.
In practice, the security detection device can store each virus it has removed in a virus database, store each malicious application in a preset program blacklist, and store the domain name of each malicious server in a preset domain-name blacklist. It then detects malicious programs according to the preset program blacklist and the preset domain-name blacklist, and performs virus scanning and removal on the detected malicious programs according to the virus database.
The preset blacklist in this step comprises the preset domain-name blacklist and the preset program blacklist. After the security detection device has obtained each application under test and the domain name it accesses, it can first group the applications under test by domain name, so that applications under test corresponding to the same domain name fall into the same class. It then judges, according to the preset domain-name blacklist, whether each domain name is a malicious domain name and, if a domain name is not a malicious domain name, judges further according to the preset program blacklist whether it is a suspicious domain name, so that the result for the domain name can then be used to decide whether the corresponding applications under test are suspicious applications.
103. If the domain name is a malicious domain name or a suspicious domain name, and the applications under test corresponding to the domain name are applied to at least two operating systems, determine the applications under test corresponding to the domain name to be suspicious applications.
Because hackers, when developing an application with a certain malicious function, often write malicious applications in several versions at the same time and deploy them separately on different platforms so as to cause diversified damage, when the security detection device determines that a domain name is malicious or suspicious it first needs to judge whether the applications under test corresponding to that domain name are applied to at least two operating systems. If they are, it is very likely that a hacker is using the same malicious or suspicious server to damage or steal files on terminals running different operating systems. All applications under test corresponding to the domain name can therefore be determined to be suspicious applications, so that subsequent virus scanning and removal can focus on them.
For example, if domain name 1 is a malicious domain name, and the applications under test corresponding to it are application 1 under the Windows operating system, application 2 under the Android operating system and application 3 under the Linux operating system, then application 1, application 2 and application 3 can all be determined to be suspicious applications.
It should be added that when the preset program blacklist contains a malicious application that accessed a certain domain name, if there is only one application under test corresponding to that domain name, and the operating system that application under test is applied to differs from that of the malicious application, it is very likely that a hacker is using the malicious application and the application under test to steal or damage files on terminals running different operating systems at the same time. The application under test can therefore be determined directly to be a suspicious application.
With the method for detecting suspicious applications provided by the embodiment of the invention, after obtaining the applications under test and the domain names they access, the security detection device judges, according to a preset blacklist, whether each domain name is a malicious or suspicious domain name. When a domain name is determined to be malicious or suspicious, and the applications under test corresponding to it are applied to at least two operating systems, it can be concluded that applications under different operating systems are accessing the same malicious or suspicious server, and hence that the server is very likely using different applications to damage or steal files on terminals running different operating systems at the same time. All applications under test corresponding to that domain name are then determined to be suspicious applications, so that they can be confirmed a second time by virus scanning and removal. Compared with the prior art, which examines each application in isolation, the invention detects the applications under multiple operating systems together and identifies the suspicious applications hidden among them, thereby improving the effectiveness of detecting suspicious applications.
Further, step 102 above can be refined into the following steps a to d:
a. Match the domain name against the preset domain-name blacklist.
b. If the domain name is in the preset domain-name blacklist, determine the domain name to be a malicious domain name.
c. If the domain name is not in the preset domain-name blacklist, look up whether the preset program blacklist contains a malicious application that accessed the domain name.
In practice, if some malicious application accessed a certain domain name, the server corresponding to that domain name is very likely a malicious server that damages or steals terminal files. Therefore, after determining that the domain name is not in the preset domain-name blacklist, the security detection device can use the preset program blacklist to determine whether a malicious application has ever accessed the domain name, and, on learning that one has, determine the domain name to be a suspicious domain name.
Because the domain names in the preset domain-name whitelist are safe domain names, applications that access a domain name in the preset domain-name whitelist are usually safe applications. To improve the efficiency of detecting suspicious applications, when the security detection device determines whether a domain name is malicious or suspicious, it can first judge whether the domain name is a safe domain name, and only if it is not proceed to judge it with the preset domain-name blacklist and the preset program blacklist. Specifically, the security detection device can first look up whether the domain name is in the preset domain-name whitelist. If it is, the domain name is determined to be a safe domain name and the applications under test corresponding to it are determined to be safe applications. If it is not, the security detection device proceeds with the matching against the preset domain-name blacklist and the lookup in the preset program blacklist described in steps a to d.
Furthermore, because the applications in the preset program whitelist are safe applications, the domain name of a server accessed by an application in the preset program whitelist is a safe domain name, so the other applications that access that domain name are likewise safe applications. Therefore, to further improve the efficiency of detecting suspicious applications, after determining that a domain name is not in the preset domain-name whitelist, the security detection device can directly judge whether the applications under test corresponding to that domain name are in the preset program whitelist. If any application under test corresponding to the domain name is in the preset program whitelist, all applications under test corresponding to that domain name are directly determined to be safe applications.
d. If the preset program blacklist contains a malicious application that accessed the domain name, determine the domain name to be a suspicious domain name.
When the security detection device finds in the preset program blacklist a malicious application that accessed a certain domain name, it can infer that the server corresponding to that domain name may exhibit malicious behaviour such as damaging or stealing terminal files, and can therefore determine the domain name to be a suspicious domain name.
Further, when an application under test has been determined to be a suspicious application, and the domain name it accesses is the same as a domain name accessed by some malicious application in the preset program blacklist, the suspicious application is very likely the same or a similar malicious program as that malicious application, applied to a different operating system. To determine whether the suspicious application is in fact a malicious application, the security detection device can analyze the malicious application together with the suspicious application and judge from that analysis whether the suspicious application is a malicious application.
Further, in practice, widely distributed applications are usually subjected to detection by a variety of security detection systems, and once a virus is detected it is quickly removed. But applications aimed at a particular group, a particular department or even a single individual are not easily discovered or reported by users even when they carry a virus. Malicious applications are therefore often found among unknown applications with a relatively low query count. To improve the efficiency of identifying suspicious applications, obtaining the application under test in step 101 above can be implemented as: obtain the query count of an unknown application; if the query count of the unknown application is below a preset query-count threshold, determine the unknown application to be an application under test.
Further, because in practice signed applications are usually safe applications, in order to further improve the efficiency of identifying suspicious applications, after the applications with a query count below the preset query-count threshold have been filtered out of the unknown applications, it can additionally be judged whether each of these low-query-count unknown applications carries a signature. If an unknown application is unsigned, it is determined to be an application under test.
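The steps above (101 to 103, their refinement into steps a to d with the whitelist shortcuts, the single-application rule, and the query-count and signature pre-filters) can be run as one pass over parsed log records. The following Python is an added illustration for this page, not code from the patent or its applicant. The log line format, the contents of the preset lists, the application and domain names (`.test` placeholders), the query-count threshold of 100 and the `unknown` verdict for applications the method does not flag are all assumptions constructed for the example.

```python
"""Added illustration of the patent's cross-platform suspicious-app check.
Not the applicant's code: the log format, list contents, names and the
threshold below are assumptions constructed for this example."""
from collections import defaultdict

# Constructed sample log, one record per run: app_id os signed queries domain
SAMPLE_LOG = """\
app1 windows no 12 update.example-bad.test
app2 android no 7 update.example-bad.test
app3 linux no 3 update.example-bad.test
app4 android no 5 cdn.example-good.test
app5 windows yes 2 telemetry.example-odd.test
app6 macos no 4 telemetry.example-odd.test
app7 windows no 900 telemetry.example-odd.test
app8 android no 1 lone.example-odd.test
app9 windows no 6 misc.example-unknown.test
app10 android no 6 misc.example-unknown.test
app11 windows no 2 static.example-vendor.test
app12 linux no 2 static.example-vendor.test
"""

# Assumed preset lists (step 102 / steps a-d and the whitelist shortcuts).
DOMAIN_WHITELIST = {"cdn.example-good.test"}
DOMAIN_BLACKLIST = {"update.example-bad.test"}
PROGRAM_WHITELIST = {"app11"}
# Program blacklist: known malicious app -> (its OS, domains it was seen accessing)
PROGRAM_BLACKLIST = {
    "mal1": ("windows", {"telemetry.example-odd.test"}),
    "mal2": ("android", {"lone.example-odd.test"}),
}
QUERY_THRESHOLD = 100  # A6: only low-query-count unknown apps are examined


def parse_log(text):
    """Step 101 / A8: parse the log records into dicts."""
    records = []
    for line in text.splitlines():
        app, os_name, signed, queries, domain = line.split()
        records.append({"app": app, "os": os_name, "signed": signed == "yes",
                        "queries": int(queries), "domain": domain.lower().rstrip(".")})
    return records


def select_candidates(records):
    """A6/A7: an unknown app becomes an application under test only if its
    query count is below the threshold and it carries no signature."""
    return [r for r in records
            if r["queries"] < QUERY_THRESHOLD and not r["signed"]]


def classify_domain(domain, app_ids=()):
    """Whitelist shortcuts, then steps a-d: 'safe', 'malicious',
    'suspicious' or 'unknown'."""
    if domain in DOMAIN_WHITELIST:
        return "safe"
    if any(a in PROGRAM_WHITELIST for a in app_ids):
        return "safe"                      # a whitelisted app vouches for the domain
    if domain in DOMAIN_BLACKLIST:
        return "malicious"                 # step b
    if any(domain in doms for _, doms in PROGRAM_BLACKLIST.values()):
        return "suspicious"                # steps c-d
    return "unknown"


def detect(records):
    """Step 103 plus the single-app rule (A3). Returns {app_id: verdict}."""
    by_domain = defaultdict(list)          # group applications under test by domain
    for r in select_candidates(records):
        by_domain[r["domain"]].append(r)
    verdicts = {}
    for domain, apps in by_domain.items():
        verdict = classify_domain(domain, [a["app"] for a in apps])
        if verdict in ("safe", "unknown"):
            for a in apps:
                verdicts[a["app"]] = verdict
            continue
        os_set = {a["os"] for a in apps}
        if len(os_set) >= 2:
            flag = True                    # same bad server reached from >= 2 OSes
        elif len(apps) == 1 and verdict == "suspicious":
            # A3: a lone app, but a known malicious app on a *different* OS
            # used the same domain -> treat it as a cross-platform sibling
            mal_os = {o for o, doms in PROGRAM_BLACKLIST.values() if domain in doms}
            flag = apps[0]["os"] not in mal_os
        else:
            flag = False                   # the method does not flag this case
        for a in apps:
            verdicts[a["app"]] = "suspicious" if flag else "unknown"
    return verdicts


if __name__ == "__main__":
    for app, verdict in sorted(detect(parse_log(SAMPLE_LOG)).items()):
        print(app, verdict)
```

Running it flags app1 to app3 (blacklisted domain reached from three operating systems) and app6 (a lone macOS application on a domain that a blacklisted Windows application also used), leaves app8 and the cross-platform but unlisted misc domain as unknown, and clears the whitelisted cases. Two points a practitioner should keep in mind when building on this: the signature filter, as the patent describes it, tests only whether a signature is present, not whether it is valid or the signer is trusted, so a deployment should verify the signature rather than treat any signature as a sign of safety; and the program-whitelist shortcut lets a single whitelisted application vouch for every other application reaching the same domain, which is a false-negative risk on shared hosting or CDN domains.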
Further, in accordance with the method embodiment above, another embodiment of the invention provides a device for detecting suspicious application programs. As shown in Fig. 2, the device mainly comprises an acquiring unit 21, a judging unit 22 and a determining unit 23, wherein:
the acquiring unit 21 is configured to obtain an application under test and the domain name accessed by the application under test;
the judging unit 22 is configured to judge, according to a preset blacklist, whether the domain name obtained by the acquiring unit 21 is a malicious domain name or a suspicious domain name;
the determining unit 23 is configured, when the judging unit 22 judges that the domain name is a malicious domain name or a suspicious domain name and the applications under test corresponding to the domain name are applied to at least two operating systems, to determine the applications under test corresponding to the domain name to be suspicious applications.
Further, as shown in Fig. 3, the judging unit 22 comprises:
a matching module 221, configured to match the domain name against a preset domain-name blacklist;
a first determining module 222, configured to determine the domain name to be a malicious domain name when the matching result of the matching module 221 is that the domain name is in the preset domain-name blacklist;
a searching module 223, configured to look up whether a preset program blacklist contains a malicious application that accessed the domain name when the matching result of the matching module 221 is that the domain name is not in the preset domain-name blacklist;
the first determining module 222 being further configured to determine the domain name to be a suspicious domain name when the lookup result of the searching module 223 is that the preset program blacklist contains a malicious application that accessed the domain name.
Further, the determining unit 23 is also configured, when the preset program blacklist contains a malicious application that accessed the domain name, to determine the application under test corresponding to the domain name to be a suspicious application if there is only one application under test corresponding to the domain name and the operating system it is applied to differs from that of the malicious application.
Further, as shown in Fig. 3, the searching module 223 comprises:
a lookup submodule 2231, configured to look up whether the domain name is in a preset domain-name whitelist;
a matching submodule 2232, configured to match the domain name against the preset domain-name blacklist when the lookup result of the lookup submodule 2231 is that the domain name is not in the preset domain-name whitelist.
Further, the judging unit 22 is also configured, when the preset program blacklist contains a malicious application that accessed the domain name, and after the application under test corresponding to the domain name has been determined to be a suspicious application, to analyze the malicious application together with the suspicious application and judge whether the suspicious application is a malicious application.
Further, as shown in Fig. 3, the acquiring unit 21 comprises:
a first acquisition module 211, configured to obtain the query count of an unknown application;
a second determining module 212, configured to determine the unknown application to be an application under test when the query count of the unknown application obtained by the first acquisition module 211 is below a preset query-count threshold.
Further, as shown in Fig. 3, the second determining module 212 comprises:
a judging submodule 2121, configured to judge whether the unknown application carries a signature;
a determining submodule 2122, configured to determine the unknown application to be an application under test when the judgement result of the judging submodule 2121 is that the unknown application is unsigned.
Further, as shown in Fig. 3, the acquiring unit 21 also comprises:
a second acquisition module 213, configured to obtain the log information of the application under test;
a parsing module 214, configured to parse the log information obtained by the second acquisition module 213 to obtain the domain name accessed by the application under test.
With the device for detecting suspicious applications provided by the embodiment of the invention, after obtaining the applications under test and the domain names they access, the device judges, according to a preset blacklist, whether each domain name is a malicious or suspicious domain name. When a domain name is determined to be malicious or suspicious, and the applications under test corresponding to it are applied to at least two operating systems, it can be concluded that applications under different operating systems are accessing the same malicious or suspicious server, and hence that the server is very likely using different applications to damage or steal files on terminals running different operating systems at the same time. All applications under test corresponding to that domain name are then determined to be suspicious applications, so that they can be confirmed a second time by virus scanning and removal. Compared with the prior art, which examines each application in isolation, the invention detects the applications under multiple operating systems together and identifies the suspicious applications hidden among them, thereby improving the effectiveness of detecting suspicious applications.
The embodiments of the invention further provide:
A1. A method for detecting suspicious application programs, the method comprising:
obtaining an application under test and the domain name accessed by the application under test;
judging, according to a preset blacklist, whether the domain name is a malicious domain name or a suspicious domain name;
if the domain name is a malicious domain name or a suspicious domain name, and the applications under test corresponding to the domain name are applied to at least two operating systems, determining the applications under test corresponding to the domain name to be suspicious applications.
A2. The method according to A1, wherein judging, according to a preset blacklist, whether the domain name is a malicious domain name or a suspicious domain name comprises:
matching the domain name against a preset domain-name blacklist;
if the domain name is in the preset domain-name blacklist, determining the domain name to be a malicious domain name;
if the domain name is not in the preset domain-name blacklist, looking up whether a preset program blacklist contains a malicious application that accessed the domain name;
if the preset program blacklist contains a malicious application that accessed the domain name, determining the domain name to be a suspicious domain name.
A3. The method according to A2, wherein, if the preset program blacklist contains a malicious application that accessed the domain name, the method further comprises:
if there is only one application under test corresponding to the domain name, and the operating system the application under test is applied to differs from that of the malicious application, determining the application under test corresponding to the domain name to be a suspicious application.
A4. The method according to A2, wherein matching the domain name against the preset domain-name blacklist comprises:
looking up whether the domain name is in a preset domain-name whitelist;
if the domain name is not in the preset domain-name whitelist, matching the domain name against the preset domain-name blacklist.
A5. The method according to A2, wherein, if the preset program blacklist contains a malicious application that accessed the domain name, then after determining that the application under test corresponding to the domain name is a suspicious application, the method further comprises:
analyzing the malicious application together with the suspicious application to judge whether the suspicious application is a malicious application.
A6. The method according to A1, wherein obtaining an application under test comprises:
obtaining the query count of an unknown application;
if the query count of the unknown application is below a preset query-count threshold, determining the unknown application to be an application under test.
A7. The method according to A6, wherein determining the unknown application to be an application under test comprises:
judging whether the unknown application carries a signature;
if the unknown application is unsigned, determining the unknown application to be an application under test.
A8. The method according to any one of A1 to A7, wherein obtaining the domain name accessed by the application under test comprises:
obtaining the log information of the application under test;
parsing the log information to obtain the domain name accessed by the application under test.
A kind of B9, device of detection suspect application programs, described device includes:
Acquiring unit, for obtaining the domain name that application program to be measured and the application program to be measured are accessed;
Judging unit, for according to default blacklist, judging whether the domain name that the acquiring unit is obtained is malice
Domain name or suspicious domain name;
Determining unit, it is malice domain name or region of doubt that the judged result for working as the judging unit is domain name
Name, and domain name corresponding application program to be measured is when being applied at least two operating system, domain name is corresponding to be measured
Application program is defined as suspect application programs.
B10, the device according to B9, the judging unit includes:
Matching module, for domain name to be matched with default domain name blacklist;
First determining module, for being domain name in the black name of the default domain name when the matching result of the matching module
When in list, domain name is defined as into malice domain name;
Searching modul, the matching result for working as the matching module is domain name not in the default domain name blacklist
When middle, whether search in pre-set programs blacklist containing the malicious application for accessing domain name;
First determining module is additionally operable in the lookup result of the searching modul is for the pre-set programs blacklist
During containing the malicious application for accessing domain name, domain name is defined as into suspicious domain name.
B11, the device according to B10, the determining unit is additionally operable to work as in the pre-set programs blacklist containing visit
When asking the malicious application of domain name, if the corresponding application program to be measured of domain name be one, and it is described it is to be measured should
The operating system applied with program is different from the malicious application, then the corresponding application program to be measured of domain name is true
It is set to suspect application programs.
B12, the device according to B10, the matching module includes:
Submodule is searched, for searching domain name whether in default domain name white list;
Matched sub-block, the lookup result for working as the lookup submodule is that domain name is not white in the default domain name
When in list, domain name is matched with default domain name blacklist.
B13, the device according to B10, the judging unit is additionally operable to work as in the pre-set programs blacklist containing visit
When asking the malicious application of domain name, it is determined that the corresponding application program to be measured of domain name be suspect application programs it
Afterwards, by the way that the malicious application is analyzed with the suspect application programs, the suspect application programs are judged
Whether it is malicious application.
B14, the device according to B9, the acquiring unit includes:
First acquisition module, for obtaining the queries of Unknown Applications;
Second determining module, the queries of the Unknown Applications for obtaining when first acquisition module is less than
During default queries threshold value, the Unknown Applications are defined as into application program to be measured.
B15, the device according to B14, second determining module includes:
Judging submodule, for judging the Unknown Applications whether containing signature;
Determination sub-module, does not sign for the judged result when the judging submodule for the Unknown Applications
When, the Unknown Applications are defined as into application program to be measured.
B16, the device according to any one of B9 to B15, the acquiring unit includes:
Second acquisition module, for obtaining the log information of the application program to be measured;
Parsing module, for parsing to the log information that second acquisition module is obtained, treats described in acquisition
Survey the domain name that application program is accessed.
In the above embodiments, each embodiment is described with its own emphasis; for parts not described in detail in a given embodiment, reference may be made to the related description of the other embodiments.
It should be understood that the related features of the above method and device may be referred to mutually. In addition, "first", "second" and the like in the above embodiments serve to distinguish the embodiments and do not indicate their relative merits.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the description above of specific languages is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided herein. It should be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into a plurality of submodules, subunits or subcomponents. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments but not other features, combinations of the features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The embodiments of the various components of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may in practice be used to implement some or all of the functions of some or all of the components of the method and device for detecting suspicious applications according to embodiments of the present invention. The present invention may also be implemented as apparatus or device programs (for example, computer programs and computer program products) for performing some or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
Claims (10)
1. A method for detecting suspicious applications, characterised in that the method comprises:
obtaining an application to be measured and the domain name accessed by the application to be measured;
judging, according to a preset blacklist, whether the domain name is a malicious domain name or a suspicious domain name;
if the domain name is a malicious domain name or a suspicious domain name, and the application to be measured corresponding to the domain name runs on at least two operating systems, determining the application to be measured corresponding to the domain name to be a suspicious application.
2. The method according to claim 1, characterised in that judging, according to the preset blacklist, whether the domain name is a malicious domain name or a suspicious domain name comprises:
matching the domain name against a preset domain name blacklist;
if the domain name is in the preset domain name blacklist, determining the domain name to be a malicious domain name;
if the domain name is not in the preset domain name blacklist, looking up whether a preset program blacklist contains a malicious application that has accessed the domain name;
if the preset program blacklist contains a malicious application that has accessed the domain name, determining the domain name to be a suspicious domain name.
3. The method according to claim 2, characterised in that, if the preset program blacklist contains a malicious application that has accessed the domain name, the method further comprises:
if only one application to be measured corresponds to the domain name, and the operating system on which that application runs differs from that of the malicious application, determining the application to be measured corresponding to the domain name to be a suspicious application.
4. The method according to claim 2, characterised in that matching the domain name against the preset domain name blacklist comprises:
looking up whether the domain name is in a preset domain name whitelist;
if the domain name is not in the preset domain name whitelist, matching the domain name against the preset domain name blacklist.
5. The method according to claim 2, characterised in that, if the preset program blacklist contains a malicious application that has accessed the domain name, then after the application to be measured corresponding to the domain name has been determined to be a suspicious application, the method further comprises:
judging whether the suspicious application is a malicious application by analysing the malicious application together with the suspicious application.
6. The method according to claim 1, characterised in that obtaining the application to be measured comprises:
obtaining the query count of an unknown application;
if the query count of the unknown application is below a preset query-count threshold, determining the unknown application to be an application to be measured.
7. The method according to claim 6, characterised in that determining the unknown application to be an application to be measured comprises:
judging whether the unknown application carries a signature;
if the unknown application is unsigned, determining the unknown application to be an application to be measured.
8. The method according to any one of claims 1 to 7, characterised in that obtaining the domain name accessed by the application to be measured comprises:
obtaining log information of the application to be measured;
parsing the log information to obtain the domain name accessed by the application to be measured.
9. A device for detecting suspicious applications, characterised in that the device comprises:
an acquiring unit for obtaining an application to be measured and the domain name accessed by the application to be measured;
a judging unit for judging, according to a preset blacklist, whether the domain name obtained by the acquiring unit is a malicious domain name or a suspicious domain name;
a determining unit for determining the application to be measured corresponding to the domain name to be a suspicious application when the judging unit finds the domain name to be a malicious or suspicious domain name and the application to be measured corresponding to the domain name runs on at least two operating systems.
10. The device according to claim 9, characterised in that the judging unit comprises:
a matching module for matching the domain name against a preset domain name blacklist;
a first determining module for determining the domain name to be a malicious domain name when the matching module finds the domain name in the preset domain name blacklist;
a searching module for looking up, when the matching module does not find the domain name in the preset domain name blacklist, whether a preset program blacklist contains a malicious application that has accessed the domain name;
the first determining module being further configured to determine the domain name to be a suspicious domain name when the searching module finds that the preset program blacklist contains a malicious application that has accessed the domain name.
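The decision flow of claims 1 to 10 (and of items A1 to B16 above), written out as an added example that is not part of the patent: whitelist lookup, domain blacklist, program blacklist, the cross-platform test of claim 1 and the single-application, different-OS test of claim 3. Every list, threshold, log line and application record is constructed for the example; the patent fixes no data formats, field names or threshold values.

```python
"""Constructed illustration of the detection flow in claims 1-10 / items A1-B16.
All lists, thresholds, log lines and application records are invented here."""
import re
from dataclasses import dataclass

@dataclass
class App:
    name: str
    platforms: frozenset   # operating systems the program is distributed for
    signed: bool
    query_count: int       # how often the sample has been looked up (claim 6)
    log: str               # constructed network log, parsed per claim 8

# Constructed stand-ins for the "preset" whitelist and blacklists.
DOMAIN_WHITELIST = {"update.example-vendor.test"}
DOMAIN_BLACKLIST = {"c2.bad.test"}
# Program blacklist: known malicious program -> domains it contacted and its OS.
PROGRAM_BLACKLIST = {
    "oldstealer.exe": {"domains": {"drop.shady.test"}, "platform": "windows"},
}
QUERY_THRESHOLD = 100

def is_candidate(app):
    """Claims 6 and 7: a rarely queried, unsigned unknown app is 'to be measured'."""
    return app.query_count < QUERY_THRESHOLD and not app.signed

def domains_from_log(log):
    """Claim 8: extract hostnames from the constructed 'host=' log fields."""
    return set(re.findall(r"host=([A-Za-z0-9.-]+)", log))

def classify_domain(domain):
    """Claims 2 and 4: whitelist, then domain blacklist, then program blacklist."""
    if domain in DOMAIN_WHITELIST:
        return "clean"
    if domain in DOMAIN_BLACKLIST:
        return "malicious"
    if any(domain in m["domains"] for m in PROGRAM_BLACKLIST.values()):
        return "suspicious"
    return "clean"

def malicious_platforms(domain):
    # Operating systems of blacklisted programs known to have reached this domain.
    return {m["platform"] for m in PROGRAM_BLACKLIST.values()
            if domain in m["domains"]}

def flag_suspicious(apps):
    """Claims 1 and 3: return {app name: reason} for apps judged suspicious."""
    by_domain = {}                    # flagged domain -> [(app, verdict), ...]
    for app in filter(is_candidate, apps):
        for domain in domains_from_log(app.log):
            verdict = classify_domain(domain)
            if verdict != "clean":
                by_domain.setdefault(domain, []).append((app, verdict))
    flagged = {}
    for domain, hits in by_domain.items():
        for app, verdict in hits:
            if len(app.platforms) >= 2:
                # Claim 1: flagged domain reached by a cross-platform program.
                flagged[app.name] = f"{verdict} domain {domain}: cross-platform"
            elif (verdict == "suspicious" and len(hits) == 1
                  and not app.platforms & malicious_platforms(domain)):
                # Claim 3: the only app reaching the domain runs on a different
                # OS than the blacklisted program that used it.
                flagged[app.name] = f"{verdict} domain {domain}: new platform"
    return flagged

SAMPLE_APPS = [  # constructed records
    App("tool_a", frozenset({"windows", "macos"}), False, 3, "GET host=c2.bad.test"),
    App("tool_b", frozenset({"linux"}), False, 5, "GET host=drop.shady.test"),
    App("tool_c", frozenset({"windows"}), False, 2, "GET host=update.example-vendor.test"),
    App("tool_d", frozenset({"windows", "linux"}), True, 1000, "GET host=c2.bad.test"),
]

def run_example():
    return flag_suspicious(SAMPLE_APPS)
```

`run_example()` flags `tool_a` (blacklisted domain, two platforms) and `tool_b` (domain known only from a Windows sample, now reached by a Linux-only binary); `tool_c` hits the whitelist and `tool_d` is signed and widely queried, so neither is examined.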
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610875626.6A CN106650439A (en) | 2016-09-30 | 2016-09-30 | Suspicious application program detection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610875626.6A CN106650439A (en) | 2016-09-30 | 2016-09-30 | Suspicious application program detection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106650439A true CN106650439A (en) | 2017-05-10 |
Family
ID=58854158
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610875626.6A Pending CN106650439A (en) | 2016-09-30 | 2016-09-30 | Suspicious application program detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106650439A (en) |
Timeline: 2016-09-30, CN application CN201610875626.6A filed (publication CN106650439A), status Pending.
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102841990A (en) * | 2011-11-14 | 2012-12-26 | 哈尔滨安天科技股份有限公司 | Method and system for detecting malicious codes based on uniform resource locator |
CN103559441B (en) * | 2013-10-28 | 2016-04-27 | 中国科学院信息工程研究所 | Cross-platform detection method and system under a kind of malicious file cloud environment |
CN105072119A (en) * | 2015-08-14 | 2015-11-18 | 中国传媒大学 | Domain name resolution conversation mode analysis-based method and device for detecting malicious domain name |
CN105721445A (en) * | 2016-01-25 | 2016-06-29 | 汉柏科技有限公司 | Embedded Trojan precaution method and system |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107395650A (en) * | 2017-09-07 | 2017-11-24 | 杭州安恒信息技术有限公司 | Method and device for identifying Trojan call-back connections based on sandbox file detection |
CN110135153A (en) * | 2018-11-01 | 2019-08-16 | 哈尔滨安天科技股份有限公司 | Trusted detection method and device for software |
CN111368300A (en) * | 2020-03-02 | 2020-07-03 | 深信服科技股份有限公司 | Malicious file handling method, device, equipment and storage medium |
CN111368300B (en) * | 2020-03-02 | 2024-05-24 | 深信服科技股份有限公司 | Malicious file handling method, device, equipment and storage medium |
CN113691492A (en) * | 2021-06-11 | 2021-11-23 | 杭州安恒信息安全技术有限公司 | Method, system, device and readable storage medium for determining illegal application program |
CN113691492B (en) * | 2021-06-11 | 2023-04-07 | 杭州安恒信息安全技术有限公司 | Method, system, device and readable storage medium for determining illegal application program |
Similar Documents
Publication | Title |
---|---|
KR101265173B1 (en) | Apparatus and method for inspecting non-portable executable files |
CN104517054B (en) | Method, device, client and server for detecting malicious APK |
EP3371953B1 (en) | System and methods for detecting domain generation algorithm (DGA) malware |
CN106845223B (en) | Method and apparatus for detecting malicious code |
WO2016135729A1 (en) | A method to identify known compilers functions, libraries and objects inside files and data items containing an executable code |
Van Overveldt et al. | FlashDetect: ActionScript 3 malware detection |
CN106650439A (en) | Suspicious application program detection method and device |
CN105550581B (en) | Malicious code detection method and device |
US9910983B2 (en) | Malware detection |
CN112632531A (en) | Malicious code identification method and device, computer equipment and medium |
CN104462985A (en) | Detection method and device for bat vulnerabilities |
CN107247902A (en) | Malware categorizing system and method |
IL265518B2 (en) | Management of security vulnerabilities |
CN104331663A (en) | Detection method of web shell and web server |
CN105354494A (en) | Detection method and apparatus for web page data tampering |
CN114386032A (en) | Firmware detection system and method for power Internet of things equipment |
CN113158197A (en) | SQL injection vulnerability detection method and system based on active IAST |
CN105791250B (en) | Application program detection method and device |
CN115391230A (en) | Test script generation method, test script penetration method, test script generation device, test penetration device, test equipment and test medium |
CN103713945B (en) | Game recognition method and device |
CN117579395B (en) | Method and system for scanning network security vulnerabilities by applying artificial intelligence |
CN104239801B (en) | 0day vulnerability recognition method and device |
KR101311367B1 (en) | Method and apparatus for diagnosing attack that bypass the memory protection |
CN112395603B (en) | Vulnerability attack identification method and device based on instruction execution sequence characteristics and computer equipment |
CN106411899A (en) | Security detection method and device for data files |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | Application publication date: 20170510 |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | |