CN108154031B - Method, device, storage medium and electronic device for identifying disguised application - Google Patents

Publication number: CN108154031B
Application number: CN201810045938.3A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN108154031A (en)
Inventor: 赵亚鑫
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Legal status: Active
Prior art keywords: picture; screenshot; application interface; template; target application

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

The invention discloses a method and a device for identifying a disguised application program, a storage medium and an electronic device. The method comprises the following steps: acquiring a template picture of a target application interface and signature verification information of the process in which the target application interface is located; acquiring a screenshot of a first application interface; determining the similarity between the screenshot and the template picture; and determining that the first application interface is different from the target application interface when the similarity indicates that the screenshot and the template picture are similar pictures and the signature verification information of the first application program corresponding to the first application interface is different from the signature verification information of the target application program. The invention solves the technical problem of Trojan files being missed during detection.

Description

Method, device, storage medium and electronic device for identifying disguised application
Technical Field
The invention relates to the field of data processing, in particular to a method and a device for identifying a disguised application program, a storage medium and an electronic device.
Background
In the prior art, a phishing Trojan is identified as follows: suspected Trojan files are automatically picked out of a large number of suspicious executable files; a virus analyst manually analyzes the suspected files, confirms the real Trojan samples, extracts features that identify each Trojan, and adds those features to a feature library. Files on the user's machine are then scanned and matched against the features in the feature library to identify Trojan files.
Traditional security software (such as antivirus software) often uses sample feature codes, API sequences and the like to detect phishing Trojans, and has the following disadvantage:
The features are not general, which often causes missed detections: one feature code can detect only one Trojan, and when a variant of the Trojan appears, the variant cannot be identified, so the phishing Trojan goes undetected.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiments of the invention provide a method, a device, a storage medium and an electronic device for identifying a disguised application program, which at least solve the technical problem of Trojan files being missed during detection.
According to an aspect of an embodiment of the present invention, there is provided a method for identifying a masquerading application, including: acquiring a template picture of a target application interface and signature verification information of a target application program corresponding to the target application interface; acquiring a screenshot of a first application interface; determining the similarity between the screenshot and the template picture; and under the condition that the similarity indicates that the screenshot and the template picture are similar pictures and the signature verification information of the first application program corresponding to the first application interface is different from the signature verification information of the process where the target application interface is located, determining that the first application interface is different from the target application interface.
According to another aspect of the embodiments of the present invention, there is also provided an apparatus for identifying an application interface, including: a first acquisition unit, configured to acquire a template picture of a target application interface and signature verification information of a target application program corresponding to the target application interface; a second acquisition unit, configured to acquire a screenshot of the first application interface; a first determining unit, configured to determine the similarity between the screenshot and the template picture; and a second determining unit, configured to determine that the first application interface is different from the target application interface when the similarity indicates that the screenshot and the template picture are similar pictures and the signature verification information of a first application corresponding to the first application interface is different from the signature verification information of the process in which the target application interface is located.
According to yet another aspect of the embodiments of the present invention, there is also provided a storage medium, characterized in that the storage medium stores therein a computer program, wherein the computer program is configured to execute the above method when running.
According to yet another aspect of the embodiments of the present invention, there is also provided an electronic apparatus, including a memory and a processor, wherein the memory stores therein a computer program, and the processor is configured to execute the above method through the computer program.
In this embodiment, picture recognition and signature verification are combined to judge whether an interface is a Trojan-disguised interface, so that Trojans are identified. This solves the problem of missed detections that arises in the prior art, where Trojans are detected from virus samples whose features are not general.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of a hardware environment according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method of identifying a masquerading application according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an interface of a login client in accordance with an embodiment of the present invention;
FIG. 4 is a schematic diagram of a traversal screenshot in accordance with an embodiment of the invention;
FIG. 5 is a schematic illustration of determining similarity according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of an identification apparatus of an application interface according to an embodiment of the invention;
FIG. 7 is a block diagram of an electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an aspect of an embodiment of the present invention, there is provided a method of recognizing a masquerading application. In this embodiment, the above-described method for recognizing the masquerading application can be applied to a hardware environment constituted by the terminal 101 and the server 102 as shown in fig. 1. As shown in fig. 1, a terminal 101 is connected to a server 102 via a network, including but not limited to: the terminal 101 may be a mobile phone terminal, or may also be a PC terminal, a notebook terminal, or a tablet terminal.
Fig. 2 is a flowchart of a recognition method of a masquerading application according to an embodiment of the present invention. As shown in fig. 2, the method for identifying the masquerading application includes the following steps:
Step S202, acquiring a template picture of the target application interface and signature verification information of a target application program corresponding to the target application interface.
Step S204, a screenshot of the first application interface is obtained.
The target application interface is the genuine application interface, not an application interface disguised by a Trojan. The application interface may be the login-client interface of an application, a web page of the application, or the like, and the application may be installed on a computer terminal or on a mobile terminal such as a mobile phone or a notebook computer. The first application interface is the application interface that needs to be judged as Trojan-disguised or not. The screenshot of the first application interface is a picture obtained by performing a screenshot operation on the first application interface. The template picture of the target application interface can be a picture of one region or of several regions in the target application interface.
The signature verification information of the target application may be obtained from the process in which the target application runs. It can be obtained from that process at the same time as the template picture of the target application interface is obtained.
Optionally, obtaining the template picture of the target application interface includes: capturing, as a template picture, at least one region of the target application interface that represents the characteristics of the target application interface.
A region that represents the characteristics of the target application interface may be a region indicating which application this is, or to which application the content displayed by the interface belongs; it may also be a region that represents the usual functions of the application interface. For example, if the target application interface is the login-client interface of an instant messaging application, the region may be the area of the login-client interface where the identifier of the instant messaging application is located, or the area where the "log in" button is located. The target application interface may also be a page of a social networking site, in which case the region may be the area of the page where the identifier of the social networking site is located, or the area of the page used to register with or log in to that site.
The interface of the game login client shown in fig. 3 is taken as an example. As shown in fig. 3, the area where the game name "CYHX" is located may be a region that represents the characteristics of the target application interface, and a picture of that area is used as a template picture of the target application interface. The area where the game's login button is located can also serve as such a region, and the picture of the area where the login button is located is used as a template picture of the target application interface. Similarly, part of the artwork on the game login-client interface may also represent the characteristics of the game application, for example the area containing the hand or face of the character shown in fig. 3; that area may then be used as such a region, and the picture of the area where that part of the artwork is located is used as a template picture of the target application interface. There may be one or more template pictures in this embodiment.
Step S206, determining the similarity between the screenshot and the template picture.
The similarity between the screenshot and the template picture determines whether the two are similar pictures. Optionally, determining the similarity between the screenshot and the template picture includes: when the similarity between the screenshot and the template picture is greater than or equal to a predetermined threshold, determining that the similarity indicates that the screenshot and the template picture are similar pictures.
The similarity between the screenshot and the template picture is calculated; it usually lies between 0 and 1, and the larger its value, the more alike the screenshot and the template picture are and the more likely they are similar pictures. In general, when the similarity between the screenshot and the template picture is greater than or equal to a predetermined threshold, the two are determined to be similar pictures, and the predetermined threshold can be obtained by analyzing historical data. For example, if in the general case the screenshot and the template picture can be determined to be similar pictures at a threshold of 0.8, the predetermined threshold may be 0.8. The predetermined threshold may be updated according to different scenarios and historical data, and is not limited herein.
When the similarity between the screenshot and the template picture is determined, a metric that is too fine misses variants of the malicious code because similar pictures are not recognized; a metric that is too coarse identifies dissimilar pictures as similar; and if recognition is slow, few application interfaces are recognized per unit of time, so Trojan-disguised application interfaces may be missed. The similarity between the screenshot and the template picture is therefore determined by combining template matching and feature point matching.
That is, determining the similarity between the screenshot and the template picture comprises the following steps: searching the screenshot for a region that matches the template picture, to obtain a region picture in the screenshot; extracting the feature points of the region picture and the feature points of the template picture; obtaining the number of identical feature points in the region picture and the template picture; and taking the ratio of the number of identical feature points to the total number of feature points extracted from the template picture as the similarity between the screenshot and the template picture.
The template picture is a picture of a region of the target application interface, and the region in the screenshot that matches the template picture is the region corresponding to the template picture, with the same shape and size as the template picture. Restricting the match to a region picture of the same size as the template picture reduces false positives, enables accurate matching, shrinks the search space and increases running speed. To speed up the search for the region picture, gray processing may be applied, that is, the picture is converted into a grayscale image, and the region picture that matches the template picture is then searched for using the normalized correlation coefficient matching method. Matching grayscale images eliminates the influence of changes in color or brightness on the match. For example, the background color in the screenshot is light blue and the background color of the template picture is light green; after conversion to grayscale, the background color of the screenshot is the same as that of the template picture.
Specifically, searching the screenshot for a region that matches the template picture and obtaining the region picture in the screenshot includes: traversing the screenshot in units of a reference region to search for a region that matches the template picture, and taking the picture in the region found as the region picture, where the size and shape of the reference region are the same as those of the template picture, and the size and shape of the region picture are the same as those of the template picture.
As shown in fig. 4, the shape and size of the reference region are the same as those of the template picture, and the screenshot is traversed in units of the reference region when searching for the region picture that matches the template picture. During the traversal, the similarity between each region and the template picture is determined, and the picture of the reference region with the highest similarity is taken as the region picture. This similarity is used only to select the region picture; it does not by itself mean that the region picture and the template picture are similar pictures. For example, a reference region whose picture has a similarity of 50% with the template picture may still have the highest similarity of all reference regions, in which case its picture is used as the region picture.
After the region picture is determined, feature points are extracted from the region picture and from the template picture using the Speeded Up Robust Features (SURF) algorithm, and the number of feature points matched between the region picture and the template picture is calculated. When SURF is used, the threshold for extracting feature points can be set first; the Euclidean distance between two feature points is used as the similarity criterion for matching them, and suitable feature points are selected according to a threshold set for the practical application. Among these feature points, the random sample consensus (RANSAC) algorithm is used to remove mismatched outliers and keep the correct inliers, that is, to eliminate noise. Eliminating noise means discarding unsuitable feature points; the similarity is then calculated from the feature points that remain.
Let A and B be the sets of feature points of the template picture and the region picture, respectively, and let C be the set of feature points shared by the template picture and the region picture, that is, $C = A \cap B$. The similarity is $S = |C| / |A|$; S lies in the interval [0, 1], and the larger its value, the more similar the two pictures.
The calculation process of the similarity is shown in fig. 5:
Image A is a screenshot of the first application interface and image B is the target application interface. The area where the login button is located in image B is the template picture; template matching is used to cut the region picture of the area where the login button is located out of image A, and the similarity between this region picture and the template picture of image B is calculated. Feature points are extracted from the region picture and from the template picture, the number of identical feature points in the two is found, and the ratio of the number of identical feature points to the total number of feature points in the template picture is used as the similarity between the region picture and the template picture. If the similarity is greater than or equal to the threshold, the region picture and the template picture are determined to be similar pictures.
If the target application interface has a plurality of template pictures, a plurality of region pictures corresponding to the template pictures are determined from the screenshot, and the screenshot and the template pictures are determined to be similar pictures when the similarity between each region picture and its corresponding template picture is greater than or equal to the predetermined threshold.
Step S208, when the similarity indicates that the screenshot and the template picture are similar pictures and the signature verification information of the first application program corresponding to the first application interface is different from the signature verification information of the target application program, determining that the first application interface is different from the target application interface.
When the screenshot and the template picture are determined to be similar pictures, it is judged whether the signature verification information of the process in which the first application interface is located is the same as the signature verification information of the process in which the target application interface is located. If the signature verification information is the same, the first application interface is determined to be the same as the target application interface; if it is different, the first application interface is determined to be different from the target application interface.
When the target application interface is a login-client interface, the signature of the target application program in the process that owns the login-client interface can be verified; when the target application interface is a web page, the certificate of the browser in which the web page is displayed can be verified. The signature verification information in the process where the target application interface is located is the signature verification information of the target application. The target application interface is the real interface of the application. If the signature of the first application program corresponding to the first application interface differs from the signature of the target application while the screenshot of the first application interface matches the template picture of the target application interface, the first application interface is a Trojan-disguised interface, through which the user's account and password may be stolen. The first application interface is therefore determined to be a Trojan-disguised interface by identifying that the screenshot and the template picture are similar pictures and that the signature verification information of the process in which the first application interface is located differs from the signature verification information of the process in which the target application interface is located.
In this embodiment, picture recognition and signature verification are combined to judge whether an interface is a Trojan-disguised interface, so that Trojans are identified. This solves the problem of missed detections that arises in the prior art, where Trojans are detected from virus samples whose features are not general.
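The following sketch is an added example, not code from the patent: it walks through steps S206 and S208 in pure Python, with the reference-region traversal scored by a normalized correlation coefficient, the ratio S = |C| / |A| computed by Euclidean-distance matching, and the final decision against the signer. The tiny images, the 4-D descriptors standing in for SURF output, the 0.05 distance limit and the signer strings are all constructed for the example, and RANSAC outlier removal is omitted.

```python
from dataclasses import dataclass
from math import dist, sqrt

THRESHOLD = 0.8  # the page's example value for the predetermined threshold


def to_gray(rgb):
    """Rows of (r, g, b) pixels -> grayscale rows (ITU-R BT.601 weights)."""
    return [[0.299 * r + 0.587 * g + 0.114 * b for r, g, b in row] for row in rgb]


def ncc(window, template):
    """Normalized correlation coefficient of two equal-sized gray patches."""
    a = [p for row in window for p in row]
    b = [p for row in template for p in row]
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return num / den if den else 0.0  # a flat patch has nothing to correlate


def find_region(screenshot, template):
    """Traverse the screenshot with a template-sized reference region and
    return (score, x, y) for the position with the highest score."""
    th, tw = len(template), len(template[0])
    best = (-2.0, 0, 0)
    for y in range(len(screenshot) - th + 1):
        for x in range(len(screenshot[0]) - tw + 1):
            window = [row[x:x + tw] for row in screenshot[y:y + th]]
            best = max(best, (ncc(window, template), x, y))
    return best


def feature_similarity(template_desc, region_desc, max_dist):
    """S = |C| / |A|: fraction of template feature points (A) with a partner
    in the region picture (B) no farther than max_dist (Euclidean)."""
    if not template_desc:
        return 0.0
    unused, shared = list(region_desc), 0
    for d in template_desc:
        near = min(unused, key=lambda r: dist(d, r), default=None)
        if near is not None and dist(d, near) <= max_dist:
            shared += 1
            unused.remove(near)  # each region point may be paired only once
    return shared / len(template_desc)


@dataclass
class Verdict:
    similar: bool       # every template picture reached the threshold
    same_signer: bool   # signature verification information matches

    @property
    def masquerading(self):
        return self.similar and not self.same_signer


def classify(similarities, first_signer, target_signer, threshold=THRESHOLD):
    """Step S208: look-alike interface plus a different signer -> disguised."""
    similar = bool(similarities) and all(s >= threshold for s in similarities)
    return Verdict(similar, first_signer == target_signer)


def sample_images():
    """Constructed data: a 3x3 template and a 6x7 screenshot holding a
    brighter copy of it (+40 on every channel) at x=3, y=2."""
    pattern = [[10, 200, 10], [200, 10, 200], [10, 200, 10]]
    template = [[(v, v, v) for v in row] for row in pattern]
    shot = [[(90, 90, 90)] * 7 for _ in range(6)]
    for dy, row in enumerate(pattern):
        for dx, v in enumerate(row):
            shot[2 + dy][3 + dx] = (v + 40,) * 3
    return to_gray(shot), to_gray(template)


# Constructed 4-D descriptors standing in for SURF output (real ones are 64-D).
TEMPLATE_DESC = [(0.10, 0.90, 0.30, 0.50), (0.80, 0.20, 0.60, 0.10),
                 (0.40, 0.40, 0.90, 0.70), (0.95, 0.05, 0.15, 0.85),
                 (0.25, 0.65, 0.45, 0.35)]
REGION_DESC = [(0.11, 0.89, 0.31, 0.50), (0.79, 0.21, 0.60, 0.11),
               (0.40, 0.41, 0.89, 0.70), (0.94, 0.06, 0.15, 0.84),
               (0.60, 0.95, 0.05, 0.99)]  # last point has no partner

if __name__ == "__main__":
    shot, tmpl = sample_images()
    print("best region (score, x, y):", find_region(shot, tmpl))
    s = feature_similarity(TEMPLATE_DESC, REGION_DESC, 0.05)
    # Signer strings are constructed placeholders.
    v = classify([s], "CN=Unknown Publisher", "CN=Example Game Studio")
    print("S =", s, "masquerading:", v.masquerading)
```

The brightness-shifted copy still scores about 1.0 because the correlation coefficient subtracts each patch's mean and divides by its spread. `classify` only compares signer strings; the signer passed in has to come from a verified signature on the process's executable, not from a name the process reports about itself.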
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
According to another aspect of the embodiment of the invention, an application interface recognition device for implementing the recognition method of the disguised application program is further provided. Fig. 6 is a schematic diagram of an identification apparatus of an application interface according to an embodiment of the present invention. As shown in fig. 6, the apparatus includes: a first acquisition unit 62, a second acquisition unit 64, a first determination unit 66, and a second determination unit 68.
The first obtaining unit 62 is configured to obtain a template picture of a target application interface and signature verification information of a target application program corresponding to the target application interface.
A second obtaining unit 64, configured to obtain a screenshot of the first application interface;
The target application interface is the genuine application interface, not an application interface disguised by a Trojan. The application interface may be the login-client interface of an application, a web page of the application, or the like, and the application may be installed on a computer terminal or on a mobile terminal such as a mobile phone or a notebook computer. The first application interface is the application interface that needs to be judged as Trojan-disguised or not. The screenshot of the first application interface is a picture obtained by performing a screenshot operation on the first application interface. The template picture of the target application interface can be a picture of one region or of several regions in the target application interface.
Optionally, the first obtaining unit includes: a capturing module, configured to capture, as a template picture, at least one region of the target application interface that represents the characteristics of the target application interface.
A region that represents the characteristics of the target application interface may be a region indicating which application this is, or to which application the content displayed by the interface belongs; it may also be a region that represents the usual functions of the application interface. For example, if the target application interface is the login-client interface of an instant messaging application, the region may be the area of the login-client interface where the identifier of the instant messaging application is located, or the area where the "log in" button is located. The target application interface may also be a page of a social networking site, in which case the region may be the area of the page where the identifier of the social networking site is located, or the area of the page used to register with or log in to that site.
The interface of the game login client shown in fig. 3 is taken as an example. As shown in fig. 3, the area where the game name "CYHX" is located may be a region that represents the characteristics of the target application interface, and a picture of that area is used as a template picture of the target application interface. The area where the game's login button is located can also serve as such a region, and the picture of the area where the login button is located is used as a template picture of the target application interface. Similarly, part of the artwork on the game login-client interface may also represent the characteristics of the game application, for example the area containing the hand or face of the character shown in fig. 3; that area may then be used as such a region, and the picture of the area where that part of the artwork is located is used as a template picture of the target application interface. There may be one or more template pictures in this embodiment.
The first determining unit 64 is configured to determine similarity between the screenshot and the template picture;
The similarity between the screenshot and the template picture determines whether the screenshot and the template picture are similar pictures. Optionally, the first determining unit is further configured to determine that the screenshot and the template picture are similar pictures when the similarity between the screenshot and the template picture is greater than or equal to a predetermined threshold.
The similarity between the screenshot and the template picture is calculated; it usually lies between 0 and 1, and the larger the value, the more alike the screenshot and the template picture are and the more likely they are similar pictures. In general, when the similarity between the screenshot and the template picture is greater than or equal to a predetermined threshold, the screenshot and the template picture are determined to be similar pictures; the predetermined threshold can be obtained from analysis of historical data. For example, if in the general case a similarity of 0.8 is enough to determine that the screenshot and the template picture are similar pictures, then the predetermined threshold may be 0.8. The predetermined threshold may be updated according to different scenarios and historical data, and is not limited here.
When determining the similarity between the screenshot and the template picture: if the measure is too fine, variants of malicious code are missed and similar pictures are not identified; if the measure is too coarse, dissimilar pictures are identified as similar pictures; and if recognition is slow, few application interfaces are recognized per unit time and Trojan-disguised application interfaces may be missed. Therefore, the similarity between the screenshot and the template picture is determined by combining template matching and feature point matching.
Optionally, the first determining unit includes: a searching module, used for searching the screenshot for the area matched with the template picture to obtain the area picture in the screenshot; an extraction module, used for extracting the feature points of the area picture and the feature points of the template picture; an acquisition module, used for acquiring the number of identical feature points in the area picture and the template picture; and a ratio module, used for taking the ratio of the number of identical feature points to the total number of feature points extracted from the template picture as the similarity between the screenshot and the template picture.
The template picture is a picture of an area of the target application interface, and the area in the screenshot that matches the template picture is the area corresponding to the template picture, with the same shape and size as the template picture. Restricting the match to an area picture of the same size as the template picture reduces false alarms, achieves accurate matching, shrinks the matching space and increases running speed. To speed up matching of the area picture, gray processing may be applied to the area picture, that is, the area picture is converted into a grayscale image, and the area picture matching the template picture is then searched for using the normalized correlation coefficient matching method. Matching on grayscale images eliminates the influence of color or brightness changes on the match. For example, if the background color in the screenshot is light blue and the background color of the template picture is light green, the background color of the screenshot after conversion into a grayscale image is the same as the background color of the template picture.
Specifically, the searching module includes: a searching submodule, used for traversing the screenshot with a reference area as the unit to search for the area matched with the template picture, and taking the picture on the found area as the area picture, wherein the size and shape of the reference area are the same as those of the template picture, and the size and shape of the area picture are the same as those of the template picture.
As shown in fig. 4, the shape and size of the reference region are the same as those of the template picture, and when searching for the region picture matching the template picture, the screenshot is traversed with the reference region as the unit. During the traversal, the similarity between each region and the template picture is determined, and the picture of the reference region with the maximum similarity is taken as the region picture. This similarity is used only to select the region picture; it does not establish that the region picture and the template picture are similar pictures. For example, a reference region whose picture has a similarity of 50% with the template picture, and which has the highest similarity among all the reference regions, may be used as the region picture.
After the region picture is determined, feature points are extracted from the region picture and from the template picture using the Speeded Up Robust Features (SURF) algorithm, and the number of feature points matched between the region picture and the template picture is calculated. When SURF is used, the threshold used for extracting feature points can be set first; the Euclidean distance between two feature points is used as the similarity criterion for matching them, and suitable feature points can be selected according to the threshold set for the practical application. Among these feature points, the random sample consensus (RANSAC) algorithm is used to remove mismatched outliers and retain the correct inliers, that is, to eliminate noise. Eliminating noise means discarding unsuitable feature points; the similarity is then calculated from the feature points that remain.
Let A and B be the sets of feature points of the template picture and the region picture, respectively. If the set C is the set of feature points shared by the template picture and the region picture, that is, $C = A \cap B$, then the similarity is $S = |C| / |A|$; S takes values in the interval [0, 1], and the larger the value, the more similar the pictures.
The second determining unit 66 is configured to determine that the first application interface is different from the target application interface when the similarity indicates that the screenshot and the template picture are similar pictures and the signature verification information of the first application corresponding to the first application interface is different from the signature verification information of the target application.
In a case where the target application interface includes a plurality of template pictures, the first determining unit includes: a determining module, used for respectively determining the similarity between the screenshot and each of the template pictures to obtain a plurality of similarities. The device also includes: a judging unit, used for judging, after the similarity between the screenshot and the template pictures is determined and when the plurality of similarities indicate that the screenshot is similar to the plurality of template pictures, whether the signature verification information of the process in which the first application interface is located is the same as the signature verification information of the process in which the target application interface is located. When the signature verification information is different, the first application interface is determined to be different from the target application interface.
When the target application interface is the logger interface, the signature of the target application program in the process of the logger interface can be verified; when the target application interface is a web page, the certificate of the browser in which the web page is located can be verified. The signature verification information of the process in which the target application interface is located is the signature verification information of the target application. The target application interface is the real interface of the application. If the signature of the first application program corresponding to the first application interface differs from the signature of the target application while the screenshot of the first application interface is identical to the template picture of the target application interface, the first application interface is a Trojan masquerading interface, through which the user's account and password may be stolen. Therefore, the first application interface is determined to be a Trojan masquerading interface when the screenshot and the template picture are identified as similar pictures and the signature verification information of the process in which the first application interface is located differs from that of the process in which the target application interface is located.
In this embodiment, whether the interface is a Trojan disguised interface is judged by combining picture identification and signature verification, so that Trojan viruses are identified, and the technical problem in the prior art of missed detections, caused by the characteristics of virus samples not being universal when Trojans are detected according to virus samples, is solved.
According to another aspect of the embodiment of the present invention, there is also provided an electronic device for implementing the method for recognizing a disguised application. Fig. 7 is a block diagram of an electronic device according to an embodiment of the invention. As shown in fig. 7, the electronic device comprises one or more processors 71 (only one is shown), at least one communication bus 72, a user interface 73, at least one transmission device 74, and a memory 75. The communication bus 72 is used to enable connection and communication between these components, and the user interface 73 may include a display 76 and a keyboard 77. The transmission device 74 may comprise a standard wired interface and a wireless interface.
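The decision procedure described above (gray processing, reference-region traversal scored by a normalized correlation coefficient, S = |C|/|A| against the threshold, then the signature comparison), as an added Python example that is not the patent's own code. To run without an image library it substitutes an 8-bit local binary pattern at fixed positions for SURF plus RANSAC; the images, signer strings and function names are constructed for illustration.

```python
import math

THRESHOLD = 0.8  # the example value the text gives for the predetermined threshold

def to_gray(rgb):
    """Gray processing: rows of (r, g, b) pixels -> rows of grey levels."""
    return [[0.299 * r + 0.587 * g + 0.114 * b for r, g, b in row] for row in rgb]

def ncc(window, template):
    """Normalized correlation coefficient of two equal-sized grey patches."""
    a = [p for row in window for p in row]
    b = [p for row in template for p in row]
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return num / den if den else 0.0

def find_region(gray_shot, template):
    """Traverse the screenshot in template-sized reference regions; return the best one."""
    th, tw = len(template), len(template[0])
    best = (-2.0, 0, 0)
    for y in range(len(gray_shot) - th + 1):
        for x in range(len(gray_shot[0]) - tw + 1):
            window = [row[x:x + tw] for row in gray_shot[y:y + th]]
            best = max(best, (ncc(window, template), y, x))
    _, y, x = best
    return (y, x), [row[x:x + tw] for row in gray_shot[y:y + th]]

def feature_points(gray, min_contrast=10):
    """Stand-in for SURF (assumption of this example): one point per interior pixel
    whose 3x3 patch has contrast, described by which neighbours are brighter."""
    points = {}
    for y in range(1, len(gray) - 1):
        for x in range(1, len(gray[0]) - 1):
            c = gray[y][x]
            ring = [gray[y + dy][x + dx] for dy in (-1, 0, 1) for dx in (-1, 0, 1) if dy or dx]
            if max(ring + [c]) - min(ring + [c]) >= min_contrast:
                points[(y, x)] = tuple(n > c for n in ring)
    return points

def similarity(shot_rgb, template):
    """S = |C| / |A|: A = template points, C = points also found in the region picture.
    Requiring the same position stands in for RANSAC's geometric consistency check."""
    _, region = find_region(to_gray(shot_rgb), template)
    a, b = feature_points(template), feature_points(region)
    common = [p for p, d in a.items() if b.get(p) == d]
    return len(common) / len(a) if a else 0.0

def is_disguised(shot_rgb, shot_signer, templates, target_signer, threshold=THRESHOLD):
    """True when the screenshot is similar to every template picture but the
    signature verification information differs from the target application's."""
    similar = bool(templates) and all(similarity(shot_rgb, t) >= threshold for t in templates)
    return similar and shot_signer != target_signer

# Constructed grey template pictures: an application identifier and a login button.
LOGO = [
    [20, 20, 20, 20, 20, 20],
    [20, 200, 200, 200, 200, 20],
    [20, 200, 60, 60, 200, 20],
    [20, 200, 60, 120, 200, 20],
    [20, 200, 200, 200, 200, 20],
    [20, 20, 20, 20, 20, 20],
]
BUTTON = [
    [40, 40, 40, 40, 40, 40],
    [40, 230, 150, 230, 150, 40],
    [40, 150, 230, 150, 230, 40],
    [40, 40, 40, 40, 40, 40],
]

def render(patches, tint=(1.0, 1.0, 1.0), height=10, width=16, background=90):
    """Constructed screenshot: paste grey patches on a flat background, then tint to RGB."""
    grey = [[background] * width for _ in range(height)]
    for patch, top, left in patches:
        for dy, row in enumerate(patch):
            grey[top + dy][left:left + len(row)] = row
    return [[tuple(round(v * m) for m in tint) for v in row] for row in grey]

REAL_UI = render([(LOGO, 2, 1), (BUTTON, 4, 8)])
# Same widgets moved and recoloured with a bluish tint, as a look-alike window would be.
FAKE_UI = render([(LOGO, 1, 9), (BUTTON, 5, 2)], tint=(0.6, 0.8, 1.0))
# Unrelated window: a plain horizontal brightness ramp.
OTHER_UI = [[(20 + 15 * x,) * 3 for x in range(16)] for _ in range(10)]
TARGET_SIGNER = "signer-A (constructed placeholder)"
OTHER_SIGNER = "signer-B (constructed placeholder)"

if __name__ == "__main__":
    for name, shot, signer in (("real", REAL_UI, TARGET_SIGNER),
                               ("fake", FAKE_UI, OTHER_SIGNER),
                               ("other", OTHER_UI, OTHER_SIGNER)):
        print(name, is_disguised(shot, signer, [LOGO, BUTTON], TARGET_SIGNER))
```

Neither test alone decides the verdict: the unrelated window has a foreign signer but is not flagged, and the genuine window is visually identical but carries the expected signer.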
Optionally, in this embodiment, the electronic apparatus may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, acquiring the template picture of the target application interface and the signature verification information of the target application program corresponding to the target application interface;
S2, acquiring a screenshot of the first application interface;
S3, determining the similarity between the screenshot and the template picture;
S4, determining that the first application interface is different from the target application interface when the similarity indicates that the screenshot and the template picture are similar pictures and the signature verification information of the first application corresponding to the first application interface is different from the signature verification information of the target application.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
intercepting at least one area which is used for representing the characteristics of the target application interface on the target application interface as the template picture.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
when the similarity between the screenshot and the template picture is greater than or equal to a preset threshold value, determining that the similarity indicates that the screenshot and the template picture are similar pictures.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
searching a region matched with the template picture in the screenshot to obtain a region picture in the screenshot; extracting the characteristic points of the area picture and the characteristic points of the template picture; acquiring the number of the same feature points in the area picture and the template picture; and taking the ratio of the number of the same characteristic points to the total number of the characteristic points extracted from the template picture as the similarity of the screenshot and the template picture.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
traversing the screenshot by taking a reference area as a unit in the screenshot to search an area matched with the template picture, and taking a picture on the searched area as the area picture, wherein the size and the shape of the reference area are the same as those of the template picture, and the size and the shape of the area picture are the same as those of the template picture.
Alternatively, it can be understood by those skilled in the art that the structure shown in fig. 7 is only an illustration, and the electronic device may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 7 is a diagram illustrating a structure of the electronic device. For example, the electronic device may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 7, or have a different configuration than shown in FIG. 7.
The memory 75 is used for storing software programs and modules, such as program instructions/modules corresponding to the identification method and apparatus of the masquerading application program in the embodiment of the present invention, and the processor 71 runs the software programs and modules stored in the memory 75, so as to execute various functional applications and data processing, that is, to implement the identification method of the masquerading application program. The memory 75 includes high speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 75 further includes memory located remotely from the processor 71, and these remote memories may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 74 receives or transmits data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 74 includes a network adapter (Network Interface Controller, NIC) that can be connected via a network cable to other network devices and a router so as to communicate with the internet or a local area network. In one example, the transmission device 74 is a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
Embodiments of the present invention also provide a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, acquiring a template picture of the target application interface and signature verification information of a target application program corresponding to the target application interface;
S2, acquiring a screenshot of the first application interface;
S3, determining the similarity between the screenshot and the template picture;
S4, determining that the first application interface is different from the target application interface when the similarity indicates that the screenshot and the template picture are similar pictures and the signature verification information of the first application corresponding to the first application interface is different from the signature verification information of the target application.
Optionally, the storage medium is further configured to store a computer program for executing the steps included in the method in the foregoing embodiment, which is not described in detail in this embodiment.
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (8)

1. A method for identifying a masquerading application, comprising:
acquiring a template picture of a target application interface and signature verification information of a target application program corresponding to the target application interface;
carrying out gray processing on the acquired screenshot of the first application interface to obtain a gray screenshot;
traversing the grayscale screenshot by taking a reference region as a unit in the grayscale screenshot to find a region matched with the template picture, and taking a picture on the found region as a region picture, wherein the size and the shape of the reference region are the same as those of the template picture, and the size and the shape of the region picture are the same as those of the template picture;
extracting the characteristic points of the area picture and the characteristic points of the template picture;
acquiring the number of the same feature points in the area picture and the template picture;
taking the ratio of the number of the same characteristic points to the total number of the characteristic points extracted from the template picture as the similarity of the gray-scale screenshot and the template picture;
when the similarity is larger than or equal to a preset threshold value, determining that the similarity indicates that the gray-scale screenshot and the template picture are similar pictures;
and determining that the first application interface is different from the target application interface under the condition that the similarity indicates that the grayscale screenshot and the template picture are similar pictures and the signature verification information of the first application program corresponding to the first application interface is different from the signature verification information of the target application program.
2. The method of claim 1, wherein obtaining a template picture of a target application interface comprises:
and intercepting at least one area which is used for representing the characteristics of the target application interface on the target application interface as the template picture.
3. The method of claim 2,
in a case that the target application interface includes a plurality of the template pictures, determining a similarity between the grayscale screenshot and the template pictures includes: respectively determining the similarity between the grayscale screenshot and each template picture in a plurality of template pictures to obtain a plurality of similarities;
after determining the similarity between the grayscale screenshot and the template picture, the method further comprises: and under the condition that the similarity degrees indicate that the grayscale screenshot is similar to the template pictures, judging whether the signature verification information of the first application program is the same as the signature verification information of the target application program.
4. An apparatus for identifying an application interface, comprising:
a first acquisition unit, used for acquiring a template picture of a target application interface and signature verification information of a target application program corresponding to the target application interface;
the second acquisition unit is used for carrying out gray processing on the acquired screenshot of the first application interface to obtain a gray screenshot;
the first determining unit is used for determining the similarity between the grayscale screenshot and the template picture;
wherein the first determination unit includes:
the searching submodule is used for traversing the grayscale screenshot by taking a reference region as a unit in the grayscale screenshot to search a region matched with the template picture and taking a picture on the searched region as a region picture, wherein the size and the shape of the reference region are the same as those of the template picture, and the size and the shape of the region picture are the same as those of the template picture;
the extraction module is used for extracting the characteristic points of the region picture and the characteristic points of the template picture;
the acquisition module is used for acquiring the number of the same characteristic points in the area picture and the template picture;
a ratio module, configured to use a ratio of the number of the same feature points to a total number of feature points extracted from the template picture as a similarity between the grayscale screenshot and the template picture; when the similarity between the grayscale screenshot and the template picture is greater than or equal to a preset threshold value, determining that the similarity indicates that the grayscale screenshot and the template picture are similar pictures;
and a second determining unit, configured to determine that the first application interface is different from the target application interface when the similarity indicates that the grayscale screenshot and the template picture are similar pictures and signature verification information of a first application corresponding to the first application interface is different from signature verification information of a process in which the target application interface is located.
5. The apparatus of claim 4, wherein the first obtaining unit comprises:
and the intercepting module is used for intercepting at least one area which is used for representing the characteristics of the target application interface on the target application interface as the template picture.
6. The apparatus of claim 5,
in a case where the target application interface includes a plurality of the template pictures, the first determining unit includes: the determining module is used for respectively determining the similarity between the grayscale screenshot and each template picture in the template pictures to obtain a plurality of similarities;
the device further comprises: a determining unit, configured to determine, after determining a similarity between the grayscale screenshot and the template picture, whether signature verification information of the first application is the same as signature verification information of the target application when the plurality of similarities indicate that the grayscale screenshot is similar to the plurality of template pictures.
7. A storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 3 when executed.
8. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 3 by means of the computer program.
CN201810045938.3A 2018-01-17 2018-01-17 Method, device, storage medium and electronic device for identifying disguised application Active CN108154031B (en)

Publications (2)

Publication Number Publication Date
CN108154031A CN108154031A (en) 2018-06-12
CN108154031B true CN108154031B (en) 2021-08-06


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant