CN108154031A - Recognition methods, device, storage medium and the electronic device of camouflage applications program - Google Patents

Recognition methods, device, storage medium and the electronic device of camouflage applications program Download PDF

Info

Publication number
CN108154031A
CN108154031A CN201810045938.3A CN201810045938A CN108154031A CN 108154031 A CN108154031 A CN 108154031A CN 201810045938 A CN201810045938 A CN 201810045938A CN 108154031 A CN108154031 A CN 108154031A
Authority
CN
China
Prior art keywords
picture
sectional drawing
application interface
template picture
region
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810045938.3A
Other languages
Chinese (zh)
Other versions
CN108154031B (en
Inventor
赵亚鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201810045938.3A priority Critical patent/CN108154031B/en
Publication of CN108154031A publication Critical patent/CN108154031A/en
Application granted granted Critical
Publication of CN108154031B publication Critical patent/CN108154031B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/564Static detection by virus signature recognition
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Image Analysis (AREA)

Abstract

The invention discloses a kind of recognition methods, device, storage medium and the electronic devices of camouflage applications program.Wherein, this method includes:The signature verification information of process where obtaining the template picture at intended application interface and intended application interface;Obtain the sectional drawing of the first application interface;Determine the similarity between the sectional drawing and the template picture;In the case where the similarity indicates the sectional drawing and the template picture for similar pictures and the signature verification information of corresponding first application program of first application interface and the signature verification information difference of the destination application, determine that first application interface is different from the intended application interface.The present invention solves the technical issues of wooden horse file is missed.

Description

Recognition methods, device, storage medium and the electronic device of camouflage applications program
Technical field
The present invention relates to data processing field, in particular to a kind of recognition methods of camouflage applications program, device, Storage medium and electronic device.
Background technology
For the prior art when wooden horse is gone fishing in identification, automatic identification goes out doubtful wooden horse text from a large amount of suspicious executable files Part by the doubtful wooden horse file of virus analysis teacher's manual analysis, verifies out real wooden horse sample, and extract several Trojan characteristics, For identifying this wooden horse, it is put into feature database.The characteristic matching in the file and feature database on user's machine is scanned, is identified Wooden horse file.
Conventional security software (such as antivirus software), often using the detections such as sample characteristics code, API sequences go fishing wooden horse, It has as a drawback that:
Feature is not general, often fails to report:One condition code can only often detect a wooden horse, when there is mutation in wooden horse, None- identified goes out mutation wooden horse, and fishing wooden horse is caused to be missed.
For it is above-mentioned the problem of, currently no effective solution has been proposed.
Invention content
An embodiment of the present invention provides a kind of recognition methods, device, storage medium and the electronic device of camouflage applications program, At least to solve the technical issues of wooden horse file is missed.
One side according to embodiments of the present invention provides a kind of recognition methods of camouflage applications program, including:It obtains The signature verification information of the corresponding destination application of the template picture at intended application interface and the intended application interface;It obtains The sectional drawing of first application interface;Determine the similarity between the sectional drawing and the template picture;Institute is indicated in the similarity State the signature verification of sectional drawing and the template picture for similar pictures and corresponding first application program of first application interface In the case of the signature verification information difference of process where information and the intended application interface, first application interface is determined It is different from the intended application interface.
Another aspect according to embodiments of the present invention additionally provides a kind of identification device of application interface, including:First obtains Unit is taken, for obtaining the label of the corresponding destination application of the template picture at intended application interface and the intended application interface Name verification information;Second acquisition unit, for obtaining the sectional drawing of the first application interface;First determination unit, it is described for determining Similarity between sectional drawing and the template picture;Second determination unit, for indicating the sectional drawing and institute in the similarity State template picture for similar pictures and the signature verification information of corresponding first application program of first application interface with it is described In the case of the signature verification information difference of process where intended application interface, first application interface and the target are determined Application interface is different.
Another aspect according to embodiments of the present invention, additionally provides a kind of storage medium, which is characterized in that the storage is situated between Computer program is stored in matter, wherein, the computer program is arranged to perform above-mentioned method during operation.
Another aspect according to embodiments of the present invention, additionally provides a kind of electronic device, including memory and processor, It is characterized in that, computer program is stored in the memory, and the processor is arranged to hold by the computer program The above-mentioned method of row.
What whether the mode that the present embodiment uses picture recognition and signature verification is combined was pretended to judge interface for wooden horse Interface, so as to identify trojan horse, when solving the prior art and detecting wooden horse originally according to virus-like, due to Virus Sample The technique effect of missing inspection caused by feature is not general.
Description of the drawings
Attached drawing described herein is used to provide further understanding of the present invention, and forms the part of the application, this hair Bright illustrative embodiments and their description do not constitute improper limitations of the present invention for explaining the present invention.In the accompanying drawings:
Fig. 1 is a kind of schematic diagram of hardware environment according to embodiments of the present invention;
Fig. 2 is the flow chart of the recognition methods of camouflage applications program according to embodiments of the present invention;
Fig. 3 is the schematic diagram at the interface of logger according to embodiments of the present invention;
Fig. 4 is the schematic diagram of traversal sectional drawing according to embodiments of the present invention;
Fig. 5 is the schematic diagram of determining similarity according to embodiments of the present invention;
Fig. 6 is the schematic diagram of the identification device of application interface according to embodiments of the present invention;
Fig. 7 is the structure diagram according to a kind of electronic device of inventive embodiments.
Specific embodiment
In order to which those skilled in the art is made to more fully understand the present invention program, below in conjunction in the embodiment of the present invention The technical solution in the embodiment of the present invention is clearly and completely described in attached drawing, it is clear that described embodiment is only The embodiment of a part of the invention, instead of all the embodiments.Based on the embodiments of the present invention, ordinary skill people Member's all other embodiments obtained without making creative work should all belong to the model that the present invention protects It encloses.
It should be noted that term " first " in description and claims of this specification and above-mentioned attached drawing, " Two " etc. be the object for distinguishing similar, and specific sequence or precedence are described without being used for.It should be appreciated that it uses in this way Data can be interchanged in the appropriate case, so as to the embodiment of the present invention described herein can in addition to illustrating herein or Sequence other than those of description is implemented.In addition, term " comprising " and " having " and their any deformation, it is intended that cover Cover it is non-exclusive include, be not necessarily limited to for example, containing the process of series of steps or unit, method, system, product or equipment Those steps or unit clearly listed, but may include not listing clearly or for these processes, method, product Or the intrinsic other steps of equipment or unit.
One side according to embodiments of the present invention provides a kind of recognition methods of camouflage applications program.In this implementation In example, the recognition methods of above-mentioned camouflage applications program can be applied to terminal 101 as shown in Figure 1 and server 102 is formed Hardware environment in.As shown in Figure 1, terminal 101 is attached by network and server 102, above-mentioned network includes but unlimited In:Wide area network, Metropolitan Area Network (MAN) or LAN, terminal 101 can be mobile phone terminal or PC terminals, notebook terminal or flat Plate computer terminal.
Fig. 2 is the flow chart of the recognition methods of camouflage applications program according to embodiments of the present invention.As shown in Fig. 2, the puppet The recognition methods of dress application program includes the following steps:
Step S202 obtains the corresponding destination application of template picture and intended application interface at intended application interface Signature verification information.
Step S204 obtains the sectional drawing of the first application interface.
Intended application interface is the application interface for being really rather than the application interface of wooden horse camouflage.The application interface can be The logger interface of application, can also be Webpage of application etc., which can be the application installed in computer terminal, also It can be the application installed in the mobile terminals such as mobile phone, laptop.First application interface is to need to determine whether wooden horse The application interface of camouflage.The sectional drawing of first application interface can be obtained by performing shot operation to the first application interface, be one A picture.The template picture at intended application interface can be the picture of a region or multiple regions in intended application interface.
The signature verification information of the destination application can obtain in process where the destination application.It is obtaining Signature verification information that can be while the template picture for obtaining intended application interface in acquisition process during signature verification information.
Optionally, the template picture for obtaining intended application interface includes:It is at least one on interception intended application interface to be used for Represent the region of the feature at intended application interface as template picture.
Region for representing the feature at intended application interface can represent the application is what application or the interface Which application is the content of display belong to, and can also be the region for the common function that can represent the application interface.For example, the target Application interface is the interface of the logger of an instant messaging application, then, this is used to represent the feature at intended application interface Region can be the region where the mark that instant messaging is applied on the interface of logger, can also be on the interface of logger Region where " login " button.The target pages can also be the page of social network sites, then, this is used to represent intended application The region of the feature at interface can be used to log on region or the page on the page where the mark of the social network sites The latter registers the region where the mark of the social network sites.
It is illustrated by taking the interface of game logger shown in Fig. 3 as an example.As shown in figure 3, game name " CYHX " institute Region can be as representing the region of the feature at intended application interface, the picture in the region is just used as intended application circle One template picture in face.Region where " login " button of the game can also be used as to represent intended application interface The region of feature, the picture in the region where " login " button is just as a template picture at intended application interface.Similarly, A part for picture on the interface of the game logger can also represent the feature of the game application, for example, personage shown in Fig. 3 Hand or the regions such as face, therefore the region can be as representing the region of the feature at intended application interface, the picture A part of region picture just as a template picture at intended application interface.The template picture of the present embodiment can be with It is one or more.
Step S206 determines the similarity between sectional drawing and template picture.
Similarity between sectional drawing and template can determine whether the sectional drawing and template picture are similar pictures.It is optional Ground determines that the similarity between sectional drawing and template picture includes:Similarity between sectional drawing and template picture is more than or waits When predetermined threshold, determine that similarity instruction sectional drawing and template picture are similar pictures.
The similarity between sectional drawing and template picture is calculated, for usual similarity between 0~1, the numerical value of similarity is bigger, Represent that the similarity of sectional drawing and template picture is higher, sectional drawing is more likely similar pictures with template picture.Under normal conditions, when Similarity between sectional drawing and template picture determines sectional drawing when being more than or equal to predetermined threshold and template picture is similar pictures, The predetermined threshold can be obtained according to historical data analysis.For example, it can be determined when predetermined threshold is 0.8 under normal conditions Sectional drawing is similar pictures with template picture, then, which can be using value as 0.8.The predetermined threshold can be according to difference Scene and historical data be updated, be not intended as limiting herein.
When determining the similarity between sectional drawing and template picture, if measurement can finely miss very much the change of malicious code Kind, lead to not identify similar picture;If measurement can be roughly similar figure other dissimilar picture recognitions very much Piece;If recognition speed is slow, the application interface identified within the unit interval is fewer, may miss wooden horse camouflage Application interface, therefore, the present embodiment determine sectional drawing and Prototype drawing in a manner that template matches and Feature Points Matching are combined Similarity between piece.
That is, determine that the similarity of sectional drawing and template picture includes:The region to match with template picture is searched in sectional drawing, Obtain the region picture in sectional drawing;Extract the characteristic point of region picture and the characteristic point of template picture;Obtain region picture and mould The number of same characteristic features point in plate picture;By the sum of the number of same characteristic features point and the characteristic point extracted from template picture Ratio is as sectional drawing and the similarity of template picture.
Template picture is the picture in a region at intended application interface, is with the region that template picture matches in sectional drawing A region corresponding with template picture, shapes and sizes are identical with template picture.First by matched area locking and mould In the equally big region picture of plate image again, it is possible to reduce wrong report realizes that precisely matching reduces package space simultaneously, improves fortune Scanning frequency degree.In order to improve the speed of matching area picture, can gray proces first be carried out to region picture, i.e., turned region picture Gray-scale map is changed to, normalizated correlation coefficient matching method is recycled to search and the matched region picture of template picture.Carry out gray scale Treated when gray-scale map matched, and can eliminate the variation of color or brightness to matched influence.For example, in sectional drawing For background color to be light blue, the background color of template picture is light green, be converted to after gray-scale map the background color of sectional drawing and The background color of template picture is identical.
Specifically, the region to match with template picture is searched in sectional drawing, the region picture obtained in sectional drawing includes: Sectional drawing is traversed to search the region to match with template picture, and will be on the region that found as unit of reference zone in sectional drawing Picture as region picture, wherein, the size and shape of reference zone is identical with template picture, the size and shape of region picture Shape template picture is identical.
As shown in figure 4, the shapes and sizes of reference zone are all identical with template picture, it is matched with template picture searching During the picture of region, sectional drawing is traversed as unit of reference zone.The similarity of each region and template picture is determined when traversing sectional drawing, Using the picture where the reference zone of similarity maximum as region picture.The similarity is used for determining region picture, can not Illustrate that the region picture and template picture are similar pictures.For example, the similarity of the picture and template picture where reference zone It is 50%, is the region of similarity maximum in all reference zones, region picture can be used as, still, which is not For judge region picture whether with template picture for similar pictures.
After region picture is determined, using acceleration robust property characteristics algorithm (Speeded Up Robust Features, abbreviation SURF) extract characteristic point respectively from region picture and template picture, and calculate the matched characteristic point of the two Number.Using robust property characteristics algorithm is accelerated, the threshold value for extracting characteristic point can be first set:Lead between two characteristic points Similarity criteria of the Euclidean distance as Feature Points Matching is crossed, can threshold values be set according to practical application and pick out appropriate feature Point.In these characteristic points, using the exterior point of random sampling consistency (RANSAC) algorithm removal erroneous matching, retain correct It is interior, that is, eliminate noise.It eliminates noise and eliminates unsuitable characteristic point, calculated with the characteristic point after elimination noise similar Degree.
Assuming that A, B are masterplate picture and the set of the characteristic point of region picture respectively.If set C be two masterplate pictures with The set of characteristic points that region picture shares, i.e. C=A ∩ B, then similarity S=C/A, S intervals are worth bigger expression in [0,1] It is more similar.
The calculating process of the similarity is as shown in Figure 5:
A figures are the sectional drawing of the first application interface, and B figures are intended application interface, and the region in B figures where " login " button is Template picture intercepts the region picture of " login " button region, the template picture with B figures using template matches from A figures Carry out the calculating of similarity.Characteristic point is extracted from region picture and template picture respectively, searches region picture and template picture In identical characteristic point number, by the use of the ratio of the sum of characteristic point in identical feature point number and template picture as region The similarity of picture and template picture, if similarity is more than or equal to threshold value, it is determined that region picture and template picture are Similar pictures.
It is corresponding with multiple template picture in being determined from sectional drawing if intended application interface includes multiple template picture Multiple regions picture, when the similarity of each region picture and corresponding template picture is both greater than or equal to predetermined threshold value, Then determine that sectional drawing and template picture are similar pictures.
Step S208 indicates sectional drawing and template picture for similar pictures and the first application interface corresponding the in similarity In the case of the signature verification information of one application program and the signature verification information difference of destination application, the first application is determined Interface is different from intended application interface.
In the case where determining that sectional drawing is similar pictures with template picture, the signature of process where judging the first application interface Whether verification information is identical with the signature verification information of process where intended application interface, in the identical situation of signature verification information Under, it may be determined that the first application interface is identical with intended application interface;And in the case of signature verification information difference, is determined One application interface is differed with intended application interface.
When logger interface is in intended application interface, the intended application journey in process where can verifying logger interface The signature of sequence, when webpage is in intended application interface, the certificate of browser where can verifying webpage.Where intended application interface Signature verification information in interface is exactly the signature verification information of intended application.Intended application interface is to apply true interface, If the signature of the first corresponding application program of the first application interface is different from the signature of intended application, then, the first application The sectional drawing at interface the first application interface of just explanation identical with intended application interface template picture is the interface of wooden horse camouflage, may The account number and password of user is stolen at the interface pretended by the wooden horse, therefore, by identifying that sectional drawing and template picture are similar diagram The signature verification information of process where the signature verification information of process where piece and the first application interface and intended application interface is not With come determine the first application interface be wooden horse camouflage interface.
What whether the mode that the present embodiment uses picture recognition and signature verification is combined was pretended to judge interface for wooden horse Interface, so as to identify trojan horse, when solving the prior art and detecting wooden horse originally according to virus-like, due to Virus Sample The technique effect of missing inspection caused by feature is not general.
It should be noted that for aforementioned each method embodiment, in order to be briefly described, therefore it is all expressed as a series of Combination of actions, but those skilled in the art should know, the present invention is not limited by described sequence of movement because According to the present invention, certain steps may be used other sequences or be carried out at the same time.Secondly, those skilled in the art should also know It knows, embodiment described in this description belongs to preferred embodiment, and involved action and module are not necessarily of the invention It is necessary.
Through the above description of the embodiments, those skilled in the art can be understood that according to above-mentioned implementation The method of example can add the mode of required general hardware platform to realize by software, naturally it is also possible to by hardware, but it is very much In the case of the former be more preferably embodiment.Based on such understanding, technical scheme of the present invention is substantially in other words to existing The part that technology contributes can be embodied in the form of software product, which is stored in a storage In medium (such as ROM/RAM, magnetic disc, CD), used including some instructions so that a station terminal equipment (can be mobile phone, calculate Machine, server or network equipment etc.) perform method described in each embodiment of the present invention.
Other side according to embodiments of the present invention additionally provides a kind of knowledge for being used to implement above-mentioned camouflage applications program The identification device of the application interface of other method.Fig. 6 is the schematic diagram of the identification device of application interface according to embodiments of the present invention. As shown in fig. 6, the device includes:First acquisition unit 62, second acquisition unit 64, the first determination unit 66 and second determine list Member 68.
First acquisition unit 62 is used to obtain the corresponding target of template picture and intended application interface at intended application interface The signature verification information of application program.
Second acquisition unit 64, for obtaining the sectional drawing of the first application interface;
Intended application interface is the application interface for being really rather than the application interface of wooden horse camouflage.The application interface can be The logger interface of application, can also be Webpage of application etc., which can be the application installed in computer terminal, also It can be the application installed in the mobile terminals such as mobile phone, laptop.First application interface is to need to determine whether wooden horse The application interface of camouflage.The sectional drawing of first application interface can be obtained by performing shot operation to the first application interface, be one A picture.The template picture at intended application interface can be the picture of a region or multiple regions in intended application interface.
Optionally, first acquisition unit includes:Interception module, it is at least one for table on intended application interface for intercepting Show the region of the feature at intended application interface as template picture.
Region for representing the feature at intended application interface can represent the application is what application or the interface Which application is the content of display belong to, and can also be the region for the common function that can represent the application interface.For example, the target Application interface is the interface of the logger of an instant messaging application, then, this is used to represent the feature at intended application interface Region can be the region where the mark that instant messaging is applied on the interface of logger, can also be on the interface of logger Region where " login " button.The target pages can also be the page of social network sites, then, this is used to represent intended application The region of the feature at interface can be used to log on region or the page on the page where the mark of the social network sites The latter registers the region where the mark of the social network sites.
It is illustrated by taking the interface of game logger shown in Fig. 3 as an example.As shown in figure 3, game name " CYHX " institute Region can be as representing the region of the feature at intended application interface, the picture in the region is just used as intended application circle One template picture in face.Region where " login " button of the game can also be used as to represent intended application interface The region of feature, the picture in the region where " login " button is just as a template picture at intended application interface.Similarly, A part for picture on the interface of the game logger can also represent the feature of the game application, for example, personage shown in Fig. 3 Hand or the regions such as face, therefore the region can be as representing the region of the feature at intended application interface, the picture A part of region picture just as a template picture at intended application interface.The template picture of the present embodiment can be with It is one or more.
First determination unit 64 is used to determine the similarity between sectional drawing and template picture;
Similarity between sectional drawing and template can determine whether the sectional drawing and template picture are similar pictures.It is optional Ground when the similarity that the first determination unit is additionally operable between sectional drawing and template picture is more than or equal to predetermined threshold, determines Similarity indicates sectional drawing and template picture is similar pictures.
The similarity between sectional drawing and template picture is calculated, for usual similarity between 0~1, the numerical value of similarity is bigger, Represent that the similarity of sectional drawing and template picture is higher, sectional drawing is more likely similar pictures with template picture.Under normal conditions, when Similarity between sectional drawing and template picture determines sectional drawing when being more than or equal to predetermined threshold and template picture is similar pictures, The predetermined threshold can be obtained according to historical data analysis.For example, it can be determined when predetermined threshold is 0.8 under normal conditions Sectional drawing is similar pictures with template picture, then, which can be using value as 0.8.The predetermined threshold can be according to difference Scene and historical data be updated, be not intended as limiting herein.
When determining the similarity between sectional drawing and template picture, if measurement can finely miss very much the change of malicious code Kind, lead to not identify similar picture;If measurement can be roughly similar figure other dissimilar picture recognitions very much Piece;If recognition speed is slow, the application interface identified within the unit interval is fewer, may miss wooden horse camouflage Application interface, therefore, the present embodiment determine sectional drawing and Prototype drawing in a manner that template matches and Feature Points Matching are combined Similarity between piece.
Optionally, the first determination unit includes:Searching module, for searching the area to match with template picture in sectional drawing Domain obtains the region picture in sectional drawing;Extraction module, for extracting the characteristic point of the characteristic point of region picture and template picture; Acquisition module, for obtaining the number of same characteristic features point in region picture and template picture;Ratio module, for by same characteristic features The ratio of the sum of the number of point and the characteristic point extracted from template picture is as sectional drawing and the similarity of template picture.
Template picture is the picture in a region at intended application interface, is with the region that template picture matches in sectional drawing A region corresponding with template picture, shapes and sizes are identical with template picture.First by matched area locking and mould In the equally big region picture of plate image again, it is possible to reduce wrong report realizes that precisely matching reduces package space simultaneously, improves fortune Scanning frequency degree.In order to improve the speed of matching area picture, can gray proces first be carried out to region picture, i.e., turned region picture Gray-scale map is changed to, normalizated correlation coefficient matching method is recycled to search and the matched region picture of template picture.Carry out gray scale Treated when gray-scale map matched, and can eliminate the variation of color or brightness to matched influence.For example, in sectional drawing For background color to be light blue, the background color of template picture is light green, be converted to after gray-scale map the background color of sectional drawing and The background color of template picture is identical.
Specifically, searching module includes:Submodule is searched, for traversing sectional drawing as unit of reference zone in sectional drawing The region to match with template picture is searched, and using the picture on the region found as region picture, wherein, reference zone Size and shape it is identical with template picture, the size and shape template picture of region picture is identical.
As shown in figure 4, the shapes and sizes of reference zone are all identical with template picture, it is matched with template picture searching During the picture of region, sectional drawing is traversed as unit of reference zone.The similarity of each region and template picture is determined when traversing sectional drawing, Using the picture where the reference zone of similarity maximum as region picture.The similarity is used for determining region picture, can not Illustrate that the region picture and template picture are similar pictures.For example, the similarity of the picture and template picture where reference zone It is 50%, is the region of similarity maximum in all reference zones, region picture can be used as, still, which is not For judge region picture whether with template picture for similar pictures.
After region picture is determined, using acceleration robust property characteristics algorithm (Speeded Up Robust Features, abbreviation SURF) extract characteristic point respectively from region picture and template picture, and calculate the matched characteristic point of the two Number.Using robust property characteristics algorithm is accelerated, the threshold value for extracting characteristic point can be first set:Lead between two characteristic points Similarity criteria of the Euclidean distance as Feature Points Matching is crossed, can threshold values be set according to practical application and pick out appropriate feature Point.In these characteristic points, using the exterior point of random sampling consistency (RANSAC) algorithm removal erroneous matching, retain correct It is interior, that is, eliminate noise.It eliminates noise and eliminates unsuitable characteristic point, calculated with the characteristic point after elimination noise similar Degree.
Assuming that A, B are masterplate picture and the set of the characteristic point of region picture respectively.If set C be two masterplate pictures with The set of characteristic points that region picture shares, i.e. C=A ∩ B, then similarity S=C/A, S intervals are worth bigger expression in [0,1] It is more similar.
Second determination unit 66 is used to indicate that sectional drawing and template picture are similar pictures and the first application interface in similarity In the case of the signature verification information of corresponding first application program and the signature verification information difference of destination application, determine First application interface is different from intended application interface.
In the case of including multiple template picture at intended application interface, the first determination unit includes:Determining module is used for The similarity between each template picture in sectional drawing and multiple template picture is determined respectively, obtains multiple similarities;The device It further includes:Judging unit, for after the similarity between sectional drawing and template picture is determined, sectional drawing to be indicated in multiple similarities In the case of all similar to multiple template picture, the signature verification information and intended application of process where judging the first application interface Whether the signature verification information of process is identical where interface.In the case of signature verification information difference, first is determined using boundary Face is differed with intended application interface.
When logger interface is in intended application interface, the intended application journey in process where can verifying logger interface The signature of sequence, when webpage is in intended application interface, the certificate of browser where can verifying webpage.Where intended application interface Signature verification information in interface is exactly the signature verification information of intended application.Intended application interface is to apply true interface, If the signature of the first corresponding application program of the first application interface is different from the signature of intended application, then, the first application The sectional drawing at interface the first application interface of just explanation identical with intended application interface template picture is the interface of wooden horse camouflage, may The account number and password of user is stolen at the interface pretended by the wooden horse, therefore, by identifying that sectional drawing and template picture are similar diagram The signature verification information of process where the signature verification information of process where piece and the first application interface and intended application interface is not With come determine the first application interface be wooden horse camouflage interface.
What whether the mode that the present embodiment uses picture recognition and signature verification is combined was pretended to judge interface for wooden horse Interface, so as to identify trojan horse, when solving the prior art and detecting wooden horse originally according to virus-like, due to Virus Sample The technique effect of missing inspection caused by feature is not general.
Another aspect according to embodiments of the present invention additionally provides a kind of knowledge for being used to implement above-mentioned camouflage applications program The electronic device of other method.Fig. 7 is the structure diagram according to a kind of electronic device of inventive embodiments.As shown in fig. 7, the electronics Device includes, one or more (one is only shown in figure) processor 71, at least one communication bus 72, user interface 73, At least one transmitting device 74, memory 75.Wherein, communication bus 72 is used to implement the connection communication between these components, uses Family interface 73 can include display 76 and keyboard 77.Transmitting device 74 can enter oneself for the examination the limited interface and wireless interface of writing.
Optionally, in the present embodiment, above-mentioned electronic device can be located in multiple network equipments of computer network At least one network equipment.
Optionally, in the present embodiment, above-mentioned processor can be set to perform following steps by computer program:
S1, the signature for obtaining the corresponding destination application of template picture and intended application interface at intended application interface are tested Demonstrate,prove information.
S2 obtains the sectional drawing of the first application interface.
S3 determines the similarity between the sectional drawing and the template picture;
S4 indicates that the sectional drawing and the template picture apply boundary for similar pictures and described first in the similarity The signature verification information of corresponding first application program in the face situation different from the signature verification information of the destination application Under, determine that first application interface is different from the intended application interface.
Optionally, in the present embodiment, above-mentioned processor can be set to perform following steps by computer program:
Make in the region for intercepting at least one feature for being used to represent the intended application interface on the intended application interface For the template picture.
Optionally, in the present embodiment, above-mentioned processor can be set to perform following steps by computer program:
When similarity between the sectional drawing and the template picture is more than or equal to predetermined threshold, the phase is determined Indicate that the sectional drawing and the template picture are similar pictures like degree.
Optionally, in the present embodiment, above-mentioned processor can be set to perform following steps by computer program:
The region to match with the template picture is searched in the sectional drawing, obtains the region picture in the sectional drawing; Extract the characteristic point of the region picture and the characteristic point of the template picture;Obtain the region picture and the template picture The number of middle same characteristic features point;By the number of the same characteristic features point and the sum of characteristic point extracted from the template picture Ratio as the sectional drawing and the similarity of the template picture.
Optionally, in the present embodiment, above-mentioned processor can be set to perform following steps by computer program:
The sectional drawing is traversed to search what is matched with the template picture as unit of reference zone in the sectional drawing Region, and using the picture on the region found as the region picture, wherein, the size and shape of the reference zone with The template picture is identical, and template picture described in the size and shape of the region picture is identical.
Optionally, it will appreciated by the skilled person that structure shown in Fig. 7 is only to illustrate, electronic device also may be used To be smart mobile phone (such as Android phone, iOS mobile phones), tablet computer, palm PC and mobile internet device The terminal devices such as (Mobile Internet Devices, MID), PAD.Fig. 7 it does not cause the structure of above-mentioned electronic device It limits.For example, electronic device may also include the component more or less than shown in Fig. 7 (such as network interface, display device Deng) or with the configuration different from shown in Fig. 7.
Wherein, memory 75 is for storing software program and module, such as the camouflage applications program in the embodiment of the present invention Recognition methods and the corresponding program instruction/module of device, processor 75 run be stored in memory 75 software program and Module so as to perform various functions application and data processing, that is, realizes the recognition methods of above-mentioned camouflage applications program.Storage Device 75 includes high speed random access memory, can also include nonvolatile memory, and such as one or more magnetic storage device dodges It deposits or other non-volatile solid state memories.In some instances, memory 75 further comprises remote relative to processor 71 The memory of journey setting, these remote memories can pass through network connection to terminal.The example of above-mentioned network includes but unlimited In internet, intranet, LAN, mobile radio communication and combinations thereof.
Above-mentioned transmitting device 74 is received via a network or transmission data.Above-mentioned network specific example may include Cable network and wireless network.In an example, transmitting device 74 includes a network adapter (Network Interface Controller, NIC), can be connected by cable with other network equipments with router so as to interconnection Net or LAN are communicated.In an example, transmitting device 74 is radio frequency (Radio Frequency, RF) module, is used In wirelessly being communicated with internet.
The embodiment of the present invention additionally provides a kind of storage medium, and computer program is stored in the storage medium, wherein, The computer program is arranged to perform the step in any of the above-described embodiment of the method during operation.
Optionally, in the present embodiment, above-mentioned storage medium can be set to store by performing based on following steps Calculation machine program:
S1, the signature for obtaining the corresponding destination application of template picture and intended application interface at intended application interface are tested Demonstrate,prove information;
S2 obtains the sectional drawing of the first application interface.
S3 determines the similarity between the sectional drawing and the template picture;
S4 indicates that the sectional drawing and the template picture apply boundary for similar pictures and described first in the similarity The signature verification information of corresponding first application program in the face situation different from the signature verification information of the destination application Under, determine that first application interface is different from the intended application interface.
Optionally, storage medium is also configured to store the step for performing included in the method in above-described embodiment Computer program, this is repeated no more in the present embodiment.
Optionally, in the present embodiment, one of ordinary skill in the art will appreciate that in the various methods of above-described embodiment All or part of step be that can be completed by program come command terminal device-dependent hardware, which can be stored in In one computer readable storage medium, storage medium can include:Flash disk, read-only memory (Read-Only Memory, ROM), random access device (Random Access Memory, RAM), disk or CD etc..
If the integrated unit in above-described embodiment is realized in the form of SFU software functional unit and is independent product Sale or in use, the storage medium that above computer can be read can be stored in.Based on such understanding, skill of the invention The part or all or part of the technical solution that art scheme substantially in other words contributes to the prior art can be with soft The form of part product embodies, which is stored in storage medium, is used including some instructions so that one Platform or multiple stage computers equipment (can be personal computer, server or network equipment etc.) perform each embodiment institute of the present invention State all or part of step of method.
In the above embodiment of the present invention, all emphasize particularly on different fields to the description of each embodiment, do not have in some embodiment The part of detailed description may refer to the associated description of other embodiment.
In several embodiments provided herein, it should be understood that disclosed client, it can be by others side Formula is realized.Wherein, the apparatus embodiments described above are merely exemplary, such as the division of the unit, and only one Kind of division of logic function, can there is an other dividing mode in actual implementation, for example, multiple units or component can combine or It is desirably integrated into another system or some features can be ignored or does not perform.Another point, it is shown or discussed it is mutual it Between coupling, direct-coupling or communication connection can be INDIRECT COUPLING or communication link by some interfaces, unit or module It connects, can be electrical or other forms.
The unit illustrated as separating component may or may not be physically separate, be shown as unit The component shown may or may not be physical unit, you can be located at a place or can also be distributed to multiple In network element.Some or all of unit therein can be selected according to the actual needs to realize the mesh of this embodiment scheme 's.
In addition, each functional unit in each embodiment of the present invention can be integrated in a processing unit, it can also That each unit is individually physically present, can also two or more units integrate in a unit.Above-mentioned integrated list The form that hardware had both may be used in member is realized, can also be realized in the form of SFU software functional unit.
The above is only the preferred embodiment of the present invention, it is noted that for the ordinary skill people of the art For member, various improvements and modifications may be made without departing from the principle of the present invention, these improvements and modifications also should It is considered as protection scope of the present invention.

Claims (14)

1. a kind of recognition methods of camouflage applications program, which is characterized in that including:
Obtain the signature verification of the corresponding destination application of template picture and the intended application interface at intended application interface Information;
Obtain the sectional drawing of the first application interface;
Determine the similarity between the sectional drawing and the template picture;
The sectional drawing is indicated in the similarity and the template picture is similar pictures and first application interface is corresponding In the case of the signature verification information of first application program and the signature verification information difference of the destination application, institute is determined It is different from the intended application interface to state the first application interface.
2. according to the method described in claim 1, it is characterized in that, the template picture for obtaining intended application interface includes:
The region of at least one feature for being used to represent the intended application interface on the intended application interface is intercepted as institute State template picture.
3. according to the method described in claim 2, it is characterized in that,
In the case of including multiple template pictures at the intended application interface, the sectional drawing and the template picture are determined Between similarity include:Respectively between each template picture in the determining sectional drawing and multiple template pictures Similarity obtains multiple similarities;
After the similarity between the sectional drawing and the template picture is determined, the method further includes:In the multiple phase In the case of indicating that the sectional drawing and multiple template pictures are all similar like degree, judge that the signature of first application program is tested It is whether identical with the signature verification information of the destination application to demonstrate,prove information.
4. it according to the method described in claim 1, it is characterized in that, determines similar between the sectional drawing and the template picture Degree includes:
When similarity between the sectional drawing and the template picture is more than or equal to predetermined threshold, the similarity is determined Indicate that the sectional drawing and the template picture are similar pictures.
5. method according to any one of claim 1 to 4, which is characterized in that determine the sectional drawing and the Prototype drawing The similarity of piece includes:
The region to match with the template picture is searched in the sectional drawing, obtains the region picture in the sectional drawing;
Extract the characteristic point of the region picture and the characteristic point of the template picture;
Obtain the number of same characteristic features point in the region picture and the template picture;
Using the ratio of the number of the same characteristic features point and the sum for the characteristic point extracted from the template picture as described in The similarity of sectional drawing and the template picture.
6. according to the method described in claim 5, match it is characterized in that, being searched in the sectional drawing with the template picture Region, the region picture obtained in the sectional drawing includes:
The sectional drawing is traversed to search the region to match with the template picture as unit of reference zone in the sectional drawing, And using the picture on the region found as the region picture, wherein, the size and shape of the reference zone with it is described Template picture is identical, and template picture described in the size and shape of the region picture is identical.
7. a kind of identification device of application interface, which is characterized in that including:
First acquisition unit, for obtaining the template picture at intended application interface target corresponding with the intended application interface The signature verification information of application program;
Second acquisition unit, for obtaining the sectional drawing of the first application interface;
First determination unit, for determining the similarity between the sectional drawing and the template picture;
Second determination unit, for indicating the sectional drawing and the template picture for similar pictures and described in the similarity The signature of the signature verification information of corresponding first application program of first application interface and process where the intended application interface In the case of verification information difference, determine that first application interface is different from the intended application interface.
8. device according to claim 7, which is characterized in that the first acquisition unit includes:
Interception module, for intercepting at least one feature for being used to represent the intended application interface on the intended application interface Region as the template picture.
9. device according to claim 8, which is characterized in that
In the case of including multiple template pictures at the intended application interface, first determination unit includes:It determines Module, for determining the similarity between each template picture in the sectional drawing and multiple template pictures respectively, Obtain multiple similarities;
Described device further includes:Judging unit, for after the similarity between the sectional drawing and the template picture is determined, In the case where the multiple similarity indicates that the sectional drawing and multiple template pictures are all similar, judge that described first applies Whether the signature verification information of program and the signature verification information of the destination application are identical.
10. device according to claim 7, which is characterized in that first determination unit be additionally operable to the sectional drawing with When similarity between the template picture is more than or equal to predetermined threshold, determine that the similarity indicates the sectional drawing and institute Template picture is stated as similar pictures.
11. the device according to any one of claim 7 to 10, which is characterized in that first determination unit includes:
Searching module for searching the region to match with the template picture in the sectional drawing, is obtained in the sectional drawing Region picture;
Extraction module, for extracting the characteristic point of the characteristic point of the region picture and the template picture;
Acquisition module, for obtaining the number of same characteristic features point in the region picture and the template picture;
Ratio module, for by the number of the same characteristic features point and the sum of characteristic point that extracts from the template picture Ratio is as the sectional drawing and the similarity of the template picture.
12. according to the devices described in claim 11, which is characterized in that the searching module includes:
Submodule is searched, is searched and the Prototype drawing in the sectional drawing traversing the sectional drawing as unit of reference zone The region that piece matches, and using the picture on the region found as the region picture, wherein, the reference zone it is big Small and shape is identical with the template picture, and template picture described in the size and shape of the region picture is identical.
13. a kind of storage medium, which is characterized in that computer program is stored in the storage medium, wherein, the computer Program is arranged to perform the method described in any one of claim 1 to 6 during operation.
14. a kind of electronic device, including memory and processor, which is characterized in that computer journey is stored in the memory Sequence, the processor are arranged to perform the side described in any one of claim 1 to 6 by the computer program Method.
CN201810045938.3A 2018-01-17 2018-01-17 Method, device, storage medium and electronic device for identifying disguised application Active CN108154031B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810045938.3A CN108154031B (en) 2018-01-17 2018-01-17 Method, device, storage medium and electronic device for identifying disguised application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810045938.3A CN108154031B (en) 2018-01-17 2018-01-17 Method, device, storage medium and electronic device for identifying disguised application

Publications (2)

Publication Number Publication Date
CN108154031A true CN108154031A (en) 2018-06-12
CN108154031B CN108154031B (en) 2021-08-06

Family

ID=62461775

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810045938.3A Active CN108154031B (en) 2018-01-17 2018-01-17 Method, device, storage medium and electronic device for identifying disguised application

Country Status (1)

Country Link
CN (1) CN108154031B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108984399A (en) * 2018-06-29 2018-12-11 上海连尚网络科技有限公司 Detect method, electronic equipment and the computer-readable medium of interface difference
CN109067566A (en) * 2018-07-09 2018-12-21 北京奇安信科技有限公司 A kind of method, terminal and the monitoring equipment of the screenshot under silent mode
CN111400132A (en) * 2020-03-09 2020-07-10 北京版信通技术有限公司 Automatic monitoring method and system for on-shelf APP
CN112016606A (en) * 2020-08-20 2020-12-01 恒安嘉新(北京)科技股份公司 Detection method, device and equipment for application program APP and storage medium
CN112348104A (en) * 2020-11-17 2021-02-09 百度在线网络技术(北京)有限公司 Counterfeit program identification method, apparatus, device and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090210793A1 (en) * 2008-02-14 2009-08-20 Palo Alto Research Center Incorporated Method and system for traversing digital records with multiple dimensional attributes
CN103179095A (en) * 2011-12-22 2013-06-26 阿里巴巴集团控股有限公司 Method and client device for detecting phishing websites
CN103942543A (en) * 2014-04-29 2014-07-23 Tcl集团股份有限公司 Image recognition method and device
CN104462152A (en) * 2013-09-23 2015-03-25 深圳市腾讯计算机系统有限公司 Webpage recognition method and device
CN106560840A (en) * 2015-09-30 2017-04-12 腾讯科技(深圳)有限公司 Recognition processing method and device of image information
CN106815522A (en) * 2015-11-27 2017-06-09 中兴通讯股份有限公司 Mobile terminal software vacation interface identification method and device

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090210793A1 (en) * 2008-02-14 2009-08-20 Palo Alto Research Center Incorporated Method and system for traversing digital records with multiple dimensional attributes
CN103179095A (en) * 2011-12-22 2013-06-26 阿里巴巴集团控股有限公司 Method and client device for detecting phishing websites
CN104462152A (en) * 2013-09-23 2015-03-25 深圳市腾讯计算机系统有限公司 Webpage recognition method and device
CN103942543A (en) * 2014-04-29 2014-07-23 Tcl集团股份有限公司 Image recognition method and device
CN106560840A (en) * 2015-09-30 2017-04-12 腾讯科技(深圳)有限公司 Recognition processing method and device of image information
CN106815522A (en) * 2015-11-27 2017-06-09 中兴通讯股份有限公司 Mobile terminal software vacation interface identification method and device

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108984399A (en) * 2018-06-29 2018-12-11 上海连尚网络科技有限公司 Detect method, electronic equipment and the computer-readable medium of interface difference
CN109067566A (en) * 2018-07-09 2018-12-21 北京奇安信科技有限公司 A kind of method, terminal and the monitoring equipment of the screenshot under silent mode
CN109067566B (en) * 2018-07-09 2021-08-17 奇安信科技集团股份有限公司 Method, terminal and monitoring equipment for screenshot in silent mode
CN111400132A (en) * 2020-03-09 2020-07-10 北京版信通技术有限公司 Automatic monitoring method and system for on-shelf APP
CN111400132B (en) * 2020-03-09 2023-08-18 北京版信通技术有限公司 Automatic monitoring method and system for on-shelf APP
CN112016606A (en) * 2020-08-20 2020-12-01 恒安嘉新(北京)科技股份公司 Detection method, device and equipment for application program APP and storage medium
CN112348104A (en) * 2020-11-17 2021-02-09 百度在线网络技术(北京)有限公司 Counterfeit program identification method, apparatus, device and storage medium
CN112348104B (en) * 2020-11-17 2023-08-18 百度在线网络技术(北京)有限公司 Identification method, device, equipment and storage medium for counterfeit program

Also Published As

Publication number Publication date
CN108154031B (en) 2021-08-06

Similar Documents

Publication Publication Date Title
CN108154031A (en) Recognition methods, device, storage medium and the electronic device of camouflage applications program
CN104978522B (en) A kind of method and apparatus for detecting malicious code
CN108229156A (en) URL attack detection methods, device and electronic equipment
CN112329888B (en) Image processing method, device, electronic equipment and storage medium
CN109190470B (en) Pedestrian re-identification method and device
CN109922065B (en) Quick identification method for malicious website
CN108111489A (en) URL attack detection methods, device and electronic equipment
CN111191067A (en) Picture book identification method, terminal device and computer readable storage medium
CN110782333B (en) Equipment risk control method, device, equipment and medium
CN110929203B (en) Abnormal user identification method, device, equipment and storage medium
US10528844B2 (en) Method and apparatus for distance measurement
Sahay et al. Leaf analysis for plant recognition
CN112465517A (en) Anti-counterfeiting verification method and device and computer readable storage medium
CN114448664B (en) Method and device for identifying phishing webpage, computer equipment and storage medium
US9875386B2 (en) System and method for randomized point set geometry verification for image identification
CN110855635B (en) URL (Uniform resource locator) identification method and device and data processing equipment
CN110472410B (en) Method and device for identifying data and data processing method
CN111553241A (en) Method, device and equipment for rejecting mismatching points of palm print and storage medium
CN112579907B (en) Abnormal task detection method and device, electronic equipment and storage medium
CN105302715B (en) The acquisition methods and device of application program user interface
CN109389014B (en) Detection method and device for license plate-applied vehicle and electronic equipment
CN110097258B (en) User relationship network establishment method, device and computer readable storage medium
CN116912881A (en) Animal species identification method, computer equipment and identification system
CN116109864A (en) Garment detection and identification method, device, terminal and computer readable storage medium
CN109726648A (en) A kind of facial image recognition method and device based on machine learning

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant