CN109117635A

CN109117635A - Method for detecting virus, device, computer equipment and the storage medium of application program

Info

Publication number: CN109117635A
Application number: CN201811042877.1A
Authority: CN
Inventors: 雷经纬
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2018-09-06
Filing date: 2018-09-06
Publication date: 2019-01-01
Anticipated expiration: 2038-09-06
Also published as: CN109117635B; WO2020048392A1

Abstract

The invention discloses a kind of method for detecting virus of application program, device, computer equipment and storage mediums, belong to electronic technology field.The described method includes: being instructed according to the viral diagnosis to destination application, obtain at least one function execution information of the destination application, at least one described function execution information is used to record the destination application performed function in the process of running；According at least one function execution information of the destination application, the function of generating the destination application executes image；Extract the characteristics of image that the function executes image；When the similarity of described image feature and viral characteristics of image is greater than similarity threshold, by the destination application labeled as virus.Using the present invention, the accuracy of viral diagnosis can be improved.

Description

Method for detecting virus, device, computer equipment and the storage medium of application program

Technical field

The present invention relates to electronic technology field, in particular to a kind of method for detecting virus of application program, device, computer Equipment and storage medium.

Background technique

With the extensive use of terminal, the safety of terminal also more and more attention has been paid to.The virus of application program can be to use Family brings interests to lose and perplex, for example, virus sends short message on backstage automatically, the next customized service of deducting fees is ignorant in user In the case where bring economic loss；Virus can also maliciously push waste advertisements, cause to perplex to user.

The detection of virus is of great significance to the safety of terminal and convenience.It is possible, firstly, to known virus Source code is analyzed, and determines the condition code of the virus, and this feature code can be a continuous binary segments in source code.So Afterwards, when whether detect any application is virus, the source code of the available application program judges the source of the application program Whether include the condition code of above-mentioned virus in code, if including the application program as virus.

But in order to hide detection, viral source code may be modified, the virus deformed.Due to current disease Malicious source code has changed, no longer identical as the source code of provirus, may obtain when detecting to current viral source code With the inconsistent testing result of actual conditions, namely the viral diagnosis will not be come out, hit rate is lower, viral diagnosis it is accurate Property is poor.

Summary of the invention

The embodiment of the invention provides a kind of method for detecting virus of application program, device, computer equipment and storages to be situated between Matter is able to solve the poor problem of the accuracy of the viral diagnosis of application program.The technical solution is as follows:

On the one hand, a kind of method for detecting virus of application program is provided, this method comprises:

According to the viral diagnosis instruction to destination application, at least one function of obtaining the destination application is held Row information, at least one described function execution information are used to record the destination application performed function in the process of running Energy；

According at least one function execution information of the destination application, the function of the destination application is generated Execute image；

Extract the characteristics of image that the function executes image；

When the similarity of described image feature and viral characteristics of image is greater than similarity threshold, by the target application journey Sequence is labeled as virus

According to the viral diagnosis instruction to destination application, simulator is called, the destination application is loaded onto The simulator operation, wherein the simulator is used to simulate the running environment of an isolation；

The function execution information of the destination application in the process of running is obtained, at least one function is obtained and executes letter Breath, at least one described function execution information are performed when the destination application is run in the simulator for recording Function；

Viral diagnosis request is sent to server, the viral diagnosis request carries at least one described function and executes letter Breath, the viral diagnosis request are used to indicate the server and detect to the destination application；

According to the viral diagnosis received as a result, carrying out viral prompt, the viral diagnosis result is based on described at least one A function execution information obtains.

On the one hand, a kind of viral diagnosis device of application program is provided, which includes:

Module is obtained, for instructing according to the viral diagnosis to destination application, obtains the destination application At least one function execution information, at least one described function execution information were being run for recording the destination application Performed function in journey；

Generation module generates the target at least one function execution information according to the destination application The function of application program executes image；

Extraction module executes the characteristics of image of image for extracting the function；

Determining module, for inciting somebody to action when the similarity of described image feature and viral characteristics of image is greater than similarity threshold The destination application is labeled as virus.

Calling module calls simulator, the target is answered for being instructed according to the viral diagnosis to destination application The simulator operation is loaded into program, wherein the simulator is used to simulate the running environment of an isolation；

Module is obtained to obtain at least for obtaining the function execution information of the destination application in the process of running One function execution information, at least one described function execution information is for recording the destination application in the simulator Performed function when middle operation；

Sending module, for sending viral diagnosis request to server, the viral diagnosis request carries described at least one A function execution information, the viral diagnosis request are used to indicate the server and detect to the destination application；

Cue module, the viral diagnosis received for basis is as a result, carry out viral prompt, the viral diagnosis result base It is obtained at least one described function execution information.

On the one hand, a kind of server is provided, the server includes processor and memory, is stored in the memory There is at least one instruction, at least one instruction processor loads and execute the disease to realize any of the above-described application program Virus detection method.

On the one hand, a kind of computer readable storage medium is provided, at least one instruction is stored in the storage medium, At least one instruction is loaded by the processor and is executed the method for detecting virus to realize any of the above-described application program.

Technical solution provided in an embodiment of the present invention has the benefit that

In the embodiment of the present invention, due to the behavior that there are the virus of application program certain specific functions to execute, even if sick The source code of poison changes, and the function that virus executes will not generally change, therefore, function of the server based on application program Can execution information carry out viral diagnosis, the virus of deformation also be can detecte out, there is stronger generalization ability.Also, Characteristic reliability based on image zooming-out is higher, and the embodiment of the present invention is held using the function execution information systematic function of application program The corresponding characteristics of image of application program to be detected and viral characteristics of image are compared, viral inspection can be improved by row image The accuracy of survey.

Detailed description of the invention

To describe the technical solutions in the embodiments of the present invention more clearly, make required in being described below to embodiment Attached drawing is briefly described, it should be apparent that, drawings in the following description are only some embodiments of the invention, for For those of ordinary skill in the art, without creative efforts, it can also be obtained according to these attached drawings other Attached drawing.

Fig. 1 is a kind of implementation environment schematic diagram provided in an embodiment of the present invention；

Fig. 2 is another implementation environment schematic diagram provided in an embodiment of the present invention；

Fig. 3 is another implementation environment schematic diagram provided in an embodiment of the present invention；

Fig. 4 is a kind of method for detecting virus flow chart of application program provided in an embodiment of the present invention；

Fig. 5 is that a kind of function provided in an embodiment of the present invention executes image schematic diagram；

Fig. 6 is a kind of schematic diagram of determining similarity provided in an embodiment of the present invention；

Fig. 7 is a kind of virus detection system schematic diagram provided in an embodiment of the present invention；

Fig. 8 is a kind of testing process control submodule processing flow schematic diagram provided in an embodiment of the present invention；

Fig. 9 is a kind of behavior fingerprint extraction submodule processing flow schematic diagram provided in an embodiment of the present invention；

Figure 10 is a kind of method flow diagram of the viral diagnosis of application program provided in an embodiment of the present invention；

Figure 11 is that a kind of virus base provided in an embodiment of the present invention generates submodule processing flow schematic diagram；

Figure 12 is a kind of measuring similarity submodule processing flow schematic diagram provided in an embodiment of the present invention；

Figure 13 is a kind of method for detecting virus flow chart of application program provided in an embodiment of the present invention；

Figure 14 is a kind of method for detecting virus flow chart of application program provided in an embodiment of the present invention；

Figure 15 is a kind of viral diagnosis schematic device of application program provided in an embodiment of the present invention；

Figure 16 is a kind of viral diagnosis schematic device of application program provided in an embodiment of the present invention；

Figure 17 is a kind of structural schematic diagram of server provided in an embodiment of the present invention；

Figure 18 is a kind of structural block diagram of terminal provided in an embodiment of the present invention.

Specific embodiment

To make the object, technical solutions and advantages of the present invention clearer, below in conjunction with attached drawing to embodiment party of the present invention Formula is described in further detail.

In embodiments of the present invention, application program can execute various functions at runtime, and each application program Performed function all has respective feature, therefore, can use function performed by an application program uniquely to indicate The application program, since the one-to-one relationship between this function-application program and the one-to-one correspondence between fingerprint-people are closed System plays the same tune on different musical instruments wonderful, therefore, can be by function performed by application program the characteristics of, carries out area to application program Point, it that is to say, the feature of function performed by application program can play the role of the fingerprint of application program, for the reason of visualization These features, can be known as the behavior fingerprint of application program by solution.It is understood that for virus, viral source code Even if changing, the function that virus executes will not generally change, for example, the virus for class of deducting fees may can be executed still The automatic function of sending short message.Therefore, if application program is virus, function execution information can be with corresponding Virus Type Function executes feature and matches.Based on such thinking, the embodiment of the present invention can execute feelings by the function to application program Condition is recorded, and based on the function executive condition recorded, viral diagnosis is carried out to application program, to improve viral inspection The accuracy of survey is avoided due to itself slight change of virus, and the case where cause missing inspection, false retrieval.

In embodiments of the present invention, the function execution information of application program is related to, the function of the application program executes letter The information for ceasing the function performed by referring to records application program at runtime can be used to indicate that the function of application program executes feelings Condition, for example, which kind of function when an application program performing.

Based on the above principles, in implementing the embodiments of the present invention, it can be carried out based on a variety of implementation environments, for example, Fig. 1 is The implementation environment figure of the method for detecting virus of application program provided in an embodiment of the present invention.The method for detecting virus of the application program Implementation environment may include at least one user equipment 101, for providing the clothes of service at least one user equipment 101 Business device 102.

Wherein, which is connected by wireless or cable network and server 102, this this extremely A few user equipment 101 can be to be able to access that computer equipment or intelligent terminal of server 102 etc..User equipment 101 On applications client for viral diagnosis can be installed, will pass through the applications client, to be handed over server 102 Mutually, to obtain the virus detection service of the offer of server 102.For example, the applications client can be application management class client End, can not only provide virus detection service, can also provide and service using information, using downloading, using update etc..

At least one virus base can be safeguarded in server 102, which can be above-mentioned applications client Background server.The server 102 can also be provided for user equipment using information, using downloading, answer by applications client With the service such as update.Certainly, which can also provide issuing interface, and user equipment is connect by the publication The publication that mouth is applied.

Specifically, implementation environment figure as shown in connection with fig. 1, server can provide viral diagnosis clothes for any user equipment Business, that is to say, user equipment can initiate viral diagnosis request to server, when server receives the disease of user equipment transmission When poison detection request, viral diagnosis process can be triggered.Wherein, viral diagnosis request can carry target application to be detected The mark of program, so that server carries out viral diagnosis, certainly, the virus to destination application stored on server Detection request can also carry destination application, and destination application is supplied to server and carries out viral diagnosis.Certainly, The server, which can also be, periodically carries out viral diagnosis to the application program stored on server, or any receiving When the application program that user equipment is newly issued, the process of viral diagnosis is triggered, the embodiment of the present invention is examined to how to trigger the virus Flow gauge is without limitation.

Server, can function execution information to destination application when carrying out viral diagnosis to destination application It is obtained, in a kind of possible embodiment, simulator can be installed in server, the fortune for analog subscriber equipment Row environment, correspondingly, it includes: server calls simulator that server, which obtains function execution information process, by destination application It is loaded onto simulator operation, the function execution information of record destination application in the process of running obtains at least the one of record A function execution information.It when running application program based on simulator, can cause damages to avoid virus to server, improve virus The safety of detection.

Wherein, simulator can be the simulator of Android system, can run Android application program.Certainly, above-mentioned simulation Device can be run corresponding application program, be not construed as limiting herein with IOS simulator, Windows simulator etc..

Wherein, function execution information may include that the Function Identification of performed function and function execute the time, and server exists When running the destination application in simulator, whenever destination application executes a function in simulator, server can The time is executed to record Function Identification and the function of the function, is stored as a function execution information.Wherein, function Mark can be used to indicate that the type of function, which can be using number mark, so that definition virus as far as possible may The function type of execution.For example, the range of Function Identification is [0,255], it is based on the value range, Function Identification 01 is defined as sending out Short message is sent, 02 is makes a phone call, and 03 is calls recording pen, and 04 is pop-up, and 05 is calling camera etc..Function executes the time can be with It is the triggered time of function.

It should be noted that at least one the function execution information recorded can execute the time by early to evening according to function Sequence, therefore, the sequence of function execution information can indicate that function executes sequence.For example, when destination application transmission is short When letter, the Function Identification 01 and function for recording short message execute the information such as time 10:30, as a function execution information；When When calling camera, records the Function Identification 05 for calling camera and function executes the information such as time 10:33；It records when calling When pen, records the Function Identification 03 for calling recording pen and function executes information ... the destination applications such as time 10:49 fortune After row a period of time, following function execution information can be obtained:

01,10:30；

05,10:33；

03,10:49；

……

Above content describes the recording mode of function execution information and the content recorded, and server is in the function of acquisition It is able to can be introduced separately below there are many mode when execution information:

First way, server record function execution information of the destination application in the first preset duration.

Server can in simulator operational objective application program, whenever destination application executes one in simulator When a function, server can recorde down the Function Identification of the function and function executes the time, as a function execution information It is stored, it is out of service after the first preset duration, at least one function execution information of record is stored.Example Such as, server can be 15 minutes with operational objective application program, obtain the function execution information in this 15 minutes.Based on target application The function that program executes in preset duration carries out viral diagnosis, can guarantee that the function execution information for getting virus can wrap The institute for including the destination application is functional, improves the accuracy of viral diagnosis.

Certainly, aforesaid way provides a kind of operation duration recording mode identical with preset duration, and in some implementations In example, which can also be greater than preset duration, that is to say, server operational objective application program in simulator, often When destination application executes a function in simulator, server can recorde down the Function Identification and function of the function The time is executed, is stored as a function execution information, it is out of service after the second preset duration, at least by record One function execution information is stored, and the function of being extracted in the first preset duration from stored function execution information executes Information.In embodiments of the present invention, without limitation to the starting point of first preset duration, which can be operation starting Point, or some later time point of operation starting point, the starting point of first preset duration, which can be, guarantees that target is answered The time point etc. completed with program initialization.For example, server can be 20 minutes with operational objective application program, viral inspection is being carried out When survey, the wherein function execution information in 15 minutes is obtained, can be the function execution information of first 15 minutes or latter 15 minutes, It can be the function execution information in any 15 minutes intermediate, the embodiment of the present invention is not construed as limiting this.

The second way, server obtain what destination application object run process during being run multiple times was recorded Function execution information, the object run process operational process most for the function execution information number that is recorded.

Destination application can be run multiple times in server, and to the number of the function execution information in each operational process It is counted, obtains the function execution information number in each operational process, so that it is determined that object run process, that is to say, function The most operational process of energy execution information number, and based on function execution information recorded in the object run process, it carries out Subsequent virus detection procedure.By this optional way, it can guarantee that the function of getting application program executes letter as far as possible Breath can more accurately embody the actual functional capability of the application program, improve the accuracy of viral diagnosis.

Certainly, above two optinal plan can combine namely server can be in each fortune for the process that is run multiple times During row, the function execution information recorded in the first preset duration is obtained, then transport based on target during each run The function execution information that row process is recorded, to carry out subsequent virus detection procedure.

The above-mentioned specific process for obtaining function execution information is carried out based on implementation environment shown in FIG. 1, and in the present invention Embodiment additionally provides another implementation environment, as shown in Fig. 2, the implementation environment includes: at least one user equipment 201 and clothes Business device 202.Function that the user equipment 201 has and the function that above-mentioned user equipment 101 has similarly, the user equipment 201 can also have operational objective application program, to record the function of the function execution information of the destination application, and with After family equipment 201 gets the function execution information of destination application, which can be by the destination application Function execution information be sent to the server 202, by server 202 based on the function execution information of the destination application into Row viral diagnosis.In implementation environment shown in Fig. 2, the method for detecting virus of application program can be realized by server.Service Device obtain function execution information process include: server receive destination application in another equipment in operational process extremely A few function execution information.In one embodiment, which specifically includes: user equipment runs the target application journey Sequence records at least one function execution information of destination application in the process of running, sends viral diagnosis to server and asks It asks, carries in viral diagnosis request by least one function execution information of the destination application, server receives the disease Poison detection request, extracts at least one function execution information of destination application from viral diagnosis request.It needs to illustrate , the process of at least one function execution information of destination application and the mistake of server acquisition are obtained on a user device Cheng Tongli, this will not be repeated here.Further, when server obtains viral diagnosis result by detection, virus can be examined It surveys result and is sent to user equipment, user equipment is receiving viral diagnosis as a result, can carry out disease based on viral diagnosis result Poison prompt for example, then prompting the application program for virus when viral diagnosis result indicates that the application program is viral, and is worked as Viral diagnosis result indicates the application program not when being virus, then prompt the application program be not virus, certainly, when the virus When testing result indicates that the application program is suspicious, can also prompting the application program, there are risks, it is not recommended that operation etc..

In foregoing invention embodiment be method for detecting virus is realized with server, and export for viral diagnosis result into Row explanation, certainly, above-mentioned method for detecting virus can also be by installing viral diagnosis application program realization on a user device, phase Ying Di, the viral diagnosis application program can configured with local virus database, by local virus database, then can to Mounted application program carries out offline viral diagnosis in the equipment of family.For this purpose, the embodiment of the invention also provides a kind of implementations Environment provides a kind of implementation environment of the embodiment of the present invention referring to Fig. 3, the Fig. 3.The implementation environment may include at least one User equipment 301 and server 302.Viral diagnosis application program can be installed on the user equipment 301, and be also stored with At least one virus base for viral diagnosis.User equipment 301 can recorde operational process when running any application program In function execution information and store, so as to subsequent carry out viral diagnosis.Optionally, user can also do not carry out at any time it is above-mentioned Recording and storage, but when triggering on user equipment 301 to the viral diagnosis of destination application, then to target application journey The function execution information of sequence in the process of running carries out recording and storage, and then can detect target based on the function execution information Whether application program is virus.User equipment can carry out viral prompt based on viral diagnosis result.The virus reminding method can With similarly, this will not be repeated here with method provided in above-described embodiment.

In implementation environment shown in Fig. 3, the method for detecting virus of application program can be examined by the virus on user equipment Application program is surveyed to realize.The processing that viral diagnosis application program obtains function execution information can be such that viral diagnosis application journey Sequence obtains at least one the function execution information for the destination application being locally stored.

It is introduced below with the virus detection procedure to an application program, as shown in figure 4, with based on shown in FIG. 1 Server in implementation environment be illustrated for viral diagnosis, and Fig. 4 is the viral diagnosis side of application program of the present invention Method flow chart, the process flow of this method may include following step:

400, user equipment sends destination application to server.

401, server obtains at least one of destination application in the process of running after receiving destination application A function execution information.

The step of server acquisition function execution information, may refer to the acquisition process in above-described embodiment in step 401, Details are not described herein again.

Above-mentioned steps 400 are into step 401, after only issuing destination application on the server with user equipment, by taking Device be engaged in be illustrated for viral diagnosis, in some embodiments, user equipment can also only send viral diagnosis and ask It asks, viral diagnosis request carries the mark of destination application or destination application, to indicate that server carries out viral inspection It surveys.Certainly, in some embodiments, server can also voluntarily initiate the viral diagnosis to any application program, and the present invention is real Example is applied not limit this.

402, server executes the time according to the function at least one function execution information, is held based at least one function Function Identification in row information, conformation function execute sequence.

Function executes sequence and can be made of Function Identification.Specifically, what server obtained in above-mentioned steps 401 is to be checked Surveying each function execution information that destination application generates in the process of running includes the letters such as Function Identification, function execution time Breath.Server can execute the time according to the function in function execution information, determine putting in order for Function Identification, and then can be with Function Identification is constituted into function execution sequence according to putting in order.

In a kind of possible embodiment, server can be arranged Function Identification according to the sequencing of time Column, the specific processing of step 402 can be such that be determined at least based on the function execution time at least one function execution information The function of one function execution information executes sequence, according to function execution sequence to the function at least one function execution information Mark is ranked up, and is obtained function and is executed sequence.

When server arranges function execution information according to the sequencing of time, the arrangement of function execution information Sequence is that function executes sequence, and server can execute sequence according to the function, Function Identification is formed corresponding function and is held Row sequence.

Specifically, conformation function execute sequence method can there are two types of, be introduced separately below:

First, when conformation function executes sequence, server can execute sequence according to function, and Function Identification is formed phase The function of answering executes sequence.For example, when the function execution information of record is (01,10:30；05,10:33；03,10:49；…) When, Function Identification is arranged according to function execution information, available decimal sequence (1,5,3 ...), the decimal system sequence Column can be corresponding function and execute sequence.

Second, when conformation function executes sequence, the function of the available every two adjacent functional execution information of server The time is executed, the time interval between every two adjacent Function Identification is calculated, then, server can execute suitable according to function Sequence arranges Function Identification, and corresponding time interval mark can be added between two adjacent Function Identifications, It obtains corresponding function and executes sequence.For example, it can be (1,0,0,5,0,3 ...) that function, which executes sequence, wherein " 0 " is the time Spacing identification.

The method for executing sequence based on any of the above-described conformation function in an implementation is handled.

403, function is executed the Function Identification in sequence and is converted to pixel by server, generates destination application Function executes image.

After server obtains metric function execution sequence in step 402, it can be converted into hexadecimal Function executes sequence, namely obtains (01,05,03 ...).Then, the value of each Function Identification can be converted to pixel by server Value, each Function Identification constitute function and execute image as a pixel.Wherein, may range from of the pixel value [0, 255]。

Since the range of Function Identification is set within [0,255], hexadecimal function executes each of sequence Function Identification can be converted to a pixel value, and function execution sequence is also converted to corresponding function and executes image, should Function, which executes image, can be the function execution image of 1*n.It is, of course, also possible to which it is multiple sequences that function, which is executed sequence cutting, Then segment is spliced into the matrix form of multiple lines and multiple rows, then is converted to function based on aforesaid way and executes image, do not limit herein It is fixed.For example, each Function Identification that function executes sequence can be converted to the gray value within [0,255] accordingly, then Obtained function, which executes image, can be gray level image, and gray level image function as shown in Figure 5 executes image schematic diagram；Or Person, each Function Identification that function executes sequence can also generate the pixel value of RGB triple channel by transfer algorithm, at this point, RGB The function that triple channel is constituted, which executes image, can be color image.

For the method that the first conformation function in step 402 executes sequence, the function that server generates executes image The pixel value of each pixel may be used to indicate the type of function, putting in order for pixel can be above-mentioned multiple function The function of energy execution information executes sequence, and two adjacent pixels can be used to indicate that two functions of continuously performing.For example, The pixel that the function executes image can be (01,05,03 ...).

It is similar with first method for the method that second of conformation function in step 402 executes sequence, service The function that device generates executes type of the pixel value of image in addition to that can indicate function, also may indicate that time interval unit.Example Such as, pixel value 00 can indicate that a time interval unit can for (01,00,00,05,00,03 ...) in above-mentioned form two To indicate triggered time 2, the interval time interval unit of function 01 Yu function 05, between function 05 and the triggered time of function 03 Every 1 time interval unit etc..

Server can be held according to multiple function execution informations of destination application, the function of generating destination application Row image, step 402-403 can be a kind of possible embodiment.Certainly, server can also pass through other methods, root According at least one function execution information of destination application, the function of generating destination application executes image.Below to one The method that kind systematic function executes image is introduced, and conformation function execution sequence, which is specifically handled, in this method can be such that base At least one function execution information is arranged in preset function execution information queueing discipline, by least one after arrangement Function Identification in function execution information constitutes function according to the sequence of the function execution information obtained after arrangement and executes sequence.

Preset function execution information queueing discipline can be the sequence descending according to the number for executing number.Service Device can count the number of each Function Identification, and according to number by big at least one the function execution information got Function Identification is ranked up to small sequence.The number of Function Identification is more, then shows that destination application executes the function Number it is more.Then, server can execute sequence according to the sequence of Function Identification and the number of Function Identification, conformation function Column.For example, the execution number of function 01 is 3 times, the execution number of function 03 is 1 time, and the execution number of function 05 is 2 times, then It is (1,1,1,5,5,3) that available function, which executes sequence,.

Function execution information queueing discipline can be configured according to actual needs, and the embodiment of the present invention does not limit this It is fixed.

404, the function that server extracts destination application executes the characteristics of image of image.

Image Feature Selection Model can be called in server, extract the figure that the function of generating in the above process executes image As feature.For example, image characteristics extraction model can be the image characteristics extraction model based on SIFT algorithm, it is also possible to be based on Image characteristics extraction model of machine learning algorithm etc., is not construed as limiting herein.Corresponding, the characteristics of image extracted can be Feature vector is also possible to eigenmatrix etc., also, in characteristics of image may include at least one feature vector or at least one Eigenmatrix.

Below by taking the image characteristics extraction model based on SIFT algorithm as an example, the characteristics of image of extraction is introduced:

Image characteristics extraction model of the server calls based on SIFT algorithm executes image to function and carries out feature extraction, At least one available SIFT feature vector, a SIFT feature vector can be made of 64 floating numbers, herein to SIFT The dimension of feature vector is not construed as limiting.The function of different application executes the corresponding SIFT feature number of vectors of image may not Together.In general, a function, which executes image, can extract one group of SIFT feature vector, for example, this group of SIFT feature vector May include 5 SIFT feature vectors, be recorded as sample X:[0.1234,0.154 ...], [0.134,0.5154 ...] ..., [0.1254,0.4521 ...].

Server can calculate characteristics of image and viral image after getting the corresponding characteristics of image of destination application The similarity of feature.Before this, it needs to extract viral characteristics of image, will be explained below:

The Virus Sample of at least one available known viruse type of server, runs each virus-like in simulator This, executes the processing of step 201-204, and it is special to extract viral image based on method identical with destination application to be detected Sign, details are not described herein again.

By taking the above-mentioned image characteristics extraction model based on SIFT algorithm as an example, final server can export to obtain at least one Group SIFT feature vector, it is corresponding with Virus Sample.Optionally, server is when exporting one group of SIFT feature vector, Ke Yiwei This group of SIFT feature vector adds the mark of corresponding Virus Type, and format can be " Virus Type: SIFT feature Vector Groups ", For example, swindle class: [0.1234,0.154 ...], [0.134,0.5154 ...] ..., [0.1254,0.4521 ...].

In turn, server can be by the viral characteristics of image storage of at least one Virus Type under determining to virus base In.Subsequent in use, add the viral characteristics of image of new Virus Sample if necessary, then can be determined based on the above method The virus characteristics of image, is updated virus base, details are not described herein again.

405, server traverses the viral characteristics of image of a variety of Virus Types, the viral image of one Virus Type of every traversal Feature obtains the similarity of the viral characteristics of image of characteristics of image and Virus Type.

A kind of viral characteristics of image of Virus Type may include at least one feature vector in characteristics of image or virus base Or eigenmatrix.

In a kind of possible embodiment, server can traverse all Virus Types in virus base, determine every kind The viral characteristics of image of Virus Type and the similarity of characteristics of image.For example, the case where matrix is characterized for characteristics of image, it can To determine the order of the sum of ranks virus characteristics of image of characteristics of image respectively, in turn, it can be determined that the sum of ranks virus image of characteristics of image The ratio is determined as similarity by the ratio of the order of feature.

It is introduced by taking feature vector as an example below, the specific processing of above-mentioned steps 405 can be such that determining characteristics of image Each target feature vector and Virus Type viral characteristics of image each feature vector vector distance, distance will be less than The number of the vector distance of threshold value is determined as the similarity of the viral characteristics of image of characteristics of image and Virus Type

For a target feature vector of destination application, server can traverse the every kind of disease stored in virus base The feature vector of malicious type determines vector distance respectively.Server by all target feature vectors of destination application and disease The feature vector of all Virus Types stored in malicious library all compares, it is ensured that viral diagnosis it is comprehensive.

Server can calculate the distance between characteristics of image and viral characteristics of image based on distance algorithm, and distance is closer, Similarity is higher, for example, distance algorithm can be Euclidean distance algorithm, manhatton distance algorithm etc..

By taking Euclidean distance algorithm as an example, for the SIFT feature vector of 64 dimensions, if a SIFT spy of characteristics of image Sign vector is (x₁,x₂,...,x₆₄), a SIFT feature vector of viral characteristics of image is (y₁,y₂,...,y₆₄), then it can be with base Vector distance d is calculated in following formula (1):

The range of method provided in an embodiment of the present invention, the vector distance being calculated can incite somebody to action between [0,1] Distance threshold is set as 0.2.When vector distance is less than 0.2, it is believed that the two SIFT feature vectors are similar.

For only including a feature vector or a spy in the viral characteristics of image of characteristics of image or a kind of Virus Type The case where levying matrix, can be using the inverse of vector distance as similarity, and the inverse of vector threshold is as similarity threshold.Vector When distance is less than distance threshold, similarity is greater than similarity threshold.

By taking feature vector as an example, due to may include multiple feature vectors in characteristics of image, target application journey can use The number of feature vector including in the corresponding characteristics of image of sequence, similar with the viral characteristics of image of certain Virus Type, to weigh It measures the corresponding characteristics of image of destination application and whether the viral characteristics of image of the Virus Type is similar.Similar feature vector It is more, then show that characteristics of image is more similar.For example, the schematic diagram of determining similarity as shown in FIG. 6, target application to be detected The similar features vector of Virus Type 1 has Sim_1=1 in program and virus base, has with the similar features vector of Virus Type 2 Sim_2=0 has Sim_3=4 etc. with the similar features vector of Virus Type 3.

Certainly, server is also based on the similarity that similarity algorithm calculates characteristics of image and viral characteristics of image, example Such as, similarity algorithm can be cosine similarity algorithm, solution Jie Kade similarity factor etc..The embodiment of the present invention is similar to determination The specific algorithm of degree is not construed as limiting.

406, when the similarity of characteristics of image and viral characteristics of image is greater than similarity threshold, server is by target application Programming indicia is virus.

Server may determine that whether the similarity under determining in step 405 is greater than similarity threshold, if there is any Similarity is greater than similarity threshold, then server can determine that destination application is virus, and then can be to the target application Program is marked.It is greater than similarity threshold if there is no similarity, then cannot judges whether destination application is virus, Server can temporarily determine destination application safety.If it is disease that this is determined safe destination application really Poison, during subsequent use, which may be detected by other method for detecting virus or the mesh The corresponding viral characteristics of image of mark application program is added in virus base, by disease provided in an embodiment of the present invention when detecting again Virus detection method detected.

In a kind of possible embodiment, server determines lower characteristics of image and every kind of Virus Type in step 405 Similarity after, similarity maximum value can be obtained out, judge whether the similarity maximum value is greater than similarity threshold.Such as Fruit similarity maximum value is greater than similarity threshold, then shows that destination application is virus；If similarity maximum value is not more than Similarity threshold then shows that remaining similarity no more than similarity threshold, can temporarily determine that the destination application is pacified Entirely, it can be avoided and compare each similarity with similarity threshold, improve treatment effeciency.At this point, if similarity is maximum Value is greater than similarity threshold, then the Virus Type of the corresponding viral characteristics of image of similarity maximum value can also be determined as mesh The target viral type for marking application program, improves the accuracy of viral diagnosis, to take accurate counter-measure, improves safety Property.

For example, similarity threshold can be set to 3, target application to be detected under being determined in above-mentioned steps 405 Similarity maximum value Sim_3=4 can be obtained out, with similarity threshold by program after the similarity of each Virus Type 3 are compared.4 > 3 are easy to get, then the destination application can be determined for virus.

If server provides the service of viral diagnosis for application market, when determining destination application is virus, Can refuse destination application and be delivered to application market, or by destination application from application market undercarriage.If clothes Business device provides the service of viral diagnosis for other equipment, then viral diagnosis result can be sent to the equipment, so that user sentences It is disconnected to continue to use the destination application or unloading.

Illustratively, the system of virus detection system schematic diagram as shown in Figure 7, viral diagnosis can be program-controlled by detection stream System module, behavior fingerprint extraction submodule, virus base generate 4 submodule structures such as submodule and measuring similarity submodule At.Wherein, testing process control submodule can call remaining 3 submodule, can be used to implement the stream of entire viral diagnosis Journey；Behavior fingerprint extraction submodule can be used for extracting characteristics of image, and the characteristics of image that function executes image is behavior fingerprint； Virus base, which generates submodule, can call behavior fingerprint extraction submodule, can store at least one disease in the virus base of generation The viral characteristics of image of malicious type；Measuring similarity submodule be determined for the corresponding characteristics of image of destination application and The similarity of viral characteristics of image.Testing process control submodule processing flow schematic diagram is as shown in figure 8, behavior fingerprint extraction For resume module flow diagram as shown in figure 9, the method flow diagram of the viral diagnosis of application program is as shown in Figure 10, virus base is raw As shown in figure 11 at submodule processing flow schematic diagram, measuring similarity submodule processing flow schematic diagram is as shown in figure 12.

The process of above-mentioned steps 401 can call behavior fingerprint extraction submodule to realize by testing process control submodule, The process of above-mentioned steps 402-404 can be realized by behavior fingerprint extraction submodule, and viral image is generated in above-mentioned steps 404 The processing of feature can generate submodule by virus base and behavior fingerprint extraction submodule is called to realize, the process of above-mentioned steps 405 Measuring similarity submodule can be called to realize that the process of above-mentioned steps 406 can be by detecting by testing process control submodule Row control submodule is realized.

It is introduced below with the virus detection procedure to an application program, as shown in figure 13, based on shown in Fig. 2 The interaction of server and user equipment in implementation environment, be illustrated for viral diagnosis, Figure 13 answers for the present invention With the method for detecting virus flow chart of program, the process flow of this method may include following step:

1300, user equipment is instructed according to viral diagnosis, obtains at least one of destination application in the process of running Function execution information.

1301, user equipment sends viral diagnosis request to server, and viral diagnosis request carries the target application journey At least one the function execution information of sequence in the process of running.

1302, it after server receives viral diagnosis request, is held according to the function at least one function execution information The row time, based on the Function Identification at least one function execution information, conformation function executes sequence.

1303, function is executed the Function Identification in sequence and is converted to pixel by server, generates destination application Function execute image.

1304, the function that server extracts destination application executes the characteristics of image of image.

1305, server traverses the viral characteristics of image of a variety of Virus Types, the virus figure of every one Virus Type of traversal As feature, the similarity of the viral characteristics of image of characteristics of image and Virus Type is obtained.

1306, when the similarity of characteristics of image and viral characteristics of image is greater than similarity threshold, server answers target It is virus with programming indicia.

1307, viral diagnosis result is sent to user equipment by server.

1308, after user equipment receives viral diagnosis result, viral prompt is carried out.

In the embodiment of the present invention, due to the behavior that there are the virus of application program certain specific functions to execute, even if sick The source code of poison changes, and the function that virus executes will not generally change, therefore, function of the server based on application program Can execution information carry out viral diagnosis, the virus of deformation also be can detecte out, there is stronger generalization ability.Also, Characteristic reliability based on image zooming-out is higher, and the embodiment of the present invention is held using the function execution information systematic function of application program The corresponding characteristics of image of application program to be detected and viral characteristics of image are compared, viral inspection can be improved by row image The accuracy of survey.Further, function execution information acquired in operational process is sent to by server by user equipment It is detected, the processing pressure of server can be reduced.

It is introduced below with the virus detection procedure to an application program, as shown in figure 14, based on shown in Fig. 2 The interaction of server and user equipment in implementation environment, be illustrated for viral diagnosis, Figure 14 answers for the present invention With the method for detecting virus flow chart of program, the process flow of this method may include following step:

1401, user equipment is instructed according to viral diagnosis, obtains at least one of destination application in the process of running Function execution information.

1402, user equipment executes the time according to the function at least one function execution information, is based at least one function Function Identification in energy execution information, conformation function execute sequence.

1403, function is executed the Function Identification in sequence and is converted to pixel by user equipment, generates target application journey The function of sequence executes image.

1404, the function that user equipment extracts destination application executes the characteristics of image of image.

1405, user equipment traverses the viral characteristics of image of a variety of Virus Types, the virus of one Virus Type of every traversal Characteristics of image obtains the similarity of the viral characteristics of image of characteristics of image and Virus Type.

1406, when the similarity of characteristics of image and viral characteristics of image is greater than similarity threshold, user equipment is by target Application program mark is virus.

1407, user equipment carries out viral prompt according to viral diagnosis result.

In the embodiment of the present invention, due to the behavior that there are the virus of application program certain specific functions to execute, even if sick The source code of poison changes, and the function that virus executes will not generally change, therefore, function of the server based on application program Can execution information carry out viral diagnosis, the virus of deformation also be can detecte out, there is stronger generalization ability.Also, Characteristic reliability based on image zooming-out is higher, and the embodiment of the present invention is held using the function execution information systematic function of application program The corresponding characteristics of image of application program to be detected and viral characteristics of image are compared, viral inspection can be improved by row image The accuracy of survey.Further, local virus database is based on by user equipment and carries out above-mentioned viral diagnosis, it is ensured that from Also viral diagnosis can be completed under field of line scape.

Based on the same technical idea, the embodiment of the invention also provides a kind of viral diagnosis devices of application program, should Device can be above-mentioned server.As shown in figure 15, which includes:

Module 1510 is obtained, for instructing according to the viral diagnosis to destination application, obtains the target application journey At least one function execution information of sequence, at least one described function execution information are being transported for recording the destination application Performed function during row；

Generation module 1520, at least one function execution information according to the destination application, described in generation The function of destination application executes image；

Extraction module 1530 executes the characteristics of image of image for extracting the function；

Determining module 1540, for being greater than similarity threshold when the similarity of described image feature and viral characteristics of image When, by the destination application labeled as virus.

Optionally, the acquisition module 1510 is used for:

Simulator is called, the destination application is loaded onto the simulator and is run, the target application journey is recorded The function execution information of sequence in the process of running obtains at least one function execution information of record, wherein the simulator is used In the running environment of analog subscriber equipment；Or

Receive at least one function execution information that the destination application records in operational process in another equipment.

Optionally, at least one described function execution information includes:

The destination application at least one function recorded in the operational process of the first preset duration executes letter Breath；Or,

The destination application is executed at least one function that the object run process for the process that is run multiple times is recorded Information, the object run process are the most operational process of information content recorded in the multiple operational process.

It optionally, include that Function Identification and function execute time, the generation module 1520 in each function execution information For:

The time is executed according to the function at least one described function execution information, is executed based at least one described function Function Identification in information, conformation function execute sequence, wherein the function executes sequence by the multiple Function Identification group At；

Function Identification in function execution sequence is converted into pixel, generates the function of the destination application Image can be executed.

Optionally, the generation module 1520 is used for:

The time is executed based on the function at least one described function execution information, determines that at least one described function executes The function of information executes sequence, executes sequence according to the function, to the function mark at least one described function execution information Knowledge is ranked up, and is obtained function and is executed sequence.

Optionally, the generation module 1520 is used for:

Based on preset function execution information queueing discipline, at least one described function execution information is arranged, it will The Function Identification at least one function execution information after arrangement, according to the sequence structure of the function execution information obtained after arrangement Sequence is executed at function.

Optionally, the determining module 1540 is used for:

The viral characteristics of image of a variety of Virus Types is traversed, the viral characteristics of image of one Virus Type of every traversal obtains The similarity of the viral characteristics of image of described image feature and the Virus Type；

When similarity maximum value is greater than similarity threshold, by the destination application labeled as virus.

Optionally, described image feature includes multiple target feature vectors, and the virus characteristics of image includes multiple features Vector；

The determining module 1540 is used for:

Determine each of each target feature vector of described image feature and the viral characteristics of image of the Virus Type The vector distance of feature vector will be less than the number of the vector distance of distance threshold, be determined as described image feature and the disease The similarity of the viral characteristics of image of malicious type.

Optionally, the determining module 1540 is also used to:

By the Virus Type of the corresponding viral characteristics of image of the similarity maximum value, it is determined as the destination application Target viral type.

About the device in above-described embodiment, wherein modules execute the concrete mode of operation in related this method Embodiment in be described in detail, no detailed explanation will be given here.

It should be understood that the viral diagnosis device of application program provided by the above embodiment detect virus when, only with The division progress of above-mentioned each functional module can according to need and for example, in practical application by above-mentioned function distribution by not Same functional module is completed, i.e., the internal structure of server is divided into different functional modules, described above complete to complete Portion or partial function.In addition, the viral diagnosis device of application program provided by the above embodiment and the virus of application program are examined It surveys embodiment of the method and belongs to same design, specific implementation process is detailed in embodiment of the method, and which is not described herein again.

Based on the same technical idea, the embodiment of the invention also provides a kind of viral diagnosis devices of application program, should Device can be above-mentioned user equipment.As shown in figure 16, which includes:

Calling module 1610 calls simulator, by the mesh for instructing according to the viral diagnosis to destination application Mark application program is loaded onto the simulator operation, wherein the simulator is used to simulate the running environment of an isolation；

Module 1620 is obtained to obtain for obtaining the function execution information of the destination application in the process of running At least one function execution information, at least one described function execution information is for recording the destination application in the mould Performed function when being run in quasi- device；

Sending module 1630, for sending viral diagnosis request to server, the viral diagnosis request carrying is described extremely A few function execution information, the viral diagnosis request are used to indicate the server and examine to the destination application It surveys；

Cue module 1640, the viral diagnosis received for basis is as a result, carry out viral prompt, the viral diagnosis knot Fruit is based at least one described function execution information and obtains.

Optionally, which is used for:

Obtain function execution information of the destination application in the operational process of the first preset duration；

Or,

Function execution information of destination application during being run multiple times is obtained, was run multiple times described in acquisition At least one function execution information that object run process is recorded in journey, the object run process are the multiple ran The most operational process of information content recorded in journey.

Figure 17 is a kind of structural schematic diagram of server provided in an embodiment of the present invention, the server 1700 can because of configuration or Performance is different and generates bigger difference, may include one or more processors (central processing Units, CPU) 1701 and one or more memory 1702, wherein at least one is stored in the memory 1702 Item instruction, at least one instruction are loaded by the processor 1701 and execute the viral diagnosis to realize following application programs Method and step:

Extract the characteristics of image that the function executes image；

When the similarity of described image feature and viral characteristics of image is greater than similarity threshold, by the target application journey Sequence is labeled as virus.

Optionally, at least one instruction is loaded by the processor 1701 and is executed to realize following methods step:

Simulator is called, the destination application is loaded onto the simulator and is run, the target application journey is recorded The function execution information of sequence in the process of running obtains multiple function execution informations of record, wherein the simulator is used for mould The running environment of quasi- user equipment；Or

It optionally, include that Function Identification and function execute time, at least one instruction in each function execution information It is loaded by the processor 1701 and is executed to realize following methods step:

The time is executed according to the function at least one described function execution information, is executed based at least one described function Function Identification in information, conformation function execute sequence, wherein the function executes sequence and is made of the Function Identification, institute Stating function and executing the sequence of the Function Identification in sequence is that the function executes sequence；

At least one determining described function of time is executed based on the function at least one described function execution information to execute The function of information executes sequence, according to the function execution sequence to the Function Identification at least one described function execution information It is ranked up, obtains function and execute sequence.

At least one described function execution information is arranged based on preset function execution information queueing discipline, will be arranged The Function Identification at least one function execution information after column is constituted according to the sequence of the function execution information obtained after arrangement Function executes sequence.

Optionally, the viral characteristics of image includes the viral characteristics of image of at least one Virus Type；

At least one instruction is loaded by the processor 1701 and is executed to realize following methods step:

Figure 18 is a kind of structural block diagram of terminal provided in an embodiment of the present invention.The terminal 1800 may is that smart phone, Tablet computer, MP3 player (Moving Picture Experts Group Audio Layer III, dynamic image expert Compression standard audio level 3), (Moving Picture Experts Group Audio Layer IV, dynamic image are special by MP4 Family's compression standard audio level 4) player, laptop or desktop computer.Terminal 1800 be also possible to referred to as user equipment, Other titles such as portable terminal, laptop terminal, terminal console.

In general, terminal 1800 includes: processor 1801 and memory 1802.

Processor 1801 may include one or more processing cores, such as 4 core processors, 8 core processors etc..Place Reason device 1801 can use DSP (Digital Signal Processing, Digital Signal Processing), FPGA (Field- Programmable Gate Array, field programmable gate array), PLA (Programmable Logic Array, may be programmed Logic array) at least one of example, in hardware realize.Processor 1801 also may include primary processor and coprocessor, master Processor is the processor for being handled data in the awake state, also referred to as CPU (Central Processing Unit, central processing unit)；Coprocessor is the low power processor for being handled data in the standby state.? In some embodiments, processor 1801 can be integrated with GPU (Graphics Processing Unit, image processor), GPU is used to be responsible for the rendering and drafting of content to be shown needed for display screen.In some embodiments, processor 1801 can also be wrapped AI (Artificial Intelligence, artificial intelligence) processor is included, the AI processor is for handling related machine learning Calculating operation.

Memory 1802 may include one or more computer readable storage mediums, which can To be non-transient.Memory 1802 may also include high-speed random access memory and nonvolatile memory, such as one Or multiple disk storage equipments, flash memory device.In some embodiments, the non-transient computer in memory 1802 can Storage medium is read for storing at least one instruction, at least one instruction performed by processor 1801 for realizing this Shen Please in embodiment of the method provide application program method for detecting virus.

In some embodiments, terminal 1800 is also optional includes: peripheral device interface 1803 and at least one periphery are set It is standby.It can be connected by bus or signal wire between processor 1801, memory 1802 and peripheral device interface 1803.It is each outer Peripheral equipment can be connected by bus, signal wire or circuit board with peripheral device interface 1803.Specifically, peripheral equipment includes: In radio circuit 1804, touch display screen 1805, camera 1806, voicefrequency circuit 1807, positioning component 1808 and power supply 1809 At least one.

Peripheral device interface 1803 can be used for I/O (Input/Output, input/output) is relevant outside at least one Peripheral equipment is connected to processor 1801 and memory 1802.In some embodiments, processor 1801, memory 1802 and periphery Equipment interface 1803 is integrated on same chip or circuit board；In some other embodiments, processor 1801, memory 1802 and peripheral device interface 1803 in any one or two can be realized on individual chip or circuit board, this implementation Example is not limited this.

Radio circuit 1804 is for receiving and emitting RF (Radio Frequency, radio frequency) signal, also referred to as electromagnetic signal. Radio circuit 1804 is communicated by electromagnetic signal with communication network and other communication equipments.Radio circuit 1804 is by telecommunications Number being converted to electromagnetic signal is sent, alternatively, the electromagnetic signal received is converted to electric signal.Optionally, radio circuit 1804 include: antenna system, RF transceiver, one or more amplifiers, tuner, oscillator, digital signal processor, volume solution Code chipset, user identity module card etc..Radio circuit 1804 can by least one wireless communication protocol come with it is other Terminal is communicated.The wireless communication protocol includes but is not limited to: Metropolitan Area Network (MAN), each third generation mobile communication network (2G, 3G, 4G and 5G), WLAN and/or WiFi (Wireless Fidelity, Wireless Fidelity) network.In some embodiments, radio frequency electrical Road 1804 can also include NFC (Near Field Communication, wireless near field communication) related circuit, the application This is not limited.

Display screen 1805 is for showing UI (User Interface, user interface).The UI may include figure, text, Icon, video and its their any combination.When display screen 1805 is touch display screen, display screen 1805 also there is acquisition to exist The ability of the touch signal on the surface or surface of display screen 1805.The touch signal can be used as control signal and be input to place Reason device 1801 is handled.At this point, display screen 1805 can be also used for providing virtual push button and/or dummy keyboard, it is also referred to as soft to press Button and/or soft keyboard.In some embodiments, display screen 1805 can be one, and the front panel of terminal 1800 is arranged；Another In a little embodiments, display screen 1805 can be at least two, be separately positioned on the different surfaces of terminal 1800 or in foldover design； In still other embodiments, display screen 1805 can be flexible display screen, is arranged on the curved surface of terminal 1800 or folds On face.Even, display screen 1805 can also be arranged to non-rectangle irregular figure, namely abnormity screen.Display screen 1805 can be with Using LCD (Liquid Crystal Display, liquid crystal display), OLED (Organic Light-Emitting Diode, Organic Light Emitting Diode) etc. materials preparation.

CCD camera assembly 1806 is for acquiring image or video.Optionally, CCD camera assembly 1806 includes front camera And rear camera.In general, the front panel of terminal is arranged in front camera, the back side of terminal is arranged in rear camera.? In some embodiments, rear camera at least two is that main camera, depth of field camera, wide-angle camera, focal length are taken the photograph respectively As any one in head, to realize that main camera and the fusion of depth of field camera realize background blurring function, main camera and wide Pan-shot and VR (Virtual Reality, virtual reality) shooting function or other fusions are realized in camera fusion in angle Shooting function.In some embodiments, CCD camera assembly 1806 can also include flash lamp.Flash lamp can be monochromatic temperature flash of light Lamp is also possible to double-colored temperature flash lamp.Double-colored temperature flash lamp refers to the combination of warm light flash lamp and cold light flash lamp, can be used for Light compensation under different-colour.

Voicefrequency circuit 1807 may include microphone and loudspeaker.Microphone is used to acquire the sound wave of user and environment, and It converts sound waves into electric signal and is input to processor 1801 and handled, or be input to radio circuit 1804 to realize that voice is logical Letter.For stereo acquisition or the purpose of noise reduction, microphone can be separately positioned on the different parts of terminal 1800 to be multiple. Microphone can also be array microphone or omnidirectional's acquisition type microphone.Loudspeaker is then used to that processor 1801 or radio frequency will to be come from The electric signal of circuit 1804 is converted to sound wave.Loudspeaker can be traditional wafer speaker, be also possible to piezoelectric ceramics loudspeaking Device.When loudspeaker is piezoelectric ceramic loudspeaker, the audible sound wave of the mankind can be not only converted electrical signals to, can also be incited somebody to action Electric signal is converted to the sound wave that the mankind do not hear to carry out the purposes such as ranging.In some embodiments, voicefrequency circuit 1807 may be used also To include earphone jack.

Positioning component 1808 is used for the current geographic position of positioning terminal 1800, to realize navigation or LBS (Location Based Service, location based service).Positioning component 1808 can be the GPS (Global based on the U.S. Positioning System, global positioning system), the dipper system of China, Russia Gray receive this system or European Union The positioning component of Galileo system.

Power supply 1809 is used to be powered for the various components in terminal 1800.Power supply 1809 can be alternating current, direct current Electricity, disposable battery or rechargeable battery.When power supply 1809 includes rechargeable battery, which can support wired Charging or wireless charging.The rechargeable battery can be also used for supporting fast charge technology.

In some embodiments, terminal 1800 further includes having one or more sensors 1810.One or more sensing Device 1810 includes but is not limited to: acceleration transducer 1811, gyro sensor 1812, pressure sensor 1813, fingerprint sensing Device 1814, optical sensor 1815 and proximity sensor 1816.

Acceleration transducer 1811 can detecte the acceleration in three reference axis of the coordinate system established with terminal 1800 Size.For example, acceleration transducer 1811 can be used for detecting component of the acceleration of gravity in three reference axis.Processor The 1801 acceleration of gravity signals that can be acquired according to acceleration transducer 1811, control touch display screen 1805 with transverse views Or longitudinal view carries out the display of user interface.Acceleration transducer 1811 can be also used for game or the exercise data of user Acquisition.

Gyro sensor 1812 can detecte body direction and the rotational angle of terminal 1800, gyro sensor 1812 Acquisition user can be cooperateed with to act the 3D of terminal 1800 with acceleration transducer 1811.Processor 1801 is according to gyro sensors The data that device 1812 acquires, following function may be implemented: action induction (for example changing UI according to the tilt operation of user) is clapped Image stabilization, game control and inertial navigation when taking the photograph.

The lower layer of side frame and/or touch display screen 1805 in terminal 1800 can be set in pressure sensor 1813.When When the side frame of terminal 1800 is arranged in pressure sensor 1813, user can detecte to the gripping signal of terminal 1800, by Reason device 1801 carries out right-hand man's identification or prompt operation according to the gripping signal that pressure sensor 1813 acquires.Work as pressure sensor 1813 when being arranged in the lower layer of touch display screen 1805, is grasped by processor 1801 according to pressure of the user to touch display screen 1805 Make, realization controls the operability control on the interface UI.Operability control include button control, scroll bar control, At least one of icon control, menu control.

Fingerprint sensor 1814 is used to acquire the fingerprint of user, is collected by processor 1801 according to fingerprint sensor 1814 Fingerprint recognition user identity, alternatively, by fingerprint sensor 1814 according to the identity of collected fingerprint recognition user.Knowing Not Chu the identity of user when being trusted identity, authorize the user to execute relevant sensitive operation by processor 1801, which grasps Make to include solving lock screen, checking encryption information, downloading software, payment and change setting etc..Fingerprint sensor 1814 can be set Set the front, the back side or side of terminal 1800.When being provided with physical button or manufacturer Logo in terminal 1800, fingerprint sensor 1814 can integrate with physical button or manufacturer Logo.

Optical sensor 1815 is for acquiring ambient light intensity.In one embodiment, processor 1801 can be according to light The ambient light intensity that sensor 1815 acquires is learned, the display brightness of touch display screen 1805 is controlled.Specifically, work as ambient light intensity When higher, the display brightness of touch display screen 1805 is turned up；When ambient light intensity is lower, the aobvious of touch display screen 1805 is turned down Show brightness.In another embodiment, the ambient light intensity that processor 1801 can also be acquired according to optical sensor 1815, is moved The acquisition parameters of state adjustment CCD camera assembly 1806.

Proximity sensor 1816, also referred to as range sensor are generally arranged at the front panel of terminal 1800.Proximity sensor 1816 for acquiring the distance between the front of user Yu terminal 1800.In one embodiment, when proximity sensor 1816 is examined When measuring the distance between the front of user and terminal 1800 and gradually becoming smaller, by processor 1801 control touch display screen 1805 from Bright screen state is switched to breath screen state；When proximity sensor 1816 detect the distance between front of user and terminal 1800 by When gradual change is big, touch display screen 1805 is controlled by processor 1801 and is switched to bright screen state from breath screen state.

It, can be with it will be understood by those skilled in the art that the restriction of the not structure paired terminal 1800 of structure shown in Figure 18 Including than illustrating more or fewer components, perhaps combining certain components or being arranged using different components.

In the exemplary embodiment, a kind of computer readable storage medium is additionally provided, the memory for example including instruction, Above-metioned instruction can be executed by the processor in equipment to complete the method for detecting virus of above-mentioned application program.For example, the calculating Machine readable storage medium storing program for executing can be ROM, random access memory (RAM), CD-ROM, tape, floppy disk and optical data storage devices Deng.

Those of ordinary skill in the art will appreciate that realizing that all or part of the steps of above-described embodiment can pass through hardware It completes, relevant hardware can also be instructed to complete by program, the program can store in a kind of computer-readable In storage medium, storage medium mentioned above can be read-only memory, disk or CD etc..

The foregoing is merely presently preferred embodiments of the present invention, is not intended to limit the invention, it is all in spirit of the invention and Within principle, any modification, equivalent replacement, improvement and so on be should all be included in the protection scope of the present invention.

Claims

1. a kind of method for detecting virus of application program, which is characterized in that the described method includes:

According to the viral diagnosis instruction to destination application, at least one function of obtaining the destination application executes letter Breath, at least one described function execution information are used to record the destination application performed function in the process of running；

According at least one function execution information of the destination application, the function of generating the destination application is executed Image；

Extract the characteristics of image that the function executes image；

When the similarity of described image feature and viral characteristics of image is greater than similarity threshold, by the destination application mark It is denoted as virus.

2. the method according to claim 1, wherein described at least one function of obtaining destination application is held Row information, comprising:

Simulator is called, the destination application is loaded onto the simulator and is run, the destination application is recorded and exists Function execution information in operational process obtains at least one function execution information of record, wherein the simulator is used for mould The running environment of quasi- user equipment；Or

3. the method according to claim 1, wherein at least one described function execution information includes:

The destination application at least one function execution information recorded in the operational process of the first preset duration； Or,

At least one function execution information that the destination application is recorded in the object run process for the process that is run multiple times, The object run process is the most operational process of information content recorded in the multiple operational process.

4. the method according to claim 1, wherein including Function Identification and function in each function execution information The time is executed, described at least one function execution information according to the destination application generates the destination application Function execute image, comprising:

The time is executed according to the function at least one described function execution information, based at least one described function execution information In Function Identification, conformation function executes sequence, wherein the function executes sequence and is made of the Function Identification；

The function is executed into the Function Identification in sequence and is converted to pixel, the function of generating the destination application executes Image.

5. according to the method described in claim 4, it is characterized in that, described according at least one described function execution information Function executes the time, and based on the Function Identification at least one described function execution information, conformation function executes sequence, comprising:

The time is executed based on the function at least one described function execution information, determines at least one described function execution information Function execute sequence；

Sequence is executed according to the function, the Function Identification at least one described function execution information is ranked up, is obtained Function executes sequence.

6. the method according to claim 1, wherein including Function Identification and function in each function execution information The time is executed, described at least one function execution information according to the destination application generates the destination application Function execute image, comprising:

At least one described function execution information is arranged based on preset function execution information queueing discipline, after arrangement At least one function execution information in Function Identification, according to the function execution information obtained after arrangement sequence constitute function Execute sequence.

7. the method according to claim 1, wherein the phase for working as described image feature and viral characteristics of image When being greater than similarity threshold like degree, determine the destination application for virus, comprising:

Traverse the viral characteristics of image of a variety of Virus Types, the viral characteristics of image of one Virus Type of every traversal, described in acquisition The similarity of the viral characteristics of image of characteristics of image and the Virus Type；

8. the method according to the description of claim 7 is characterized in that described image feature includes multiple target feature vectors, institute Stating viral characteristics of image includes multiple feature vectors；

The similarity of the viral characteristics of image for obtaining described image feature and the Virus Type, comprising:

Determine each feature of each target feature vector of described image feature and the viral characteristics of image of the Virus Type The vector distance of vector will be less than the number of the vector distance of distance threshold, be determined as described image feature and the virus type The similarity of the viral characteristics of image of type.

9. the method according to the description of claim 7 is characterized in that the method also includes:

By the Virus Type of the corresponding viral characteristics of image of the similarity maximum value, it is determined as the mesh of the destination application Mark Virus Type.

10. a kind of method for detecting virus of application program, which is characterized in that the described method includes:

According to the viral diagnosis instruction to destination application, simulator is called, the destination application is loaded onto described Simulator operation, wherein the simulator is used to simulate the running environment of an isolation；

The function execution information of the destination application in the process of running is obtained, at least one function execution information is obtained, At least one described function execution information is performed when the destination application is run in the simulator for recording Function；

Viral diagnosis request is sent to server, the viral diagnosis request carries at least one described function execution information, institute Viral diagnosis request is stated to be used to indicate the server and detect the destination application；

According to the viral diagnosis received as a result, carrying out viral prompt, the viral diagnosis result is based at least one described function Energy execution information obtains.

11. according to the method described in claim 10, it is characterized in that, described obtain the destination application in operational process In function execution information, comprising:

Or,

Function execution information of destination application during being run multiple times is obtained, during being run multiple times described in acquisition At least one function execution information that object run process is recorded, the object run process are in the multiple operational process The most operational process of recorded information quantity.

12. a kind of viral diagnosis device of application program, which is characterized in that described device includes:

Module is obtained, for instructing according to the viral diagnosis to destination application, obtains the destination application at least One function execution information, at least one described function execution information is for recording the destination application in the process of running Performed function；

Generation module generates the target application at least one function execution information according to the destination application The function of program executes image；

Determining module will be described for when described image feature and the similarity of viral characteristics of image are greater than similarity threshold Destination application is labeled as virus.

13. a kind of viral diagnosis device of application program, which is characterized in that described device includes:

Calling module calls simulator, by the target application journey for instructing according to the viral diagnosis to destination application Sequence is loaded onto the simulator operation, wherein the simulator is used to simulate the running environment of an isolation；

It obtains module and obtains at least one for obtaining the function execution information of the destination application in the process of running Function execution information, at least one described function execution information are transported in the simulator for recording the destination application Performed function when row；

Sending module, for sending viral diagnosis request to server, the viral diagnosis request carries at least one described function Energy execution information, the viral diagnosis request are used to indicate the server and detect to the destination application；

Cue module, for, as a result, carrying out viral prompt, the viral diagnosis result to be based on institute according to the viral diagnosis received At least one function execution information is stated to obtain.

14. a kind of computer equipment, which is characterized in that the computer equipment includes processor and memory, the memory In be stored at least one instruction, at least one instruction is loaded by the processor and is executed to realize such as claim 1 To the method for detecting virus of 9 any application programs；Or, the disease of the application program as described in claim 10 to 11 is any Virus detection method.

15. a kind of computer readable storage medium, which is characterized in that be stored at least one instruction, institute in the storage medium It states at least one instruction and is loaded by processor and executed virus to realize application program as described in any one of claim 1 to 9 Detection method；Or, the method for detecting virus of the application program as described in claim 10 to 11 is any.