CN108875378A - Script virus detection method, device, electronic equipment and storage medium - Google Patents
Script virus detection method, device, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN108875378A CN108875378A CN201810610496.2A CN201810610496A CN108875378A CN 108875378 A CN108875378 A CN 108875378A CN 201810610496 A CN201810610496 A CN 201810610496A CN 108875378 A CN108875378 A CN 108875378A
- Authority
- CN
- China
- Prior art keywords
- script
- variable name
- variable
- name
- loading
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Abstract
The embodiment of the present invention provides a kind of script virus detection method, device, electronic equipment and storage medium, the technical issues of for solving the script form after being difficult to obscure, wherein this method includes:The corresponding multiple variable names of the loading script are obtained to script progress syntactic analysis is loaded into;Variable name each in the multiple variable name is matched to obtain multiple target variable names of successful match with the variable name in pre-stored variable list;Obtain the quantity ratio between the multiple target variable name and the multiple variable name;When the quantity ratio is less than preset threshold, determine that the loading script is script virus.Implement the embodiment of the present invention, can detecte script virus, to improve the safety of electronic equipment.
Description
Technical field
The present invention relates to technical field of electronic equipment, and in particular to a kind of script virus detection method, device, electronic equipment
And storage medium.
Background technique
Scripting language is to shorten and traditional write-compiling-and link-operational process and the computer programming language that creates
Speech, it explains execution by corresponding interpreter sentence by sentence, has simply, the features such as being easy to learn and use.Script is usually all explanation type language
Speech, the feature of interpreted languages maximum is exactly that its code is executed when parsing, this also means that its source code is can not be with
Compiled language is equally hiding, so that how to hide source code in script publication has been implemented as an important problem.?
In the prior art, the source code of script is hidden using obfuscation, that is, under the premise of realizing effect same, by source
Code be changed to can not direct reading technology, can prevent scripted code from revealing using obfuscation, improve the safety of script.
However likewise, for script virus, malicious code details can also be hidden in source code in order to avoid by safety
Software detection.If script virus also uses obfuscation to hide source code, the killing of Anti- Virus Engine can be avoided, to increase anti-
The detection difficulty of antivirus engine.
Summary of the invention
The embodiment of the present invention provides a kind of script virus detection method, device, electronic equipment and storage medium, for solving
The technical issues of script form being difficult to after obscuring.
First aspect of the embodiment of the present invention provides a kind of script virus detection method, including:
Syntactic analysis is carried out to script is loaded into, obtains the corresponding multiple variable names of the loading script;
Variable name each in the multiple variable name is matched with the variable name in pre-stored variable list, is obtained
To multiple target variable names of successful match;
Obtain the quantity ratio between the multiple target variable name and the multiple variable name;
When the quantity ratio is less than preset threshold, determine that the loading script is script virus.
In conjunction with the embodiment of the present invention in a first aspect, first aspect of the embodiment of the present invention the first possible implementation
In, described pair of loading script carries out syntactic analysis, the corresponding multiple variable names of the loading script are obtained, including:
Syntactic analysis is carried out to the loading script, obtains the semantic type of each section of script sentence;
It is identified according to the semantic type of each section of script sentence, obtains the multiple variable name.
In conjunction with the first possible implementation of first aspect of the embodiment of the present invention, in first aspect of the embodiment of the present invention
Second of possible implementation in, it is described by variable name each in the multiple variable name and pre-stored variable list
In variable name matched, obtain multiple target variable names, including:
The multiple variable name is split according to preset variable naming rule, obtains multiple alphabetical segments;
Determine that each variable name is corresponding in the multiple variable name according to the multiple alphabetical segment and the semantic type
Multiple associated variable names;
By each associated variable name and institute in the corresponding multiple associated variable names of variable name each in the multiple variable name
The variable name stated in variable list is matched, and the multiple target variable name is obtained.
In conjunction with first aspect of the embodiment of the present invention, the first possible implementation or second of possible implementation,
In the third possible implementation of first aspect of the embodiment of the present invention, syntactic analysis is carried out in described pair of loading script,
Before obtaining the corresponding multiple variable names of the loading script, the method also includes:
Obtain the script type for being loaded into script;
When the script type is text type, safety detection is carried out to the loading script;
In safety detection success, executes described pair of loading script and carry out syntactic analysis, obtain the loading script
The step of corresponding multiple variable names.
In conjunction with first aspect of the embodiment of the present invention, the first possible implementation or second of possible implementation,
It is script disease in the determination loading script in the 4th kind of possible implementation of first aspect of the embodiment of the present invention
After poison, the method also includes:
Submit script virus prompt information corresponding with the loading script;
When detecting the credential request that user returns for the script virus prompt information, the loading script is obtained
Source-information and the multiple variable name in multiple variable names to be detected other than the multiple target variable name;
The multiple variable to be detected is associated with the source-information.
Second aspect of the embodiment of the present invention provides a kind of script virus detection device, including:
Analytical unit, for obtaining the corresponding multiple variable names of the loading script to script progress syntactic analysis is loaded into;
Matching unit, for by the variable in variable name each in the multiple variable name and pre-stored variable list
Name is matched, and multiple target variable names of successful match are obtained;
First acquisition unit, for obtaining the quantity ratio between the multiple target variable name and the multiple variable name
Value;
Determination unit, for when the quantity ratio is less than preset threshold, determining that the loading script is script virus.
In conjunction with second aspect of the embodiment of the present invention, in the first possible implementation of second aspect of the embodiment of the present invention
In, the analytical unit includes:
Analysis module obtains the semantic type of each section of script sentence for carrying out syntactic analysis to the loading script;
Identification module obtains the multiple change for being identified according to the semantic type of each section of script sentence
Measure name.
In conjunction with the first possible implementation of second aspect of the embodiment of the present invention, in second aspect of the embodiment of the present invention
Second of possible implementation in, the matching unit includes:
Module is split to obtain multiple for being split the multiple variable name according to preset variable naming rule
Alphabetical segment;
Determining module, it is every in the multiple variable name for being determined according to the multiple alphabetical segment and the semantic type
The corresponding multiple associated variable names of one variable name;
Matching module is used for each pass in the corresponding multiple associated variable names of variable name each in the multiple variable name
Connection variable name is matched with the variable name in the variable list, obtains the multiple target variable name.
In conjunction with second aspect of the embodiment of the present invention, the first possible implementation or second of possible implementation,
In the third possible implementation of second aspect of the embodiment of the present invention, described device further includes:
Second acquisition unit, for obtaining the script type for being loaded into script;
Detection unit, for carrying out safety detection to the loading script when the script type is text type;?
When safety detection success, the analytical unit is called.
In conjunction with second aspect of the embodiment of the present invention, the first possible implementation or second of possible implementation,
In the 4th kind of possible implementation of second aspect of the embodiment of the present invention, described device further includes:
Unit is submitted, for submitting script virus prompt information corresponding with the loading script;
Third acquiring unit, in the credential request for detecting that user returns for the script virus prompt information
When, it obtains more other than the multiple target variable name in the source-information and the multiple variable name for being loaded into script
A variable name to be detected;
Associative cell, for the multiple variable to be detected to be associated with the source-information.
The third aspect of the embodiment of the present invention provides a kind of electronic equipment, including:Shell, processor, memory, circuit board and
Power circuit, wherein circuit board is placed in the space interior that shell surrounds, and processor and memory setting are on circuit boards;Electricity
Source circuit, for each circuit or the device power supply for electronic equipment;Memory is for storing executable program code;Processor
Program corresponding with executable program code is run by reading the executable program code stored in memory, for holding
The script virus detection method that row first aspect of the embodiment of the present invention provides.
Fourth aspect of the embodiment of the present invention provides a kind of non-transitorycomputer readable storage medium, wherein the storage
Medium realizes that first aspect of the embodiment of the present invention mentions for storing computer program, when the computer program is executed by processor
The script virus detection method of confession.
The 5th aspect of the embodiment of the present invention provides a kind of application program, wherein the application program for holding at runtime
A kind of script virus detection method that row first aspect of the embodiment of the present invention provides.
In the embodiment of the present invention, the corresponding multiple variables of the loading script are obtained to script progress syntactic analysis is loaded into
Name, variable name each in the multiple variable name is matched with the variable name in pre-stored variable list
Successful multiple target variable names, obtain the quantity ratio between the multiple target variable name and the multiple variable name,
When the quantity ratio is less than preset threshold, determine that the loading script is script virus.As it can be seen that the characteristics of according to obfuscation
The variable name being loaded into script is detected, the quantity and the corresponding variable name of the loading script further according to target variable name
Size between the ratio between sum and the preset threshold is compared, so that it is determined that being loaded into whether script is script virus, is improved
The safety of electronic equipment.
Detailed description of the invention
It to describe the technical solutions in the embodiments of the present invention more clearly, below will be to needed in the embodiment
Attached drawing is briefly described, it should be apparent that, drawings in the following description are some embodiments of the invention, general for this field
For logical technical staff, without creative efforts, it is also possible to obtain other drawings based on these drawings.
Fig. 1 is a kind of flow chart of script virus detection method provided in an embodiment of the present invention;
Fig. 2 is the flow chart of another script virus detection method provided in an embodiment of the present invention;
Fig. 3 is the flow chart of another script virus detection method provided in an embodiment of the present invention;
Fig. 4 A- Fig. 4 C is a kind of structure chart of script virus detection device provided in an embodiment of the present invention;
Fig. 5 is the structure chart of a kind of electronic equipment provided in an embodiment of the present invention.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete
Site preparation description, it is clear that described embodiments are some of the embodiments of the present invention, instead of all the embodiments.Based on this hair
Embodiment in bright, every other implementation obtained by those of ordinary skill in the art without making creative efforts
Example, shall fall within the protection scope of the present invention.
Description and claims of this specification and term " first " in the attached drawing, " second " and " third " etc. are
For distinguishing different objects, it is not use to describe a particular order.In addition, term " includes " and " having " and their any changes
Shape, it is intended that cover and non-exclusive include.Such as contain the process, method of a series of steps or units, system, product or
Equipment is not limited to listed step or unit, but optionally further comprising the step of not listing or unit or optional
Ground further includes the other step or units intrinsic for these process, methods, product or equipment.
Referenced herein " embodiment " is it is meant that a particular feature, structure, or characteristic described can wrap in conjunction with the embodiments
Containing at least one embodiment of the present invention.Each position in the description occur the phrase might not each mean it is identical
Embodiment, nor the independent or alternative embodiment with other embodiments mutual exclusion.Those skilled in the art explicitly and
Implicitly understand, embodiment described herein can be combined with other embodiments.
Electronic equipment described in the embodiment of the present invention may include smart phone (such as Android phone), tablet computer,
Palm PC, laptop, mobile internet device (Mobile Internet Devices, MID) or wearable device
It is only citing Deng, above equipment, and it is non exhaustive, including but not limited to above-mentioned electronic equipment.
The embodiment of the present invention provides a kind of script virus detection method, device, electronic equipment and storage medium, for solving
The technical issues of script form being difficult to after obscuring.It is described in detail separately below.
Referring to Fig. 1, Fig. 1 is a kind of flow diagram of script virus detection method provided in an embodiment of the present invention.Its
In, which is suitable for the electronic equipments such as mobile phone, tablet computer.As shown in Figure 1, the script virus detection side
Method may comprise steps of.
101, syntactic analysis is carried out to loading script and obtains the corresponding multiple variable names of the loading script.
In the present embodiment, it is loaded into all variable names in the corresponding multiple entitled loading scripts of variables of script included, this reality
Apply example for syntactic analysis method without limitation.
Optionally, described pair of loading script carries out syntactic analysis and obtains the corresponding multiple variable name packets of the loading script
It includes:Syntactic analysis is carried out to the loading script and obtains the semantic type of each section of script sentence;According to each section of script
The semantic type of sentence is identified to obtain the multiple variable name.
Scripted code is made of sentence, and each sentence all uses a branch ending, for compound statement, using a pair of flower
One or more sentence is bracketed composition by bracket { }.Its semantic type includes assignment statement, case statement, skip instruction, follows
Ring sentence, return statement etc., its form of the sentence of different semantic types is different, and the position of variable name is different.
In the present embodiment, without limitation for each section of script sentence, it can be the sentence to be ended up by branch, be also possible to
The sentence that brace is included can also be skip instruction, Do statement or the corresponding sentence of case statement etc..
It is appreciated that syntactic analysis first is carried out to the loading script, to obtain the semantic type of each section of script sentence,
Variable name therein is identified for semantic type again, i.e., determines for the semantic type in scripted code, search efficiency can be improved
And accuracy.
Optionally, described pair of loading script carry out syntactic analysis obtain the corresponding multiple variable names of the loading script it
Before, the method also includes:Obtain the script type for being loaded into script;Script type is divided into text type and compiling type,
Wherein, text type is code form, i.e. the executable compiling of the script of text type, link and operating procedure;Compiling type is
To the program that scripted code is compiled, such as:Binary code, i.e. the script execution link and operation step of compiling type
Suddenly, the safety of script can be improved.When the script type is text type, safety detection is carried out to the loading script.
In safety detection success, it is corresponding multiple that described pair of loading script progress syntactic analysis of execution obtains the loading script
The step of variable name.
Safety detection may include static mode, may also comprise dynamical fashion, be employed in existing safety detection software
Method, it is not limited here.
Presently, there are two kinds of scripted codes to obscure method, a kind of for variable name, function name and the class name in scripted code
Etc. contents obscured;Another kind is embedded into program for script is compiled as binary code.That is, script virus
Above two method can also be used to be obscured, to avoid safety detection.
In the present embodiment, before executing step 101, the script type for being loaded into script is first obtained, described in determination
When script type is text type, safety detection is carried out to script is loaded into, and in safety detection success, execute step 101, i.e.,
The present embodiment carries out safety detection for the script type for being loaded into script, if determining in safety detection step, being loaded into script is foot
This virus, i.e. end operation can save the power consumption of electronic equipment;If not identifying in safety detection step, being loaded into script is
Script virus, execute step 101 and later the step of, to further determine whether that electronic equipment can be improved for script virus
Safety.
The script virus detection method for being loaded into script for compiling type without limitation can carry out the loading script
Reduction obtains script to be detected, and restoring method can be gone back according to intermediate code corresponding with the loading source-information of script
Original executes step 101 then using the script to be detected as the loading script.
102, by the variable name progress in variable name each in the multiple variable name and pre-stored variable list
With obtaining multiple target variable names of successful match.
Optionally, the variable name by variable name each in the multiple variable name and pre-stored variable list
The multiple target variable names for being matched to obtain successful match include:According to preset variable naming rule by the multiple variable
Name is split to obtain multiple alphabetical segments;The multiple variable is determined according to the multiple alphabetical segment and the semantic type
The corresponding multiple associated variable names of each variable name in name;By the corresponding multiple associations of variable name each in the multiple variable name
Each associated variable name is matched with the variable name in the variable list in variable name, obtains the multiple target variable
Name.
Wherein, variable naming rule includes:Variable name initial is necessary for alphabetical (a-z or A-Z), underscore (_), or
Dollar mark () ($) starts.For example all variables must be started in php programming with $, variable name can only be alphabetical (a-z or A-Z),
Digital (0-9), the combination of underscore (_), and between cannot include space, number cannot be placed on variable name first place, variable name
The reserved word of programming language cannot be used.Such as in javascript cannot use true, false, while, case,
Break reserved word etc..Some compilers have supported Chinese variable name, it is not limited here, further, preset change
Measuring name rule should be corresponding with the script type of script is loaded into, and script type here further includes writing language form, compiler class
Type etc..
User usually passes through the symbol naming variable name for combinations of words such as underscore or capitalization, variable naming rule
It then may include said combination rule, then multiple variable names can be split according to the variable naming rule, to obtain more
A letter segment.
Associated variable name is the variable name relevant with variable name, such as can be full name in English, the approximation of variable name
Word etc., also without limitation.Due to generally comprising english abbreviation in variable name, according to the multiple alphabetical segment and the semantic category
Type determines the corresponding multiple associated variable names of each variable name in the multiple variable name, can more comprehensively cover and the variable
The relevant variable name of name, improves the accuracy for determining associated variable name.
It is appreciated that being split to obtain multiple alphabetical pieces to the multiple variable name according to preset variable naming rule
Section determines that each variable name is corresponding more in the multiple variable name further according to the multiple alphabetical segment and the semantic type
The accuracy of determining associated variable name can be improved in a associated variable name, then further according to the multiple associated variable name with it is described
Variable name in variable list is matched, if successful match, it is determined that the corresponding variable name of associated variable name of successful match
For target variable name.The accuracy of alphabetical segment and associated variable name can be improved according to variable naming rule and semantic type, then
The accuracy of determining target variable name can be improved according to the matching process of multiple associated variable names.
103, the quantity ratio between the multiple target variable name and the multiple variable name is obtained.
104, when the quantity ratio is less than preset threshold, determine that the loading script is script virus.
Wherein, preset threshold without limitation, can be determined by the script length of loading script, can also be by same with loading script
The variable number of the safe script of type is determined.
When the quantity ratio is less than preset threshold, determine that the loading script is script virus.That is, if will
Variable name in the multiple variable name other than the multiple target variable name is as variable name to be detected, i.e., change to be detected
Measuring the entitled variable name with the pre-stored variable list, it fails to match, in the quantity and loading foot of variable name to be detected
When the ratio between this corresponding variable name sum is greater than or equal to the preset threshold, illustrate that the variable name that it fails to match is more, determines
The loading script is script virus.When the quantity ratio is greater than or equal to preset threshold, determine that the loading script is
Safe script, that is, the ratio between the quantity of the variable name to be detected variable name sum corresponding with script is loaded into is less than described default
When threshold value, determine that the loading script is safe script.
In the script virus detection method described in Fig. 1, the loading foot is obtained to script progress syntactic analysis is loaded into
This corresponding multiple variable name, by the variable name in variable name each in the multiple variable name and pre-stored variable list
Matched to obtain multiple target variable names of successful match, obtain the multiple target variable name and the multiple variable name it
Between quantity ratio determine the loadings script for script virus when the quantity ratio is less than preset threshold.As it can be seen that according to
The variable name being loaded into script is detected according to the characteristics of obfuscation, the quantity and the loading further according to target variable name
Size of the ratio between the corresponding variable name sum of script between the preset threshold is compared, so that it is determined that whether being loaded into script
For script virus, the safety of electronic equipment is improved.
Optionally, after the determination loading script is script virus, the method also includes:Submit with it is described
It is loaded into the corresponding script virus prompt information of script;In the trust for detecting that user returns for the script virus prompt information
When request, obtain in the source-information and the multiple variable name for being loaded into script other than the multiple target variable name
Multiple variable names to be detected;The multiple variable to be detected is associated with the source-information.
Wherein, script virus prompt information is script virus for informing loading script described in user;Credential request is used for
It informs that electronic device user trusts the loading script, that is, the loading script is allowed to run;Source-information is to be loaded into script
Write company, writer, write time, download link etc.;In addition to described in the entitled the multiple variable name of variable to be detected
Variable name except multiple target variable names, i.e., with the variable name variable name that it fails to match in the variable list.
It is appreciated that the name of variable name may be different since personal coding is accustomed to difference, the loading is being determined
Script is submits the script virus prompt information of the loading script after script virus, if the users to trust loading script, and return
When returning the corresponding credential request of the script virus prompt information, obtains the source-information of the loading script and be loaded into more in script
Multiple variable name to be detected is associated by a variable name to be detected with the source-information, convenient for receive next time with
When the consistent script of the source-information, can variable list according to the pre-stored data and the variable name to be detected that is associated carry out
Match, judges whether above-mentioned script is script virus further according to matching result.
It is consistent with the embodiment of Fig. 1, referring to Fig. 2, Fig. 2 is another script virus detection provided in an embodiment of the present invention
The flow chart of method.Wherein, which is suitable for the electronic equipments such as mobile phone, tablet computer.As shown in Fig. 2,
The script virus detection method may comprise steps of.
201, syntactic analysis is carried out to loading script and obtains the semantic type of each section of script sentence.
202, it is identified to obtain multiple variable names according to the semantic type of each section of script sentence.
203, by the variable name progress in variable name each in the multiple variable name and pre-stored variable list
With obtaining multiple target variable names of successful match.
204, the quantity ratio between the multiple target variable name and the multiple variable name is obtained.
205, when the quantity ratio is less than preset threshold, determine that the loading script is script virus.
In the script virus detection method described in Fig. 2, syntactic analysis is carried out to script is loaded into, to obtain each section of foot
The semantic type of this sentence, then identify variable name therein for semantic type, i.e., it is true for the semantic type in scripted code
Surely it is loaded into the variable name that script includes, the efficiency and accuracy of determining variable name can be improved.It then, will be in the multiple variable name
Each variable name is matched to obtain multiple target variable names of successful match with the variable name in pre-stored variable list,
The quantity ratio between the multiple target variable name and the multiple variable name is obtained, is less than default threshold in the quantity ratio
When value, determine that the loading script is script virus.As it can be seen that the characteristics of according to obfuscation to be loaded into script in variable name into
Row detection, the ratio between quantity and the corresponding variable name sum of the loading script further according to target variable name and the preset threshold
Between size be compared, so that it is determined that be loaded into script whether be script virus, improve the safety of electronic equipment.
It is consistent with the embodiment of Fig. 1, referring to Fig. 3, Fig. 3 is another script virus detection provided in an embodiment of the present invention
The flow chart of method.Wherein, which is suitable for the electronic equipments such as mobile phone, tablet computer.As shown in figure 3,
The script virus detection method may comprise steps of.
301, syntactic analysis is carried out to the loading script and obtains the semantic type of each section of script sentence.
302, it is identified to obtain multiple variable names according to the semantic type of each section of script sentence.
303, the multiple variable name is split according to preset variable naming rule to obtain multiple alphabetical segments.
304, each variable name in the multiple variable name is determined according to the multiple alphabetical segment and the semantic type
Corresponding multiple associated variable names.
305, by each associated variable name in the corresponding multiple associated variable names of variable name each in the multiple variable name
It is matched to obtain multiple target variable names with the variable name in the variable list.
306, the quantity ratio between the multiple target variable name and the multiple variable name is obtained.
307, when the quantity ratio is less than preset threshold, determine that the loading script is script virus.
In the script virus detection method described in Fig. 3, syntactic analysis is carried out to script is loaded into, to obtain each section of foot
The semantic type of this sentence, then identify variable name therein for semantic type, i.e., it is true for the semantic type in scripted code
It is fixed, the efficiency and accuracy searched and be loaded into all variable names that script includes can be improved.Then, it is advised according to preset variable naming
Then the multiple variable name is split to obtain multiple alphabetical segments, further according to the multiple alphabetical segment and the semantic category
Type determines the corresponding multiple associated variable names of each variable name in the multiple variable name, and the standard of determining associated variable name can be improved
Then true property again matches the multiple associated variable name with the variable name in the variable list, if successful match,
The entitled target variable name of the corresponding variable of associated variable name for determining successful match, obtain the multiple target variable name with it is described
Quantity ratio between multiple variable names determines that the loading script is script when the quantity ratio is less than preset threshold
Virus.As it can be seen that the characteristics of according to obfuscation, detects the variable name being loaded into script, further according to the number of target variable name
Amount and the size for being loaded into the ratio between corresponding variable name sum of script between the preset threshold are compared, so that it is determined that
It is loaded into whether script is script virus, improves the safety of electronic equipment.
It is consistent with the embodiment of Fig. 1, Fig. 2 and Fig. 3, Fig. 4 A is please referred to, Fig. 4 A is a kind of foot provided in an embodiment of the present invention
The structure chart of this viral diagnosis device.Wherein, which can be set sets in electronics such as mobile phone, tablet computers
In standby, as shown in Figure 4 A, which includes:
Analytical unit 401 obtains the corresponding multiple variables of the loading script for carrying out syntactic analysis to loading script
Name;
Matching unit 402, for will be in variable name each in the multiple variable name and pre-stored variable list
Variable name is matched to obtain multiple target variable names of successful match;
First acquisition unit 403, for obtaining the quantity between the multiple target variable name and the multiple variable name
Ratio;
Determination unit 404, for when the quantity ratio is less than preset threshold, determining that the loading script is script disease
Poison.
Optionally, as shown in Figure 4 B, the analytical unit 401 includes:
Analysis module 4011 obtains the semanteme of each section of script sentence for carrying out syntactic analysis to the loading script
Type;
Identification module 4012 obtains described more for being identified according to the semantic type of each section of script sentence
A variable name.
Optionally, as shown in Figure 4 C, the matching unit 402 includes:
Module 4021 is split to obtain for being split the multiple variable name according to preset variable naming rule
Multiple letter segments;
Determining module 4022, for determining the multiple variable name according to the multiple alphabetical segment and the semantic type
In the corresponding multiple associated variable names of each variable name;
Matching module 4023, being used for will be every in the corresponding multiple associated variable names of variable name each in the multiple variable name
One associated variable name is matched with the variable name in the variable list, obtains the multiple target variable name.
Optionally, as shown in Figure 4 A, described device 400 further includes:
Second acquisition unit 405, for obtaining the script type for being loaded into script;
Detection unit 406, for carrying out safe inspection to the loading script when the script type is text type
It surveys;In safety detection success, the analytical unit 401 is called.
Optionally, as shown in Figure 4 A, described device 400 further includes:
Unit 407 is submitted, for submitting script virus prompt information corresponding with the loading script;
Third acquiring unit 408, for being asked in the trust for detecting that user returns for the script virus prompt information
When asking, obtain in the source-information and the multiple variable name for being loaded into script other than the multiple target variable name
Multiple variable names to be detected;
Associative cell 409, for the multiple variable to be detected to be associated with the source-information.
In the script virus detection device described in Fig. 4, the loading foot is obtained to script progress syntactic analysis is loaded into
This corresponding multiple variable name, by the variable name in variable name each in the multiple variable name and pre-stored variable list
Matched to obtain multiple target variable names of successful match, obtain the multiple target variable name and the multiple variable name it
Between quantity ratio determine the loadings script for script virus when the quantity ratio is less than preset threshold.As it can be seen that according to
The variable name being loaded into script is detected according to the characteristics of obfuscation, the quantity and the loading further according to target variable name
Size of the ratio between the corresponding variable name sum of script between the preset threshold is compared, so that it is determined that whether being loaded into script
For script virus, the safety of electronic equipment is improved.
It is consistent with the embodiment of Fig. 1, Fig. 2 and Fig. 3, referring to Fig. 5, Fig. 5 is a kind of electronics disclosed by the embodiments of the present invention
Equipment.Wherein, electronic equipment can be mobile phone, tablet computer etc..As shown in figure 5, the electronic equipment may include shell 501,
Processor 502, memory 503, circuit board 504 and power circuit 505, wherein circuit board 504 is placed in the space that shell surrounds
Inside, processor 502 and memory 503 are arranged on circuit board 504;Power circuit 505, for each electricity for electronic equipment
Road or device power supply;Memory 503 is for storing executable program code;Processor 502 is stored by reading in memory 503
Executable program code run program corresponding with executable program code, for executing following steps:
Syntactic analysis is carried out to script is loaded into, obtains the corresponding multiple variable names of the loading script;
Variable name each in the multiple variable name is matched with the variable name in pre-stored variable list, is obtained
To multiple target variable names of successful match;
Obtain the quantity ratio between the multiple target variable name and the multiple variable name;
When the quantity ratio is less than preset threshold, determine that the loading script is script virus.
As a kind of possible embodiment, syntactic analysis is carried out in described pair of loading script, obtains the loading script
In terms of corresponding multiple variable names, the processor 502 is specifically used for executing following operation:
Syntactic analysis is carried out to the loading script, obtains the semantic type of each section of script sentence;
It is identified according to the semantic type of each section of script sentence, obtains the multiple variable name.
As a kind of possible embodiment, the processor by variable name each in the multiple variable name and in advance
Variable name in the variable list of storage is matched, and in terms of obtaining multiple target variable names, the processor 502 is specifically used for
Execute following operation:
The multiple variable name is split according to preset variable naming rule, obtains multiple alphabetical segments;
Determine that each variable name is corresponding in the multiple variable name according to the multiple alphabetical segment and the semantic type
Multiple associated variable names;
By each associated variable name and institute in the corresponding multiple associated variable names of variable name each in the multiple variable name
The variable name stated in variable list is matched, and the multiple target variable name is obtained.
As a kind of possible embodiment, syntactic analysis is carried out in described pair of loading script, obtains the loading script
Before corresponding multiple variable names, the processor 502 is also used to execute following operation:
Obtain the script type for being loaded into script;
When the script type is text type, safety detection is carried out to the loading script;
In safety detection success, executes described pair of loading script and carry out syntactic analysis, obtain the loading script
The step of corresponding multiple variable names.
As a kind of possible embodiment, after the determination loading script is script virus, the processing
Device 502 is also used to execute following operation:
Submit script virus prompt information corresponding with the loading script;
When detecting the credential request that user returns for the script virus prompt information, the loading script is obtained
Source-information and the multiple variable name in multiple variable names to be detected other than the multiple target variable name;
The multiple variable to be detected is associated with the source-information.
In the electronic equipment described in Fig. 5, it is corresponding that the loading script is obtained to loading script progress syntactic analysis
Multiple variable names match variable name each in the multiple variable name with the variable name in pre-stored variable list
Multiple target variable names of successful match are obtained, the quantity between the multiple target variable name and the multiple variable name is obtained
Ratio determines that the loading script is script virus when the quantity ratio is less than preset threshold.As it can be seen that according to skill is obscured
The characteristics of art, detects the variable name being loaded into script, and the quantity and the loading script further according to target variable name are corresponding
Size between the preset threshold of the ratio between variable name sum be compared, so that it is determined that being loaded into whether script is script disease
Poison improves the safety of electronic equipment.
A kind of non-transitorycomputer readable storage medium is provided in one embodiment, is stored thereon with computer journey
Sequence, wherein realized when the computer program is executed by processor as shown in Figure 1, Figure 2 or script virus shown in Fig. 3 embodiment detects
Method.
A kind of application program is provided in one embodiment, and the application program is as shown in Figure 1, Figure 2 for executing at runtime
Or script virus detection method shown in Fig. 3 embodiment.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of above-described embodiment is can
It is completed with instructing relevant hardware by program, which can be stored in a computer readable storage medium, storage
Medium may include:Flash disk, read-only memory (Read-Only Memory, ROM), random access device (Random Access
Memory, RAM), disk or CD etc..
It is provided for the embodiments of the invention script virus detection method, device and electronic equipment above and has carried out detailed Jie
It continues, used herein a specific example illustrates the principle and implementation of the invention, and the explanation of above embodiments is only
It is to be used to help understand method and its core concept of the invention;At the same time, for those skilled in the art, according to this hair
Bright thought, there will be changes in the specific implementation manner and application range, in conclusion the content of the present specification should not manage
Solution is limitation of the present invention.
Claims (10)
1. a kind of script virus detection method, which is characterized in that including:
Syntactic analysis is carried out to script is loaded into, obtains the corresponding multiple variable names of the loading script;
Variable name each in the multiple variable name is matched with the variable name in pre-stored variable list, is obtained
With successful multiple target variable names;
Obtain the quantity ratio between the multiple target variable name and the multiple variable name;
When the quantity ratio is less than preset threshold, determine that the loading script is script virus.
2. being obtained described the method according to claim 1, wherein described pair of loading script carries out syntactic analysis
The corresponding multiple variable names of script are loaded into, including:
Syntactic analysis is carried out to the loading script, obtains the semantic type of each section of script sentence;
It is identified according to the semantic type of each section of script sentence, obtains the multiple variable name.
3. according to the method described in claim 2, it is characterized in that, described by variable name each in the multiple variable name and pre-
The variable name in variable list first stored is matched, and multiple target variable names are obtained, including:
The multiple variable name is split according to preset variable naming rule, obtains multiple alphabetical segments;
Determine that each variable name is corresponding more in the multiple variable name according to the multiple alphabetical segment and the semantic type
A associated variable name;
By each associated variable name in the corresponding multiple associated variable names of variable name each in the multiple variable name and the change
Variable name in amount list is matched, and the multiple target variable name is obtained.
4. method according to claim 1-3, which is characterized in that carry out grammer point in described pair of loading script
Analysis, before obtaining the corresponding multiple variable names of the loading script, the method also includes:
Obtain the script type for being loaded into script;
When the script type is text type, safety detection is carried out to the loading script;
In safety detection success, executes described pair of loading script and carry out syntactic analysis, it is corresponding to obtain the loading script
Multiple variable names the step of.
5. method according to claim 1-3, which is characterized in that the determination loading script be script
After virus, the method also includes:
Submit script virus prompt information corresponding with the loading script;
When detecting the credential request that user returns for the script virus prompt information, coming for the loading script is obtained
Multiple variable names to be detected in source information and the multiple variable name other than the multiple target variable name;
The multiple variable to be detected is associated with the source-information.
6. a kind of script virus detection device, which is characterized in that including:
Analytical unit, for obtaining the corresponding multiple variable names of the loading script to script progress syntactic analysis is loaded into;
Matching unit, for by the variable name in variable name each in the multiple variable name and pre-stored variable list into
Row matching, obtains multiple target variable names of successful match;
First acquisition unit, for obtaining the quantity ratio between the multiple target variable name and the multiple variable name;
Determination unit, for when the quantity ratio is less than preset threshold, determining that the loading script is script virus.
7. device according to claim 6, which is characterized in that the analytical unit includes:
Analysis module obtains the semantic type of each section of script sentence for carrying out syntactic analysis to the loading script;
Identification module obtains the multiple variable name for being identified according to the semantic type of each section of script sentence.
8. device according to claim 7, which is characterized in that the matching unit includes:
It splits module and obtains multiple letters for splitting the multiple variable name according to preset variable naming rule
Segment;
Determining module, for determining each change in the multiple variable name according to the multiple alphabetical segment and the semantic type
Measure the corresponding multiple associated variable names of name;
Matching module, for becoming association each in the corresponding multiple associated variable names of variable name each in the multiple variable name
Amount name is matched with the variable name in the variable list, obtains the multiple target variable name.
9. a kind of electronic equipment, which is characterized in that including:Shell, processor, memory, circuit board and power circuit, wherein
Circuit board is placed in the space interior that shell surrounds, and processor and memory setting are on circuit boards;Power circuit, for being electric
The each circuit or device of sub- equipment are powered;Memory is for storing executable program code;Processor is by reading memory
The executable program code of middle storage runs program corresponding with executable program code, for executing such as claim 1-
5 described in any item methods.
10. a kind of non-transitorycomputer readable storage medium, is stored thereon with computer program, which is characterized in that the meter
Such as method as claimed in any one of claims 1 to 5 is realized when calculation machine program is executed by processor.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810610496.2A CN108875378A (en) | 2018-06-12 | 2018-06-12 | Script virus detection method, device, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810610496.2A CN108875378A (en) | 2018-06-12 | 2018-06-12 | Script virus detection method, device, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN108875378A true CN108875378A (en) | 2018-11-23 |
Family
ID=64338162
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810610496.2A Pending CN108875378A (en) | 2018-06-12 | 2018-06-12 | Script virus detection method, device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108875378A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109657469A (en) * | 2018-12-07 | 2019-04-19 | 腾讯科技(深圳)有限公司 | A kind of script detection method and device |
| CN110704816A (en) * | 2019-09-29 | 2020-01-17 | 武汉极意网络科技有限公司 | Interface cracking recognition method, device, equipment and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1924866A (en) * | 2006-09-28 | 2007-03-07 | 北京理工大学 | Static feature based web page malicious scenarios detection method |
| CN102542201A (en) * | 2011-12-26 | 2012-07-04 | 北京奇虎科技有限公司 | Detection method and system for malicious codes in web pages |
| CN106650449A (en) * | 2016-12-29 | 2017-05-10 | 哈尔滨安天科技股份有限公司 | Script heuristic detection method and system based on variable name confusion degree |
| CN107908679A (en) * | 2017-10-26 | 2018-04-13 | 平安科技(深圳)有限公司 | Script sentence conversion method, device and computer-readable recording medium |
-
2018
- 2018-06-12 CN CN201810610496.2A patent/CN108875378A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1924866A (en) * | 2006-09-28 | 2007-03-07 | 北京理工大学 | Static feature based web page malicious scenarios detection method |
| CN102542201A (en) * | 2011-12-26 | 2012-07-04 | 北京奇虎科技有限公司 | Detection method and system for malicious codes in web pages |
| CN106650449A (en) * | 2016-12-29 | 2017-05-10 | 哈尔滨安天科技股份有限公司 | Script heuristic detection method and system based on variable name confusion degree |
| CN107908679A (en) * | 2017-10-26 | 2018-04-13 | 平安科技(深圳)有限公司 | Script sentence conversion method, device and computer-readable recording medium |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109657469A (en) * | 2018-12-07 | 2019-04-19 | 腾讯科技(深圳)有限公司 | A kind of script detection method and device |
| CN109657469B (en) * | 2018-12-07 | 2023-02-24 | 腾讯科技(深圳)有限公司 | Script detection method and device |
| CN110704816A (en) * | 2019-09-29 | 2020-01-17 | 武汉极意网络科技有限公司 | Interface cracking recognition method, device, equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11687645B2 (en) | Security control method and computer system | |
| US8850581B2 (en) | Identification of malware detection signature candidate code | |
| Huang et al. | {SUPOR}: Precise and scalable sensitive user input detection for android apps | |
| CN105068932B (en) | A kind of detection method of Android application programs shell adding | |
| EP3499364B1 (en) | Method and device for loading kernel module | |
| US9652209B2 (en) | Static analysis and reconstruction of deep link handling in compiled applications | |
| CN110221968A (en) | Method for testing software and Related product | |
| CN104834837A (en) | Binary code anti-obfuscation method based on semanteme | |
| CN109388946B (en) | Malicious process detection method and device, electronic equipment and storage medium | |
| CN109271789B (en) | Malicious process detection method and device, electronic equipment and storage medium | |
| CN113961919B (en) | Malicious software detection method and device | |
| CN115562992A (en) | File detection method and device, electronic equipment and storage medium | |
| US10241759B2 (en) | Detecting open source components built into mobile applications | |
| CN111753302A (en) | Method and device for detecting code bugs, computer readable medium and electronic equipment | |
| CN108875378A (en) | Script virus detection method, device, electronic equipment and storage medium | |
| US20140282534A1 (en) | Virtual environment having harvard architecture | |
| US11868465B2 (en) | Binary image stack cookie protection | |
| CN116868193A (en) | Firmware component identification and vulnerability assessment | |
| CN106502707B (en) | Code generation method and device | |
| US8161109B2 (en) | Client side culling of dynamic resources | |
| WO2017054731A1 (en) | Method and device for processing hijacked browser | |
| CN107077365B (en) | Selectively loading precompiled headers and/or portions thereof | |
| CN107066886A (en) | A kind of Android reinforces the detection method of shelling | |
| US11615338B2 (en) | System and method for generating a file execution record of address tuples | |
| CN109426546A (en) | Using starting method and device, computer storage medium and equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20191125 Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province Applicant after: Zhuhai Leopard Technology Co.,Ltd. Address before: 519070, No. 10, main building, No. six, science Road, Harbour Road, Tang Wan Town, Guangdong, Zhuhai, 601F Applicant before: Zhuhai Juntian Electronic Technology Co.,Ltd. |
|
| TA01 | Transfer of patent application right | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20181123 |
|
| RJ01 | Rejection of invention patent application after publication |