CN109190373A - Using detection method, device, computer storage medium and computer equipment - Google Patents

Using detection method, device, computer storage medium and computer equipment Download PDF

Info

Publication number
CN109190373A
CN109190373A CN201810757738.0A CN201810757738A CN109190373A CN 109190373 A CN109190373 A CN 109190373A CN 201810757738 A CN201810757738 A CN 201810757738A CN 109190373 A CN109190373 A CN 109190373A
Authority
CN
China
Prior art keywords
application
application message
risk
current
history
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810757738.0A
Other languages
Chinese (zh)
Inventor
蔡灿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Original Assignee
Guangzhou Youshi Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Youshi Network Technology Co Ltd filed Critical Guangzhou Youshi Network Technology Co Ltd
Priority to CN201810757738.0A priority Critical patent/CN109190373A/en
Publication of CN109190373A publication Critical patent/CN109190373A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The present invention provides a kind of application detection method, device, computer storage medium and computer equipments.This method comprises: obtaining the application message of all applications of current system current application message and history, the application message includes the corresponding installation kit name of application and its MD5 value;The application message for comparing all applications of current system current application message and history, obtains increment application message;Detection interface is called, applies corresponding installation kit name and its MD5 value to detect in the increment application message.Through the embodiment of the present invention, it can be realized and safety detection efficiently carried out to application, guarantee the safety of application, and can efficiently utilize detection resource.

Description

Using detection method, device, computer storage medium and computer equipment
Technical field
The present invention relates to detection field is applied, specifically, the present invention relates to a kind of application detection methods, device, calculating Machine storage medium and computer equipment.
Background technique
There are many application programs, rogue program can usurp to the data of these application programs for installation in computer equipment Change, i.e., maliciously kidnaps the application program.In the prior art, security software tool can be installed in computer equipment to application program It is protected, security software tool can detecte whether application program is maliciously kidnapped, and detect that application program is maliciously robbed When holding, application program is repaired.
Security software tool in the prior art can detect all installed when detecting and apply with the presence or absence of security risk, However the installation kit detected is either risky or devoid of risk, repetition detection can waste customer flow, waste server calculates Resource.Therefore, how to realize both to have detected to apply and bring the sense of security to user, while can efficiently utilize server for detecting Resource, the problem of at urgent need to resolve.
Summary of the invention
The present invention in view of the shortcomings of the prior art, provide a kind of application detection method, device, computer storage medium and Computer equipment, application detection method through the embodiment of the present invention can be realized and efficiently carry out safety detection to application, protect The safety of application is demonstrate,proved, and can efficiently utilize detection resource.
The embodiment of the present invention provides a kind of using detection method according to first aspect, comprising:
The application message of all applications of current system current application message and history is obtained, the application message includes answering With corresponding installation kit name and its MD5 value;
The application message for comparing all applications of current system current application message and history, obtains increment application message;
Detection interface is called, applies corresponding installation kit name and its MD5 value to detect in the increment application message.
Further, the application message for obtaining all applications of current system current application message and history;Compare The application message of all applications of current system current application message and history, obtains increment application message, comprising:
Judge the application message that the history of all applications of current system whether is preserved in internal storage data caching;
If having preservation in internal storage data caching, the current application message of all applications of current system is obtained, it is relatively more current The application message of all applications of system current application message and history, obtains increment application message;
If not saving in internal storage data caching, judge whether disk file caching preserves all applications of current system History application message;
If having preservation in disk file caching, the application message of the history is read in internal storage data caching, and is obtained The application message for taking all applications of current system current compares answering for all applications of current system current application message and history With information, increment application message is obtained;
If not saving in disk file caching, the current application message of all applications of current system is obtained, and will be described The current application message of all applications of current system is as increment application message.
Further, the application message of all applications of relatively current system current application message and history, obtains Increment application message, specifically includes:
It is respectively compared each application current and history installation kit name and its MD5 value;
Determine that the inconsistent application of current and history installation kit name and its MD5 value is application to be detected;
Using the application to be detected current installation kit name and its MD5 value as increment application message.
It is further, described that the increment application message is detected, comprising:
Corresponding installation kit name and its MD5 value will be applied in the increment application message, apply corresponding installation with official Packet name and its MD5 value are compared;
If they are the same, then it detects using no risk;
If not identical, detect to apply to exist and distort risk.
It is further, described to detect after applying presence to distort risk, further includes:
It analyzes there is the application for distorting risk;
Judge in the increment application message all using whether exist distort risk;
If so, starting antivirus applet to system;
If it is not, judging whether download by same download tool in the presence of the application for distorting risk;
If downloading by same download tool, antivirus applet is started to the download tool;
If not downloading by same download tool, whether judge to have the application for distorting risk from same website;
If being derived from same website, prompting the website, there are risks, obtain the official that there is the application for distorting risk It is downloaded for user address;
If not deriving from same website, obtains the official address that there is the application for distorting risk and downloaded for user.
Further, the current application information and historical usage information for obtaining all applications of current system, before also Include:
There is detection opportunity in confirmation;
The detection opportunity are as follows:
Listen to application process starting;Or
Listen to system installation application broadcast;Or
Receive the risk supervision instruction of user's input.
Further, the historical usage information for obtaining all applications of current system, comprising:
If the detection opportunity is the risk supervision instruction for receiving user's input, obtain that current system is all applies preceding Application message when detection in one week, the application message as history;
If the detection opportunity is to listen to system installation application broadcast, obtains all apply of current system and examined in the previous day Application message when survey, the application message as history;
If the detection opportunity is to listen to application process starting, obtains all apply of current system and detected in the last time When application message, the application message as history.
It is further, described to detect after applying presence to distort risk, further includes:
If the detection opportunity is the risk supervision instruction for receiving user's input, there is the application name for distorting risk in display Claim, prompt to delete the application for existing and distorting risk, obtains the official address that there is the application for distorting risk and downloaded for user;
If the detection opportunity is to listen to system installation application broadcast, there are the Apply Names for distorting risk, propose in display Show the application for deleting and existing and distorting risk;
If the detection opportunity is to listen to application process starting, there are the Apply Names for distorting risk in display.
Further, the official address that there is the application for distorting risk that obtains is downloaded for user, comprising:
It analyzes there is the application for distorting risk;
Judge in the increment application message all using whether exist distort risk:
If so, starting antivirus applet to system, obtains the official address that there is the application for distorting risk and downloaded for user;
If it is not, judging whether download by same download tool in the presence of the application for distorting risk;
If downloading by same download tool, antivirus applet is started to the download tool, obtains to exist and distorts risk Application official address for user download;
If not downloading by same download tool, whether judge to have the application for distorting risk from same website;
If being derived from same website, prompting the website, there are risks, obtain the official that there is the application for distorting risk It is downloaded for user address;
If not deriving from same website, obtains the official address that there is the application for distorting risk and downloaded for user.
The embodiment of the present invention additionally provides a kind of using detection device according to second aspect, comprising:
Application message obtains module, for obtaining the application letter of all applications of current system current application message and history Breath, the application message includes installation kit name and its MD5 value;
Increment application message obtains module, for comparing answering for all applications of current system current application message and history With information, increment application message is obtained;
Increment application message detection module detects the increment application message for calling detection interface.
The embodiment of the present invention additionally provides a kind of computer readable storage medium according to the third aspect, is stored thereon with calculating Machine program, which is characterized in that the program realizes application detection method described above when being executed by processor.
The embodiment of the present invention additionally provides a kind of computer equipment according to fourth aspect, which is characterized in that the computer Equipment includes:
One or more processors;
Storage device, for storing one or more programs,
When one or more of programs are executed by one or more of processors, so that one or more of processing Device realizes application detection method as described above.
In embodiments of the present invention, it is gone through by obtaining the current application message of all applications of current system with what is pre-saved The application message of history compares the application message of all applications of current system current application message and history, obtains increment application Information;Detection interface is finally called, the increment application message is detected, to only carry out risk to increment application message Detection, rather than to it is all installed using carry out risk supervision, realize both guarantee application safety, and can efficiently for application into Row risk supervision avoids wasting excessive detection resource, also assures the usage experience of user.
On the other hand, a variety of detection opportunitys are provided, and different applicating history applications is set for different detection opportunitys The acquisition time node of information, and discovery distort risk in application, under different detection opportunitys, provided for user different Content of announcement can guarantee the usage experience to user, while being able to detect resource and make full use of.
The additional aspect of the present invention and advantage will be set forth in part in the description, these will become from the following description Obviously, or practice through the invention is recognized.
Detailed description of the invention
Above-mentioned and/or additional aspect and advantage of the invention will become from the following description of the accompanying drawings of embodiments Obviously and it is readily appreciated that, in which:
Fig. 1 is the flow diagram using detection method of one embodiment of the invention;
Fig. 2 is the structural schematic diagram using detection device of one embodiment of the invention;
Fig. 3 is the structural schematic diagram of the computer equipment of one embodiment of the invention.
Specific embodiment
The embodiment of the present invention is described below in detail, examples of the embodiments are shown in the accompanying drawings, wherein from beginning to end Same or similar label indicates same or similar element or element with the same or similar functions.Below with reference to attached The embodiment of figure description is exemplary, and for explaining only the invention, and is not construed as limiting the claims.
It describes in detail below in conjunction with attached drawing to a specific embodiment of the invention.
As shown in Figure 1, in one embodiment, it is a kind of to apply detection method, comprising the following steps:
S110: the application message of all applications of current system current application message and history, the application message are obtained Including the corresponding installation kit name of application and its MD5 value;
Wherein, when all applications of current system refer to current detection, all applications for being installed in system;The history is answered It is the application message of applying of being installed on current system when detecting before with information;It should be noted that described " examine before Survey " it is not to refer in particular to last detection, and can be last detection, the detection times such as detection or the detection of the last week of the previous day Detection of the point earlier than current detection.
S120: comparing the current application information and historical usage information of all applications of current system, obtains increment application letter Breath;
It carries out using after test, the application message of all applications can be all saved in memory, so as under in system at that time When secondary detection can quick obtaining to application historical usage information;Preferably, the application message of all applications can protect There are in disk.
In one embodiment, the current application information and historical usage information for obtaining all applications of current system; The current application information and historical usage information for comparing all applications of current system, obtain increment application message, comprising:
Judge the historical usage information that all applications of current system whether are preserved in internal storage data caching,
If having preservation in internal storage data caching, the current application information of all applications of current system is obtained, relatively more current system It unites the current application information and historical usage information of all applications, obtains increment application message;
If not saving in internal storage data caching, judge whether disk file caching preserves all applications of current system Historical usage information;
If having preservation in disk file caching, the historical usage information is read in internal storage data caching, and is obtained The current application information of all applications of current system compares the current application information and historical usage letter of all applications of current system Breath, obtains increment application message;
If not saving in disk file caching, the current application information of all applications of current system is obtained, and will be described The current application information of all applications of current system is as increment application message.
Internal storage data caching can save long period history with efficient detection historical usage information, disk file caching Application message;By the above method, efficient and stable advantage can be taken into account, realizes and effectively obtains increment application message.
In one embodiment, the application letter of all applications of relatively current system current application message and history Breath, obtains increment application message, specifically includes:
S121: each application current and history installation kit name and its MD5 value are respectively compared;
S122: determine that the inconsistent application of current and history installation kit name and its MD5 value is application to be detected;
S123: using the application to be detected current installation kit name and its MD5 value as increment application message.
Increment application message in order to facilitate understanding is illustrated below by way of example.
For example, acquiring the current application message of described two applications there are two APP1, APP2 is applied in current system It is respectively: APP1 (corresponding MD5_1a), APP2 (corresponding MD5_2a).If the application letter of the described two applicating histories got Breath is respectively: APP1 (corresponding MD5_1a), APP2 (corresponding MD5_2b), by comparison it is found that APP1 is current and the installation of history Packet name is consistent with its MD5 value, illustrate APP1 history detection after, do not change, thus be not necessarily to again to APP1 into Row repeats to detect;And APP2 is currently changed with the MD5 value of the installation kit name of history, i.e. APP2 (corresponding MD5_2a) -> APP2 (corresponding MD5_2b) illustrates that APP2 after history detection, has and variation occurred, then the application message that APP2 is current, wrap Installation kit name and its MD5 value are included as increment application message.
It should be noted that if the application message of the applicating history got only has APP2 (corresponding MD5_2a), and do not have There is the application message of history corresponding with APP1, illustrates that APP1 is after history detects, the application that system is newly installed, it is also desirable to will APP1 current application message is as increment application message.
S130: detection interface is called, is carried out in the increment application message using corresponding installation kit name and its MD5 value Detection.
Specifically, current application information and historical usage information are inconsistent, illustrate to apply to have after history detection and occur Variation.The reason of changing, which is likely to be to apply, carried out update, it is possible to apply is tampered, it is therefore desirable to the increment Application message is detected, to further determine that using with the presence or absence of risk.
In embodiments of the present invention, judged using md5 encryption technology using with the presence or absence of the risk being tampered.Specifically Ground, MD5 (message-digest algorithm 5, md5-challenge) is that one kind is widely used in encryption and decryption technology On technology, any one file, either executable program, image file, temporary file or other any kind of texts Part, it is much regardless of its volume, have and only one unique MD5 value of information, and if this file is modified It crosses, its MD5 value will also change correspondingly.Therefore, we can be by the MD5 value of comparison same file, to verify this file Whether changed.
Specifically, it is described to the increment application message detect in using corresponding installation kit name and its MD5 value, packet It includes:
Corresponding installation kit name and its MD5 value will be applied in the increment application message, apply corresponding installation with official Packet name and its MD5 value are compared;
If they are the same, then it detects using no risk;
If not identical, detect to apply to exist and distort risk.
It should be noted that it includes official's publication about applying in the increment application message that above-mentioned official, which applies, The application for the version released in preset time section, the predetermined time section can be configured by developer, such as nearest half a year, most Nearly one month.
It is further, described to detect after applying presence to distort risk, further includes:
It analyzes there is the application for distorting risk.
In order to further ensure application is safe, judge in the increment application message all using whether exist distort Risk, if so, starting antivirus applet to system;
If it is not, judging whether download by same download tool in the presence of the application for distorting risk, if passing through same downloading Tool downloading starts antivirus applet to the download tool;
If not downloading by same download tool, judge there is whether the application for distorting risk derives from same website, If being derived from same website, prompt the website there are risk, obtain exist the official address of the application for distorting risk for Family downloading obtains the official address that there is the application for distorting risk and downloads for user if not deriving from same website.
Specifically, when system is successfully installed new in application, record the source-information of the new installation application, and will be described Source-information is stored in memory or disk.The source-information, which has recorded, provides the new installation application installation package for user Provider, the application installation package provider include mounted download tool, website in system.The download tool includes answering Application using downloading is provided with shop, the application of third party assistant's class etc. for user.
The acquisition modes of the source-information include reading mounted download tool in system at that time and/or reading The cache information of the browser of installation determines the source-information of the new application according to cache information.
It downloads or when needing to judge whether to pass through same download tool in the presence of the application for distorting risk whether from same When website, read that memory or disk save using corresponding source-information, it is more described to there is coming for the application for distorting risk Source information, thus judge it is described exist distort risk application whether same download tool downloading or whether from same Website.
In the above-mentioned methods, the embodiment of the present invention is able to carry out risk positioning, and uses different processing to different risks Means are preferably experienced to user.
Specifically, the current application information and historical usage information for obtaining all applications of current system, is also wrapped before It includes:
There is detection opportunity in confirmation.
In one embodiment, the detection opportunity are as follows: listen to application process starting;
Since the frequency that the case where application process starting occurs in a practical situation is very high, i.e., application is detected Frequency is very high, therefore using corresponding historical usage information when only needing to obtain last detection, thus realize efficiently into The detection of row application risk.
It is preferred that the historical usage information for obtaining all applications of current system, comprising: if the detection opportunity To listen to application process starting, all application messages applied in the last time detection of current system are obtained, as history Application message.
Specifically, it detects using in the presence of after distorting risk to need that user is notified to handle the application.However by In application process starting the case where the frequency of occurrences it is very high, if there is there is the application for distorting risk, then due to application carry out The frequency of detection is very high, causes the frequency notified to user very high, and user may temporarily be not intended to distort to described The application of risk is handled or user has the processing of more important thing, in order not to cause user to dislike, to believing in the notice of user Breath should be reduced suitably.
It is preferred that described detect after applying presence to distort risk, further includes: if the detection opportunity is to monitor Start to application process, display has the Apply Names for distorting risk.
In another embodiment, the detection opportunity are as follows: listen to system installation application broadcast;
Since the frequency that occurs in a practical situation of the case where system installs application or unloading application is higher, i.e., to application into The frequency of row risk supervision is higher;If timing node setting is too early, can be detected excessive greatly because of the variation of application Increment application message, cause again to detect the application detected, waste detection resource.Therefore, it can incite somebody to action The timing node of the historical usage information of the application of acquisition is set as the time point compared to current sensing time breakfast, such as one day Before.
Therefore in one embodiment, the historical usage information for obtaining all applications of current system, comprising: if described Detection opportunity, acquisition current system is all to apply answering in the previous day detection to listen to system installation or unloading application broadcast With information, as historical usage information.
The case where being installed due to system or unloaded application is lower compared to the occurrence frequency on above-mentioned detection opportunity, it can be with In the notification, some safety measures are prompted for user.
It is preferred that described detect after applying presence to distort risk, further includes: if the detection opportunity is to monitor Application broadcast is installed to system, display has the Apply Names for distorting risk, prompts to delete the application for existing and distorting risk.
In another embodiment, the detection opportunity are as follows: receive the risk supervision instruction of user's input.
Due in actual conditions, it is relatively low that user is actively entered risk supervision instruction frequency, i.e., detects to application Frequency it is lower, thus the timing node of the historical usage information for the application that can be will acquire is set as time point earlier, such as Before one week, to realize in current detection, it can be more thoroughly tested with the application that variation occurred, guarantee the peace of application Entirely.
Therefore in one embodiment, the historical usage information for obtaining all applications of current system, comprising: if described Detection opportunity is the risk supervision instruction for receiving user's input, and acquisition current system is all to apply answering in the last week detection With information, as historical usage information.
Since user is actively entered risk supervision instruction, it is safe for application to can reflect out user to a certain extent Pay attention to, more has a mind to execute safety of the safety measure to guarantee application, therefore, can in the notification, mostly user prompts safety Measure.
Efficiency and demand are taken into account using different processing modes to different detection opportunitys;Improve user experience.
It is preferred that described detect after applying presence to distort risk, further includes:
If the detection opportunity is the risk supervision instruction for receiving user's input, there is the application name for distorting risk in display Claim, prompt to delete the application for existing and distorting risk, obtains the official address that there is the application for distorting risk and downloaded for user.
Specifically, the official address that there is the application for distorting risk that obtains is downloaded for user, comprising:
It analyzes there is the application for distorting risk;
Judge in the increment application message all using whether exist distort risk, if so, to system starting kill Malicious program obtains the official address that there is the application for distorting risk and downloads for user;
If it is not, judging whether download by same download tool in the presence of the application for distorting risk, if passing through same downloading Tool downloading starts antivirus applet to the download tool, obtains the official address that there is the application for distorting risk under user It carries;
If not downloading by same download tool, whether judge to have the application for distorting risk from same website;
If being derived from same website, prompting the website, there are risks, obtain the official that there is the application for distorting risk It is downloaded for user address;If not deriving from same website, the official address that there is the application for distorting risk is obtained under user It carries.
Before providing the official address that there is the application for distorting risk for user's downloading, effective risk judgment is carried out, Different processing means are used for different risks, newly downloaded application is installed to both ensure, can normal use, and mention High user experience.
Specifically, when system is successfully installed new in application, record the source-information of the new installation application, and will be described Source-information is stored in memory or disk.The source-information, which has recorded, provides the new installation application installation package for user Provider, the application installation package provider include mounted download tool, website in system.The download tool includes answering Application using downloading is provided with shop, the application of third party assistant's class etc. for user.
The acquisition modes of the source-information include reading mounted download tool in system at that time and/or reading The cache information of the browser of installation determines the source-information of the new application according to cache information.
It downloads or when needing to judge whether to pass through same download tool in the presence of the application for distorting risk whether from same When website, read that memory or disk save using corresponding source-information, it is more described to there is coming for the application for distorting risk Source information, thus judge it is described exist distort risk application whether same download tool downloading or whether from same Website.
Preferably, if the presence detected distort risk using only one, then directly acquire in the presence of distorting risk Application official address for user download.
It is provided by the invention using detection method in order to preferably introduce, it is specifically described below by an application examples.
The following are application examples.
1. receiving the risk supervision instruction of user's input, there is detection opportunity in confirmation.
2. obtaining the current application information of all applications of current system, APP1 (corresponding MD5_1a), APP2 (corresponding MD5_ 2a)。
3. getting historical usage information corresponding with all applications of current system from internal storage data caching, APP1 is (right Answer MD5_2a), APP2 (corresponding MD5_2b).
4. be respectively compared it is each application currently and history installation kit name and its MD5 value.
5. determining that the inconsistent application of current and history installation kit name and its MD5 value is APP1, APP2.
6. described APP1, APP2 current installation kit name and its MD5 value APP1 (corresponding MD5_2a), APP2 is (corresponding MD5_2b) it is used as increment application message.
7. the corresponding installation kit name of all software versions and its MD5 value APP1 that obtain official's application of APP1 are (corresponding MD5_1a), APP1 (corresponding MD5_2a).
8. the corresponding installation kit name of all software versions and its MD5 value APP2 that obtain official's application of APP2 are (corresponding MD5_2a)。
9. judge APP1, APP2 official application all versions installation kit name and its MD5 value whether include APP1, APP2 current installation kit name and its MD5 value.
10. determining that APP1 does not have risk, APP2 distorts risk.
11. display has the Apply Names APP2 for distorting risk, prompts user to delete APP2, obtain the official address of APP2 It is downloaded for user.
12. a couple APP2 is analyzed.
The embodiment of the present invention also provide it is a kind of using detection device, as shown in Fig. 2, comprising the following modules:
Application message obtains module 110, for obtaining the current application information and historical usage of all applications of current system Information, the application message include the corresponding installation kit name of application and its MD5 value;
Wherein, when all applications of current system refer to current detection, all applications for being installed in system;The history is answered It is the application message of applying of being installed on current system when detecting before with information;It should be noted that described " examine before Survey " it is not to refer in particular to last detection, and can be last detection, detection or the detection of the last week of the previous day etc. are earlier than current The detection of detection.
The application message obtains module 110, includes:
First judging submodule, the history for judging whether to preserve all applications of current system in internal storage data caching Application message;
Second judgment submodule, for when not saving during internal storage data caches, judging whether disk file caching is protected There is the application message of the history of all applications of current system;
The increment application message obtains module, comprising:
First increment application message obtains submodule, for when the application letter for having the preservation history in internal storage data caching When breath, the current application message of all applications of current system is obtained, compares the current application message of all applications of current system With the application message of history, increment application message is obtained;
Second increment application message obtains submodule, for when the application letter for having the preservation history in disk file caching When breath, the application message of the history is read in internal storage data caching, and obtains that all applications of current system are current to answer With information, compares the application message of all applications of current system current application message and history, obtain increment application message;
Third increment application message obtains submodule, for when the application for not saving the history in disk file caching When information, the current application message of all applications of current system, and the application that all applications of the current system are current are obtained Information is as increment application message.
Increment application message obtains module 120, for comparing the current application information and history of all applications of current system Application message obtains increment application message;
The increment application message obtains module 120, specifically includes:
Application message Comparative sub-module, for being respectively compared each application current and history installation kit name and its MD5 Value;
Application to be detected determines submodule, for determining that current and history installation kit name and its MD5 value are inconsistent Using for application to be detected;
Increment application message determines submodule, for making the application to be detected current installation kit name and its MD5 value For increment application message.
Increment application message detection module 130 is corresponded to for calling detection interface to applying in the increment application message Installation kit name and its MD5 value detected.
Specifically, in one embodiment, the increment application message detection module 130, comprising:
Risk application detection sub-module is distorted, for corresponding installation kit name and its will to be applied in the increment application message MD5 value is compared with official using corresponding installation kit name and its MD5 value;
If they are the same, then it detects using no risk;
If not identical, detect to apply to exist and distort risk.
In another embodiment, the increment application message detection module 130 further include:
Risk applied analysis submodule is distorted, for analyzing in the presence of the application for distorting risk;
First safety measure submodule, for judge in the increment application message all using whether exist distort Risk starts antivirus applet to system if all distorting risk using presence;
Second safety measure submodule, for when all using be not exist distort risk when, judge exist distort wind Whether the application of danger is downloaded by same download tool, if being downloaded by same download tool, is started to the download tool Antivirus applet;
Third safety measure submodule, for when there is the application for distorting risk being downloaded by same download tool When, judge prompt the website to deposit if being derived from same website in the presence of whether the application for distorting risk derives from same website In risk, obtains the official address that there is the application for distorting risk and downloaded for user;
4th safety measure submodule, for when being not derived from same website in the presence of the application for distorting risk, acquisition to be deposited It is downloaded in the official address for the application for distorting risk for user.
It is provided in an embodiment of the present invention to apply detection device further include:
Detection opportunity confirmation module 140, for confirming detection opportunity occur;
The detection opportunity are as follows:
Listen to application process starting;Or
Listen to system installation application broadcast;Or
Receive the risk supervision instruction of user's input.
On this basis, the application message obtains module 110, comprising:
First historical usage acquisition of information submodule, for being the risk inspection for receiving user's input when the detection opportunity When surveying instruction, all application messages applied in the last week detection of current system are obtained, as historical usage information;
Second historical usage acquisition of information submodule, for being to listen to system installation or unload to answer when the detection opportunity When with broadcast, all application messages applied in the previous day detection of current system are obtained, as historical usage information;
Third historical usage acquisition of information submodule, for when the detection opportunity be listen to application process starting when, All application messages applied in the last time detection of current system are obtained, as historical usage information.
It is preferably, provided in an embodiment of the present invention to apply detection device further include:
Further include:
First notice submodule, for showing when the detection opportunity is the risk supervision instruction for receiving user's input Show in the presence of the Apply Names for distorting risk, prompts to delete the application for existing and distorting risk, obtain and there is the application for distorting risk It is downloaded for user official address;
Second notice submodule, for when the detection opportunity is to listen to system installation application broadcast, display to exist The Apply Names of risk are distorted, prompt to delete the application for existing and distorting risk;
Third notice submodule, for when the detection opportunity is to listen to application process starting, display, which exists, to be distorted The Apply Names of risk.
Specifically, the first notice submodule, comprising:
Second distorts risk applied analysis unit, for analyzing in the presence of the application for distorting risk;
5th safety measure unit, for judge in the increment application message all using whether exist distort wind Danger, if all obtaining using in the presence of risk is distorted, antivirus applet is started to system and there is the application for distorting risk officially It is downloaded for user location;
6th safety measure unit, for when all using be not exist distort risk when, judge exist distort risk Application whether downloaded by same download tool, if being downloaded by same download tool, to the download tool start kill Malicious program obtains the official address that there is the application for distorting risk and downloads for user;
7th safety measure unit, when the application for distorting risk when presence is not by the downloading of same download tool, Judge, if being derived from same website, the website to be prompted to exist whether from same website in the presence of the application for distorting risk Risk obtains the official address that there is the application for distorting risk and downloads for user;
8th safety measure unit, for obtaining and existing when being not derived from same website in the presence of the application for distorting risk It is downloaded for user the official address for distorting the application of risk.
It should be noted that application detection device provided in an embodiment of the present invention can be realized above-mentioned application detection method reality The function that example is realized is applied, the specific implementation of function is referring to the above-mentioned description using in detection method, and details are not described herein.
The embodiment of the present invention also provides a kind of computer readable storage medium, is stored thereon with computer program, the program It is realized when being executed by processor above-mentioned using detection method.Wherein, the storage medium includes but is not limited to any kind of disk (including floppy disk, hard disk, CD, CD-ROM and magneto-optic disk), ROM (Read-Only Memory, read-only memory), RAM (Random AcceSS Memory, immediately memory), EPROM (EraSable Programmable Read-Only Memory, Erarable Programmable Read only Memory), EEPROM (Electrically EraSable Programmable Read-Only Memory, Electrically Erasable Programmable Read-Only Memory), flash memory, magnetic card or light card.It is, storage Medium includes by equipment (for example, computer) with any medium for the form storage or transmission information that can be read.It can be read-only Memory, disk or CD etc..
The embodiment of the present invention also provides a kind of computer equipment, and the computer equipment includes:
One or more processors 510;
Storage device 520, for storing one or more programs 500,
When one or more of programs 500 are executed by one or more of processors 510, so that one or more A processor 510 is realized above-mentioned using detection method.
It is illustrated in figure 3 the structural schematic diagram of computer equipment of the present invention, including processor 510, storage device 520, defeated Enter the devices such as unit 530 and display unit 540.It will be understood by those skilled in the art that structure devices shown in Fig. 3 not structure The restriction of pairs of all computer equipments may include than illustrating more or fewer components, or the certain components of combination.Storage Device 520 can be used for storing application program 500 and each functional module, and the operation of processor 510 is stored in answering for storage device 520 With program 500, thereby executing the various function application and data processing of equipment.Storage device 520 can be built-in storage or External memory, or including both built-in storage and external memory.Built-in storage may include read-only memory, programming ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory or random storage Device.External memory may include hard disk, floppy disk, ZIP disk, USB flash disk, tape etc..Storage device disclosed in this invention includes but not It is limited to the storage device of these types.Storage device 520 disclosed in this invention is only used as example rather than as restriction.
Input unit 530 is used to receive the input of signal, and the correlations such as selection voice document for receiving user's input are asked It asks.Input unit 530 may include touch panel and other input equipments.Touch panel collects user on it or nearby Touch operation (for example user uses any suitable objects or attachment such as finger, stylus on touch panel or in touch panel Neighbouring operation), and corresponding attachment device is driven according to a pre-set procedure;Other input equipments may include but unlimited In one of physical keyboard, function key (for example playing control button, switch key etc.), trace ball, mouse, operating stick etc. or It is a variety of.Display unit 540 can be used for showing user input information or be supplied to user information and computer equipment it is each Kind menu.The forms such as liquid crystal display, Organic Light Emitting Diode can be used in display unit 540.Processor 510 is computer equipment Control centre be stored in storage by running or executing using the various pieces of various interfaces and the entire computer of connection Software program and/or module in device 520, and the data being stored in storage device are called, it performs various functions and locates Manage data.
In one embodiment, computer equipment includes one or more processors 510, and one or more storage dresses 520 are set, one or more application program 500, wherein one or more of application programs 500 are stored in storage device 520 In and be configured as being executed by one or more of processors 510, one or more of application programs 500 are configured to hold Voice transmitting method described in row above embodiments.
It should be understood that although each step in the flow chart of attached drawing is successively shown according to the instruction of arrow, These steps are not that the inevitable sequence according to arrow instruction successively executes.Unless expressly stating otherwise herein, these steps Execution there is no stringent sequences to limit, can execute in the other order.Moreover, at least one in the flow chart of attached drawing Part steps may include that perhaps these sub-steps of multiple stages or stage are not necessarily in synchronization to multiple sub-steps Completion is executed, but can be executed at different times, execution sequence, which is also not necessarily, successively to be carried out, but can be with other At least part of the sub-step or stage of step or other steps executes in turn or alternately.
It should be understood that each functional unit in various embodiments of the present invention can be integrated in a processing module, It can be physically existed alone, can also be integrated in two or more units in a module with each unit.It is above-mentioned integrated Module both can take the form of hardware realization, can also be realized in the form of software function module.
The above is only some embodiments of the invention, it is noted that for the ordinary skill people of the art For member, various improvements and modifications may be made without departing from the principle of the present invention, these improvements and modifications are also answered It is considered as protection scope of the present invention.

Claims (12)

1. a kind of apply detection method characterized by comprising
The application message of all applications of current system current application message and history is obtained, the application message includes application pair The installation kit name and its MD5 value answered;
The application message for comparing all applications of current system current application message and history, obtains increment application message;
Detection interface is called, applies corresponding installation kit name and its MD5 value to detect in the increment application message.
2. applying detection method as described in claim 1, which is characterized in that the acquisition current system is all to be applied currently The application message of application message and history;Compare the application message of all applications of current system current application message and history, Obtain increment application message, comprising:
Judge the application message that the history of all applications of current system whether is preserved in internal storage data caching;
If having preservation in internal storage data caching, the current application message of all applications of current system is obtained, current system is compared The application message of all applications current application message and history, obtains increment application message;
If not saving in internal storage data caching, judge whether disk file caching preserves going through for all applications of current system The application message of history;
If having preservation in disk file caching, the application message of the history is read in internal storage data caching, and obtain and work as The current application message of preceding all applications of system, compares the application letter of all applications of current system current application message and history Breath, obtains increment application message;
If not saving in disk file caching, the current application message of all applications of current system is obtained, and will be described current The current application message of all applications of system is as increment application message.
3. applying detection method as described in claim 1, which is characterized in that the relatively current system is all to be applied currently The application message of application message and history obtains increment application message, comprising:
It is respectively compared each application current and history installation kit name and its MD5 value;
Determine that the inconsistent application of current and history installation kit name and its MD5 value is application to be detected;
Using the application to be detected current installation kit name and its MD5 value as increment application message.
4. as described in claim 1 apply detection method, which is characterized in that it is described in the increment application message using pair The installation kit name and its MD5 value answered are detected, comprising:
Corresponding installation kit name and its MD5 value will be applied in the increment application message, apply corresponding installation kit name with official It is compared with its MD5 value;
If they are the same, then it detects using no risk;
If not identical, detect to apply to exist and distort risk.
5. as claimed in claim 4 apply detection method, which is characterized in that it is described detect using exist distort risk it Afterwards, further includes:
It analyzes there is the application for distorting risk;
Judge in the increment application message all using whether exist distort risk;
If so, starting antivirus applet to system;
If it is not, judging whether download by same download tool in the presence of the application for distorting risk;
If downloading by same download tool, antivirus applet is started to the download tool;
If not downloading by same download tool, whether judge to have the application for distorting risk from same website;
If being derived from same website, prompting the website, there are risks, obtain the official address that there is the application for distorting risk It is downloaded for user;
If not deriving from same website, obtains the official address that there is the application for distorting risk and downloaded for user.
6. applying detection method as claimed in claim 4, which is characterized in that described to obtain the current of all applications of current system Application message and historical usage information, before further include:
There is detection opportunity in confirmation;
The detection opportunity are as follows:
Listen to application process starting;Or
Listen to system installation application broadcast;Or
Receive the risk supervision instruction of user's input.
7. applying detection method as claimed in claim 6, which is characterized in that the history for obtaining all applications of current system Application message, comprising:
If the detection opportunity is the risk supervision instruction for receiving user's input, obtain that current system is all applies in the last week Application message when detection, the application message as history;
If the detection opportunity is to listen to system installation application broadcast, acquisition current system is all to be applied in the previous day detection Application message, the application message as history;
If the detection opportunity is to listen to application process starting, acquisition current system is all to be applied in the last time detection Application message, the application message as history.
8. as claimed in claim 6 apply detection method, which is characterized in that it is described detect using exist distort risk it Afterwards, further includes:
If the detection opportunity is the risk supervision instruction for receiving user's input, there are the Apply Names for distorting risk in display, The application for existing and distorting risk is deleted in prompt, is obtained the official address that there is the application for distorting risk and is downloaded for user;
If the detection opportunity is to listen to system installation application broadcast, there are the Apply Names for distorting risk in display, prompt is deleted Except in the presence of the application for distorting risk;
If the detection opportunity is to listen to application process starting, there are the Apply Names for distorting risk in display.
9. applying detection method as claimed in claim 8, which is characterized in that described to obtain the official that there is the application for distorting risk It is downloaded for user square address, comprising:
It analyzes there is the application for distorting risk;
Judge in the increment application message all using whether exist distort risk:
If so, starting antivirus applet to system, obtains the official address that there is the application for distorting risk and downloaded for user;
If it is not, judging whether download by same download tool in the presence of the application for distorting risk;
If downloading by same download tool, antivirus applet is started to the download tool, obtains to exist and distorts answering for risk It is downloaded for user official address;
If not downloading by same download tool, whether judge to have the application for distorting risk from same website;
If being derived from same website, prompting the website, there are risks, obtain the official address that there is the application for distorting risk It is downloaded for user;
If not deriving from same website, obtains the official address that there is the application for distorting risk and downloaded for user.
10. a kind of apply detection device characterized by comprising
Application message obtains module, for obtaining the application message of all applications of current system current application message and history, The application message includes installation kit name and its MD5 value;
Increment application message obtains module, for comparing the application letter of all applications of current system current application message and history Breath, obtains increment application message;
Increment application message detection module detects the increment application message for calling detection interface.
11. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the program is by processor It is realized when execution as described in any one of claims 1-9 using detection method.
12. a kind of computer equipment, which is characterized in that the computer equipment includes:
One or more processors;
Storage device, for storing one or more programs,
When one or more of programs are executed by one or more of processors, so that one or more of processors are real It is existing as described in any one of claims 1-9 using detection method.
CN201810757738.0A 2018-07-11 2018-07-11 Using detection method, device, computer storage medium and computer equipment Pending CN109190373A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810757738.0A CN109190373A (en) 2018-07-11 2018-07-11 Using detection method, device, computer storage medium and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810757738.0A CN109190373A (en) 2018-07-11 2018-07-11 Using detection method, device, computer storage medium and computer equipment

Publications (1)

Publication Number Publication Date
CN109190373A true CN109190373A (en) 2019-01-11

Family

ID=64935975

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810757738.0A Pending CN109190373A (en) 2018-07-11 2018-07-11 Using detection method, device, computer storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN109190373A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110443034A (en) * 2019-08-05 2019-11-12 中国工商银行股份有限公司 The recognition methods of risk program file, calculates equipment and medium at device
CN112613726A (en) * 2020-12-18 2021-04-06 深圳前海微众银行股份有限公司 Risk detection method based on federal learning, client, equipment and storage medium
CN115344571A (en) * 2022-05-20 2022-11-15 药渡经纬信息科技(北京)有限公司 Universal data acquisition and analysis method, system and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104102538A (en) * 2013-04-09 2014-10-15 联想(北京)有限公司 Information processing method and electronic equipment
CN104346568A (en) * 2013-07-26 2015-02-11 贝壳网际(北京)安全技术有限公司 Method and device for identifying malicious application program and mobile device
CN104598822A (en) * 2015-01-15 2015-05-06 百度在线网络技术(北京)有限公司 Detection method and detection device of applications
CN107086977A (en) * 2016-02-15 2017-08-22 中国移动通信集团公司 Using security processing and device
US20170302692A1 (en) * 2008-09-12 2017-10-19 George Mason Research Foundation, Inc. Methods and apparatus for application isolation

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170302692A1 (en) * 2008-09-12 2017-10-19 George Mason Research Foundation, Inc. Methods and apparatus for application isolation
CN104102538A (en) * 2013-04-09 2014-10-15 联想(北京)有限公司 Information processing method and electronic equipment
CN104346568A (en) * 2013-07-26 2015-02-11 贝壳网际(北京)安全技术有限公司 Method and device for identifying malicious application program and mobile device
CN104598822A (en) * 2015-01-15 2015-05-06 百度在线网络技术(北京)有限公司 Detection method and detection device of applications
CN107086977A (en) * 2016-02-15 2017-08-22 中国移动通信集团公司 Using security processing and device

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110443034A (en) * 2019-08-05 2019-11-12 中国工商银行股份有限公司 The recognition methods of risk program file, calculates equipment and medium at device
CN110443034B (en) * 2019-08-05 2021-09-14 中国工商银行股份有限公司 Risk program file identification method and device, computing equipment and medium
CN112613726A (en) * 2020-12-18 2021-04-06 深圳前海微众银行股份有限公司 Risk detection method based on federal learning, client, equipment and storage medium
CN115344571A (en) * 2022-05-20 2022-11-15 药渡经纬信息科技(北京)有限公司 Universal data acquisition and analysis method, system and storage medium
CN115344571B (en) * 2022-05-20 2023-05-23 药渡经纬信息科技(北京)有限公司 Universal data acquisition and analysis method, system and storage medium

Similar Documents

Publication Publication Date Title
US11687653B2 (en) Methods and apparatus for identifying and removing malicious applications
Kiss et al. Kharon dataset: Android malware under a microscope
CN106294102B (en) Application program testing method, client, server and system
CN109190373A (en) Using detection method, device, computer storage medium and computer equipment
US20130246038A1 (en) Emulator updating system and method
JP5690689B2 (en) Application analysis apparatus and program
US20120331547A1 (en) Static Analysis For Verification Of Software Program Access To Secure Resources For Computer Systems
CN103971056B (en) A kind ofly prevent the unloaded method and apparatus of application program in operating system
CN103632096A (en) Method and device for carrying out safety detection on equipment
CN103390130A (en) Rogue program searching and killing method and device based on cloud security as well as server
US11055416B2 (en) Detecting vulnerabilities in applications during execution
CN106548065B (en) Application program installation detection method and device
CN111343188A (en) Vulnerability searching method, device, equipment and storage medium
US20240160748A1 (en) Method And System For Data Flow Monitoring To Identify Application Security Vulnerabilities And To Detect And Prevent Attacks
CN108959860B (en) Method for detecting whether Android system is cracked or not and obtaining cracking record
CN108874658A (en) A kind of sandbox analysis method, device, electronic equipment and storage medium
Yang et al. Execution enhanced static detection of android privacy leakage hidden by dynamic class loading
CN110502900B (en) Detection method, terminal, server and computer storage medium
US10880316B2 (en) Method and system for determining initial execution of an attack
JP2010134536A (en) Pattern file update system, pattern file update method, and pattern file update program
CN115292716A (en) Security analysis method, device, equipment and medium for third-party software package
KR102054768B1 (en) Automatic analyizing system and method of security weekness of application
CN106909830A (en) A kind of data processing method and device
CN111832061A (en) Sandbox file reading method and device and terminal
KR101453357B1 (en) Method and apparatus for diagnosing and removing malware in portable device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20200422

Address after: 310052 room 508, floor 5, building 4, No. 699, Wangshang Road, Changhe street, Binjiang District, Hangzhou City, Zhejiang Province

Applicant after: Alibaba (China) Co.,Ltd.

Address before: 510640 Guangdong city of Guangzhou province Whampoa Tianhe District Road No. 163 Xiping Yun Lu Yun Ping square B radio tower 15 layer self unit 02

Applicant before: GUANGZHOU UC NETWORK TECHNOLOGY Co.,Ltd.

RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20190111