CN109117635A - Virus detection method and apparatus for application programs, computer device, and storage medium - Google Patents
- Publication number: CN109117635A
- Application number: CN201811042877.1A
- Authority: CN (China)
- Prior art keywords
- function
- execution information
- image
- destination application
- function execution
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/22—Matching criteria, e.g. proximity measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06V—IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
- G06V10/00—Arrangements for image or video recognition or understanding
- G06V10/40—Extraction of image or video features
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses a virus detection method and apparatus for application programs, a computer device, and a storage medium, and belongs to the field of electronic technology. The method comprises: obtaining, according to a virus detection instruction for a target application, at least one piece of function execution information of the target application, the at least one piece of function execution information recording the functions performed by the target application while it runs; generating a function execution image of the target application according to the at least one piece of function execution information; extracting an image feature of the function execution image; and, when the similarity between the image feature and a virus image feature is greater than a similarity threshold, marking the target application as a virus. With the invention, the accuracy of virus detection can be improved.
Description
Technical field
The present invention relates to the field of electronic technology, and in particular to a virus detection method and apparatus for application programs, a computer device, and a storage medium.
Background
With the widespread use of terminals, terminal security is receiving more and more attention. A virus in an application program can cause users financial loss and annoyance. For example, a virus may automatically send text messages in the background to subscribe to fee-deducting services, causing economic loss without the user's knowledge; a virus may also maliciously push junk advertisements, which annoys the user.
Virus detection is of great significance to the security and convenience of terminals. First, the source code of a known virus can be analyzed to determine the signature (feature code) of the virus; the signature may be a contiguous binary segment in the source code. Then, when checking whether any application is a virus, the source code of that application can be obtained and checked for the signature of the above virus; if the signature is present, the application is treated as a virus.
However, to evade detection, the source code of a virus may be modified, producing a variant of the virus. Because the source code of the current virus has changed and is no longer identical to that of the original virus, detection on the current source code may give a result inconsistent with the actual situation, that is, the virus is not detected. The hit rate is low and the accuracy of virus detection is poor.
Summary of the invention
The embodiment of the invention provides a kind of method for detecting virus of application program, device, computer equipment and storages to be situated between
Matter is able to solve the poor problem of the accuracy of the viral diagnosis of application program.The technical solution is as follows:
On the one hand, a kind of method for detecting virus of application program is provided, this method comprises:
According to the viral diagnosis instruction to destination application, at least one function of obtaining the destination application is held
Row information, at least one described function execution information are used to record the destination application performed function in the process of running
Energy;
According at least one function execution information of the destination application, the function of the destination application is generated
Execute image;
Extract the characteristics of image that the function executes image;
When the similarity of described image feature and viral characteristics of image is greater than similarity threshold, by the target application journey
Sequence is labeled as virus
On the one hand, a kind of method for detecting virus of application program is provided, this method comprises:
According to the viral diagnosis instruction to destination application, simulator is called, the destination application is loaded onto
The simulator operation, wherein the simulator is used to simulate the running environment of an isolation;
The function execution information of the destination application in the process of running is obtained, at least one function is obtained and executes letter
Breath, at least one described function execution information are performed when the destination application is run in the simulator for recording
Function;
Viral diagnosis request is sent to server, the viral diagnosis request carries at least one described function and executes letter
Breath, the viral diagnosis request are used to indicate the server and detect to the destination application;
According to the viral diagnosis received as a result, carrying out viral prompt, the viral diagnosis result is based on described at least one
A function execution information obtains.
In one aspect, a virus detection apparatus for application programs is provided, the apparatus comprising:
an obtaining module, configured to obtain, according to a virus detection instruction for a target application, at least one piece of function execution information of the target application, the at least one piece of function execution information recording the functions performed by the target application while it runs;
a generation module, configured to generate a function execution image of the target application according to the at least one piece of function execution information of the target application;
an extraction module, configured to extract an image feature of the function execution image;
a determining module, configured to mark the target application as a virus when the similarity between the image feature and a virus image feature is greater than a similarity threshold.
In one aspect, a virus detection apparatus for application programs is provided, the apparatus comprising:
a calling module, configured to call a simulator according to a virus detection instruction for a target application and load the target application into the simulator to run, wherein the simulator is used to simulate an isolated running environment;
an obtaining module, configured to obtain the function execution information of the target application while it runs, to obtain at least one piece of function execution information, the at least one piece of function execution information recording the functions performed when the target application runs in the simulator;
a sending module, configured to send a virus detection request to a server, the virus detection request carrying the at least one piece of function execution information and instructing the server to detect the target application;
a prompt module, configured to give a virus prompt according to the received virus detection result, the virus detection result being obtained based on the at least one piece of function execution information.
In one aspect, a server is provided. The server includes a processor and a memory; the memory stores at least one instruction, and the at least one instruction is loaded and executed by the processor to implement the virus detection method for application programs according to any of the above.
In one aspect, a computer-readable storage medium is provided. The storage medium stores at least one instruction, and the at least one instruction is loaded and executed by a processor to implement the virus detection method for application programs according to any of the above.
The technical solution provided by the embodiments of the present invention has the following beneficial effects:
In the embodiments of the present invention, a virus in an application program exhibits certain specific function execution behavior. Even if the source code of the virus changes, the functions the virus executes generally do not change. The server therefore performs virus detection based on the function execution information of the application program, so that variants of a virus can also be detected, giving stronger generalization ability. In addition, features extracted from images are more reliable: the embodiments of the present invention generate a function execution image from the function execution information of the application program and compare the image feature of the application under test with the virus image feature, which can improve the accuracy of virus detection.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of another implementation environment provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of another implementation environment provided by an embodiment of the present invention;
Fig. 4 is a flowchart of a virus detection method for application programs provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of a function execution image provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of determining similarity provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of a virus detection system provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of the processing flow of a detection flow control submodule provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of the processing flow of a behavior fingerprint extraction submodule provided by an embodiment of the present invention;
Fig. 10 is a flowchart of a virus detection method for application programs provided by an embodiment of the present invention;
Fig. 11 is a schematic diagram of the processing flow of a virus library generation submodule provided by an embodiment of the present invention;
Fig. 12 is a schematic diagram of the processing flow of a similarity measurement submodule provided by an embodiment of the present invention;
Fig. 13 is a flowchart of a virus detection method for application programs provided by an embodiment of the present invention;
Fig. 14 is a flowchart of a virus detection method for application programs provided by an embodiment of the present invention;
Fig. 15 is a schematic diagram of a virus detection apparatus for application programs provided by an embodiment of the present invention;
Fig. 16 is a schematic diagram of a virus detection apparatus for application programs provided by an embodiment of the present invention;
Fig. 17 is a schematic structural diagram of a server provided by an embodiment of the present invention;
Fig. 18 is a structural block diagram of a terminal provided by an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions, and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
In the embodiments of the present invention, an application program executes various functions at run time, and the functions executed by each application program have their own characteristics. The functions executed by an application program can therefore be used to uniquely represent that application program. This one-to-one relationship between functions and application is analogous to the one-to-one relationship between fingerprint and person, so application programs can be distinguished by the characteristics of the functions they execute. In other words, the characteristics of the functions executed by an application program can serve as the fingerprint of that application program; for ease of understanding, these characteristics can be called the behavior fingerprint of the application program. For a virus, even if its source code changes, the functions the virus executes generally do not change; for example, a fee-deduction virus may still execute the function of automatically sending text messages. Therefore, if an application program is a virus, its function execution information will match the function execution characteristics of the corresponding virus type. Based on this idea, the embodiments of the present invention record the function execution of an application program and perform virus detection on the application program based on the recorded function execution, improving the accuracy of virus detection and avoiding missed detections and false detections caused by slight changes in the virus itself.
The embodiments of the present invention involve the function execution information of an application program. Function execution information is information that records the functions the application program executes at run time. It can be used to represent the function execution of the application program, for example, which function an application program executed and when.
Based on the above principles, the embodiments of the present invention can be carried out in a variety of implementation environments. For example, Fig. 1 is a diagram of an implementation environment for the virus detection method for application programs provided by an embodiment of the present invention. The implementation environment may include at least one user equipment 101 and a server 102 that provides services to the at least one user equipment 101.
The at least one user equipment 101 is connected to the server 102 through a wireless or wired network, and may be a computer device, a smart terminal, or the like that can access the server 102. An application client for virus detection may be installed on the user equipment 101, through which the user equipment interacts with the server 102 to obtain the virus detection service provided by the server 102. For example, the application client may be an application management client, which can provide not only a virus detection service but also services such as application information, application download, and application update.
The server 102 may maintain at least one virus library, and may be the background server of the above application client. Through the application client, the server 102 may also provide the user equipment with services such as application information, application download, and application update. The server 102 may also provide a publishing interface through which the user equipment publishes applications.
Specifically, with reference to the implementation environment shown in Fig. 1, the server can provide a virus detection service for any user equipment. That is, the user equipment can send a virus detection request to the server, and when the server receives the virus detection request sent by the user equipment, the virus detection process can be triggered. The virus detection request may carry the identifier of the target application to be detected, so that the server performs virus detection on the target application stored on the server; the virus detection request may also carry the target application itself, providing the target application to the server for virus detection. The server may also periodically perform virus detection on the application programs stored on the server, or trigger the virus detection process when it receives an application program newly published by any user equipment. The embodiments of the present invention do not limit how the virus detection process is triggered.
When performing virus detection on the target application, the server obtains the function execution information of the target application. In one possible implementation, a simulator is installed on the server to simulate the running environment of the user equipment. Correspondingly, the process by which the server obtains function execution information includes: the server calls the simulator, loads the target application into the simulator to run, records the function execution information of the target application while it runs, and obtains the at least one piece of function execution information recorded. Running the application program in the simulator prevents a virus from harming the server and improves the safety of virus detection.
The simulator may be a simulator of the Android system that can run Android application programs. The simulator may also be an iOS simulator, a Windows simulator, or the like, running the corresponding application programs; this is not limited here.
Function execution information may include the function identifier of the executed function and the function execution time. When the server runs the target application in the simulator, each time the target application executes a function in the simulator, the server records the function identifier and function execution time of that function and stores them as one piece of function execution information. The function identifier indicates the type of function and may be a numeric identifier, so that the types of function a virus may execute can be defined as fully as possible. For example, the range of function identifiers is [0, 255]; within this value range, function identifier 01 is defined as sending a text message, 02 as making a phone call, 03 as calling the voice recorder, 04 as a pop-up, 05 as calling the camera, and so on. The function execution time may be the trigger time of the function.
It should be noted that the at least one piece of function execution information recorded may be sorted by function execution time from earliest to latest, so the order of the function execution information indicates the order in which the functions were executed. For example, when the target application sends a text message, the function identifier 01 for sending a text message and the function execution time 10:30 are recorded as one piece of function execution information; when it calls the camera, the function identifier 05 for calling the camera and the function execution time 10:33 are recorded; when it calls the voice recorder, the function identifier 03 for calling the voice recorder and the function execution time 10:49 are recorded; and so on. After the target application has run for a period of time, the following function execution information is obtained:
01,10:30;
05,10:33;
03,10:49;
……
The above describes how function execution information is recorded and what is recorded. The server may obtain the function execution information in several ways, which are introduced separately below:
In the first way, the server records the function execution information of the target application within a first preset duration.
The server runs the target application in the simulator. Each time the target application executes a function in the simulator, the server records the function identifier and function execution time of that function and stores them as one piece of function execution information. After the first preset duration the server stops the run and stores the at least one piece of function execution information recorded. For example, the server may run the target application for 15 minutes and obtain the function execution information for those 15 minutes. Performing virus detection based on the functions the target application executes within a preset duration can ensure that the function execution information obtained covers all the functions of the target application, improving the accuracy of virus detection.
The above provides a recording mode in which the run duration equals the preset duration. In some embodiments the run duration may also be greater than the preset duration. That is, the server runs the target application in the simulator; each time the target application executes a function in the simulator, the server records the function identifier and function execution time of that function and stores them as one piece of function execution information; after a second preset duration the server stops the run, stores the at least one piece of function execution information recorded, and extracts from the stored function execution information the function execution information within the first preset duration. The embodiments of the present invention do not limit the starting point of the first preset duration. The starting point may be the start of the run or some later time point; for example, it may be a time point by which initialization of the target application is guaranteed to have completed. For example, the server may run the target application for 20 minutes and, when performing virus detection, obtain the function execution information for 15 of those minutes, which may be the first 15 minutes, the last 15 minutes, or any 15 minutes in between. The embodiments of the present invention do not limit this.
In the second way, the server obtains the function execution information recorded in the target run among multiple runs of the target application, the target run being the run in which the largest number of pieces of function execution information was recorded.
The server may run the target application multiple times and count the pieces of function execution information in each run, obtaining the number of pieces of function execution information for each run. It thereby determines the target run, that is, the run with the largest number of pieces of function execution information, and carries out the subsequent virus detection process based on the function execution information recorded in the target run. This option helps ensure that the function execution information obtained reflects the actual functions of the application program more accurately, improving the accuracy of virus detection.
The two options above can also be combined. That is, in each of the multiple runs the server obtains the function execution information recorded within the first preset duration, and then carries out the subsequent virus detection process based on the function execution information recorded in the target run among those runs.
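The recording, windowing and run-selection steps described above, as an added example that is not part of the patent text. The `ID,HH:MM;` record notation follows the listing in the description; the class and function names, the calendar date, run B, the shared window start and the tie-breaking rule (first run wins) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Function identifiers listed in the description (value range [0, 255]).
FUNCTION_NAMES = {1: "send text message", 2: "make phone call",
                  3: "call voice recorder", 4: "pop-up", 5: "call camera"}

# Constructed calendar date: the description gives clock times only.
DAY = datetime(2020, 1, 1)

# Run A is the listing from the description. Run B is constructed sample
# data, deliberately stored out of order to exercise the sorting step.
RUN_A = ["01,10:30;", "05,10:33;", "03,10:49;"]
RUN_B = ["01,10:40;", "04,10:31;", "02,10:44;", "01,10:32;", "05,10:50;"]


@dataclass(frozen=True)
class FunctionExecution:
    function_id: int       # type of function performed
    executed_at: datetime  # trigger time of the function


def parse_record(line, day=DAY):
    """Parse one 'ID,HH:MM;' record into a FunctionExecution."""
    ident, clock = line.strip().rstrip(";").split(",", 1)
    function_id = int(ident)
    if not 0 <= function_id <= 255:
        raise ValueError(f"function identifier out of range: {function_id}")
    hour, minute = (int(part) for part in clock.split(":"))
    return FunctionExecution(function_id, day.replace(hour=hour, minute=minute))


def order_by_time(records):
    """Sort records from earliest to latest execution time (stable sort)."""
    return sorted(records, key=lambda r: r.executed_at)


def within_window(records, start, duration):
    """First way: keep records inside the first preset duration [start, start + duration)."""
    end = start + duration
    return [r for r in order_by_time(records) if start <= r.executed_at < end]


def select_target_run(runs):
    """Second way: pick the run with the most records (assumption: first run wins a tie)."""
    if not runs:
        raise ValueError("no runs recorded")
    return max(runs, key=len)


def execution_sequence(records):
    """Function identifiers in execution order, the input to step 402."""
    return [r.function_id for r in order_by_time(records)]


def sequence_for_detection(raw_runs, start, duration):
    """Combined option: window every run, then use the target run."""
    runs = [[parse_record(line) for line in raw] for raw in raw_runs]
    windowed = [within_window(run, start, duration) for run in runs]
    return execution_sequence(select_target_run(windowed))


if __name__ == "__main__":
    start = DAY.replace(hour=10, minute=30)  # assumed start of the window
    seq = sequence_for_detection([RUN_A, RUN_B], start, timedelta(minutes=15))
    print([FUNCTION_NAMES.get(i, f"function {i}") for i in seq])
```

With a 15-minute window starting at 10:30, run A keeps two records and run B keeps four, so run B becomes the target run even though run A's full listing contains a function (03 at 10:49) that the window cuts off.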
The specific process of obtaining function execution information described above is based on the implementation environment shown in Fig. 1. The embodiments of the present invention also provide another implementation environment, shown in Fig. 2, which includes at least one user equipment 201 and a server 202. The user equipment 201 has the same functions as the user equipment 101 above, and can additionally run the target application to record the function execution information of the target application. After the user equipment 201 obtains the function execution information of the target application, it can send that function execution information to the server 202, and the server 202 performs virus detection based on the function execution information of the target application. In the implementation environment shown in Fig. 2, the virus detection method for application programs may be implemented by the server. The process by which the server obtains function execution information includes: the server receives at least one piece of function execution information of the target application recorded while it ran on another device. In one embodiment, the process specifically includes: the user equipment runs the target application, records at least one piece of function execution information of the target application while it runs, and sends a virus detection request to the server, the virus detection request carrying the at least one piece of function execution information of the target application; the server receives the virus detection request and extracts the at least one piece of function execution information of the target application from it. It should be noted that the process of obtaining at least one piece of function execution information of the target application on the user equipment is the same as the process by which the server obtains it, and is not repeated here. Further, when the server obtains a virus detection result through detection, it can send the virus detection result to the user equipment, and the user equipment, on receiving the virus detection result, can give a virus prompt based on it. For example, when the virus detection result indicates that the application program is a virus, the user equipment prompts that the application program is a virus; when the virus detection result indicates that the application program is not a virus, it prompts that the application program is not a virus; and when the virus detection result indicates that the application program is suspicious, it may also prompt that the application program carries risk and that running it is not recommended.
The embodiments above are described with the server implementing the virus detection method and outputting the virus detection result. The virus detection method can also be implemented by a virus detection application installed on the user equipment. Correspondingly, the virus detection application may be configured with a local virus database, through which offline virus detection can be performed on the application programs installed on the user equipment. To this end, the embodiments of the present invention also provide an implementation environment, shown in Fig. 3. The implementation environment may include at least one user equipment 301 and a server 302. A virus detection application may be installed on the user equipment 301, which also stores at least one virus library for virus detection. When running any application program, the user equipment 301 can record and store the function execution information of the run for subsequent virus detection. Optionally, the user equipment may not perform the above recording and storage at all times; instead, when virus detection of the target application is triggered on the user equipment 301, it records and stores the function execution information of the target application while it runs, and then detects whether the target application is a virus based on that function execution information. The user equipment can give a virus prompt based on the virus detection result. The virus prompt method is the same as the method provided in the embodiments above and is not repeated here.
In the implementation environment shown in Fig. 3, the virus detection method for application programs may be implemented by the virus detection application on the user equipment. The virus detection application may obtain function execution information as follows: the virus detection application obtains the at least one piece of function execution information of the target application that is stored locally.
It is introduced below with the virus detection procedure to an application program, as shown in figure 4, with based on shown in FIG. 1
Server in implementation environment be illustrated for viral diagnosis, and Fig. 4 is the viral diagnosis side of application program of the present invention
Method flow chart, the process flow of this method may include following step:
400. The user equipment sends the target application to the server.
401. After receiving the target application, the server obtains at least one piece of function execution information of the target application during its run.
For the step in which the server obtains the function execution information in step 401, refer to the acquisition process in the above embodiment; details are not repeated here.
Steps 400 to 401 above are described only for the case where the server performs virus detection after the user equipment publishes the target application to the server. In some embodiments, the user equipment may instead send only a virus detection request, which carries the target application or an identifier of the target application, to instruct the server to perform virus detection. Of course, in some embodiments the server may also initiate virus detection of any application on its own; the embodiments of the present invention do not limit this.
402. The server constructs a function execution sequence from the function identifiers in the at least one piece of function execution information, according to the function execution times in that information.
The function execution sequence may consist of function identifiers. Specifically, each piece of function execution information that the server obtains in step 401, generated by the target application under detection during its run, includes information such as a function identifier and a function execution time. The server may determine the ordering of the function identifiers according to the function execution times in the function execution information, and then arrange the function identifiers in that order to form the function execution sequence.
In one possible implementation, the server may arrange the function identifiers in chronological order. The specific processing of step 402 may be as follows: determine the function execution order of the at least one piece of function execution information based on the function execution times in it, and sort the function identifiers in the at least one piece of function execution information according to that execution order to obtain the function execution sequence.
When the server arranges the function execution information in chronological order, the ordering of the function execution information is the function execution order, and the server may form the corresponding function execution sequence from the function identifiers according to that order.
Specifically, there may be two methods of constructing the function execution sequence, introduced separately below:
First, when constructing the function execution sequence, the server may form the corresponding function execution sequence from the function identifiers according to the function execution order. For example, when the recorded function execution information is (01, 10:30; 05, 10:33; 03, 10:49; …), arranging the function identifiers according to the function execution information yields the decimal sequence (1, 5, 3, …), which may be the corresponding function execution sequence.
Second, when constructing the function execution sequence, the server may obtain the function execution times of every two adjacent pieces of function execution information and calculate the time interval between every two adjacent function identifiers. The server may then arrange the function identifiers according to the function execution order and insert the corresponding time-interval markers between adjacent function identifiers to obtain the corresponding function execution sequence. For example, the function execution sequence may be (1, 0, 0, 5, 0, 3, …), where "0" is the time-interval marker.
In implementation, processing may be based on either of the above methods of constructing the function execution sequence.
403. The server converts the function identifiers in the function execution sequence into pixels and generates the function execution image of the target application.
After obtaining the decimal function execution sequence in step 402, the server may convert it into a hexadecimal function execution sequence, that is, (01, 05, 03, …). The server may then convert the value of each function identifier into a pixel value, with each function identifier serving as one pixel, to form the function execution image. The range of the pixel value may be [0, 255].
Since the range of the function identifiers is set within [0, 255], each function identifier in the hexadecimal function execution sequence can be converted into one pixel value, and the function execution sequence is thereby converted into the corresponding function execution image, which may be a 1*n image. Of course, the function execution sequence may also be cut into multiple sequence segments, which are then spliced into a matrix of multiple rows and columns and converted into the function execution image in the manner described above; this is not limited here. For example, each function identifier of the function execution sequence may be converted into a corresponding gray value within [0, 255], in which case the resulting function execution image may be a grayscale image, as shown in the schematic diagram of a grayscale function execution image in Fig. 5. Alternatively, each function identifier of the function execution sequence may be converted by a conversion algorithm into pixel values of the three RGB channels, in which case the function execution image formed by the three RGB channels may be a color image.
For the first method of constructing the function execution sequence in step 402, the pixel value of each pixel of the function execution image generated by the server may indicate the type of function, the ordering of the pixels may be the function execution order of the multiple pieces of function execution information, and two adjacent pixels may indicate two functions executed consecutively. For example, the pixels of the function execution image may be (01, 05, 03, …).
For the second method of constructing the function execution sequence in step 402, similarly to the first method, the pixel values of the function execution image generated by the server may indicate a time-interval unit in addition to the type of function. For example, a pixel value of 00 may indicate one time-interval unit; for (01, 00, 00, 05, 00, 03, …) of the second form above, this may indicate that the trigger times of function 01 and function 05 are 2 time-interval units apart, that the trigger times of function 05 and function 03 are 1 time-interval unit apart, and so on.
The server may generate the function execution image of the target application from multiple pieces of function execution information of the target application; steps 402-403 are one possible implementation. Of course, the server may also use other methods to generate the function execution image of the target application from the at least one piece of function execution information. One such method of generating the function execution image is introduced below. In this method, the function execution sequence may be constructed as follows: arrange the at least one piece of function execution information based on a preset function execution information arrangement rule, and form the function execution sequence from the function identifiers in the arranged function execution information, in the order of the function execution information obtained after arrangement.
The preset function execution information arrangement rule may be descending order of execution count. In the at least one piece of function execution information obtained, the server may count the occurrences of each function identifier and sort the function identifiers in descending order of count. The more occurrences a function identifier has, the more times the target application executed that function. The server may then construct the function execution sequence according to the ordering of the function identifiers and the count of each function identifier. For example, if function 01 is executed 3 times, function 03 once, and function 05 twice, the resulting function execution sequence is (1, 1, 1, 5, 5, 3).
The function execution information arrangement rule may be configured according to actual needs; the embodiments of the present invention do not limit this.
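The three sequence-construction rules and the pixel conversion of steps 402-403 can be sketched as follows; this is an added example, not code from the patent. The function names, the constructed timestamps, the interval unit, the cap on markers, the tie-break and the padding value are all assumptions.

```python
from collections import Counter

INTERVAL_MARKER = 0  # the page uses "0" (pixel value 00) as the time-interval marker


def check_ids(records, lowest):
    """Each function identifier must fit into one pixel value."""
    for func_id, _ in records:
        if not lowest <= func_id <= 255:
            raise ValueError(f"function identifier {func_id} outside [{lowest}, 255]")


def sequence_by_time(records):
    """First method: function identifiers in order of execution time."""
    check_ids(records, lowest=0)
    return [fid for fid, _ in sorted(records, key=lambda r: r[1])]


def sequence_with_intervals(records, unit_seconds, max_markers=8):
    """Second method: identifiers in time order with interval markers between them.

    One marker is inserted per elapsed interval unit. The unit and the cap
    (so a long idle period cannot dominate the image) are assumptions;
    identifier 0 is rejected because it would collide with the marker.
    """
    check_ids(records, lowest=1)
    ordered = sorted(records, key=lambda r: r[1])
    seq = []
    for i, (fid, ts) in enumerate(ordered):
        if i > 0:
            gap_units = int((ts - ordered[i - 1][1]) // unit_seconds)
            seq.extend([INTERVAL_MARKER] * min(gap_units, max_markers))
        seq.append(fid)
    return seq


def sequence_by_frequency(records):
    """Alternative rule: identifiers in descending order of execution count."""
    check_ids(records, lowest=0)
    counts = Counter(fid for fid, _ in records)
    # Ties are broken on the identifier so the output is deterministic (assumption).
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [fid for fid, n in ranked for _ in range(n)]


def to_image(sequence, width=None, pad=0):
    """One grayscale pixel per sequence element: 1*n by default, else rows of `width`."""
    if width is None:
        return [list(sequence)]
    rows = [list(sequence[i:i + width]) for i in range(0, len(sequence), width)]
    if rows and len(rows[-1]) < width:
        rows[-1] += [pad] * (width - len(rows[-1]))  # padding value is an assumption
    return rows


def hex_pixels(row):
    """Render a pixel row the way the page writes it, e.g. ['01', '05', '03']."""
    return [f"{p:02x}" for p in row]


# Constructed sample records: (function identifier, seconds since the run started).
SAMPLE = [(5, 20), (1, 0), (3, 30)]
FREQ_SAMPLE = [(1, 0), (5, 1), (1, 2), (3, 3), (5, 4), (1, 5)]

if __name__ == "__main__":
    print(sequence_by_time(SAMPLE))
    print(sequence_with_intervals(SAMPLE, unit_seconds=10))
    print(sequence_by_frequency(FREQ_SAMPLE))
    print(to_image(sequence_with_intervals(SAMPLE, unit_seconds=10), width=4))
```

Reserving identifier 0 for the interval marker matters in practice: if a real function shared that value, a gap and a call would become indistinguishable in the image.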
404. The server extracts the image features of the function execution image of the target application.
The server may call an image feature extraction model to extract the image features of the function execution image generated in the above process. For example, the image feature extraction model may be one based on the SIFT algorithm, or one based on a machine learning algorithm, and so on; this is not limited here. Correspondingly, the extracted image features may be feature vectors or feature matrices, and the image features may include at least one feature vector or at least one feature matrix.
Taking an image feature extraction model based on the SIFT algorithm as an example, the extracted image features are introduced below:
The server calls the image feature extraction model based on the SIFT algorithm to perform feature extraction on the function execution image and may obtain at least one SIFT feature vector. A SIFT feature vector may consist of 64 floating-point numbers; the dimension of the SIFT feature vector is not limited here. The number of SIFT feature vectors corresponding to the function execution images of different applications may differ. In general, one group of SIFT feature vectors can be extracted from one function execution image. For example, the group may include 5 SIFT feature vectors, recorded as sample X: [0.1234, 0.154, …], [0.134, 0.5154, …], …, [0.1254, 0.4521, …].
After obtaining the image features corresponding to the target application, the server may calculate the similarity between the image features and the virus image features. Before this, the virus image features need to be extracted, as described below:
The server may obtain at least one virus sample of a known virus type, run each virus sample in the simulator, perform the processing of steps 201-204, and extract the virus image features using the same method as for the target application under detection; details are not repeated here.
Taking the above SIFT-based image feature extraction model as an example, the server may finally output at least one group of SIFT feature vectors corresponding to the virus samples. Optionally, when outputting a group of SIFT feature vectors, the server may add an identifier of the corresponding virus type to the group, in the format "virus type: SIFT feature vector group", for example, fraud class: [0.1234, 0.154, …], [0.134, 0.5154, …], …, [0.1254, 0.4521, …].
The server may then store the determined virus image features of the at least one virus type in the virus database. In subsequent use, if the virus image features of a new virus sample need to be added, they can be determined by the above method and the virus database updated; details are not repeated here.
405. The server traverses the virus image features of multiple virus types and, for each virus type traversed, obtains the similarity between the image features and the virus image features of that virus type.
The image features, or the virus image features of a virus type in the virus database, may include at least one feature vector or feature matrix.
In one possible implementation, the server may traverse all virus types in the virus database and determine the similarity between the virus image features of each virus type and the image features. For example, where the image features are feature matrices, the rank of the image features and the rank of the virus image features may be determined respectively, then the ratio of the rank of the image features to the rank of the virus image features may be determined, and that ratio taken as the similarity.
Taking feature vectors as an example, the specific processing of step 405 may be as follows: determine the vector distance between each target feature vector of the image features and each feature vector of the virus image features of the virus type, and take the number of vector distances smaller than the distance threshold as the similarity between the image features and the virus image features of the virus type.
For one target feature vector of the target application, the server may traverse the feature vectors of every virus type stored in the virus database and determine the vector distance for each. The server compares all target feature vectors of the target application with the feature vectors of all virus types stored in the virus database, which ensures the comprehensiveness of virus detection.
The server may calculate the distance between the image features and the virus image features based on a distance algorithm; the smaller the distance, the higher the similarity. For example, the distance algorithm may be the Euclidean distance algorithm, the Manhattan distance algorithm, and so on.
Taking the Euclidean distance algorithm as an example, for 64-dimensional SIFT feature vectors, if one SIFT feature vector of the image features is (x1, x2, ..., x64) and one SIFT feature vector of the virus image features is (y1, y2, ..., y64), the vector distance d can be calculated based on the following formula (1):
In the method provided by the embodiments of the present invention, the calculated vector distance may range between [0, 1], and the distance threshold may be set to 0.2. When the vector distance is less than 0.2, the two SIFT feature vectors are considered similar.
Where the image features, or the virus image features of a virus type, include only one feature vector or one feature matrix, the reciprocal of the vector distance may be used as the similarity and the reciprocal of the distance threshold as the similarity threshold. When the vector distance is less than the distance threshold, the similarity is greater than the similarity threshold.
Taking feature vectors as an example, since the image features may include multiple feature vectors, the number of feature vectors in the image features of the target application that are similar to the virus image features of a given virus type can be used to measure whether the image features of the target application and the virus image features of that virus type are similar. The more similar feature vectors there are, the more similar the image features. For example, in the schematic diagram of determining similarity shown in Fig. 6, the number of similar feature vectors between the target application under detection and virus type 1 in the virus database is Sim_1=1, with virus type 2 it is Sim_2=0, with virus type 3 it is Sim_3=4, and so on.
Of course, the server may also calculate the similarity between the image features and the virus image features based on a similarity algorithm; for example, the similarity algorithm may be the cosine similarity algorithm, the Jaccard similarity coefficient, and so on. The embodiments of the present invention do not limit the specific algorithm for determining similarity.
406. When the similarity between the image features and the virus image features is greater than the similarity threshold, the server marks the target application as a virus.
The server may judge whether any similarity determined in step 405 is greater than the similarity threshold. If any similarity is greater than the similarity threshold, the server may determine that the target application is a virus and then mark the target application. If no similarity is greater than the similarity threshold, it cannot be judged whether the target application is a virus, and the server may provisionally determine that the target application is safe. If a target application determined to be safe is in fact a virus, then in subsequent use it may be detected by other virus detection methods, or, once the virus image features corresponding to the target application have been added to the virus database, be detected by the virus detection method provided by the embodiments of the present invention when detection is performed again.
In one possible implementation, after determining in step 405 the similarity between the image features and each virus type, the server may obtain the maximum similarity and judge whether it is greater than the similarity threshold. If the maximum similarity is greater than the similarity threshold, the target application is a virus; if the maximum similarity is not greater than the similarity threshold, none of the remaining similarities is greater than the similarity threshold, and the target application can provisionally be determined to be safe. This avoids comparing every similarity with the similarity threshold and improves processing efficiency. In this case, if the maximum similarity is greater than the similarity threshold, the virus type of the virus image features corresponding to the maximum similarity may also be determined as the target virus type of the target application, which improves the accuracy of virus detection so that accurate countermeasures can be taken and security improved.
For example, the similarity threshold may be set to 3. After the similarity between the target application under detection and each virus type is determined in step 405, the maximum similarity Sim_3=4 can be obtained and compared with the similarity threshold 3. Since 4 > 3, the target application can be determined to be a virus.
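The counting similarity of step 405 and the maximum-similarity decision of step 406 can be sketched as follows; this is an added example, not code from the patent. The function names, the virus type labels and the 4-dimensional feature vectors (standing in for 64-dimensional SIFT vectors) are constructed; the thresholds 0.2 and 3 come from the page.

```python
import math

DISTANCE_THRESHOLD = 0.2   # from the page: vectors closer than 0.2 are similar
SIMILARITY_THRESHOLD = 3   # from the page's worked example


def similarity(target_vectors, virus_vectors, distance_threshold=DISTANCE_THRESHOLD):
    """Count the (target, virus) vector pairs whose Euclidean distance is below the threshold."""
    count = 0
    for t in target_vectors:
        for v in virus_vectors:
            if len(t) != len(v):
                raise ValueError("feature vectors must have the same dimension")
            if math.dist(t, v) < distance_threshold:
                count += 1
    return count


def classify(target_vectors, virus_db, similarity_threshold=SIMILARITY_THRESHOLD):
    """Traverse every virus type, keep the maximum similarity and compare it once.

    Returns (is_virus, virus_type, scores); virus_type is None when the
    target is not flagged, which the page treats as provisionally safe.
    """
    scores = {vtype: similarity(target_vectors, vecs) for vtype, vecs in virus_db.items()}
    if not scores:
        return False, None, scores
    best_type = max(scores, key=scores.get)
    if scores[best_type] > similarity_threshold:  # strictly greater, as on the page
        return True, best_type, scores
    return False, None, scores


# Constructed feature vectors of the target application (4-dimensional for brevity).
TARGET = [
    (0.10, 0.10, 0.10, 0.10),
    (0.50, 0.50, 0.50, 0.50),
    (0.90, 0.10, 0.90, 0.10),
]

# Constructed virus database, built to reproduce Sim_1=1, Sim_2=0, Sim_3=4.
VIRUS_DB = {
    "virus_type_1": [(0.12, 0.10, 0.10, 0.10), (0.00, 0.90, 0.00, 0.90)],
    "virus_type_2": [(0.00, 0.90, 0.00, 0.90), (0.30, 0.30, 0.30, 0.30)],
    "virus_type_3": [
        (0.10, 0.10, 0.10, 0.15),
        (0.50, 0.50, 0.55, 0.50),
        (0.90, 0.10, 0.90, 0.15),
        (0.55, 0.50, 0.50, 0.50),
    ],
}

if __name__ == "__main__":
    print(classify(TARGET, VIRUS_DB))
```

Because the score is a raw pair count, it grows with the number of vectors stored per virus type, so a fixed similarity threshold favors types with larger feature groups; that is worth checking when the database is updated.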
If the server provides the virus detection service for an application market, then when the target application is determined to be a virus, the server may refuse to publish the target application to the application market or remove the target application from the application market. If the server provides the virus detection service for other devices, the virus detection result may be sent to the device so that the user can decide whether to continue using the target application or uninstall it.
Illustratively, as shown in the schematic diagram of the virus detection system in Fig. 7, the virus detection system may consist of 4 submodules: a detection flow control submodule, a behavior fingerprint extraction submodule, a virus database generation submodule, and a similarity measurement submodule. The detection flow control submodule may call the other 3 submodules and may be used to implement the entire virus detection flow; the behavior fingerprint extraction submodule may be used to extract image features, the image features of a function execution image being the behavior fingerprint; the virus database generation submodule may call the behavior fingerprint extraction submodule, and the generated virus database may store the virus image features of at least one virus type; the similarity measurement submodule may be used to determine the similarity between the image features corresponding to the target application and the virus image features. The processing flow of the detection flow control submodule is shown in Fig. 8, the processing flow of the behavior fingerprint extraction submodule in Fig. 9, the flowchart of the virus detection method for an application in Fig. 10, the processing flow of the virus database generation submodule in Fig. 11, and the processing flow of the similarity measurement submodule in Fig. 12.
The process of step 401 may be implemented by the detection flow control submodule calling the behavior fingerprint extraction submodule; the processes of steps 402-404 may be implemented by the behavior fingerprint extraction submodule; the processing of generating the virus image features in step 404 may be implemented by the virus database generation submodule calling the behavior fingerprint extraction submodule; the process of step 405 may be implemented by the detection flow control submodule calling the similarity measurement submodule; and the process of step 406 may be implemented by the detection flow control submodule.
In the embodiments of the present invention, the virus of an application exhibits certain specific function execution behavior; even if the source code of the virus changes, the functions the virus executes generally do not change. Therefore, when the server performs virus detection based on the function execution information of the application, variant viruses can also be detected, giving stronger generalization ability. Moreover, features extracted from images are more reliable: the embodiments of the present invention generate the function execution image from the function execution information of the application and compare the image features corresponding to the application under detection with the virus image features, which can improve the accuracy of virus detection.
The virus detection procedure for an application is introduced below. As shown in Fig. 13, virus detection carried out through interaction between the server and the user equipment in the implementation environment shown in Fig. 2 is taken as an example. Fig. 13 is a flowchart of the virus detection method for an application according to the present invention; the processing flow of the method may include the following steps:
1300. The user equipment obtains, according to a virus detection instruction, at least one piece of function execution information of the target application during its run.
1301. The user equipment sends a virus detection request to the server; the virus detection request carries the at least one piece of function execution information of the target application during its run.
1302. After receiving the virus detection request, the server constructs a function execution sequence from the function identifiers in the at least one piece of function execution information, according to the function execution times in that information.
1303. The server converts the function identifiers in the function execution sequence into pixels and generates the function execution image of the target application.
1304. The server extracts the image features of the function execution image of the target application.
1305. The server traverses the virus image features of multiple virus types and, for each virus type traversed, obtains the similarity between the image features and the virus image features of that virus type.
1306. When the similarity between the image features and the virus image features is greater than the similarity threshold, the server marks the target application as a virus.
1307. The server sends the virus detection result to the user equipment.
1308. After receiving the virus detection result, the user equipment issues a virus prompt.
In the embodiments of the present invention, the virus of an application exhibits certain specific function execution behavior; even if the source code of the virus changes, the functions the virus executes generally do not change. Therefore, when the server performs virus detection based on the function execution information of the application, variant viruses can also be detected, giving stronger generalization ability. Moreover, features extracted from images are more reliable: the embodiments of the present invention generate the function execution image from the function execution information of the application and compare the image features corresponding to the application under detection with the virus image features, which can improve the accuracy of virus detection. Further, the user equipment sends the function execution information acquired during the run to the server for detection, which can reduce the processing pressure on the server.
The virus detection procedure for an application is introduced below. As shown in Fig. 14, virus detection carried out through interaction between the server and the user equipment in the implementation environment shown in Fig. 2 is taken as an example. Fig. 14 is a flowchart of the virus detection method for an application according to the present invention; the processing flow of the method may include the following steps:
1401. The user equipment obtains, according to a virus detection instruction, at least one piece of function execution information of the target application during its run.
1402. The user equipment constructs a function execution sequence from the function identifiers in the at least one piece of function execution information, according to the function execution times in that information.
1403. The user equipment converts the function identifiers in the function execution sequence into pixels and generates the function execution image of the target application.
1404. The user equipment extracts the image features of the function execution image of the target application.
1405. The user equipment traverses the virus image features of multiple virus types and, for each virus type traversed, obtains the similarity between the image features and the virus image features of that virus type.
1406. When the similarity between the image features and the virus image features is greater than the similarity threshold, the user equipment marks the target application as a virus.
1407. The user equipment issues a virus prompt according to the virus detection result.
In the embodiments of the present invention, the virus of an application exhibits certain specific function execution behavior; even if the source code of the virus changes, the functions the virus executes generally do not change. Therefore, when the server performs virus detection based on the function execution information of the application, variant viruses can also be detected, giving stronger generalization ability. Moreover, features extracted from images are more reliable: the embodiments of the present invention generate the function execution image from the function execution information of the application and compare the image features corresponding to the application under detection with the virus image features, which can improve the accuracy of virus detection. Further, the user equipment performs the above virus detection based on the local virus database, which ensures that virus detection can also be completed in offline scenarios.
Based on the same technical concept, an embodiment of the present invention further provides a virus detection apparatus for an application, which may be the above server. As shown in Fig. 15, the apparatus includes:
an acquisition module 1510, configured to obtain, according to a virus detection instruction for a target application, at least one piece of function execution information of the target application, the at least one piece of function execution information recording the functions performed by the target application during its run;
a generation module 1520, configured to generate the function execution image of the target application according to the at least one piece of function execution information of the target application;
an extraction module 1530, configured to extract the image features of the function execution image;
a determining module 1540, configured to mark the target application as a virus when the similarity between the image features and the virus image features is greater than the similarity threshold.
Optionally, the acquisition module 1510 is configured to:
call a simulator, load the target application into the simulator and run it, record the function execution information of the target application during its run, and obtain the at least one piece of recorded function execution information, where the simulator is used to simulate the running environment of the user equipment; or
receive at least one piece of function execution information recorded during the run of the target application on another device.
Optionally, the at least one piece of function execution information includes:
at least one piece of function execution information recorded by the target application during a run of a first preset duration; or
at least one piece of function execution information recorded in a target run among multiple runs of the target application, the target run being the run with the largest amount of recorded information among the multiple runs.
Optionally, each piece of function execution information includes a function identifier and a function execution time, and the generation module 1520 is configured to:
construct a function execution sequence from the function identifiers in the at least one piece of function execution information, according to the function execution times in that information, where the function execution sequence consists of the multiple function identifiers;
convert the function identifiers in the function execution sequence into pixels to generate the function execution image of the target application.
Optionally, the generation module 1520 is configured to:
determine the function execution order of the at least one piece of function execution information based on the function execution times in it, and sort the function identifiers in the at least one piece of function execution information according to the function execution order to obtain the function execution sequence.
Optionally, the generation module 1520 is configured to:
arrange the at least one piece of function execution information based on a preset function execution information arrangement rule, and form the function execution sequence from the function identifiers in the arranged function execution information, in the order of the function execution information obtained after arrangement.
Optionally, the determining module 1540 is configured to:
traverse the virus image features of multiple virus types and, each time the virus image feature of one virus type is traversed, obtain the similarity between the image feature and the virus image feature of that virus type;
when the maximum similarity is greater than the similarity threshold, mark the target application as a virus.
Optionally, the image feature includes multiple target feature vectors, and the virus image feature includes multiple feature vectors;
the determining module 1540 is configured to:
determine the vector distance between each target feature vector of the image feature and each feature vector of the virus image feature of the virus type, and take the number of vector distances that are less than a distance threshold as the similarity between the image feature and the virus image feature of the virus type.
Optionally, the determining module 1540 is further configured to:
determine the virus type of the virus image feature corresponding to the maximum similarity as the target virus type of the target application.
Regarding the device in the above embodiment, the specific manner in which each module performs its operations has been described in detail in the embodiments of the method, and is not elaborated here.
In the embodiments of the present invention, the virus of an application has certain specific function execution behaviors: even if the source code of the virus changes, the functions the virus executes generally do not. Because the server performs virus detection based on the function execution information of the application, deformed variants of a virus can also be detected, which gives the method stronger generalization ability. In addition, features extracted from images are more reliable; the embodiments of the present invention use the function execution information of the application to generate a function execution image and compare the image feature of the application under detection with virus image features, which can improve the accuracy of virus detection.
It should be noted that, when the virus detection device for an application provided by the above embodiment detects viruses, the division into the functional modules described above is only an example. In practical applications, the functions can be assigned to different functional modules as needed, that is, the internal structure of the server is divided into different functional modules to complete all or part of the functions described above. In addition, the virus detection device for an application provided by the above embodiment and the embodiments of the virus detection method for an application belong to the same concept; the specific implementation process is detailed in the method embodiments and is not repeated here.
Based on the same technical idea, an embodiment of the present invention also provides a virus detection device for an application, which may be the user equipment described above. As shown in Figure 16, the device includes:
Calling module 1610 calls simulator, by the mesh for instructing according to the viral diagnosis to destination application
Mark application program is loaded onto the simulator operation, wherein the simulator is used to simulate the running environment of an isolation;
Module 1620 is obtained to obtain for obtaining the function execution information of the destination application in the process of running
At least one function execution information, at least one described function execution information is for recording the destination application in the mould
Performed function when being run in quasi- device;
Sending module 1630, for sending viral diagnosis request to server, the viral diagnosis request carrying is described extremely
A few function execution information, the viral diagnosis request are used to indicate the server and examine to the destination application
It surveys;
Cue module 1640, the viral diagnosis received for basis is as a result, carry out viral prompt, the viral diagnosis knot
Fruit is based at least one described function execution information and obtains.
Optionally, the obtaining module 1620 is configured to:
obtain the function execution information of the target application during a run of a first preset duration;
or,
obtain the function execution information of the target application over multiple runs, and obtain the at least one piece of function execution information recorded in a target run among the multiple runs, the target run being the run, among the multiple runs, in which the largest amount of information was recorded.
It should be noted that, when the virus detection device for an application provided by the above embodiment detects viruses, the division into the functional modules described above is only an example. In practical applications, the functions can be assigned to different functional modules as needed, that is, the internal structure of the server is divided into different functional modules to complete all or part of the functions described above. In addition, the virus detection device for an application provided by the above embodiment and the embodiments of the virus detection method for an application belong to the same concept; the specific implementation process is detailed in the method embodiments and is not repeated here.
Figure 17 is a schematic structural diagram of a server provided by an embodiment of the present invention. The server 1700 may vary considerably depending on configuration or performance, and may include one or more processors (central processing units, CPU) 1701 and one or more memories 1702, wherein at least one instruction is stored in the memory 1702, and the at least one instruction is loaded and executed by the processor 1701 to implement the following steps of the virus detection method for an application:
according to a virus detection instruction for a target application, obtain at least one piece of function execution information of the target application, the at least one piece of function execution information being used to record the functions the target application executes during running;
according to the at least one piece of function execution information of the target application, generate the function execution image of the target application;
extract the image feature of the function execution image;
when the similarity between the image feature and a virus image feature is greater than a similarity threshold, mark the target application as a virus.
Optionally, the at least one instruction is loaded and executed by the processor 1701 to implement the following method steps:
call a simulator, load the target application into the simulator to run, and record the function execution information of the target application during running, to obtain multiple recorded pieces of function execution information, wherein the simulator is used to simulate the running environment of the user equipment; or
receive at least one piece of function execution information that the target application recorded while running on another device.
Optionally, each piece of function execution information includes a function identifier and a function execution time, and the at least one instruction is loaded and executed by the processor 1701 to implement the following method steps:
construct a function execution sequence from the function identifiers in the at least one piece of function execution information, according to the function execution times in that information, wherein the function execution sequence consists of the function identifiers, and the order of the function identifiers in the function execution sequence is the function execution order;
convert the function identifiers in the function execution sequence into pixels to generate the function execution image of the target application.
Optionally, the at least one instruction is loaded and executed by the processor 1701 to implement the following method steps:
determine the function execution order of the at least one piece of function execution information based on the function execution times in that information, and sort the function identifiers in the at least one piece of function execution information according to the function execution order to obtain the function execution sequence.
Optionally, the at least one instruction is loaded and executed by the processor 1701 to implement the following method steps:
arrange the at least one piece of function execution information based on a preset arrangement rule for function execution information, and form the function execution sequence from the function identifiers in the arranged function execution information, in the order of the function execution information obtained after arrangement.
Optionally, the virus image feature includes the virus image feature of at least one virus type;
the at least one instruction is loaded and executed by the processor 1701 to implement the following method steps:
traverse the virus image features of multiple virus types and, each time the virus image feature of one virus type is traversed, obtain the similarity between the image feature and the virus image feature of that virus type;
when the maximum similarity is greater than the similarity threshold, mark the target application as a virus.
Optionally, the image feature includes multiple target feature vectors, and the virus image feature includes multiple feature vectors;
the at least one instruction is loaded and executed by the processor 1701 to implement the following method steps:
determine the vector distance between each target feature vector of the image feature and each feature vector of the virus image feature of the virus type, and take the number of vector distances that are less than a distance threshold as the similarity between the image feature and the virus image feature of the virus type.
Optionally, the at least one instruction is loaded and executed by the processor 1701 to implement the following method steps:
determine the virus type of the virus image feature corresponding to the maximum similarity as the target virus type of the target application.
In the embodiments of the present invention, the virus of an application has certain specific function execution behaviors: even if the source code of the virus changes, the functions the virus executes generally do not. Because the server performs virus detection based on the function execution information of the application, deformed variants of a virus can also be detected, which gives the method stronger generalization ability. In addition, features extracted from images are more reliable; the embodiments of the present invention use the function execution information of the application to generate a function execution image and compare the image feature of the application under detection with virus image features, which can improve the accuracy of virus detection.
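The server-side steps above, and the matching generation module 1520 and determining module 1540 operations, can be traced end to end in the following sketch. It is an added illustration, not code from the patent: the function catalog, the pixel mapping, the sliding-window feature extractor, the thresholds and all sample records are assumptions constructed for the example.

```python
import math

# Hypothetical catalog of function identifiers a simulator could log (constructed).
FUNCTION_CATALOG = ["draw_ui", "read_contacts", "open_socket", "send_sms",
                    "delete_sms", "read_file", "write_file", "get_location"]
# Assumption: one fixed grayscale value per identifier; 0 is padding, 255 is "unknown".
PIXEL_OF = {name: (i + 1) * 30 for i, name in enumerate(FUNCTION_CATALOG)}
PAD, UNKNOWN = 0, 255


def build_sequence(records):
    """Sort (function_id, execution_time) records by time; keep only the identifiers."""
    return [fid for fid, _ in sorted(records, key=lambda r: r[1])]


def sequence_to_image(sequence, width=4):
    """One pixel per function identifier, laid out row-major; last row is zero-padded."""
    pixels = [PIXEL_OF.get(fid, UNKNOWN) for fid in sequence]
    pixels += [PAD] * (-len(pixels) % width)
    return [pixels[i:i + width] for i in range(0, len(pixels), width)]


def extract_features(image, window=3):
    """Stand-in extractor (assumption): every run of `window` consecutive pixels in
    row-major order, skipping runs that touch padding so padding never matches."""
    flat = [p for row in image for p in row]
    runs = (tuple(flat[i:i + window]) for i in range(len(flat) - window + 1))
    return [r for r in runs if PAD not in r]


def similarity(target_feats, virus_feats, dist_threshold):
    """Similarity as described above: the number of (target, virus) feature-vector
    pairs whose Euclidean distance is below the distance threshold."""
    return sum(1 for t in target_feats for v in virus_feats
               if math.dist(t, v) < dist_threshold)


def signature_from(sequence):
    """Build a virus image feature from a known-malicious function sequence."""
    return extract_features(sequence_to_image(sequence))


def classify(records, signatures, dist_threshold=1.0, sim_threshold=2):
    """Traverse every virus type, keep the maximum similarity, and flag the app only
    when that maximum exceeds the similarity threshold.
    Returns (is_virus, target_virus_type_or_None, max_similarity)."""
    feats = extract_features(sequence_to_image(build_sequence(records)))
    best_type, best_sim = None, -1
    for vtype, virus_feats in signatures.items():
        sim = similarity(feats, virus_feats, dist_threshold)
        if sim > best_sim:
            best_type, best_sim = vtype, sim
    is_virus = best_sim > sim_threshold
    return is_virus, (best_type if is_virus else None), best_sim


# Constructed virus image features for two hypothetical virus types.
SIGNATURES = {
    "sms_trojan": signature_from(["read_contacts", "open_socket", "send_sms",
                                  "delete_sms", "read_contacts", "send_sms",
                                  "delete_sms"]),
    "location_spy": signature_from(["get_location", "open_socket", "write_file",
                                    "get_location", "open_socket", "write_file"]),
}

# Constructed trace of a variant: same behaviour with UI calls inserted, and the
# records arrive out of order, so they must be sorted by execution time first.
VARIANT_RECORDS = [("send_sms", 3.0), ("draw_ui", 0.0), ("delete_sms", 4.0),
                   ("read_contacts", 1.0), ("open_socket", 2.0), ("draw_ui", 5.0),
                   ("delete_sms", 8.0), ("read_contacts", 6.0), ("send_sms", 7.0)]
# Constructed benign traces: no overlap, and a small overlap below the threshold.
BENIGN_RECORDS = [("draw_ui", 0.0), ("read_file", 1.0), ("draw_ui", 2.0),
                  ("write_file", 3.0), ("draw_ui", 4.0), ("get_location", 5.0),
                  ("draw_ui", 6.0)]
MESSENGER_RECORDS = [("read_contacts", 0.0), ("open_socket", 1.0),
                     ("send_sms", 2.0), ("draw_ui", 3.0)]

if __name__ == "__main__":
    for name, recs in [("variant", VARIANT_RECORDS), ("benign", BENIGN_RECORDS),
                       ("messenger", MESSENGER_RECORDS)]:
        print(name, classify(recs, SIGNATURES))
```

The messenger trace shares one feature vector with the sms_trojan signature yet stays below the similarity threshold, which is the false-positive trade-off the threshold controls.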
Figure 18 is a structural block diagram of a terminal provided by an embodiment of the present invention. The terminal 1800 may be a smart phone, a tablet computer, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a laptop or a desktop computer. The terminal 1800 may also be called user equipment, a portable terminal, a laptop terminal, a desktop terminal, or other names.
In general, terminal 1800 includes: processor 1801 and memory 1802.
Processor 1801 may include one or more processing cores, for example a 4-core processor or an 8-core processor. Processor 1801 may be implemented in at least one of the hardware forms DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array) and PLA (Programmable Logic Array). Processor 1801 may also include a main processor and a coprocessor: the main processor, also called the CPU (Central Processing Unit), processes data in the awake state; the coprocessor is a low-power processor that processes data in the standby state. In some embodiments, processor 1801 may integrate a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content the display screen needs to show. In some embodiments, processor 1801 may also include an AI (Artificial Intelligence) processor, which handles computation related to machine learning.
Memory 1802 may include one or more computer-readable storage media, which may be non-transitory. Memory 1802 may also include high-speed random access memory and non-volatile memory, such as one or more disk storage devices or flash storage devices. In some embodiments, the non-transitory computer-readable storage medium in memory 1802 stores at least one instruction, which is executed by processor 1801 to implement the virus detection method for an application provided by the method embodiments of this application.
In some embodiments, terminal 1800 optionally further includes a peripheral device interface 1803 and at least one peripheral device. Processor 1801, memory 1802 and peripheral device interface 1803 may be connected by a bus or signal line. Each peripheral device may be connected to peripheral device interface 1803 by a bus, signal line or circuit board. Specifically, the peripheral devices include at least one of radio frequency circuit 1804, touch display screen 1805, camera 1806, audio circuit 1807, positioning component 1808 and power supply 1809.
Peripheral device interface 1803 may be used to connect at least one I/O (Input/Output) related peripheral device to processor 1801 and memory 1802. In some embodiments, processor 1801, memory 1802 and peripheral device interface 1803 are integrated on the same chip or circuit board; in some other embodiments, any one or two of processor 1801, memory 1802 and peripheral device interface 1803 may be implemented on a separate chip or circuit board, which is not limited in this embodiment.
Radio frequency circuit 1804 is used to receive and transmit RF (Radio Frequency) signals, also called electromagnetic signals. Radio frequency circuit 1804 communicates with communication networks and other communication devices through electromagnetic signals. Radio frequency circuit 1804 converts electrical signals into electromagnetic signals for transmission, or converts received electromagnetic signals into electrical signals. Optionally, radio frequency circuit 1804 includes an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so on. Radio frequency circuit 1804 can communicate with other terminals through at least one wireless communication protocol. The wireless communication protocols include but are not limited to: metropolitan area networks, mobile communication networks of each generation (2G, 3G, 4G and 5G), wireless local area networks and/or WiFi (Wireless Fidelity) networks. In some embodiments, radio frequency circuit 1804 may also include NFC (Near Field Communication) related circuits, which is not limited in this application.
Display screen 1805 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When display screen 1805 is a touch display screen, it also has the ability to acquire touch signals on or above its surface. The touch signal may be input to processor 1801 as a control signal for processing. In this case, display screen 1805 may also be used to provide virtual buttons and/or a virtual keyboard, also called soft buttons and/or a soft keyboard. In some embodiments, there may be one display screen 1805, arranged on the front panel of terminal 1800; in other embodiments, there may be at least two display screens 1805, arranged on different surfaces of terminal 1800 or in a folded design; in still other embodiments, display screen 1805 may be a flexible display screen arranged on a curved surface or a folding surface of terminal 1800. Display screen 1805 may even be set to a non-rectangular irregular shape, that is, a special-shaped screen. Display screen 1805 may be made of materials such as LCD (Liquid Crystal Display) or OLED (Organic Light-Emitting Diode).
Camera assembly 1806 is used to capture images or video. Optionally, camera assembly 1806 includes a front camera and a rear camera. Generally, the front camera is arranged on the front panel of the terminal and the rear camera is arranged on the back of the terminal. In some embodiments, there are at least two rear cameras, each being any one of a main camera, a depth-of-field camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth-of-field camera are fused to realize a background blurring function, and the main camera and the wide-angle camera are fused to realize panoramic shooting and VR (Virtual Reality) shooting or other fused shooting functions. In some embodiments, camera assembly 1806 may also include a flash. The flash may be a single-color-temperature flash or a dual-color-temperature flash. A dual-color-temperature flash is a combination of a warm-light flash and a cold-light flash, and can be used for light compensation under different color temperatures.
Audio circuit 1807 may include a microphone and a loudspeaker. The microphone is used to capture sound waves from the user and the environment, convert them into electrical signals, and input them to processor 1801 for processing or to radio frequency circuit 1804 for voice communication. For stereo capture or noise reduction, there may be multiple microphones, arranged at different parts of terminal 1800. The microphone may also be an array microphone or an omnidirectional microphone. The loudspeaker is used to convert electrical signals from processor 1801 or radio frequency circuit 1804 into sound waves. The loudspeaker may be a traditional diaphragm loudspeaker or a piezoelectric ceramic loudspeaker. When the loudspeaker is a piezoelectric ceramic loudspeaker, it can convert electrical signals not only into sound waves audible to humans but also into sound waves inaudible to humans, for purposes such as ranging. In some embodiments, audio circuit 1807 may also include a headphone jack.
Positioning component 1808 is used to locate the current geographic position of terminal 1800 to implement navigation or LBS (Location Based Service). Positioning component 1808 may be a positioning component based on the GPS (Global Positioning System) of the United States, the BeiDou system of China, the GLONASS system of Russia, or the Galileo system of the European Union.
Power supply 1809 is used to supply power to the components in terminal 1800. Power supply 1809 may be alternating current, direct current, a disposable battery or a rechargeable battery. When power supply 1809 includes a rechargeable battery, the rechargeable battery may support wired charging or wireless charging. The rechargeable battery may also support fast charging technology.
In some embodiments, terminal 1800 further includes one or more sensors 1810. The one or more sensors 1810 include but are not limited to: acceleration sensor 1811, gyroscope sensor 1812, pressure sensor 1813, fingerprint sensor 1814, optical sensor 1815 and proximity sensor 1816.
Acceleration sensor 1811 can detect the magnitude of acceleration on the three coordinate axes of the coordinate system established with terminal 1800. For example, acceleration sensor 1811 can be used to detect the components of gravitational acceleration on the three coordinate axes. Processor 1801 can control touch display screen 1805 to display the user interface in landscape or portrait view according to the gravitational acceleration signal collected by acceleration sensor 1811. Acceleration sensor 1811 can also be used to collect game or user motion data.
Gyroscope sensor 1812 can detect the body orientation and rotation angle of terminal 1800, and can cooperate with acceleration sensor 1811 to capture the user's 3D actions on terminal 1800. Based on the data collected by gyroscope sensor 1812, processor 1801 can implement the following functions: motion sensing (for example, changing the UI according to the user's tilt operation), image stabilization during shooting, game control and inertial navigation.
Pressure sensor 1813 may be arranged on the side frame of terminal 1800 and/or under touch display screen 1805. When pressure sensor 1813 is arranged on the side frame of terminal 1800, it can detect the user's grip signal on terminal 1800, and processor 1801 performs left/right hand recognition or shortcut operations according to the grip signal collected by pressure sensor 1813. When pressure sensor 1813 is arranged under touch display screen 1805, processor 1801 controls the operable controls on the UI according to the user's pressure operation on touch display screen 1805. The operable controls include at least one of a button control, a scroll bar control, an icon control and a menu control.
Fingerprint sensor 1814 is used to collect the user's fingerprint; either processor 1801 identifies the user according to the fingerprint collected by fingerprint sensor 1814, or fingerprint sensor 1814 identifies the user according to the collected fingerprint. When the user's identity is recognized as a trusted identity, processor 1801 authorizes the user to perform relevant sensitive operations, which include unlocking the screen, viewing encrypted information, downloading software, making payments, changing settings, and so on. Fingerprint sensor 1814 may be arranged on the front, back or side of terminal 1800. When a physical button or a manufacturer logo is provided on terminal 1800, fingerprint sensor 1814 may be integrated with the physical button or the manufacturer logo.
Optical sensor 1815 is used to collect ambient light intensity. In one embodiment, processor 1801 can control the display brightness of touch display screen 1805 according to the ambient light intensity collected by optical sensor 1815. Specifically, when the ambient light intensity is high, the display brightness of touch display screen 1805 is turned up; when the ambient light intensity is low, the display brightness of touch display screen 1805 is turned down. In another embodiment, processor 1801 can also dynamically adjust the shooting parameters of camera assembly 1806 according to the ambient light intensity collected by optical sensor 1815.
Proximity sensor 1816, also called a distance sensor, is generally arranged on the front panel of terminal 1800. Proximity sensor 1816 is used to measure the distance between the user and the front of terminal 1800. In one embodiment, when proximity sensor 1816 detects that the distance between the user and the front of terminal 1800 is gradually decreasing, processor 1801 controls touch display screen 1805 to switch from the screen-on state to the screen-off state; when proximity sensor 1816 detects that the distance between the user and the front of terminal 1800 is gradually increasing, processor 1801 controls touch display screen 1805 to switch from the screen-off state to the screen-on state.
Those skilled in the art will understand that the structure shown in Figure 18 does not limit terminal 1800, which may include more or fewer components than illustrated, combine certain components, or use a different component arrangement.
In an exemplary embodiment, a computer-readable storage medium is also provided, for example a memory including instructions, and the instructions can be executed by a processor in a device to complete the virus detection method for an application described above. For example, the computer-readable storage medium may be a ROM, a random access memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and so on.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be completed by hardware, or by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
The above are only preferred embodiments of the present invention and are not intended to limit the invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.
Claims (15)
1. A virus detection method for an application, characterized in that the method comprises:
obtaining, according to a virus detection instruction for a target application, at least one piece of function execution information of the target application, the at least one piece of function execution information being used to record the functions the target application executes during running;
generating the function execution image of the target application according to the at least one piece of function execution information of the target application;
extracting the image feature of the function execution image;
when the similarity between the image feature and a virus image feature is greater than a similarity threshold, marking the target application as a virus.
2. The method according to claim 1, characterized in that said obtaining at least one piece of function execution information of the target application comprises:
calling a simulator, loading the target application into the simulator to run, and recording the function execution information of the target application during running, to obtain at least one recorded piece of function execution information, wherein the simulator is used to simulate the running environment of the user equipment; or
receiving at least one piece of function execution information that the target application recorded while running on another device.
3. The method according to claim 1, characterized in that the at least one piece of function execution information comprises:
at least one piece of function execution information that the target application recorded during a run of a first preset duration;
or,
at least one piece of function execution information recorded in a target run among multiple runs of the target application, the target run being the run, among the multiple runs, in which the largest amount of information was recorded.
4. The method according to claim 1, characterized in that each piece of function execution information includes a function identifier and a function execution time, and said generating the function execution image of the target application according to the at least one piece of function execution information of the target application comprises:
constructing a function execution sequence from the function identifiers in the at least one piece of function execution information, according to the function execution times in that information, wherein the function execution sequence consists of the function identifiers;
converting the function identifiers in the function execution sequence into pixels to generate the function execution image of the target application.
5. The method according to claim 4, characterized in that said constructing a function execution sequence from the function identifiers in the at least one piece of function execution information, according to the function execution times in that information, comprises:
determining the function execution order of the at least one piece of function execution information based on the function execution times in that information;
sorting the function identifiers in the at least one piece of function execution information according to the function execution order to obtain the function execution sequence.
6. The method according to claim 1, characterized in that each piece of function execution information includes a function identifier and a function execution time, and said generating the function execution image of the target application according to the at least one piece of function execution information of the target application comprises:
arranging the at least one piece of function execution information based on a preset arrangement rule for function execution information, and forming the function execution sequence from the function identifiers in the arranged function execution information, in the order of the function execution information obtained after arrangement.
7. the method according to claim 1, wherein the phase for working as described image feature and viral characteristics of image
When being greater than similarity threshold like degree, determine the destination application for virus, comprising:
Traverse the viral characteristics of image of a variety of Virus Types, the viral characteristics of image of one Virus Type of every traversal, described in acquisition
The similarity of the viral characteristics of image of characteristics of image and the Virus Type;
When similarity maximum value is greater than similarity threshold, by the destination application labeled as virus.
8. The method according to claim 7, wherein the image feature includes multiple target feature vectors and the virus image feature includes multiple feature vectors;
the obtaining of the similarity between the image feature and the virus image feature of the virus type comprises:
determining the vector distance between each target feature vector of the image feature and each feature vector of the virus image feature of the virus type, and determining the number of vector distances that are less than a distance threshold as the similarity between the image feature and the virus image feature of the virus type.
9. The method according to claim 7, wherein the method further comprises:
determining the virus type of the virus image feature corresponding to the maximum similarity as the target virus type of the target application.
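The matching step of claims 7 to 9, as an added example that is not part of the patent text. The Euclidean metric, the feature vectors, the virus-type names and both thresholds are constructed assumptions; the claims only speak of a "vector distance", a "distance threshold" and a "similarity threshold".

```python
import math
from typing import Dict, List, Optional, Sequence, Tuple

Vector = Sequence[float]


def vector_distance(a: Vector, b: Vector) -> float:
    """Euclidean distance (assumed metric; the claims do not name one)."""
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same dimension")
    return math.dist(a, b)


def similarity(target: List[Vector], virus: List[Vector],
               distance_threshold: float) -> int:
    """Claim 8: similarity is the number of (target vector, virus vector)
    pairs whose distance is below the distance threshold."""
    return sum(1 for t in target for v in virus
               if vector_distance(t, v) < distance_threshold)


def classify(target: List[Vector], virus_db: Dict[str, List[Vector]],
             distance_threshold: float,
             similarity_threshold: int) -> Tuple[bool, Optional[str], int]:
    """Claims 7 and 9: traverse every virus type, keep the maximum
    similarity, and flag the application only if that maximum is strictly
    greater than the similarity threshold. The flagged type is the one
    that produced the maximum (first one traversed wins a tie)."""
    best_type, best_sim = None, -1
    for virus_type, features in virus_db.items():
        s = similarity(target, features, distance_threshold)
        if s > best_sim:
            best_type, best_sim = virus_type, s
    if best_sim > similarity_threshold:
        return True, best_type, best_sim
    # Not flagged: report no type; an empty database yields similarity 0.
    return False, None, max(best_sim, 0)


# Constructed sample data: 2-D vectors standing in for image features.
VIRUS_DB = {
    "type_a": [(0.10, 0.90), (0.80, 0.20), (0.50, 0.50)],
    "type_b": [(0.95, 0.95), (0.05, 0.05)],
}
TARGET = [(0.12, 0.88), (0.79, 0.22), (0.00, 0.00)]

if __name__ == "__main__":
    print(classify(TARGET, VIRUS_DB, distance_threshold=0.1,
                   similarity_threshold=1))
```

Because the similarity is a raw pair count, it grows with the number of vectors on either side, so a similarity threshold tuned for one feature-set size does not transfer to another without recalibration.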
10. A virus detection method for an application, wherein the method comprises:
calling a simulator according to a virus detection instruction for a target application, and loading the target application into the simulator to run, wherein the simulator is used to simulate an isolated running environment;
obtaining function execution information of the target application while it runs, to obtain at least one piece of function execution information, the at least one piece of function execution information recording the functions executed when the target application runs in the simulator;
sending a virus detection request to a server, the virus detection request carrying the at least one piece of function execution information and instructing the server to detect the target application;
giving a virus prompt according to the received virus detection result, the virus detection result being obtained based on the at least one piece of function execution information.
11. The method according to claim 10, wherein the obtaining of the function execution information of the target application while it runs comprises:
obtaining function execution information of the target application during a run of a first preset duration;
or,
obtaining function execution information of the target application over multiple runs, and obtaining the at least one piece of function execution information recorded in a target run among the multiple runs, the target run being the run in which the largest amount of information was recorded.
12. A virus detection apparatus for an application, wherein the apparatus comprises:
an obtaining module, configured to obtain, according to a virus detection instruction for a target application, at least one piece of function execution information of the target application, the at least one piece of function execution information recording the functions executed by the target application while it runs;
a generation module, configured to generate a function execution image of the target application according to the at least one piece of function execution information of the target application;
an extraction module, configured to extract an image feature of the function execution image;
a determining module, configured to mark the target application as a virus when the similarity between the image feature and a virus image feature is greater than a similarity threshold.
13. A virus detection apparatus for an application, wherein the apparatus comprises:
a calling module, configured to call a simulator according to a virus detection instruction for a target application and load the target application into the simulator to run, wherein the simulator is used to simulate an isolated running environment;
an obtaining module, configured to obtain function execution information of the target application while it runs, to obtain at least one piece of function execution information, the at least one piece of function execution information recording the functions executed when the target application runs in the simulator;
a sending module, configured to send a virus detection request to a server, the virus detection request carrying the at least one piece of function execution information and instructing the server to detect the target application;
a prompt module, configured to give a virus prompt according to the received virus detection result, the virus detection result being obtained based on the at least one piece of function execution information.
14. A computer device, wherein the computer device comprises a processor and a memory, the memory storing at least one instruction, the at least one instruction being loaded and executed by the processor to implement the virus detection method for an application according to any one of claims 1 to 9, or the virus detection method for an application according to any one of claims 10 to 11.
15. A computer-readable storage medium, wherein the storage medium stores at least one instruction, the at least one instruction being loaded and executed by a processor to implement the virus detection method for an application according to any one of claims 1 to 9, or the virus detection method for an application according to any one of claims 10 to 11.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811042877.1A CN109117635B (en) | 2018-09-06 | 2018-09-06 | Virus detection method and device for application program, computer equipment and storage medium |
PCT/CN2019/103600 WO2020048392A1 (en) | 2018-09-06 | 2019-08-30 | Application virus detection method, apparatus, computer device, and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811042877.1A CN109117635B (en) | 2018-09-06 | 2018-09-06 | Virus detection method and device for application program, computer equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109117635A (en) | 2019-01-01 |
CN109117635B (en) | 2023-07-04 |
Family ID=64858175
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811042877.1A Active CN109117635B (en) | 2018-09-06 | 2018-09-06 | Virus detection method and device for application program, computer equipment and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109117635B (en) |
WO (1) | WO2020048392A1 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110502900A (en) * | 2019-08-26 | 2019-11-26 | Oppo广东移动通信有限公司 | A kind of detection method, terminal, server and computer storage medium |
WO2020048392A1 (en) * | 2018-09-06 | 2020-03-12 | 腾讯科技(深圳)有限公司 | Application virus detection method, apparatus, computer device, and storage medium |
CN112487428A (en) * | 2020-11-26 | 2021-03-12 | 南方电网数字电网研究院有限公司 | Dormant combined computer virus discovery method based on block chain |
CN112597499A (en) * | 2020-12-30 | 2021-04-02 | 北京启明星辰信息安全技术有限公司 | Nondestructive safety inspection method and system for video monitoring equipment |
CN112668649A (en) * | 2020-12-29 | 2021-04-16 | 中国南方电网有限责任公司 | Reliability verification method, device and system based on computer forensics |
CN115033895A (en) * | 2022-08-12 | 2022-09-09 | 中国电子科技集团公司第三十研究所 | Binary program supply chain safety detection method and device |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116956295B (en) * | 2023-09-19 | 2024-01-05 | 杭州海康威视数字技术股份有限公司 | Safety detection method, device and equipment based on file map fitting |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060161984A1 (en) * | 2005-01-14 | 2006-07-20 | Microsoft Corporation | Method and system for virus detection using pattern matching techniques |
JP2010097550A (en) * | 2008-10-20 | 2010-04-30 | Intelligent Software:Kk | Virus prevention program, storage device detachable from computer, and virus prevention method |
US20110032567A1 (en) * | 2009-08-06 | 2011-02-10 | Tetsuya Ishida | Job processing system and image processing apparatus |
US8806644B1 (en) * | 2012-05-25 | 2014-08-12 | Symantec Corporation | Using expectation measures to identify relevant application analysis results |
CN104572821A (en) * | 2014-12-03 | 2015-04-29 | 深圳市腾讯计算机系统有限公司 | Method and device for processing files |
JP2015191458A (en) * | 2014-03-28 | 2015-11-02 | エヌ・ティ・ティ・ソフトウェア株式会社 | File risk determination device, file risk determination method, and program |
CN106960153A (en) * | 2016-01-12 | 2017-07-18 | 阿里巴巴集团控股有限公司 | The kind identification method and device of virus |
CN107657175A (en) * | 2017-09-15 | 2018-02-02 | 北京理工大学 | A kind of homologous detection method of malice sample based on image feature descriptor |
CN108268778A (en) * | 2018-02-26 | 2018-07-10 | 腾讯科技(深圳)有限公司 | Data processing method, device and storage medium |
CN108334781A (en) * | 2018-03-07 | 2018-07-27 | 腾讯科技(深圳)有限公司 | Method for detecting virus, device, computer readable storage medium and computer equipment |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103699843A (en) * | 2013-12-30 | 2014-04-02 | 珠海市君天电子科技有限公司 | Malicious activity detection method and device |
CN105653956B (en) * | 2016-03-02 | 2019-01-25 | 中国科学院信息工程研究所 | Android malware classification method based on dynamic behaviour dependency graph |
CN106096411B (en) * | 2016-06-08 | 2018-09-18 | 浙江工业大学 | A kind of Android malicious code family classification methods based on bytecode image clustering |
US10586045B2 (en) * | 2016-08-11 | 2020-03-10 | The Mitre Corporation | System and method for detecting malware in mobile device software applications |
US10607010B2 (en) * | 2016-09-30 | 2020-03-31 | AVAST Software s.r.o. | System and method using function length statistics to determine file similarity |
CN106709350B (en) * | 2016-12-30 | 2020-01-14 | 腾讯科技(深圳)有限公司 | Virus detection method and device |
CN109117635B (en) * | 2018-09-06 | 2023-07-04 | 腾讯科技(深圳)有限公司 | Virus detection method and device for application program, computer equipment and storage medium |
- 2018-09-06: CN application CN201811042877.1A, patent CN109117635B, status Active
- 2019-08-30: WO application PCT/CN2019/103600, publication WO2020048392A1, status Application Filing
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020048392A1 (en) * | 2018-09-06 | 2020-03-12 | 腾讯科技(深圳)有限公司 | Application virus detection method, apparatus, computer device, and storage medium |
CN110502900A (en) * | 2019-08-26 | 2019-11-26 | Oppo广东移动通信有限公司 | A kind of detection method, terminal, server and computer storage medium |
CN110502900B (en) * | 2019-08-26 | 2022-07-05 | Oppo广东移动通信有限公司 | Detection method, terminal, server and computer storage medium |
CN112487428A (en) * | 2020-11-26 | 2021-03-12 | 南方电网数字电网研究院有限公司 | Dormant combined computer virus discovery method based on block chain |
CN112487428B (en) * | 2020-11-26 | 2022-03-11 | 南方电网数字电网研究院有限公司 | Dormant combined computer virus discovery method based on block chain |
CN112668649A (en) * | 2020-12-29 | 2021-04-16 | 中国南方电网有限责任公司 | Reliability verification method, device and system based on computer forensics |
CN112668649B (en) * | 2020-12-29 | 2022-04-22 | 中国南方电网有限责任公司 | Reliability verification method, device and system based on computer forensics |
CN112597499A (en) * | 2020-12-30 | 2021-04-02 | 北京启明星辰信息安全技术有限公司 | Nondestructive safety inspection method and system for video monitoring equipment |
CN112597499B (en) * | 2020-12-30 | 2024-02-20 | 北京启明星辰信息安全技术有限公司 | Nondestructive security inspection method and system for video monitoring equipment |
CN115033895A (en) * | 2022-08-12 | 2022-09-09 | 中国电子科技集团公司第三十研究所 | Binary program supply chain safety detection method and device |
Also Published As
Publication number | Publication date |
---|---|
CN109117635B (en) | 2023-07-04 |
WO2020048392A1 (en) | 2020-03-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 40001815; Country of ref document: HK |
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||